A risk evaluation from a system security perspective is known as a risk assessment (or security assessment). The process of the risk evaluation is detailed in NIST SP 800-30, Guide for Risk Assessments, and NIST SP 800-39, Risk Management.
Risk evaluation means risk identification. Risk identification has seven main steps (plus two additional steps dedicated to recommendation and documentation):
1) System characterization – documented in a System Security Plan (SSP). The asset information to evaluate covers the following:
- System interfaces (e.g., internal and external connectivity)
- Data and information
- Persons who support and use the IT system
- System mission (e.g., the processes performed by the IT system)
- System and data criticality (e.g., the system’s value or importance to an organization)
- System and data sensitivity
2) Threat Evaluation – Evaluate possible threat sources by looking at what negative activities are likely to happen to the system.
3) Vulnerability Evaluation – Look at the vulnerabilities and evaluate the biggest weakness in the systems.
4) Security Control Evaluation – Examine what controls the system already has applied.
5) Likelihood of occurrence evaluation – The probability that your asset will be exploited is based on the threat source’s motivation, the threat’s capability, your vulnerabilities and the security controls you have in place. From all these factors you can calculate the likelihood of an attack or disaster.
6) Impact Evaluation – This is where you gather all the data from asset identification, threat sources, vulnerability identification, security controls and likelihood of attack, and figure out what would happen if an incident really did occur. How important is your system and its data? What would happen to the mission, bottom line or profits if the system went down for a few hours? A few days? A few weeks? Some systems are so important that they cannot be down for even a minute. Impact weighs heavily in the level of risk: the more important the system is, the higher the risk.
7) Risk Determination / Risk Evaluation – Based on all the data gathered you can make a sound risk determination. You should have defined the system’s components and what data is important, reached a well-founded conclusion on threat sources and the likelihood of vulnerability exploitation, and know exactly what kind of impact there will be if the system goes down.
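The seven steps above can be walked through for a single asset in code. The following is an added example, not part of the original text and not NIST's own tooling: it records the asset (step 1), a threat source (step 2), a vulnerability (step 3) and the controls already applied (step 4), derives likelihood (step 5) and impact (step 6) on a three-level scale, and combines them into a risk determination (step 7). The 1..3 scoring scales, the control-effectiveness weighting and the likelihood-by-impact matrix are constructed for illustration and are an assumption, as is all the sample data; a real assessment would use the scales the organization has adopted.

```python
"""Added worked example: a small risk-register calculator for one asset.
Scales, weightings and the risk matrix are constructed for illustration
(an assumption), not reproduced from NIST SP 800-30."""

from dataclasses import dataclass
from typing import Sequence

LEVELS = ("Low", "Moderate", "High")  # qualitative scale, index 0..2


def to_level(score: float) -> str:
    """Map a 1..3 numeric score onto the three-level scale (round half up)."""
    idx = min(2, max(0, int(score + 0.5) - 1))
    return LEVELS[idx]


@dataclass(frozen=True)
class Asset:            # step 1: system characterization
    name: str
    criticality: int    # 1..3, value or importance to the mission
    sensitivity: int    # 1..3, sensitivity of the data it holds


@dataclass(frozen=True)
class Threat:           # step 2: threat evaluation
    source: str
    motivation: int     # 1..3
    capability: int     # 1..3


@dataclass(frozen=True)
class Vulnerability:    # step 3: vulnerability evaluation
    description: str
    severity: int       # 1..3, how easily the weakness can be exploited


@dataclass(frozen=True)
class Control:          # step 4: security control evaluation
    name: str
    effectiveness: float  # 0.0 (no effect) .. 1.0 (fully mitigates)


def likelihood(threat: Threat, vuln: Vulnerability,
               controls: Sequence[Control]) -> str:
    """Step 5: motivation, capability and vulnerability severity raise the
    likelihood; each applied control scales the remaining exposure down."""
    raw = (threat.motivation + threat.capability + vuln.severity) / 3
    residual_exposure = 1.0
    for c in controls:
        residual_exposure *= (1.0 - c.effectiveness)
    # pull the 1..3 raw score back towards 1 as exposure shrinks
    score = 1 + (raw - 1) * residual_exposure
    return to_level(score)


def impact(asset: Asset) -> str:
    """Step 6: impact follows the higher of criticality and data sensitivity."""
    return to_level(max(asset.criticality, asset.sensitivity))


# Step 7: constructed likelihood-by-impact matrix (an assumption).
RISK_MATRIX = {
    ("Low", "Low"): "Low",           ("Low", "Moderate"): "Low",
    ("Low", "High"): "Low",          ("Moderate", "Low"): "Low",
    ("Moderate", "Moderate"): "Moderate", ("Moderate", "High"): "Moderate",
    ("High", "Low"): "Low",          ("High", "Moderate"): "Moderate",
    ("High", "High"): "High",
}


def risk_level(lik: str, imp: str) -> str:
    return RISK_MATRIX[(lik, imp)]


def assess(asset: Asset, threat: Threat, vuln: Vulnerability,
           controls: Sequence[Control]) -> dict:
    """Run steps 5 to 7 and return one risk-register row."""
    lik = likelihood(threat, vuln, controls)
    imp = impact(asset)
    return {"asset": asset.name, "threat": threat.source,
            "vulnerability": vuln.description, "controls": [c.name for c in controls],
            "likelihood": lik, "impact": imp, "risk": risk_level(lik, imp)}


# Constructed sample data (hypothetical, for illustration only).
PAYROLL = Asset("payroll-db", criticality=3, sensitivity=3)
TEST_WIKI = Asset("internal-test-wiki", criticality=1, sensitivity=1)
INSIDER = Threat("disgruntled employee", motivation=3, capability=2)
WEAK_PW = Vulnerability("shared admin password never rotated", severity=3)
NO_CONTROLS: list = []
CONTROLS = [Control("MFA on admin accounts", 0.6),
            Control("quarterly password rotation", 0.2)]

if __name__ == "__main__":
    for asset in (PAYROLL, TEST_WIKI):
        for controls in (NO_CONTROLS, CONTROLS):
            print(assess(asset, INSIDER, WEAK_PW, controls))
```

Running it shows the two effects the text describes: adding controls lowers the likelihood for the payroll database from High to Moderate, and the same threat and vulnerability against a low-criticality test wiki yields only a Low risk because impact, not likelihood, dominates the determination.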