【经典资料,WORD文档,可编辑修改】
【经典考试资料,答案附后,看后必过,WORD文档,可修改】
RISK ASSESSMENT REPORT TEMPLATE
Information Technology Risk Assessment For
Risk Assessment Annual Document Review History
T ABLE OF C ONTENTS
1INTRODUCTION (1)
2IT SYSTEM CHARACTERIZATION (2)
3RISK IDENTIFICATION (6)
4CONTROL ANALYSIS (8)
5RISK LIKELIHOOD DETERMINATION (12)
6IMPACT ANALYSIS (14)
7RISK DETERMINATION (16)
8RECOMMENDATIONS (18)
9RESULTS DOCUMENTATION (20)
L IST OF E XHIBITS
E XHIBIT 1:R ISK A SSESSMENT M ATRIX (20)
L IST OF F IGURES
F IGURE 1–IT S YSTEM B OUNDARY D IAGRAM (4)
F IGURE 2–I NFORMATION F LOW D IAGRAM (5)
L IST OF T ABLES
T ABLE A: R ISK C LASSIFICATIONS (1)
T ABLE B: IT S YSTEM I NVENTORY AND D EFINITION (2)
T ABLE C: T HREATS I DENTIFIED (4)
T ABLE D: V ULNERABILITIES,T HREATS, AND R ISKS (5)
T ABLE E:S ECURITY C ONTROLS (6)
T ABLE F:R ISKS-C ONTROLS-F ACTORS C ORRELATION (8)
T ABLE G:R ISK L IKELIHOOD D EFINITIONS (9)
T ABLE H:R ISK L IKELIHOOD R ATINGS (9)
T ABLE I:R ISK I MPACT R ATING D EFINITIONS (14)
T ABLE J:R ISK I MPACT A NALYSIS (14)
T ABLE K:O VERALL R ISK R ATING M ATRIX (16)
T ABLE L: O VERALL R ISK R ATINGS T ABLE (16)
T ABLE M: R ECOMMENDATIONS (18)
1 INTRODUCTION
Risk assessment participants:
Participant roles in the risk assessment in relation assigned agency responsibilities: Risk assessment techniques used:
2 IT SYSTEM CHARACTERIZATION
2 IT SYSTEM CHARACTERIZATION
Sensitivity Rating and Classification
H IGHM ODERATEL OW
IT System Classification
Must be “Sensitive” if overall sensitivity is “high”; consider as “Sensitive” if overall
sensitivity is “moderate”
S ENSITIVEN ON-S ENSITIVE
Description or diagram of the system and network architecture, including all components of the system and communications links connecting the components of the system, associated data communications and networks:
Figure 1 – IT System Boundary Diagram
Description or a diagram depicting the flow of information to and from the IT system, including inputs and outputs to the IT system and any other interfaces that exist to the system:
Figure 2 – Information Flow Diagram
3 RISK IDENTIFICATION
Identification of Vulnerabilities
Vulnerabilities were identified by:
Identification of Threats
Threats were identified by:
Identification of Risks
Risks were identified by:
The way vulnerabilities combine with credible threats to create risks is identified Table D.
4 CONTROL ANALYSIS
Table E correlates the risks identified in Table C with relevant IT security controls documented in Table D and with other mitigating or exacerbating factors.
Risk No.Risk Summary
Correlation of Relevant Controls & Other
Factors
1 2 3 4 5 6 7 8 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
5 RISK LIKELIHOOD DETERMINATION
Table G defines the risk likelihood ratings.
Table G , evaluates the effectiveness of controls and the probability or motivation and capability of each threat to BFS and assigns a likelihood, as defined in Table F, to each risk documented in Table C. Risk No. Risk Summary
Risk Likelihood Evaluation
Risk Likelihood
Rating
1 2 3 4 5 6 7 8 9 10 11 12
Risk No.Risk Summary Risk Likelihood Evaluation
Risk Likelihood
Rating
13
14
15
16
17
18
19
Risk No.Risk Summary Risk Likelihood Evaluation
Risk Likelihood
Rating
20
21
22
23
24
25
6 IMPACT ANALYSIS
Table I documents the ratings used to evaluate the impact of risks.
Table J documents the results of the impact analysis, including the estimated impact for
Description of process used in determining impact ratings:
7 RISK DETERMINATION
Table K documents the criteria used in determining overall risk ratings.
Risk Scale: Low (1 to 10); Moderate (>10 to 50); High (>50 to 100) Table L assigns an overall risk rating, as defined in Table K, to each of the risks documented in Table D.
Description of process used in determining overall risk ratings:
8 RECOMMENDATIONS
Table M documents recommendations for the risks identified in Table D.
9 RESULTS DOCUMENTATION
Exhibit 1: Risk Assessment Matrix。