Graduate Level Writing!!! Cyber/Computer Security Only!!!
atlshawty76
Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology, by Gary Stoneburner, Alice Goguen, and Alexis Feringa, comprises public domain material from the National Institute of Standards and Technology, Technology Administration, U.S. Department of Commerce.
APPENDIX B: SAMPLE RISK ASSESSMENT REPORT OUTLINE
EXECUTIVE SUMMARY
I. Introduction
• Purpose
• Scope of this risk assessment
Describe the system components, elements, users, field site locations (if any), and any other details about the system to be considered in the assessment.
II. Risk Assessment Approach
Briefly describe the approach used to conduct the risk assessment, such as—
• The participants (e.g., risk assessment team members)
• The technique used to gather information (e.g., the use of tools, questionnaires)
• The development and description of risk scale (e.g., a 3 x 3, 4 x 4, or 5 x 5 risk-level matrix).
III. System Characterization
Characterize the system, including hardware (server, router, switch), software (e.g., application, operating system, protocol), system interfaces (e.g., communication link), data, and users. Provide connectivity diagram or system input and output flowchart to delineate the scope of this risk assessment effort.
IV. Threat Statement
Compile and list the potential threat-sources and associated threat actions applicable to the system assessed.
V. Risk Assessment Results
List the observations (vulnerability/threat pairs). Each observation must include—
• Observation number and brief description of observation (e.g., Observation 1: User system passwords can be guessed or cracked)
• A discussion of the threat-source and vulnerability pair
• Identification of existing mitigating security controls
• Likelihood discussion and evaluation (e.g., High, Medium, or Low likelihood)
• Impact analysis discussion and evaluation (e.g., High, Medium, or Low impact)
• Risk rating based on the risk-level matrix (e.g., High, Medium, or Low risk level)
• Recommended controls or alternative options for reducing the risk.
VI. Summary
Total the number of observations. Summarize the observations, the associated risk levels, the recommendations, and any comments in a table format to facilitate the implementation of recommended controls during the risk mitigation process.
SP 800-30 Page B-1
APPENDIX C: SAMPLE SAFEGUARD IMPLEMENTATION PLAN SUMMARY TABLE
Column headings:
(1) Risk (Vulnerability/Threat Pair)
(2) Risk Level
(3) Recommended Controls
(4) Action Priority
(5) Selected Planned Controls
(6) Required Resources
(7) Responsible Team/Persons
(8) Start Date/End Date
(9) Maintenance Requirement/Comments
Sample row:
(1) Unauthorized users can telnet to XYZ server and browse sensitive company files with the guest ID.
(2) High
(3) • Disallow inbound telnet
• Disallow “world” access to sensitive company files
• Disable the guest ID or assign difficult-to-guess password to the guest ID
(4) High
(5) • Disallow inbound telnet
• Disallow “world” access to sensitive company files
• Disable the guest ID
(6) 10 hours to reconfigure and test the system
(7) John Doe, XYZ server system administrator; Jim Smith, company firewall administrator
(8) 9-1-2001 to 9-2-2001
(9) • Perform periodic system security review and testing to ensure adequate security is provided for the XYZ server
Notes on the columns:
(1) The risks (vulnerability/threat pairs) are output from the risk assessment process.
(2) The associated risk level of each identified risk (vulnerability/threat pair) is the output from the risk assessment process.
(3) Recommended controls are output from the risk assessment process.
(4) Action priority is determined based on the risk levels and available resources (e.g., funds, people, technology).
(5) Planned controls selected from the recommended controls for implementation.
(6) Resources required for implementing the selected planned controls.
(7) List of team(s) and persons who will be responsible for implementing the new or enhanced controls.
(8) Start date and projected end date for implementing the new or enhanced controls.
(9) Maintenance requirement for the new or enhanced controls after implementation.
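As an added illustration (not text or code from the guide), the following Python applies the 3 x 3 risk-level matrix named in Section II to the observations quoted in Section V and Appendix C and orders them into the Section VI summary. The likelihood weights (1.0/0.5/0.1), impact weights (100/50/10) and risk-scale thresholds are those of SP 800-30 Section 3.7, Table 3-6; the likelihood and impact ratings given to the two sample observations, and the control listed for observation 1, are assumptions made here.

```python
from dataclasses import dataclass

# Likelihood/impact weights and risk-scale thresholds are those of SP 800-30
# Section 3.7 (Table 3-6); the rest is an added illustration, not the guide's text.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}
RANK = {"High": 0, "Medium": 1, "Low": 2}  # sort key: highest risk first


def risk_level(likelihood: str, impact: str) -> str:
    """3 x 3 matrix cell (likelihood weight x impact weight) mapped to the
    risk scale: >50 High, >10 Medium, otherwise Low."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Observation:
    """One vulnerability/threat pair as listed under Section V of the outline."""
    number: int
    description: str
    likelihood: str
    impact: str
    recommended_controls: tuple[str, ...]

    def risk(self) -> str:
        return risk_level(self.likelihood, self.impact)


def summary_table(observations: list[Observation]) -> list[tuple[int, str, str, str]]:
    """Section VI rows (number, description, risk level, controls), highest risk first."""
    ordered = sorted(observations, key=lambda o: (RANK[o.risk()], o.number))
    return [(o.number, o.description, o.risk(), "; ".join(o.recommended_controls))
            for o in ordered]

# Constructed sample input: the two observations quoted in Appendices B and C.
# Likelihood and impact ratings are assumed here; the page gives only the result.
SAMPLE = [
    Observation(1, "User system passwords can be guessed or cracked", "Medium", "Medium",
                ("Enforce password length and account lockout (assumed control)",)),
    Observation(2, "Unauthorized users can telnet to XYZ server and browse sensitive "
                   "company files with the guest ID", "High", "High",
                ("Disallow inbound telnet",
                 'Disallow "world" access to sensitive company files',
                 "Disable the guest ID or assign difficult-to-guess password to the guest ID")),
]
```

Note that a Medium likelihood against a High impact scores exactly 50 and therefore rates Medium, not High; the thresholds are strict.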