Source: 《2022年风险评估模板 .pdf》 (2022 Risk Assessment Template, 21 pages), shared by a member on taowenge.com.
RISK ASSESSMENT REPORT TEMPLATE
Information Technology Risk Assessment For: ________________

Page footer repeated on every page of the original (shown once here): 名师资料总结 - quality materials, welcome to download - carefully compiled - page 1 of 21

Risk Assessment Annual Document Review History
The Risk Assessment is reviewed, at least annually, and the date and reviewer recorded on the table below.

Review Date | Reviewer
(blank in the template)

TABLE OF CONTENTS
1 Introduction ..... 1
2 IT System Characterization ..... 2
3 Risk Identification ..... 6
4 Control Analysis ..... 8
5 Risk Likelihood Determination ..... 11
6 Impact Analysis ..... 13
7 Risk Determination ..... 15
8 Recommendations ..... 17
9 Results Documentation ..... 18

LIST OF EXHIBITS
Exhibit 1: Risk Assessment Matrix ..... 18

LIST OF FIGURES
Figure 1 IT System Boundary Diagram ..... 4
Figure 2 Information Flow Diagram ..... 5

LIST OF TABLES
Table A: Risk Classifications ..... 1
Table B: IT System Inventory and Definition ..... 2
Table C: Threats Identified ..... 4
Table D: Vulnerabilities, Threats, and Risks ..... 5
Table E: Security Controls ..... 6
Table F: Risks-Controls-Factors Correlation ..... 8
Table G: Risk Likelihood Definitions ..... 9
Table H: Risk Likelihood Ratings ..... 9
Table I: Risk Impact Rating Definitions ..... 13
Table J: Risk Impact Analysis ..... 13
Table K: Overall Risk Rating Matrix ..... 15
Table L: Overall Risk Ratings Table ..... 15
Table M: Recommendations ..... 17

1 INTRODUCTION

Risk assessment participants:
Participant roles in the risk assessment in relation to assigned agency responsibilities:
Risk assessment techniques used:

Table A: Risk Classifications
Risk Level | Risk Description & Necessary Actions
High | The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets or individuals.
Moderate | The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets or individuals.
Low | The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets or individuals.

2 IT SYSTEM CHARACTERIZATION

Table B: IT System Inventory and Definition
IT System Inventory and Definition Document

I. IT System Identification and Ownership
IT System ID:
IT System Common Name:
Owned By:
Physical Location:
Major Business Function:
System Owner | Phone Number:
System Administrator(s) | Phone Number:
Data Owner(s) | Phone Number(s):
Data Custodian(s) | Phone Number(s):
Other Relevant Information:

II. IT System Boundary and Components
IT System Description and Components:
IT System Interfaces:
IT System Boundary:

III. IT System Interconnections (add additional lines, as needed)
Agency or Organization | IT System Name | IT System ID | IT System Owner | Interconnection Security Agreement Status
(blank in the template)

Table B: IT System Inventory and Definition (continued)

Overall IT System Sensitivity Rating and Classification
Overall IT System Sensitivity Rating (must be "high" if the sensitivity of any data type is rated "high" on any criterion): HIGH / MODERATE / LOW
IT System Classification (must be "Sensitive" if overall sensitivity is "high"; consider as "Sensitive" if overall sensitivity is "moderate"): SENSITIVE / NON-SENSITIVE

Description or diagram of the system and network architecture, including all components of the system and communications links connecting the components of the system, associated data communications and networks:

Figure 1 IT System Boundary Diagram
(blank in the template)

Description or a diagram depicting the flow of information to and from the IT system, including inputs and outputs to the IT system and any other interfaces that exist to the system:

Figure 2 Information Flow Diagram
(blank in the template)

3 RISK IDENTIFICATION

Identification of Vulnerabilities
Vulnerabilities were identified by:

Identification of Threats
Threats were identified by:
The threats identified are listed in Table C.

Table C: Threats Identified
(blank in the template)

Identification of Risks
Risks were identified by:
The way vulnerabilities combine with credible threats to create risks is identified in Table D.

Table D: Vulnerabilities, Threats, and Risks
Risk No. | Vulnerability | Threat | Risk of Compromise of | Risk Summary
1 through 25 (blank in the template)

4 CONTROL ANALYSIS

Table E documents the IT security controls in place and planned for the IT system.

Table E: Security Controls
Control Area | In-Place / Planned | Description of Controls
1 Risk Management
1.1 IT Security Roles & Responsibilities
1.2 Business Impact Analysis
1.3 IT System & Data Sensitivity Classification
1.4 IT System Inventory & Definition
1.5 Risk Assessment
1.6 IT Security Audits
2 IT Contingency Planning
2.1 Continuity of Operations Planning
2.2 IT Disaster Recovery Planning
2.3 IT System & Data Backup & Restoration
3 IT Systems Security
3.1 IT System Hardening
3.2 IT Systems Interoperability Security
3.3 Malicious Code Protection
3.4 IT Systems Development Life Cycle Security
4 Logical Access Control
4.1 Account Management
4.2 Password Management
4.3 Remote Access
5 Data Protection
4.4 Data Storage Media Protection
4.5 Encryption
6 Facilities Security
6.1 Facilities Security
7 Personnel Security
7.1 Access Determination & Control
7.2 IT Security Awareness & Training
7.3 Acceptable Use
8 Threat Management
8.1 Threat Detection
8.2 Incident Handling
8.3 Security Monitoring & Logging
9 IT Asset Management
9.1 IT Asset Control
9.2 Software License Management
9.3 Configuration Management & Change Control

Table F correlates the risks identified in Table D with the relevant IT security controls documented in Table E and with other mitigating or exacerbating factors.

Table F: Risks-Controls-Factors Correlation
Risk No. | Risk Summary | Correlation of Relevant Controls & Other Factors
1 through 25 (blank in the template)

5 RISK LIKELIHOOD DETERMINATION

Table G defines the risk likelihood ratings.

Table G: Risk Likelihood Definitions
Rows: Effectiveness of Controls. Columns: Probability of Threat Occurrence (Natural or Environmental Threats) or Threat Motivation and Capability (Human Threats).

Effectiveness of Controls | Low      | Moderate | High
Low                       | Moderate | High     | High
Moderate                  | Low      | Moderate | High
High                      | Low      | Low      | Moderate

Table H evaluates the effectiveness of controls and the probability, or motivation and capability, of each threat to BFS and assigns a likelihood, as defined in Table G, to each risk documented in Table D.

Table H: Risk Likelihood Ratings
Risk No. | Risk Summary | Risk Likelihood Evaluation | Risk Likelihood Rating
1 through 25 (blank in the template)

6 IMPACT ANALYSIS

Table I documents the ratings used to evaluate the impact of risks.

Table I: Risk Impact Rating Definitions
Magnitude of Impact | Impact Definition
High | Occurrence of the risk: (1) may result in human death or serious injury; (2) may result in the loss of major COV tangible assets, resources or sensitive data; or (3) may significantly harm, or impede the COV's mission, reputation or interest.
Moderate | Occurrence of the risk: (1) may result in human injury; (2) may result in the costly loss of COV tangible assets or resources; or (3) may violate, harm, or impede the COV's mission, reputation or interest.
Low | Occurrence of the risk: (1) may result in the loss of some tangible COV assets or resources; or (2) may noticeably affect the COV's mission, reputation or interest.

Table J documents the results of the impact analysis, including the estimated impact for each risk identified in Table D and the impact rating assigned to the risk.

Table J: Risk Impact Analysis
Risk No. | Risk Summary | Risk Impact | Risk Impact Rating
1 through 25 (blank in the template)

Description of process used in determining impact ratings:

7 RISK DETERMINATION

Table K documents the criteria used in determining overall risk ratings.

Table K: Overall Risk Rating Matrix
Rows: Risk Likelihood (with its factor). Columns: Risk Impact (with its value).

Risk Likelihood | Low (10)            | Moderate (50)            | High (100)
High (1.0)      | Low (10 x 1.0 = 10) | Moderate (50 x 1.0 = 50) | High (100 x 1.0 = 100)
Moderate (0.5)  | Low (10 x 0.5 = 5)  | Moderate (50 x 0.5 = 25) | Moderate (100 x 0.5 = 50)
Low (0.1)       | Low (10 x 0.1 = 1)  | Low (50 x 0.1 = 5)       | Low (100 x 0.1 = 10)

Risk Scale: Low (1 to 10); Moderate (10 to 50); High (50 to 100)

Table L assigns an overall risk rating, as defined in Table K, to each of the risks documented in Table D.

Table L: Overall Risk Ratings Table
Risk No. | Risk Summary | Risk Likelihood Rating | Risk Impact Rating | Overall Risk Rating
1 through 25 (blank in the template)

Description of process used in determining overall risk ratings:

8 RECOMMENDATIONS

Table M documents recommendations for the risks identified in Table D.

Table M: Recommendations
Risk No. | Risk | Risk Rating | Recommendations
1 through 25 (blank in the template)

9 RESULTS DOCUMENTATION

Exhibit 1: Risk Assessment Matrix
Risk No. | Vulnerability | Threat | Risk | Risk Summary | Risk Likelihood Rating | Risk Impact Rating | Overall Risk Rating | Analysis of Relevant Controls and Other Factors | Recommendations
1 through 25 (blank in the template)
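The likelihood matrix in Table G, the score arithmetic and scale in Table K, and the rating columns of Exhibit 1 describe one computation: control effectiveness and threat probability give a likelihood, likelihood and impact give a score, and the score maps to an overall rating. The Python below is an added example, not part of the template or of any agency's tooling; it implements that computation end to end and checks itself against the nine cells printed in Table K. The `RiskInput` type, the `assess` function and the three sample risks are the example's own constructions. It also handles the one ambiguity a practitioner hits immediately: the printed Risk Scale overlaps at 10 and 50, and the example resolves those boundaries the way Table K's own cells do (10 is Low, 50 is Moderate).

```python
"""Rating calculator for the template's Tables G and K (added example)."""
from dataclasses import dataclass

# Table G: rows = effectiveness of controls, columns = threat probability
# (natural/environmental) or threat motivation and capability (human).
LIKELIHOOD_MATRIX = {
    "Low":      {"Low": "Moderate", "Moderate": "High",     "High": "High"},
    "Moderate": {"Low": "Low",      "Moderate": "Moderate", "High": "High"},
    "High":     {"Low": "Low",      "Moderate": "Low",      "High": "Moderate"},
}

# Table K: likelihood factor multiplied by impact value.
LIKELIHOOD_FACTOR = {"High": 1.0, "Moderate": 0.5, "Low": 0.1}
IMPACT_VALUE = {"Low": 10, "Moderate": 50, "High": 100}

# The nine ratings exactly as printed in Table K, (likelihood, impact) -> rating.
TABLE_K_CELLS = {
    ("High", "Low"): "Low", ("High", "Moderate"): "Moderate", ("High", "High"): "High",
    ("Moderate", "Low"): "Low", ("Moderate", "Moderate"): "Moderate", ("Moderate", "High"): "Moderate",
    ("Low", "Low"): "Low", ("Low", "Moderate"): "Low", ("Low", "High"): "Low",
}


def likelihood_rating(control_effectiveness: str, threat_probability: str) -> str:
    """Table G lookup; a rating outside Low/Moderate/High raises KeyError."""
    return LIKELIHOOD_MATRIX[control_effectiveness][threat_probability]


def risk_score(likelihood: str, impact: str) -> float:
    """Table K arithmetic, rounded so 100 x 0.1 compares cleanly with 10."""
    return round(IMPACT_VALUE[impact] * LIKELIHOOD_FACTOR[likelihood], 1)


def overall_rating(score: float) -> str:
    """Risk Scale mapping. The printed bands (1-10, 10-50, 50-100) overlap at
    10 and 50; Table K's cells place 10 in Low and 50 in Moderate, so each
    boundary belongs to the lower band."""
    if score <= 10:
        return "Low"
    if score <= 50:
        return "Moderate"
    return "High"


def table_k_is_consistent() -> bool:
    """Self-check: recompute every Table K cell and compare with the template."""
    return all(
        overall_rating(risk_score(likelihood, impact)) == expected
        for (likelihood, impact), expected in TABLE_K_CELLS.items()
    )


@dataclass
class RiskInput:  # hypothetical input record, one per Table D risk
    risk_no: int
    summary: str
    control_effectiveness: str  # Table G row
    threat_probability: str     # Table G column
    impact_rating: str          # Table I rating


def assess(risks):
    """Fill the Exhibit 1 rating columns for each risk."""
    rows = []
    for r in risks:
        likelihood = likelihood_rating(r.control_effectiveness, r.threat_probability)
        score = risk_score(likelihood, r.impact_rating)
        rows.append({
            "risk_no": r.risk_no,
            "summary": r.summary,
            "likelihood": likelihood,
            "impact": r.impact_rating,
            "score": score,
            "overall": overall_rating(score),
        })
    return rows


# Constructed sample risks; not taken from the template.
SAMPLE_RISKS = [
    RiskInput(1, "Unpatched public web server", "Low", "High", "High"),
    RiskInput(2, "Backup media stored on site only", "Moderate", "Moderate", "Moderate"),
    RiskInput(3, "Shared administrator account", "High", "Moderate", "High"),
]

if __name__ == "__main__":
    print("Table K reproduced:", table_k_is_consistent())
    for row in assess(SAMPLE_RISKS):
        print(f"{row['risk_no']:>2} {row['summary']:<34} likelihood={row['likelihood']:<8} "
              f"impact={row['impact']:<8} score={row['score']:>5} -> {row['overall']}")
```

Running the script prints the self-check result followed by one Exhibit 1 style line per sample risk; the third sample lands exactly on the score 10 boundary and is rated Low, as Table K's bottom-right cell requires.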