In Step 1 you identified the critical IT assets in your department. In Step 2 you will analyze the risks facing those assets and identify and prioritize strategies for protecting them.
This process is explained concisely by the current state IT security standard:
Once the level of sensitivity of the information resources has been identified through the business impact analysis, the threats to which they are subject need to be identified and evaluated. This process is referred to as a risk assessment. As an example, the probability of each threat event occurring and the resultant impact of that event on the information resources could be assessed during this process. Examples of potential impacts that would adversely affect the [department] include financial loss, public embarrassment, loss of public confidence, noncompliance with State or Federal statutes, and degraded customer (public) service. The [department] needs to decide if and when a residual level of risk may be acceptable.
Based on the business impact analysis and the risk assessment, the [department] determines what types of safeguards are appropriate to address their defined risks. In this manner, the safeguards deployed reflect the true importance of the… investment in the information resources used to accomplish the [department’s] mission.
A focus on departmental mission is vital; departments cannot – and are not expected to – mitigate every risk, but they must prioritize based on the threat to their mission and the resources available to them.
Three sets of templates and/or tools are included to assist in this process:
2.1 Risk assessment questions (with paths determined by applicability of laws)
- Assess departmental security practices against audit, state and federal standards
2.2 Threat, attack and vulnerability scenarios (with response strategies)
- Map your department’s assets from Step 1 to the threat scenarios provided (and others that your department identifies)
- Assign a weight to each threat to your assets based on the likelihood of it occurring in your environment and the impact it would have if it did
- Prioritize the threats you face
- Map these threats back to response strategies provided (and others your department develops)
2.3 Security plan development (template)
- Create (or update if you already have one) your department’s security plan for mitigating or accepting the identified risks
- Take into account previously implemented strategies and existing plans – use (and document) effort and analysis that you have already produced
- Document your key decisions and justifications
