
RISK ASSESSMENT REPORT TEMPLATE

Information Technology Risk Assessment For:

Risk Assessment Report

Risk Assessment Annual Document Review History
The Risk Assessment is reviewed, at least annually, and the date and reviewer recorded in the table below.

Review Date | Reviewer

TABLE OF CONTENTS
1 INTRODUCTION
2 IT SYSTEM CHARACTERIZATION
3 RISK IDENTIFICATION
4 CONTROL ANALYSIS
5 RISK LIKELIHOOD DETERMINATION
6 IMPACT ANALYSIS
7 RISK DETERMINATION
8 RECOMMENDATIONS
9 RESULTS DOCUMENTATION

LIST OF EXHIBITS
Exhibit 1: Risk Assessment Matrix

LIST OF FIGURES
Figure 1 - IT System Boundary Diagram
Figure 2 - Information Flow Diagram

LIST OF TABLES
Table A: Risk Classifications
Table B: IT System Inventory and Definition
Table C: Threats Identified
Table D: Vulnerabilities, Threats, and Risks
Table E: Security Controls
Table F: Risks-Controls-Factors Correlation
Table G: Risk Likelihood Definitions
Table H: Risk Likelihood Ratings
Table I: Risk Impact Rating Definitions
Table J: Risk Impact Analysis
Table K: Overall Risk Rating Matrix
Table L: Overall Risk Ratings Table
Table M: Recommendations

1 INTRODUCTION

Risk assessment participants:

Participant roles in the risk assessment in relation to assigned agency responsibilities:

Risk assessment techniques used:

Table A: Risk Classifications
Risk Level | Risk Description & Necessary Actions
High | The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets or individuals.
Moderate | The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets or individuals.
Low | The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets or individuals.

2 IT SYSTEM CHARACTERIZATION

Table B: IT System Inventory and Definition

IT System Inventory and Definition Document

I. IT System Identification and Ownership
IT System ID:
IT System Common Name:
Owned By:
Physical Location:
Major Business Function:
System Owner: | Phone Number:
System Administrator(s): | Phone Number:
Data Owner(s): | Phone Number(s):
Data Custodian(s): | Phone Number(s):
Other Relevant Information:

II. IT System Boundary and Components
IT System Description and Components:
IT System Interfaces:
IT System Boundary:

III. IT System Interconnections (add additional lines as needed)
Agency or Organization | IT System Name | IT System ID | IT System Owner | Interconnection Security Agreement Status

Table B: IT System Inventory and Definition (continued)

Overall IT System Sensitivity Rating and Classification
Overall IT System Sensitivity Rating: HIGH / MODERATE / LOW. Must be "high" if the sensitivity of any data type is rated "high" on any criterion.
IT System Classification: SENSITIVE / NON-SENSITIVE. Must be "Sensitive" if the overall sensitivity rating is "high"; consider classifying as "Sensitive" if it is "moderate".

Description or diagram of the system and network architecture, including all components of the system and the communications links connecting the components of the system, associated data communications and networks:

Figure 1 - IT System Boundary Diagram

Description or a diagram depicting the flow of information to and from the IT system, including inputs and outputs to the IT system and any other interfaces that exist to the system:

Figure 2 - Information Flow Diagram

3 RISK IDENTIFICATION

Identification of Vulnerabilities
Vulnerabilities were identified by:

Identification of Threats
Threats were identified by:
The threats identified are listed in Table C.

Table C: Threats Identified

Identification of Risks
Risks were identified by:
The way vulnerabilities combine with credible threats to create risks is identified in Table D.

Table D: Vulnerabilities, Threats, and Risks
Risk No. | Vulnerability | Threat | Risk of Compromise of | Risk Summary
(one row per risk, numbered 1 through 25)

4 CONTROL ANALYSIS

Table E documents the IT security controls in place and planned for the IT system.

Table E: Security Controls
Control Area | In-Place/Planned | Description of Controls
1 Risk Management
1.1 IT Security Roles & Responsibilities
1.2 Business Impact Analysis
1.3 IT System & Data Sensitivity Classification
1.4 IT System Inventory & Definition
1.5 Risk Assessment
1.6 IT Security Audits
2 IT Contingency Planning
2.1 Continuity of Operations Planning
2.2 IT Disaster Recovery Planning
2.3 IT System & Data Backup & Restoration
3 IT Systems Security
3.1 IT System Hardening
3.2 IT Systems Interoperability Security
3.3 Malicious Code Protection
3.4 IT Systems Development Life Cycle Security
4 Logical Access Control
4.1 Account Management
4.2 Password Management
4.3 Remote Access
5 Data Protection
5.1 Data Storage Media Protection
5.2 Encryption
6 Facilities Security
6.1 Facilities Security
7 Personnel Security
7.1 Access Determination & Control
7.2 IT Security Awareness & Training
7.3 Acceptable Use
8 Threat Management
8.1 Threat Detection
8.2 Incident Handling
8.3 Security Monitoring & Logging
9 IT Asset Management
9.1 IT Asset Control
9.2 Software License Management
9.3 Configuration Management & Change Control

Table F correlates the risks identified in Table D with the relevant IT security controls documented in Table E and with other mitigating or exacerbating factors.

Table F: Risks-Controls-Factors Correlation
Risk No. | Risk Summary | Correlation of Relevant Controls & Other Factors
(one row per risk, numbered 1 through 25)

5 RISK LIKELIHOOD DETERMINATION

Table G defines the risk likelihood ratings. Rows give the effectiveness of the controls in place; columns give the probability of threat occurrence (natural or environmental threats) or the threat's motivation and capability (human threats). The cell is the resulting likelihood rating.

Table G: Risk Likelihood Definitions
Effectiveness of Controls | Threat Probability / Motivation and Capability: Low | Moderate | High
Low | Moderate | High | High
Moderate | Low | Moderate | High
High | Low | Low | Moderate

Table H evaluates the effectiveness of controls and the probability, or motivation and capability, of each threat to BFS and assigns a likelihood, as defined in Table G, to each risk documented in Table D.

Table H: Risk Likelihood Ratings
Risk No. | Risk Summary | Risk Likelihood Evaluation | Risk Likelihood Rating
(one row per risk, numbered 1 through 25)

6 IMPACT ANALYSIS

Table I documents the ratings used to evaluate the impact of risks.

Table I: Risk Impact Rating Definitions
Magnitude of Impact | Impact Definition
High | Occurrence of the risk: (1) may result in human death or serious injury; (2) may result in the loss of major COV tangible assets, resources or sensitive data; or (3) may significantly harm, or impede, the COV's mission, reputation or interest.
Moderate | Occurrence of the risk: (1) may result in human injury; (2) may result in the costly loss of COV tangible assets or resources; or (3) may violate, harm, or impede the COV's mission, reputation or interest.
Low | Occurrence of the risk: (1) may result in the loss of some tangible COV assets or resources; or (2) may noticeably affect the COV's mission, reputation or interest.

Table J documents the results of the impact analysis, including the estimated impact for each risk identified in Table D and the impact rating assigned to the risk.

Table J: Risk Impact Analysis
Risk No. | Risk Summary | Risk Impact | Risk Impact Rating
(one row per risk, numbered 1 through 25)

Description of the process used in determining impact ratings:

7 RISK DETERMINATION

Table K documents the criteria used in determining overall risk ratings. Each impact rating carries a value (Low 10, Moderate 50, High 100) and each likelihood rating carries a weight (Low 0.1, Moderate 0.5, High 1.0); the overall risk score is impact value times likelihood weight, and the cell shows the resulting overall rating.

Table K: Overall Risk Rating Matrix
Risk Likelihood | Risk Impact: Low (10) | Moderate (50) | High (100)
High (1.0) | Low (10 x 1.0 = 10) | Moderate (50 x 1.0 = 50) | High (100 x 1.0 = 100)
Moderate (0.5) | Low (10 x 0.5 = 5) | Moderate (50 x 0.5 = 25) | Moderate (100 x 0.5 = 50)
Low (0.1) | Low (10 x 0.1 = 1) | Low (50 x 0.1 = 5) | Low (100 x 0.1 = 10)

Risk Scale: Low (1 to 10); Mo
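The likelihood lookup of Table G and the impact-times-likelihood scoring of Table K are the two mechanical steps of this method, and they are easiest to sanity-check when written out as code. The following Python is an added example, not part of the template and not any agency's tooling: it transcribes the two matrices from the page, scores a constructed list of sample risks (the risk descriptions are invented for illustration) and produces rows shaped like Table L. The template only states the Low end of the Risk Scale (1 to 10); the Moderate and High cut-offs used here (above 10 to 50, above 50) are an assumption taken from the cell labels in Table K, and the block verifies that the assumed thresholds reproduce every label in that matrix.

```python
"""Added worked example of the Table G / Table K risk-rating method (not the template's own code)."""
from dataclasses import dataclass

LEVELS = ("Low", "Moderate", "High")

# Table G: row = effectiveness of controls, column = threat probability (natural or
# environmental threats) or threat motivation and capability (human threats).
LIKELIHOOD_MATRIX = {
    "Low":      {"Low": "Moderate", "Moderate": "High",     "High": "High"},
    "Moderate": {"Low": "Low",      "Moderate": "Moderate", "High": "High"},
    "High":     {"Low": "Low",      "Moderate": "Low",      "High": "Moderate"},
}

# Table K inputs: impact value and likelihood weight.
IMPACT_VALUE = {"Low": 10, "Moderate": 50, "High": 100}
LIKELIHOOD_WEIGHT = {"Low": 0.1, "Moderate": 0.5, "High": 1.0}


def _check_level(name, value):
    if value not in LEVELS:
        raise ValueError(f"{name} must be one of {LEVELS}, got {value!r}")


def risk_likelihood(control_effectiveness, threat_level):
    """Table G lookup: likelihood rating from control effectiveness and threat level."""
    _check_level("control_effectiveness", control_effectiveness)
    _check_level("threat_level", threat_level)
    return LIKELIHOOD_MATRIX[control_effectiveness][threat_level]


def risk_score(likelihood, impact):
    """Table K arithmetic: impact value times likelihood weight (1 to 100)."""
    _check_level("likelihood", likelihood)
    _check_level("impact", impact)
    return IMPACT_VALUE[impact] * LIKELIHOOD_WEIGHT[likelihood]


def risk_rating(score):
    """Map a Table K score to an overall rating.

    The template states Low = 1 to 10. The Moderate (above 10 to 50) and High
    (above 50) cut-offs are ASSUMED from the cell labels in Table K.
    """
    if score <= 10:
        return "Low"
    if score <= 50:
        return "Moderate"
    return "High"


def check_table_k_labels():
    """Self-check: the assumed thresholds reproduce every cell label of Table K."""
    expected = {  # (likelihood, impact) -> label printed in the template's matrix
        ("High", "Low"): "Low", ("High", "Moderate"): "Moderate", ("High", "High"): "High",
        ("Moderate", "Low"): "Low", ("Moderate", "Moderate"): "Moderate", ("Moderate", "High"): "Moderate",
        ("Low", "Low"): "Low", ("Low", "Moderate"): "Low", ("Low", "High"): "Low",
    }
    return all(risk_rating(risk_score(lik, imp)) == label
               for (lik, imp), label in expected.items())


@dataclass
class Risk:
    """One row of Table D plus the three assessor judgements the method needs."""
    number: int
    summary: str
    control_effectiveness: str  # from the control analysis (Table E / Table F)
    threat_level: str           # threat probability or motivation and capability
    impact: str                 # from Table J


def assess(risks):
    """Return Table L style rows (No., summary, likelihood, impact, score, rating),
    highest score first so the recommendations (Table M) start with the worst risks."""
    rows = []
    for r in risks:
        likelihood = risk_likelihood(r.control_effectiveness, r.threat_level)
        score = risk_score(likelihood, r.impact)
        rows.append((r.number, r.summary, likelihood, r.impact, score, risk_rating(score)))
    return sorted(rows, key=lambda row: row[4], reverse=True)


# Constructed sample risks for illustration; not taken from the template.
SAMPLE_RISKS = [
    Risk(1, "Unpatched web server exposed to the Internet", "Low", "High", "High"),
    Risk(2, "Backup tapes stored without encryption", "Moderate", "Moderate", "Moderate"),
    Risk(3, "Power outage at the primary site", "High", "Moderate", "Moderate"),
    Risk(4, "Shared administrator account on a test system", "Moderate", "Low", "Low"),
]

if __name__ == "__main__":
    assert check_table_k_labels()
    print("No. | Summary | Likelihood | Impact | Score | Rating")
    for number, summary, likelihood, impact, score, rating in assess(SAMPLE_RISKS):
        print(f"{number} | {summary} | {likelihood} | {impact} | {score:g} | {rating}")
```

Note what the matrix does and does not distinguish: a High-impact risk with Moderate likelihood and a Moderate-impact risk with High likelihood both score 50 and both land in Moderate, while a Low-impact risk stays Low no matter how likely it is. If that ordering is not what the agency wants, the weights in Table K, not the code, are what to change.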
