Information Security Risk Assessment: Practices of Leading Organizations

Published by the Government Accountability Office on 1999-11-01.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                 United States General Accounting Office

                 Accounting and Information
GAO              Management Division

November 1999
                 Information Security
                 Risk Assessment
                 Practices of Leading
                 A Supplement to GAO’s May 1998
                 Executive Guide on Information
                 Security Management


Managing the security risks associated with our government’s growing reliance on
information technology is a continuing challenge. In particular, federal agencies, like
many private organizations, have struggled to find efficient ways to ensure that they fully
understand the information security risks affecting their operations and implement
appropriate controls to mitigate these risks.

This guide is intended to help federal managers implement an ongoing information
security risk assessment process by providing examples, or case studies, of practical risk
assessment procedures that have been successfully adopted by four organizations known
for their efforts to implement good risk assessment practices. More importantly, it
identifies, based on the case studies, factors that are important to the success of any risk
assessment program, regardless of the specific methodology employed.

The information provided in this document supplements guidance provided in our May
1998 executive guide Information Security Management: Learning From Leading
Organizations (GAO/AIMD-98-68). In that guide, we outlined five major elements of risk
management and 16 related information security management practices that GAO
identified during a study of organizations with superior information security programs.
One of the five elements identified encompasses assessing risk and determining risk-
reduction needs.

This guide is one of a series of GAO publications, listed in appendix I, that are intended
to define actions federal officials can take to better manage their information resources.
Contributors to this supplementary guide include Jean Boltz, Ernest Döring, and Michael
Gilmore. If you have any questions about this guide, please contact me at (202) 512-6240
or by e-mail at brockj.aimd@gao.gov.


Jack L. Brock, Jr.
Director, Governmentwide and Defense
 Information Systems

GAO/AIMD-00-33 Information Security Risk Assessment                                       1

Preface                                                     1
Introduction                                                4

    Federal Guidance                                                                   4
    Risk Assessment Is an Essential Element of Risk Management                         5
    Basic Elements of the Risk Assessment Process                                      6
    Challenges Associated With Assessing Information Security Risks                    7
Overview of Case Study Findings                                                        9

    Critical Success Factors                                                         11
    Tools                                                                            15
    Benefits                                                                         16
Case Study 1: Multinational Oil Company                                              17

    Distinguishing Characteristics                                                   17
    Initiating a Risk Assessment                                                     19
    Conducting and Documenting the Assessment                                        19
    Reporting and Ensuring That Agreed Upon Actions Are Taken                        23

Case Study 2: Financial Services Company                                             24

    Distinguishing Characteristics                                                   24
    Initiating a Risk Assessment                                                     26
    Conducting and Documenting the Assessment                                        26

Case Study 3: Regulatory Organization                                                32

    Distinguishing Characteristics                                                   32
    Initiating a Risk Assessment                                                     34
    Conducting and Documenting the Assessment                                        34
    Reporting and Ensuring That Agreed Upon Actions Are Taken                        38

2                                    GAO/AIMD-00-33 Information Security Risk Assessment
Case Study 4: Computer Hardware and Software                               39
   Distinguishing Characteristics                                          39
   Initiating a Risk Assessment                                            41
   Conducting and Documenting the Assessment                               41
   Reporting and Ensuring That Agreed Upon Actions Are Taken               46

Appendix I: GAO Guides on Information Technology Management                47
Appendix II: Objectives and Methodology                                    48

Table 1: Risk Assessment Matrix                                            36
Table 2: Risk Assessment Table                                             37

Figure 1: Risk Management Cycle                                             6
Figure 2: Risk Assessment Practices and Related Benefits                   10
Figure 3: Risk Assessment Process Diagram 1                                18
Figure 4: Risk Assessment Matrix                                           22
Figure 5: Risk Assessment Process Diagram 2                                25
Figure 6: Abbreviated Example of Standardized Questionnaire                28
Figure 7: Risk Assessment Process Diagram 3                                33
Figure 8: Elements Considered in Ranking Risk                              35
Figure 9: Risk Assessment Process Diagram 4                                40
Figure 10: Questionnaire Items Related to Authorization                    43
Figure 11: Example of Five Strength Levels for Security Training           45

GAO     General Accounting Office
NIST    National Institute of Standards and Technology
OMB     Office of Management and Budget

GAO/AIMD-00-33 Information Security Risk Assessment                         3

The federal government is increasingly reliant on automated and interconnected systems
to perform functions essential to the national welfare, such as national defense, federal
payments, and tax collection. The benefits of such activities include improved
government information processing and communication. However, the factors that
benefit government operations—speed of processing and access to information—also
increase the risks of computer intrusion, fraud, and disruption.

Information systems have long been at some risk from malicious actions or inadvertent
user errors and from natural and man-made disasters. In recent years, systems have
become more susceptible to these threats because computers have become more
interconnected and, thus, more interdependent and accessible to a larger number of
individuals. In addition, the number of individuals with computer skills is increasing, and
intrusion, or “hacking,” techniques are becoming more widely known via the Internet and
other media.

Numerous government reports published over the last few years indicate that federal
automated operations and electronic data are inadequately protected against these risks.
 These reports show that poor security program management is one of the major
underlying problems. A principal challenge many agencies face is in identifying and
ranking the information security risks to their operations, which is the first step in
developing and managing an effective security program. Taking this step helps ensure
that organizations identify the most significant risks and determine what actions are
appropriate to mitigate them.

Federal Guidance
The Office of Management and Budget (OMB), as part of Circular A-130, Appendix III,
“Security of Federal Automated Information Resources,” requires federal agencies to
consider risk when deciding what security controls to implement. It states that a risk-
based approach is required to determine adequate security, and it encourages agencies to
consider major risk factors, such as the value of the system or application, threats,
vulnerabilities, and the effectiveness of current or proposed safeguards. The OMB
Director reiterated these responsibilities on June 23, 1999, when he issued Memorandum
99-20, “Security of Federal Automated Information Resources,” reminding federal
agencies that they must continually assess the risk to their computer systems and
maintain adequate security commensurate with that risk. This memorandum was issued
in response to a spate of intentional disruptions of government web sites.

The National Institute of Standards and Technology (NIST) also recognizes the
importance of conducting risk assessments for securing computer-based
resources. NIST’s guidance on risk assessment is contained in An Introduction to
Computer Security: The NIST Handbook, Special Publication 800-12, December 1995, and

4                                     GAO/AIMD-00-33 Information Security Risk Assessment
Generally Accepted Principles and Practices for Securing Information Technology
Systems, published in September 1996.

Risk Assessment Is an Essential Element of Risk Management

As discussed in our May 1998 executive guide Information Security Management:
Learning From Leading Organizations (GAO/AIMD-98-68), assessing risk is one element
of a broader set of risk management activities. Other elements include establishing a
central management focal point, implementing appropriate policies and related controls,
promoting awareness, and monitoring and evaluating policy and control effectiveness.

Although all elements of the risk management cycle are important, risk assessments
provide the foundation for other elements of the cycle. In particular, risk assessments
provide a basis for establishing appropriate policies and selecting cost-effective
techniques to implement these policies. Since risks and threats change over time, it is
important that organizations periodically reassess risks and reconsider the
appropriateness and effectiveness of the policies and controls they have selected. This
continuing cycle of activity, including risk assessment, is illustrated in the following
depiction of the risk management cycle.

GAO/AIMD-00-33 Information Security Risk Assessment                                        5
    Figure 1: Risk Management Cycle

                                       Risk &

         Implement                      Central                      Monitor &
         Policies &                      Focal                       Evaluate
          Controls                       Point


Basic Elements of the Risk Assessment Process
Risk assessments, whether they pertain to information security or other types of risk, are
a means of providing decisionmakers with information needed to understand factors that
can negatively influence operations and outcomes and make informed judgments
concerning the extent of actions needed to reduce risk. For example, bank officials have
conducted risk assessments to manage the risk of default associated with their loan
portfolios, and nuclear power plant engineers have conducted such assessments to
manage risks to public health and safety. As reliance on computer systems and
electronic data has grown, information security risk has joined the array of risks that
governments and businesses must manage. Regardless of the types of risk being
considered, all risk assessments generally include the following elements.

    Identifying threats that could harm and, thus, adversely affect critical operations and
    assets. Threats include such things as intruders, criminals, disgruntled employees,
    terrorists, and natural disasters.

6                                      GAO/AIMD-00-33 Information Security Risk Assessment
   Estimating the likelihood that such threats will materialize based on historical
   information and judgment of knowledgeable individuals.

   Identifying and ranking the value, sensitivity, and criticality of the operations and
   assets that could be affected should a threat materialize in order to determine which
   operations and assets are the most important.

   Estimating, for the most critical and sensitive assets and operations, the potential
   losses or damage that could occur if a threat materializes, including recovery costs.

   Identifying cost-effective actions to mitigate or reduce the risk. These actions can
   include implementing new organizational policies and procedures as well as
   technical or physical controls.

   Documenting the results and developing an action plan.

There are various models and methods for assessing risk, and the extent of an analysis
and the resources expended can vary depending on the scope of the assessment and the
availability of reliable data on risk factors. In addition, the availability of data can affect
the extent to which risk assessment results can be reliably quantified. A quantitative
approach generally estimates the monetary cost of risk and risk reduction techniques
based on (1) the likelihood that a damaging event will occur, (2) the costs of potential
losses, and (3) the costs of mitigating actions that could be taken. When reliable data on
likelihood and costs are not available, a qualitative approach can be taken by defining
risk in more subjective and general terms such as high, medium, and low. In this regard,
qualitative assessments depend more on the expertise, experience, and judgment of
those conducting the assessment. It is also possible to use a combination of quantitative
and qualitative methods.

Challenges Associated With Assessing
Information Security Risks

Reliably assessing information security risks can be more difficult than assessing other
types of risks, because the data on the likelihood and costs associated with information
security risk factors are often more limited and because risk factors are constantly
changing. For example,

     data are limited on risk factors, such as the likelihood of a sophisticated hacker
     attack and the costs of damage, loss, or disruption caused by events that exploit
     security weaknesses;

     some costs, such as loss of customer confidence or disclosure of sensitive
     information, are inherently difficult to quantify;

     although the cost of the hardware and software needed to strengthen controls may
     be known, it is often not possible to precisely estimate the related indirect costs,
     such as the possible loss of productivity that may result when new controls are
     implemented; and

GAO/AIMD-00-33 Information Security Risk Assessment                                           7
     even if precise information were available, it would soon be out of date due to fast-
     paced changes in technology and factors such as improvements in tools available to
     would-be intruders.

This lack of reliable and current data often precludes precise determinations of which
information security risks are the most significant and comparisons of which controls are
the most cost-effective. Because of these limitations, it is important that organizations
identify and employ methods that efficiently achieve the benefits of risk assessment while
avoiding costly attempts to develop seemingly precise results that are of questionable

To assist agencies in meeting this challenge and to supplement our May 1998 guide on
information security management, we studied the practices of four organizations that
had institutionalized practical risk assessment methods. We identified these
organizations based on recommendations from government and private sector sources.
These sources recommended over 30 private and public sector organizations that were
known to have strong security programs or be actively pursuing improved risk
assessment practices. The four organizations included a multinational oil company, a
financial services company, a regulatory organization, and a computer hardware and
software company. This guide describes the factors that these organizations considered
critical to the success of their risk assessment processes and the benefits they cited as a
result of these practices. In addition, it provides a description of the procedures they
followed and examples of the tools they used to facilitate the process.

The organizations we selected had chosen risk assessment methods and developed tools
that were relatively simple and, for the most part, qualitative in nature. However, one
organization used a combination of qualitative and quantitative methods. In some cases,
agencies may find that it is more appropriate to use more detailed, quantitative methods
to assess the risks associated with certain aspects of their computerized operations.
However, incorporating the critical success factors that we identified is likely to make
any type of methodology more effective. Appendix II contains a more detailed
description of the scope of our study and the methodology we used.

8                                      GAO/AIMD-00-33 Information Security Risk Assessment
 Overview of Case
 Study Findings

The organizations in our study recognized that risk assessments were an integral part of
managing risks. They had developed various procedures and tools to ensure that this
aspect of their information security programs was not neglected. They also recognized
that the data on threat likelihood and on the costs of risk reduction techniques were
limited, but they did not believe these limitations precluded effectively exploring,
understanding, and ranking information security risks to their operations and assets. The
procedures they had implemented helped ensure that these risks were periodically
discussed and understood and that the most significant risks were identified and
addressed. In their view, achieving these benefits far outweighed the costs of performing
the risk assessment procedures they had adopted.

Although all of the organizations had long considered various risks to their business
operations, their increased reliance on networked computer systems in recent years had
accentuated serious and real vulnerabilities and prompted them to bolster their efforts to
assess information security risks. All had begun to improve and better define their
information security risk assessment processes during the previous 2 to 4 years, and all
were continuing to refine the process as they gained experience.

Although their methods and tools varied, the organizations cited similar practices that
they considered to be essential to the success of their risk assessment programs. They
also cited similar benefits, such as increased understanding of risks and support for
needed controls throughout the organization. The critical success factors, methods and
tools, and benefits are illustrated in the following diagram.

GAO/AIMD-00-33 Information Security Risk Assessment                                     9
Figure 2: Risk Assessment Practices and Related Benefits

                                           Critical Success Factors
                                    1. Obtain senior management support
                                       and involvement
                                    2. Designate focal points
                                    3. Define procedures
                                    4. Involve business and technical experts
                                    5. Hold business units responsible
                                    6. Limit scope of individual assessments
                                    7. Document and maintain results

                  Process                                                              Tools
    1. Identify threats and likelihood of                                  1. Tables
       those threats materializing                                         2. Questionnaires
    2. Identify and rank critical assets                                   3. Standard report formats
       and operations                                                      4. Software to facilitate
    3. Estimate potential damage                                              documentation and analysis
    4. Identify cost effective mitigating                                  5. Lists of threats and controls
    5. Document assessment findings

                                   1. Assurance that the greatest risks have
                                      been identified and addressed
                                   2. Increased understanding of risks
                                   3. Mechanism for reaching consensus
                                   4. Support for needed controls
                                   5. Means for communicating results

    10                                                  GAO/AIMD-00-33 Information Security Risk Assessment
Critical Success Factors
During our study, we identified a set of common critical success factors that were
important to the efficient and effective implementation of the organizations’ information
security risk assessment programs. These factors helped ensure that the organizations
benefited fully from the expertise and experience of their senior managers and staff, that
risk assessments were conducted efficiently, and that the assessment results led to
appropriate remedial actions. As might be expected, several of these factors are similar
to the more general information security management practices identified in our May
1998 executive guide.

Obtain Senior Management
Support and Involvement

Senior management support was important to ensure that risk assessments were taken
seriously at lower organizational levels, that resources were available to implement the
program, and that assessment findings resulted in implementation of appropriate changes
to policies and controls. This support extended to participating in key aspects of the
process, such as (1) assisting in determining the assessment’s scope and the participants
at the start of a new assessment and (2) approving the action plan developed to respond
to recommendations at the end. For example, at the oil company we studied, business
units were keenly aware of the importance of conducting risk assessments due largely to
the expectations of senior executives and the related support they provided. Security was
paramount in this organization and failure to comply with organizational risk assessment
policy required significant justification on the part of the business owner. Also, senior
managers at the unit being assessed were actively involved in determining the scope of
each assessment and in responding to final results and recommendations.

Designate Focal Points

Groups or individuals had been designated as focal points to oversee and guide the
organizations’ risk assessment processes. These focal points facilitated the planning,
performance, and reporting associated with the organizations’ risk assessment programs
and helped ensure that organizationwide issues were appropriately addressed. All focal
points were either located at the corporate level or were members of a corporate-level
committee that coordinated the progress of the risk assessment from an organizationwide

   At the oil company, a corporate-level facilitator served as a focal point for
   assessments throughout the company, including those pertaining to information
   security. Because of familiarity with the tools and the reporting requirements, this
   experienced individual helped reduce the amount of training required for others
   involved in the process, such as those responsible for collecting and analyzing data.

   At the financial services company, each business unit had a designated individual
   responsible for the business unit's risk assessment activities. The facilitators

GAO/AIMD-00-33 Information Security Risk Assessment                                    11
     generally met weekly as a group to discuss organization-wide risks and lessons
     learned from prior and ongoing assessments.

     At the computer hardware and software company, a council had been created for the
     purpose of improving the overall risk assessment process and reviewing the results
     of risk assessments.

In addition, corporate focal points were involved in developing, disseminating, and
periodically updating risk assessment guidance and often provided training to others.

The use of focal points enhanced the quality and efficiency of the risk assessments. In
particular, using focal points to coordinate the planning and performance of the risk
assessments helped ensure that

     tools were used effectively under the direction of an individual who was experienced
     in using them,
     successful techniques were promptly applied to subsequent assessments,
     terms and methods were applied consistently,
     reports were developed quickly and according to a standardized format, and
     expectations of senior executives were met.

Define Procedures

Each organization had defined and documented procedures for conducting risk
assessments and developed tools to facilitate and standardize the process. These, along
with the use of focal points, helped institutionalize the process, ensure a level of
assessment consistency, and prevent individual business units from “reinventing the
wheel” each time a new assessment was required. To provide flexibility, business units
generally could supplement or alter procedures when needed. These modifications were
often shared with other units in an effort to promote the use of best practices.

Defined procedures generally specified

     who was responsible for initiating and conducting risk assessments,
     who was to participate,
     what steps were to be followed,
     how disagreements were to be resolved,
     what approvals were needed,
     how assessments were to be documented,
     how documentation was to be maintained, and
     to whom reports were to be provided.

Involve Business and
Technical Experts

Drawing on knowledge and expertise from a wide range of sources was viewed as
essential to help ensure that all important risk factors were considered. Business

12                                    GAO/AIMD-00-33 Information Security Risk Assessment
managers generally had the best understanding of the criticality and sensitivity of
individual business operations and of the systems and data that supported these
operations. Accordingly, they were usually in the best position to gauge the business
impact of system misuse or disruption. Conversely, technical personnel, including
security specialists, brought to the process an understanding of existing system designs
and vulnerabilities and of the potential benefits, costs, and performance impacts
associated with new controls being considered. As a result, meetings conducted during
the risk assessment process usually included a variety of individuals from the business
unit with expertise in business operations and processes, security, information resource
management, information technology, and system operations. Others from outside the
business unit might also be included, such as internal auditors and, occasionally,
contractors with specific pertinent expertise.

All the organizations relied almost exclusively on in-house personnel to perform the risk
assessment rather than contractors. The computer hardware and software company
initially relied on contractors to assist in conducting assessments but eventually
determined that relying on contractors deprived its own personnel of valuable
experience in exploring risk.

The oil company had established a special unit to gather information on threats from
outside sources, including federal agencies and organizations such as Carnegie Mellon
University’s Computer Emergency Response Team Coordination Center. This helped
ensure that the organization fully understood the threats that might affect its worldwide
operations and that risk assessment teams considered this information in their analyses.
Similarly, the financial services company required individuals with expertise in specific
geographic areas to provide input on pertinent political and economic risk factors.

Hold Business
Units Responsible

Responsibility for initiating and conducting risk assessments, as well as following up on
resulting recommendations, lay primarily with the individual business units. Business
units were considered to be in the best position to determine when an assessment was
needed and to ensure that recommendations for risk reduction techniques resulting from
the assessment were implemented effectively.

   At the financial services company, the business units annually developed risk
   management plans from a variety of information sources, including the results of
   prior risk assessments. These plans served as a basis for establishing priorities for
   performing risk assessments; designating individuals to facilitate, coordinate, and
   execute risk assessment activities; and determining the tolerable level of risk for a
   given operation.

   At the computer hardware and software company, business unit managers were
   responsible for assessing the risks associated with their unit's computer-based
   operations, and such responsibilities were generally documented in their
   performance expectations.

GAO/AIMD-00-33 Information Security Risk Assessment                                        13
     At the oil company, the business unit was responsible for initiating a risk assessment
     and approving an assessment execution plan. This plan, initially drafted by a
     headquarters-level facilitator, included the assessment scope, list of questions to be
     addressed during the process, and list of individuals that would participate in the

Limit Scope of Individual

Rather than conducting one large risk assessment covering all of an entity’s operations at
once, the organizations generally conducted a series of narrower assessments on various
individual segments of the business. As a result, the scope of each assessment was
limited to a particular business unit, system, or facility, or to a logically related set of

Segmenting operations into logical units generally reduced the size of each assessment,
making it more manageable to schedule and perform. In addition, segmenting operations
provided organizations a means of ranking units to determine the order in which risk
assessments would be performed and which units might merit more frequent risk

     A regional office at the regulatory organization decided that, after reviewing its
     processes, it would do two separate risk assessments—one on its administrative
     operations and one on its business-related operations. Managers decided to separate
     the assessments because the two sets of operations relied on different systems and
     were subject to somewhat different risks.

     At the computer hardware and software company, risk assessment scope was
     generally focused on each primary business process and its supporting systems,
     including the software, databases, and the hardware and network technology
     supporting the software.

To successfully implement this unit-by-unit approach, provisions had to be made for
considering shared risks and risks associated with infrastructure systems, such as
electronic mail systems and other shared resources, which supported multiple units of
the organization.

     The regulatory organization centrally evaluated the controls associated with its
     organizationwide electronic mail system and determined that the controls over this
     system were adequate to support low- and medium-risk applications. Individual units
     subsequently used this information to determine the extent to which specific
     business operations should rely on the electronic mail system.

     At the financial services company, a corporate-level group of risk assessment focal
     points met twice weekly to consider corporatewide risks and approve actions at
     individual units that might affect the entire organization.

14                                     GAO/AIMD-00-33 Information Security Risk Assessment
Document and Maintain

Risk assessment results were documented and maintained so that managers could be
held accountable for the decisions made and a permanent record established. In this
way, risk assessment records were available to serve as the starting point for subsequent
risk assessments and as a ready source of useful information for managers new to the
business unit. Documenting the process undertaken also permitted others, such as the
internal audit department, to ensure that organizational units were complying with
company policy.

All the organizations maintained databases on the results of the assessments. These
results were used as the starting point for subsequent risk assessments and to monitor
the status of any open recommendations for mitigating risks identified during the
process. For example, at the financial services company, the documentation created
during a risk assessment was used as the basis for the following year’s risk management
plan. At the regulatory organization, an internally developed software program was used
to monitor the implementation status of assessment recommendations and to report the
status to senior management.

All of the organizations we studied had developed tools to facilitate the conduct of their
risk assessments, such as tables, questionnaires, and standard report formats. These
tools helped ensure a consistent and standardized approach throughout the organization
and prevented teams from “reinventing the wheel” each time a new assessment was

Such tools had been developed in-house or adapted from those used by others, and most
had been computerized to speed the documentation process and to provide easy access
to data and risk assessment results. Generally, the corporate offices responsible for
overseeing risk assessment activities periodically refined the tools as experience was
gained and best practices were identified.

Most of these tools were relatively simple aids to assessment and reporting, although one
organization had automated the majority of its analysis process.

     The oil company used a table, in the form of a matrix, that facilitated analysis of
     information security risks to its operations and served as an effective tool for
     communicating risk assessment results to management. The matrix showed the
     combined effects of the probability of an undesirable event occurring and the
     severity of damage or loss to key organizational assets or operations if the event
     were to occur.

     The financial services company used a questionnaire to document compliance or
     noncompliance with company control objectives and the specific control techniques
     employed. The questionnaire was organized by specific control objectives, such as

GAO/AIMD-00-33 Information Security Risk Assessment                                        15
     authentication, access control, confidentiality, availability, audit, and

     The computer hardware and software company had developed relatively more
     sophisticated tools, including a detailed software program that had been designed to
     draw on large amounts of data on risk factors and automatically analyze input from
     the risk assessment team.

Tools used by the organizations we studied are described and illustrated in the case
study descriptions included in this guide.

The organizations in our study told us that institutionalizing a practical risk assessment
program was important to supporting their business activities and provided several
benefits. First, and perhaps most importantly, risk assessment programs helped ensure
that the greatest risks to business operations were identified and addressed on a
continuing basis. Such programs helped ensure that the expertise and best judgments of
their personnel were tapped to develop reasonable steps for preventing or mitigating
situations that could interfere with accomplishing the organization’s mission.

Second, risk assessments helped personnel throughout the organization better
understand risks to business operations; avoid risky practices, such as disclosing
passwords or other sensitive information; and be alert for suspicious events. This
understanding grew, in part, from improved communication between business managers,
system support staff, and security specialists.

Further, risk assessments provided a mechanism for reaching a consensus on which
risks were the greatest and what steps were appropriate for mitigating them. The
processes used encouraged discussion and generally required that disagreements be
resolved. This, in turn, made it more likely that business managers would understand the
need for agreed upon controls, feel that the controls were aligned with the unit’s
business goals, and support their effective implementation. Officials at one organization
told us that controls selected in this manner were much more likely to be effectively
adopted than controls that had been imposed by personnel outside of the business unit.

Finally, a formal risk assessment program provided an efficient means for
communicating assessment findings and recommended actions to business unit
managers as well as to senior corporate officials. Standard report formats and the
periodic nature of the assessments provided organizations a means of readily
understanding reported information and comparing results among units over time.

16                                     GAO/AIMD-00-33 Information Security Risk Assessment
 Case Study 1:
 Multinational Oil Company

Distinguishing Characteristics

   Established single corporate focal point.
   Focused on specific scenarios.
   Ensured that decisions were consensus-based.
   Built on processes developed by others.

This organization has a wide range of operations in 30 countries with varying levels of
risk. Security and safety concerns are critical factors in conducting business, and risk
assessments are a key component for addressing those concerns. Failure to comply with
organizational risk assessment policy requires significant justification on the part of the
business owner. Although risk assessments have been a part of doing business since the
mid-1980s, the organization has been striving to implement a more disciplined approach
since 1995.

At the time of our review, the company employed a relatively streamlined, mainly
qualitative methodology to assess information security risk. A headquarters-level risk
management coordinator, responsible for security risk assessments, was the focal point
for the risk assessment program. The methodology followed defined steps for analyzing
potentially damaging scenarios and involved a number of standardized tools, including
software developed in-house, to compile and analyze data and generate reports. Each
assessment consisted of three phases--planning and preparation, team risk assessment
activities, and report development. These phases generally took a total of 2 to 4 weeks to
complete. Additional time was required for the business unit to develop an action plan
for responding to recommendations resulting from the risk assessment.

The key steps of the process are shown in the following diagram and discussed in greater
detail on subsequent pages.

GAO/AIMD-00-33 Information Security Risk Assessment                                     17
 Figure 3: Risk Assessment Process Diagram 1

                            Step              Individuals Involved

                            Planning and Preparation

                   Develop project plan & select assessment team

                            Risk management coordinator
                                 & business manager

                         Team Risk Assessment Activities

                                    Gather information

                                   Team members &
                           other knowledgeable individuals

                     Identify threats         Evaluate assets and threats

                    Corporate threat                 Team members
                    assessment unit

                                    Develop scenarios

                                     Team members

                                                 Identify countermeasures
               Rank scenario risk
                                                      to mitigate risk
               Team members                          Team members &
                                                      business unit

                             Reporting and Follow-up

      Brief management              Develop report                   Develop action plan

      Team members               Risk management                     Business manager

18                                      GAO/AIMD-00-33 Information Security Risk Assessment
Initiating a Risk Assessment
The organization's policy guidelines require that risk assessments be performed prior to
any significant change in a facility or operation, after a serious security incident, or
whenever a new significant risk factor is identified. Regardless of these considerations,
the organization's objective is to assess or reassess risk of all critical operations at least
every 3 years.

Company guidelines direct the manager of a project, facility, or segment of operations to
notify his or her respective regional security coordinator of the need for a risk
assessment. Notification is usually in writing. The regional coordinator then notifies the
organization's central security risk management coordinator in writing of the upcoming
assessment. Business units are mindful of the need and significance of conducting risk
assessments due largely to the strong support given by the organization’s senior
executives. Although the business manager is primarily responsible for initiating risk
assessments, the central coordinator routinely reviews internal budget and project
documents to identify operational segments that may require a risk assessment.

Conducting and Documenting the Assessment
The risk assessment process can be divided into three distinct areas: planning and
preparation, team risk assessment activities, and report development.

Planning and Preparation

After notification of an upcoming risk assessment, the central coordinator, in
conjunction with senior managers in the business unit, develops a risk assessment
execution plan. This plan covers assessment objectives and methodology, team size and
composition, and information requirements for conducting the assessment. Developing
the plan is an iterative process between the central coordinator and business unit
management. According to the central coordinator, the final plan must receive business
unit management endorsement.

The risk assessment team is multidisciplined, usually consisting of about five to eight
individuals with specialized knowledge of the business unit's assets and operations.
Team members are usually employees; however, on occasion, the team includes outside
consultants. Senior managers of the business unit select the team with approval from
either the regional or central coordinator. To help ensure objectivity, the risk
assessment team leader is selected from outside the unit being assessed. In addition,
security specialists from the business unit in question are usually not part of the risk
assessment team; however, they are interviewed to obtain information on security issues.

Individuals, primarily from the business unit, are the main source of data on all aspects
of business operations and assets. For this reason, identifying knowledgeable individuals
to be interviewed and developing interview questions are critical parts of the planning
process that require careful attention and close coordination between the business unit
manager and the regional and central coordinators. A wide array of individuals ranging
from senior managers to security specialists and contractors are interviewed.

GAO/AIMD-00-33 Information Security Risk Assessment                                         19
Organizational guidance states that midlevel managers from key business units are to be
interviewed, including individuals with knowledge of legal, safety, personnel, and
operations matters, as well as related processes.

The list of interview questions covers many areas of information security, including
information classification; information storage, handling, destruction, and disposal;
access controls; and transmittal of mail, data, fax, video, and voice.

To help ensure that all credible threats are considered, this company has established a
separate corporate group that develops and maintains threat data for use by the entire
company, including risk assessment teams. This group collects threat data from internal
and external sources, including federal intelligence agencies and emergency response
centers, such as those at Carnegie Mellon University and Lawrence Livermore National
Laboratory. Based on this information, the group develops a "baseline threat statement"
that identifies the possible threats from outsiders, insiders (trusted employees and
support personnel), and system-induced events (faulty processes). At the time of our
study, the baseline threat statement in use was four pages long.

The central coordinator told us that the costs of risk assessments are divided between
the corporate security office and the business unit. The corporate security office pays
the central coordinator's salary and travel costs. The coordinator's travel costs are often
the main concern, since the organization has many overseas operations, and assessments
are generally conducted in the field. Most team members are employed by the business
unit being assessed, so the cost of their time is covered by that unit.

Prior to convening, the central coordinator provides each team member a 10- to 15-page
package of information that includes a copy of the agreed upon execution plan, an
assessment schedule, a copy of any previous risk assessment reports for the system or
facility being assessed, threat data, a summary describing the risk assessment
methodology, and a list of suggested interview questions. Because of his familiarity with
the tools and the reporting requirements, the coordinator helps reduce the amount of
training required for team members.

Team Risk Assessment Activities

The primary focus of this phase is collecting and analyzing data on threats and potential
vulnerabilities and recommending corrective actions to reduce or mitigate risks. This
phase usually takes about 5 days to complete—3 days for data collection and another 2
days for data analysis.

The first steps in this segment of the process are conducting interviews with the
knowledgeable individuals identified during the planning stage and reviewing related
documentation. Depending on the scope, the team conducts 20 to 40 separate interviews
lasting about 1 hour each. To maintain objectivity, team members usually do not
interview superiors or co-workers. Although the first 3 days are targeted toward
conducting interviews, the team convenes at the end of each day to start analyzing the
information collected during the interviews and to develop scenarios of possible
undesired and damaging events. In a typical information security risk assessment, 10 to
20 scenarios are developed.

20                                    GAO/AIMD-00-33 Information Security Risk Assessment
In developing scenarios, risk assessment teams consider how current organizational
procedures or technical applications may compromise the organization’s information
resources and ultimately damage the company. Considerations include disclosure of
information to unauthorized individuals and organizations, loss of information, and
inability to access company information due to computer malfunction or loss of
communications. As part of this, the team considers the baseline threat statement, to
which specific local threat data have been added.

A scenario developed as part of a recent assessment was of an employee with personal
financial problems, unknown to corporate managers, who might independently access
highly sensitive and confidential information on company operations and sell such
information to outsiders. In this case, the threat was an employee with a strong incentive
to misuse or disclose company assets for personal gain. The asset at risk was proprietary
information of great value to the company.

Once the scenarios are complete, the team ranks them according to how severe the
effects of their damage or loss would be. To assist in this process, the company has
adopted and modified categories originally developed by the Department of Defense to
categorize damage and/or loss, as follows.

 Category I    Death, loss of critical proprietary information, system disruption, or
               severe environmental damage

 Category II   Severe injury, loss of proprietary information, severe occupational illness,
               or major system or environmental damage

 Category III Minor injury, minor occupational illness, or minor system or
              environmental damage

 Category IV Less than minor injury, occupational illness, or less than minor system or
             environmental damage

For the scenario cited above, the team concluded that the severity level was a Category II
because the scenario description did not state that the exposed information was “critical
proprietary”. The team then ranks the probability of scenarios materializing. The
following categories are used for this ranking.

 Category A    Frequent - Possibility of repeated incidents

 Category B    Probable - Possibility of isolated incidents

 Category C    Occasional - Possibility of occurring sometime

 Category D    Remote - Not likely to occur

 Category E    Improbable - Practically impossible

GAO/AIMD-00-33 Information Security Risk Assessment                                     21
For the scenario previously cited involving a company employee selling proprietary data,
the team concluded—after consideration of existing controls and a scenario cause-effect
analysis—that such an event was probable (category B), in part because background
investigations for employees with access to highly sensitive information were not
updated frequently.

After severity and probability levels are determined for each scenario, the team
compares them to a predetermined set of four categories that describe the company’s
policy on (1) which risks are considered unacceptable and which are of less significance
and (2) the need for corrective action. Figure 4 illustrates the matrix that the company
uses to perform this analysis. The accompanying “risk index” descriptions define four
risk levels and required actions. In the cited scenario, the risk index was 1 based on the
IIB calculation.

Figure 4: Risk Assessment Matrix

     Severity level                                    Probability of occurrence
                       (A) Frequent   (B) Probable    (C) Occasional (D) Remote       (E) Improbable
     I (High)



     IV (Low)

           = Risk 1 (undesirable and requires immediate corrective action)
           = Risk 2 (undesirable and requires corrective action, but some management discretion allowed)
           = Risk 3 (acceptable with review by management)
           = Risk 4 (acceptable without review by management)

The above steps are facilitated by the use of an internally developed software program,
which captures information on scenarios. The software proposes corrective actions
based on a list of security controls built into the software and provides a related cost
estimate. According to the central coordinator, the software allows for real time, cost-
benefit analysis of security investments.

For each scenario requiring risk reduction, the team identifies one or more possible
corrective actions from a list of suggested corrective actions predetermined by the
organization. The organization has established guidance on suggested types of corrective
actions for each of the four risk categories.

The team selects for recommendation the most appropriate corrective actions based on
(1) the effectiveness of the control in reducing either the probability or severity of a
potential scenario and (2) cost. To illustrate the effect of the recommended corrective
actions, the risk assessment team recalculates the new level of risk that would exist if
the corrective actions were implemented. In the sample cited, a risk index of IIC, risk
level 2, would demonstrate that the team’s recalculation reduced the probability,
assuming implementation of recommendations.

22                                             GAO/AIMD-00-33 Information Security Risk Assessment
Reporting and Ensuring That Agreed Upon Actions Are Taken
After the team develops and recommends corrective actions, it prepares an exit briefing
to discuss the assessment findings with the business unit's management. This briefing
usually takes about 45 minutes. The team will highlight high-risk scenarios—some of
which may require immediate action. After the briefing, the team disbands. The central
coordinator then prepares a draft report, using a standard format, and distributes the
report to team members for comment. To ensure objectivity, each team member
independently reviews the draft. The team leader considers team input, finalizes the
report, and provides it to the business owner. The team may provide the report to others
in the organization depending on the issues involved.

Within 2 months of receiving the risk assessment report, the business unit is to develop
an action plan for implementing the report recommendations. In the event that the
business unit decides not to implement a recommendation associated with higher risk
scenarios, its managers must document their justification and suggest an alternative
solution for reducing the risk. If the scenario has the potential for affecting other
organizations, the central coordinator meets with the unit manager to discuss and
approve the alternative solution. Corporate management does not need to approve the
business owner's alternative solution if the impact is limited to the unit in question, or if
the risk is at either level 3 or 4. The action plan for addressing recommendations and/or
new alternatives is to identify actions planned, resource requirements, responsible
personnel for each action, and a schedule for anticipated completion dates. Senior
business unit managers document approval of the plan in writing and send copies to both
the central and regional coordinators.

The central and regional coordinators monitor the status of each recommendation until
the recommendation is fully implemented. The central coordinator maintains records on
open recommendations and issues quarterly status reports. Once a recommendation is
closed, the business owner prepares a closeout report and submits it to the central and
regional coordinators. Regional coordinators are also responsible for ensuring that
recommendations are implemented and that periodic updates and verification occur,
usually annually.

GAO/AIMD-00-33 Information Security Risk Assessment                                       23
 Case Study 2:
 Financial Services Company

Distinguishing Characteristics
     Used annual risk management plans as a basis for determining when risk
     assessments were needed.
     Held central focal point group meetings to discuss crosscutting risk issues.
     Established formal process for documenting acceptance of risk.

This is an established institution that handles relatively large-dollar transactions and
considers itself to be conservative and risk averse. It views the protection of the
integrity, confidentiality, and availability of its information assets and networks as a
strategic objective. Although the organization has been performing information security
risk assessments for 15 years, the information risk management program has become
more robust and formalized in recent years. The fundamental basis of the risk
assessment program is to balance the company’s security requirements with other
factors associated with doing business. The company recognizes that some risk must be
accepted to conduct business.

The program provides a practical, realistic approach to efficiently and cost-effectively
identify risks associated with the organization's information systems. The company's
assessment process helps ensure that business unit managers comply with mandatory
corporatewide security requirements and make informed decisions about the need for
additional risk-reduction measures. The process also raises the awareness of business
managers regarding the risks associated with their business unit’s reliance on automated
systems and electronic information. The process does not focus on identifying specific
threats, but rather on protecting the organization’s information regardless of the threats.

Key steps of the process are shown in the following diagram and discussed in more detail
on subsequent pages.

24                                     GAO/AIMD-00-33 Information Security Risk Assessment
Figure 5: Risk Assessment Process Diagram 2

   Select system
    & prepare for
                               Business unit       Information    Corporate-
   Focal point &                                                    level
                                managers            databases    management
business managers

                                                Document                           Approve risk
   Hold meetings to rank
                                               & disseminate
   information criticality                         results                         acceptance
    and identify existing
          controls                              Focal point                Corporate information
        Focal point,                                                         risk coordinator &
    business managers, &                                                   focal point committee
information technology staff

                                                    Are                              statement
     Compare existing
  controls with mandatory                          there
    and optional control                           gaps?

        Focal point,
   business managers, &                                Yes
information technology staff

                                                    Is it                          Develop risk
                                               feasible to fix    No
                                                                               acceptance statement
Legend:                                          the gaps?
                                                                             Business unit head,
     Process                                                                     focal point,
    Individuals                                        Yes                business managers, &
     involved                                                              focal point committee
                                                solutions to
     Decision                                  correct gaps
                                            Focal point &
                                          business managers

      GAO/AIMD-00-33 Information Security Risk Assessment                                             25
Initiating a Risk Assessment
Business units initiate risk assessments based on each unit's annually updated risk
management plan. To develop a risk management plan, a variety of information sources
are used, including prior risk plans and assessments, business plans, audit reports, and
the expertise of other business and technical managers. The need for a risk assessment
is based on a system's criticality to business operations, the sensitivity of its information,
and the lapse of time and type of changes since the last assessment. Generally, risk
assessments are performed on critical information systems about once a year.

In the risk management planning process, business managers are asked to identify, based
on their knowledge of the business unit’s operations, the most important systems to their
business units. Some business units have as few as five critical systems, while others
have as many as 130 critical systems. Based on this list, business units focus their risk
assessment activities on the top 10 to 20 critical systems. According to one official,
performing risk assessments for more than 10 to 20 applications would become
overwhelming, cumbersome, and strain limited resources. After the systems are
selected, the business managers classify the systems’ information as being high, medium,
or low risk.

Next, the list of required assessments is further narrowed to the most critical systems
with the highest risk. The risk assessment process for existing systems focuses on
existing risks associated with the security of the system being assessed. For new
applications, the unit attempts to build security into the systems as they are developed so
that security is a part of a system’s design from the start.

Conducting and Documenting the Assessment
The company has a standardized risk assessment process; however, individual business
units have some latitude in how assessments are conducted. Each business unit head
designates an individual, directly under him or her, with continuing responsibility for
facilitating, coordinating, and executing the business unit's risk assessment activities.
Throughout the risk assessment process, this focal point receives assistance from
employees with expertise in business operations and processes, information resource
management, systems use, and risk factors affecting multiple business units. In addition,
the organization's information technology staff assists the focal point, as well as the
business unit's head, in understanding existing technical controls and developing
solutions to identified security weakness.

The time and effort taken to complete an individual assessment varies from 1 to 2 days to
several weeks, depending on the size and complexity of the system being assessed. The
system’s use across multiple business units also affects the time it takes to complete an
individual assessment. Typically, the focal point dedicates the equivalent of one full
day's work to an individual assessment, while each of the participants dedicates no more
than the equivalent of 1 week of work.

26                                      GAO/AIMD-00-33 Information Security Risk Assessment
Select System and Prepare for Assessment

Once a system is selected from those identified in a unit’s risk management plan, the
focal point collects preliminary information from the business unit's managers and from
documents, such as project initiation and definition reports, audit reports, and functional
specifications. The focal point also determines the changes made to the system since the
last assessment and identifies from the documentation the technical components of the
system. In addition, qualitative aspects of the system are documented, including a brief
description of the system's purpose, functionality, and location; the system's user
authentication procedures; and the procedures for establishing new user accounts and
access privileges.

Hold Meetings to Rank Information Criticality
and Identify Existing Controls

After gathering preliminary information, the focal point schedules a meeting to reach a
consensus regarding the level of risk associated with the selected system and identify the
existing technical controls and manual processes to mitigate system risks. Generally, the
focal point selects individuals from the business unit to participate in the meeting who
have expertise in business operations and processes, information resource management,
information technology, and system use. The focal point also includes employees with
knowledge from outside the business unit that may affect information security risk, such
as information on political and economic conditions in specific geographic regions.

Prior to the meeting, the focal point sends the participants a standardized questionnaire
so that they have an opportunity to informally consider the system's characteristics in
comparison to the company's control requirements. The questionnaire serves as a tool
for documenting the selected system's compliance or noncompliance with specific
control techniques established in the company's security standards for operating
systems, networks, data stores, and applications. The questionnaire organizes specific
control techniques under nine control elements--authentication, access control,
environmental integrity, information integrity, confidentiality, availability, audit,
nonrepudiation, and administration. The control techniques are further divided into
either mandatory or optional requirements. The mandatory requirements are the
minimum set of information security controls that is required for all operations and
represent the organization's "target information security environment." The optional
requirements are additional security controls that may be required for certain higher risk
operations. These risk levels and the classification of the system’s information are
factors established during the risk management planning step. The optional
requirements provide greater control over systems or information that is especially
important to the business unit or perceived to be at especially high risk. An abbreviated
example of the questionnaire follows.

GAO/AIMD-00-33 Information Security Risk Assessment                                     27
     Figure 6: Abbreviated Example of Standardized Questionnaire

                                      Operating             Network            Data store            Application
                                    Complies   Discuss   Complies   Discuss   Complies   Discuss   Complies   Discuss
     Control elements
     1. Authentication
     -- The identity of all users
     currently logged onto the
     system must be internally

     -- All data passed through
     the network must identify
     the originator and

     2. Access control

     -- Only authorized
     authenticated users and
     remote applications may
     have access

     -- Network access must
     be based on a business


During the meeting, the focal point and the other participants use the questionnaire as a
guide for their discussions and as a tool for formally documenting the decisions made.
Additional manual tools are available to assist the participants in evaluating (1) the
system's information risk levels for both sensitivity and criticality, based on a simple low,
medium, or high ranking for each system and (2) the inherent vulnerabilities of the target
operating environment, based on a numeric system. By combining the results of these
evaluations, the participants determine the level of threat to the system. According to
one organization official, any greater refinement of the analysis is not valuable.

The focal point documents the decisions made during the meeting. Most of this
documentation is subsequently maintained in a database, where it is available to other
business units. Although use of the database varies across the business units, it is

28                                              GAO/AIMD-00-33 Information Security Risk Assessment
especially valuable for providing information on assessments done on systems used by
multiple business units.

In addition, the focal point determines and documents the system's minimum-security
requirements based on the final results of the questionnaire and the level of threat to the
system established during the meeting. The focal point’s decisions are not formally
approved by anyone, but they are summarized in quarterly reports that also describe the
status of the systems in their business units using a simple red, yellow, and green scheme
to show the level of risk to the system. The company’s chief information risk officer and
his staff carefully review these scorecards and ask for justification regarding
questionable decisions.

A risk assessment is stopped at this point if it is discovered that the system being
assessed has low criticality and sensitivity. Typically, the only time that a low-risk
system would be assessed is when external connectivity is an issue, for example, if a
business unit wanted to provide network access to a third-party vendor.

Compare Controls With Mandatory and Optional Requirements
to Identify Security Exposures

During this step, the focal point analyzes the system's compliance with the minimum-
security requirements, as established in the previous step, and determines the acceptable
level of risk exposure for the system. When unacceptable exposures are found because
there is a difference between the system's minimum-security requirements and the
controls in place, there are two possible courses of action. First, if there are solutions or
compensating controls that are feasible and can be implemented in a reasonable time,
then the focal point can develop preliminary recommendations for addressing those
exposures. Otherwise, the business unit manager must accept the risk exposure and a
risk acceptance statement is created, as discussed later. During this step, the
information technology staff and system users are consulted to assist in the identification
of security solutions and recommendations.

Recommend Solutions to Mitigate Exposures

If feasible solutions or compensating controls exist for the information security
exposure(s) identified in the previous step, the focal point and the business unit's
information manager develop an action plan that documents the business unit's
recommendations to mitigate the exposure by implementing new or strengthened
controls. The action plan includes the steps to be taken, the time frame for completion,
and the responsible groups within the business unit. The length of the action plan varies,
though according to one focal point, the plan should be concise and focus on a few key
recommendations. The business unit head makes the final decision in regard to what
actions are taken to correct the exposure(s) and is responsible for executing those
actions. After the recommendations have been implemented, the focal point initiates
another analysis to ensure that the controls have been properly implemented and the
exposure no longer exists or the risk has been reduced.

GAO/AIMD-00-33 Information Security Risk Assessment                                       29
Develop Risk Acceptance Statement for Remaining Exposures

If the security solution or compensating control in regard to the identified exposure(s) is
not feasible or can not be implemented promptly, the business unit head is informed
about the exposure and its potential impact on the business unit's operations. If the risk
exposure is exclusively related to the business unit’s systems or operation, then the
business unit head is responsible for deciding if the risk should be accepted. If the risk
exposure affects multiple business units or the corporation’s overall network, the
responsibility for the accepting the risk escalates to higher management levels, typically
the chief information officer, for a decision.

If the responsible manager is willing to accept the risk, a risk acceptance statement is
prepared that explains why an exception to a mandatory or appropriate optional
requirement is necessary. In addition, the statement includes details about the risk and
exposure, compensating controls to be put in place, loss potential, expiration date of the
exception, and review procedures. To ensure accountability, the statement is generally
prepared by the focal point and signed by the business unit head or equivalent. Typically,
risk acceptance statements are required for all instances of noncompliance with
standards that represent material risks to the systems. Areas that are low risk and
common vulnerabilities that are generally known to exist typically do not require a risk
acceptance statement. If the business unit head is unwilling to accept the risk,
recommendations to reduce or eliminate the exposure(s) are developed, as discussed

Approve the Risk Acceptance Statement

After the risk acceptance statement is completed and signed by the responsible manager,
it is submitted for review and approval to the corporate information risk group, global
information risk coordinator, relevant audit staff, and other interested parties. In cases
where the accepted risks could impact the corporate network, a committee made up of
representatives from all of the business units also reviews the statement.

The corporate information risk group grants the exception to the security requirement if
there is concurrence by all of the reviewing parties that there would be no detrimental
affect on the other business units. If it is determined that an exception will affect other
business units, the request is escalated to higher management levels, typically to the
chief information officer, for approval. Generally, a consensus is reached that
accommodates the exception, but entails additional compensating controls to reduce the

An approved exception is typically good for 6 to 12 months, depending on the
circumstance. When the exception expires, the decision is re-evaluated by the corporate
information risk group. During the re-evaluation, the group determines if the exposure
still exists, what progress has been made to mitigate the exposure, and if the acceptance
of the exposure is still appropriate. If the group decides that acceptance of the exposure
is still appropriate, the exception is extended. If not, the business unit's manager and
focal point must develop means to eliminate or further mitigate the exposure.

30                                    GAO/AIMD-00-33 Information Security Risk Assessment
Document Results

All information risk assessments are documented in a database, as previously mentioned.
Even when no corrective actions are needed, the documentation may be useful in
subsequent analyses and as input for future risk management plans and risk assessments.
 Paper copies of the risk acceptance statements are maintained so that the chief
information risk officer’s staff can monitor expiration dates and related actions
underway by business units.

Additional documentation that is provided to corporate-level and business unit
management consists of risk assessment reports, the status of summary databases, and
the business unit’s external connectivity status. The internal auditors also use the
documentation to review the decisions made by the focal points and other participants
during the risk assessment process. According to one official, the internal audit reviews
provide a valuable service regarding the quality of the risk management decision-making

GAO/AIMD-00-33 Information Security Risk Assessment                                    31
 Case Study 3:
 Regulatory Organization

Distinguishing Characteristics
     Emphasized exploring and ranking risk to business operations.
     Applied a predefined set of minimum control requirements for each of three risk
     levels (high, medium, low).

This organization considers itself to be risk averse and is particularly concerned with
loss of customer confidence, as well as monetary and productivity losses. As such, the
organization has developed a detailed set of minimum mandatory control requirements
over all operations.

Although risk assessments have always been a part of doing business, the organization
implemented a more standardized approach in 1995 to ensure a more common
understanding and to provide a systematic approach that reduces the risk of overlooking
issues. The objective of the risk assessment is to determine the level of risk associated
with a business function or process in order to determine the applicable security
controls. This is done by determining which of a predefined set of controls is
appropriate for individual business operations and comparing what is appropriate to
controls already in place in order to identify and address gaps.

The organization consists of a central office and regional offices throughout the United
States, with each unit having its own area of responsibility for the assessment. The
central office issues organizationwide information security risk assessment guidelines
and establishes minimum control requirements; the regional office oversees and
facilitates the process in its geographic area; and individual business units are
responsible for conducting the assessments.

The key steps of the process are shown on the following diagram and discussed in
greater detail on subsequent pages.

32                                    GAO/AIMD-00-33 Information Security Risk Assessment
Figure 7: Risk Assessment Process Diagram 3

                                Step             Individuals Involved

                    Determine risk assessment scope and establish team

                                  Business unit manager

                                       Evaluate threats

                                       Team members

        Rank impact of damage               Assign risk level to each area of vulnerability

            Team members                                   Team members

        Compare actual controls in place with minimum requirements and identity gaps

                                       Team members

                           Prepare statement summarizing results

                                       Team members

                                           Initiating a Risk Assessment
   The organization’s  policyaction
                    Develop   guidelines
                                    plan requireRequest
                                                           units to conduct   risk assessments
                                                                     (if necessary)
   at least once a year. Assessments are also required when a new business operation is
   established or when      members
                         significant                 Business unit manager
                                      operational changes

    GAO/AIMD-00-33 Information Security Risk Assessment                                       33
Initiating a Risk Assessment
The organization’s policy guidelines require business units to conduct risk assessments
at least once a year. Assessments are also required when a new business operation is
established or when significant operational changes occur. Responsibility for initiating
the assessment lies with the business unit manager. The regional audit department
reviews compliance with the organization's risk assessment requirements through annual
audits and reports any noncompliance to business unit management.

After identifying the need for a risk assessment, the business unit manager determines
the scope of the assessment and establishes a risk assessment team. The assessment can
cover an entire unit or a specific segment of operations depending on how information is
accessed, processed, or disseminated. The assessment team usually comprises five to
seven individuals with expert knowledge of the business unit's assets and operations,
and members from the region's information security office and audit department. After
the team convenes, a representative from the region's information security office briefs
team members on the risk assessment process and provides them with organizational
guidance on conducting assessments.

Conducting and Documenting the Assessment
Risk assessment teams use predefined categories—developed by the central office—for
ranking risk assessments. The categories cover specific elements that must be addressed
for each assessment. These elements include five areas of potential vulnerabilities, four
types of damage, and three possible consequences, as shown in the following diagram.
The purpose of predefined categories is to ensure a consistent approach throughout the

34                                   GAO/AIMD-00-33 Information Security Risk Assessment
 Figure 8: Elements Considered in Ranking Risk

 Areas of vulnerability

  Facilities and equipment
  Software and operating systems

 Types of damage

  Unauthorized disclosure, modification, or destruction of information
  Inadvertent modification or destruction of information
  Nondelivery or misdelivery of service
  Denial or degradation of service

 Potential consequences

  Monetary loss
  Productivity loss
  Loss of customer confidence

The central office has incorporated these elements into a set of detailed guidelines for
conducting information security risk assessments. The office has also prepared a
complementary training manual elaborating on the guidelines and providing more
detailed step-by-step procedures.

Determining Risk Level

The team's first step is to evaluate possible threats to information security that may
affect the unit's operations and, based on its knowledge of the operation being assessed,
consider the likelihood and consequences of the threat occurring.

The team assigns a risk level of high, moderate, or low for each area of vulnerability to
show the possible effect of damage if the threat were to occur. In completing this step,
the risk assessment team assumes that no controls are in place. (Later in the
assessment, existing controls are compared to a comprehensive set of control
requirements to identify shortfalls.) The team uses a matrix to assist in its analysis of
risk as shown in the following table:

GAO/AIMD-00-33 Information Security Risk Assessment                                        35
 Table 1: Risk Assessment Matrix
                                                                Risk of monetary   Risk of productivity   Risk of loss of
 Areas of vulnerability and possible effects of damage
                                                                loss               loss                   customer confidence

                                                                 H     M      L     H       M       L      H       M        L

     Unauthorized disclosure, modification, or destruction of

     Inadvertent modification or destruction of information

     Nondelivery or misdelivery of service

     Denial or degradation of service

 Facilities and equipment
     Unauthorized disclosure, modification, or destruction of

     Inadvertent modification or destruction of information

     Nondelivery or misdelivery of service

     Denial or degradation of service

     Unauthorized disclosure, modification, or destruction of

     Inadvertent modification or destruction of information

     Nondelivery or misdelivery of service

     Denial or degradation of service

     Unauthorized disclosure, modification, or destruction of

     Inadvertent modification or destruction of information

     Nondelivery or misdelivery of service

     Denial or degradation of service

 Software and operating systems
     Unauthorized disclosure, modification, or destruction of

     Inadvertent modification or destruction of information

     Nondelivery or misdelivery of service

     Denial or degradation of service

36                                                               GAO/AIMD-00-33 Information Security Risk Assessment
           After completing the matrix, the team summarizes its findings by assigning a composite
           risk level to each of the five areas of vulnerability on the matrix. The team does this by
           considering the four potential types of damage identified under each area of
           vulnerability and judgmentally assigning a risk level of high, medium, or low to each
           area. The team then agrees on an overall risk level for each vulnerability in the last
           column of the table marked "Overall risk." Table 2 is used to record this step.

            Table 2: Risk Assessment Table

                                                             Risk category

                                       Monetary       Productivity   Loss of customer   Overall risk
            Areas of vulnerability       loss            loss           confidence


            Facilities and equipment



            Software and operating

           Identifying Needed Controls Based on Predetermined Requirements

           After determining the overall risk level for each area of vulnerability, the team identifies
           the minimum applicable controls that are prescribed in its organizational guidelines.
           The guidelines describe minimum requirements for each of three levels of risk—high,
           medium, and low. Guidelines require that each higher risk category incorporate the
           controls of lower risk categories. For example, a “high” risk level incorporates controls
           from each of the three levels of risk—high, medium, and low. Similarly, “medium” risk
           includes controls for both medium and low risk levels.

GAO/AIMD-00-33 Information Security Risk Assessment                                                    37
Reporting and Ensuring That Agreed Upon Actions Are Taken
After determining the minimum set of controls, the team compares those required
controls with controls already in place and identifies any gaps. The team prepares a
short statement summarizing the outcome and documenting its decisions and decision-
making process. It then provides the regional office a copy of the risk assessment table.
 Guidelines require the business unit being assessed to retain the completed matrix and
documentation supporting the outcome, such as major threats considered, and major
decision points, such as the team's rationale used in arriving at the appropriate level of

If there are areas where additional controls are needed to meet minimum requirements,
the business unit manager develops an action plan and submits it to the regional office.
The plan includes those controls the business unit manager believes would provide the
level of protection appropriate for the risk associated with the asset. Factors
considered are security exposures, the level of risk associated with the business
function or activity, the costs of implementing the controls, and the impact of
noncompliance on other business units or operations within the organization.

If the business unit believes that the time needed to implement controls is too lengthy or
the steps required are too costly, the business unit manager may request a waiver. The
business unit manager must describe the rational for the waiver and what compensating
controls the unit has or will implement. The regional office has a standing committee to
approve or deny requests for waivers; however, the central office must approve or deny
requests that may impact the entire organization or multiple regional offices. If a waiver
is approved, it is usually approved for a period not to exceed 1 year.

In early 1997, the regional information security office began using an internally
developed software program to monitor compliance with applicable policies and
safeguards. Regional officials said that use of this program facilitates preparing reports
to high-level officials and provides easy access to individuals with a need to know. The
tracking system contains information on the regional office's business units, such as
operations descriptions, risk assessment results, and associated policy and safeguard
compliance. The system keeps this information in a central database with distributed
access to business unit personnel responsible for ensuring compliance and to the
regional security office.

38                                     GAO/AIMD-00-33 Information Security Risk Assessment
 Case Study 4:
 Computer Hardware and Software Company

Distinguishing Characteristics
      Used expert system to analyze data and develop recommendations.
      Conducted extensive quality review of data.
      Included risk assessment as part of employee performance expectations.

This organization uses a defined risk assessment process to ensure that information
security controls in place comply with established requirements. The risk assessment
process was initiated due to the company’s efforts to pursue more secure electronic
commerce and increased integration of information systems within the company and
with its customers, suppliers, and stockholders. Using a combination of qualitative and
quantitative methods, the process is designed to take advantage of the company’s expert
knowledge of its applications and related security requirements, scale results in such a
way as to minimize unreasonable recommendations, and establish the minimum
adequate amount of security across the company. The execution of the process
identifies and documents the current security controls in place for the operations under
assessment, identifies the current risks to the systems, and identifies additional controls
needed to provide an appropriate level of risk mitigation.

As a hardware/software company, the organization provides its customers with network
hardware and software, support services, and consulting services. The company
conducts business in over 110 countries and operates its network in over 68 of those
countries. It uses thousands of systems to execute the day-to-day functions of the
company, including numerous network connections to customers, suppliers, and
partners. Protecting the information resources that support these operations is
especially challenging at this company because its engineering culture thrives on
openness and sharing of data.

The key steps of the process are shown in the following diagram and discussed in
greater detail in subsequent pages.

GAO/AIMD-00-33 Information Security Risk Assessment                                      39
Figure 9: Risk Assessment Process Diagram 4
                         Step             Individuals Involved

                                                                     Analysis Phase
  Data Gathering Phase
                                                                    Identify deviations
   Determine controls                                            between current controls
    currently in place                                            & established control
    Identify business                                            Determine the adequacy
  concerns & potential
                                                                  of the current controls
                                                                  recommendations for
Information technology
                                                                    additional controls
    & business team
                                                                  Quantify gap between
                                                                    current controls
                                                                    & desired policy
                                Perform quality                      Create security
                                    review                           specifications
                                                                  Software program
                           Quality review team



                                                                 Decide what actions to
                                                                   take to close gap

                                                                 Business unit manager
                                                                    & information
                                                                  Technology manager

                                                                      Register plan

      40                                  GAO/AIMD-00-33 Information Security Risk Assessment
Initiating a Risk Assessment
At this company, organizational policy requires the corporate information security group
to initiate risk assessments based on the importance of the operations and the time
lapse from the last assessment. Business unit managers assist in determining what the
most important operations are within their business units. The general expectation is
that risk assessments are to be performed on important operations annually. In
instances where the operation is extremely critical or has changed significantly, risk
assessments could be performed more often. In addition, at any time, business unit
managers can request that a risk assessment be performed.

The risk assessments are associated with three types of activity—(1) development of
new computer systems, (2) procurement of production systems from other vendors, or
(3) improvement of legacy system security features—and, generally, are limited in scope
to a primary business process and supporting systems. The supporting systems include
the software, databases, and the hardware and network technology supporting the
software, as well as the people who use and rely on these resources. Business unit
managers are responsible for executing the risk assessments associated with their unit's
computer-based operations, and such responsibilities are generally documented in their
performance expectations.

Once a decision is made to perform a risk assessment, the business unit manager forms
a team of information technology and business experts to conduct the first part of the
assessment, which entails collecting data. The size of the team depends on the number
of business and technical people involved in the operation being assessed. Often 12 to
14 people are part of the team, but the number can vary. In addition, the organization
uses a cadre of other individuals to perform risk assessment tasks, including performing
quality reviews, analyzing the results using a software tool, and facilitating the process
across the organization.

Conducting and Documenting the Assessment
The organization's risk assessment process involves (1) using a questionnaire to compile
information on the value of critical operations and assets, policies and controls in place,
and other system attributes and (2) comparing this information with predetermined
policy and control requirements. The company has developed a software program that
automatically performs this comparison. When the analysis identifies an area that does
not meet the established control requirements, the software program automatically
accesses a database of suggested control solutions that has been developed by company
experts. These control solutions form the basis of recommendations generated by the

GAO/AIMD-00-33 Information Security Risk Assessment                                      41
Data Gathering Phase

During this phase, the team completes a questionnaire, developed by the organization
for the risk assessment process, to determine what controls are currently in place over
the operations being assessed. An individual experienced in applying the questionnaire
assists the team and helps ensure greater quality and consistency of the answers and
greater certainty that the team members provide accurate answers.

At the time of our study, the questionnaire, which is continually subject to change, had
260 multiple choice questions divided into the following categories:

     valuation of the operation,
     policy implementation,
     authorization process,
     authentication process,
     identification process,
     disaster recovery,
     physical security,
     incident response,
     configuration criteria,
     configuration management, and
     graphical inventory of the systems architecture

The multiple choice questions have been designed to precisely capture a description of
existing operations and controls. Examples of the types of questions included are
shown in the following box.

42                                    GAO/AIMD-00-33 Information Security Risk Assessment
 Figure 10: Questionnaire Items Related to Authorization

 1. Estimate the percentage of user population accessing this application regularly
    from the following sites. From those sites with access, enter the percentage
    value for the appropriate site. (Total of all answers may exceed 100%.)
     a.   from primary organization campuses,
     b.   from private homes,
     c.   from kiosks,
     d.   from contractor, partner, or supplier sites with whom there is a written contract to
          manage info-security,
     e.   from customer sites,
     f.   from sites with nomadic accounts,
     g.   from executive suites,
     h.   from anywhere,
     i.   from contractor, partner, or supplier site without info-security contract, and/or
     j.   unknown.

 2. Estimate the number of administrators and other key staff listed below for this
    application system. [Comment: The purpose of this question is to determine the
    number of people who are in key positions to effect the security of the system.
    Please be sure to count the number of staff associated with this application from
    all organizations involved.]
     a.   database administrators,
     b.   application administrators,
     c.   system administrators,
     d.   access control and account administrators,
     e.   technical support operations,
     f.   security administrators or coordinators,
     g.   IT developers, and/or
     h.   unknown.

The company treats the “valuation of the operation” section of the questionnaire as a
separate phase of the risk assessment. During this phase, the team determines (1) what
consequences need to be protected against, assuming an attack or other damaging event
occurs and (2) what the likely damage to the company would be as a result of such
events. Because these valuations are considered very subjective, the team relies on the
assistance of additional experts with specific finance related knowledge, who are
typically from the company controller’s office. The information developed during this
phase is critical to determining the significance of any control deficiencies that may be
identified later in the analysis.

The team first determines what consequences could occur. The company has defined
potential damage as including fraud, operational outage, embezzlement, extortion, theft
of intellectual properties, regulatory violations, or diminishment of the organization's

GAO/AIMD-00-33 Information Security Risk Assessment                                              43
image. Although the questionnaire is intended to be comprehensive, the company
recognizes that additional types of damage may need to be considered.

Once it is determined what consequences apply to the operations under assessment, the
team estimates the level of damage that could result from these consequences by
considering the potential costs of restoration and recovery, as well as secondary effects,
such as embarrassment and loss of credibility. Estimating the cost of secondary effects
is especially difficult because of the uncertainty associated with the ultimate impact on
such intangible factors. For example, the cost of restoring a damaged web site is much
easier to estimate than the cost of recovering from the embarrassment and loss of
credibility from such damage.

Usually, the team can complete the entire questionnaire in 1 to 2 hours. In cases where
the team members are less familiar with the application, it can take up to 12 hours or
more because people with additional expertise are contacted to assist in completing the
questions. Once the questionnaire is completed, additional individuals perform an
extensive quality review that analyzes the answers for completeness, reasonableness
and consistency. Often, it takes as many as five reviews to attain the required quality.
The time taken to complete the quality review varies by assessment from a few hours to
several days to even weeks in rare cases. The quality review benefits the process by
ensuring that (1) the data used are complete and the best available and (2) the questions
are consistently applied and interpreted. Redundancy is also built into the questions to
help the quality review determine if the team thoroughly considered the questions.

Analysis Phase

After the quality review is completed, the analysis group inputs the information about
the current controls, as derived from the questionnaire’s answers, into a software
program. The software program compares these controls to control requirements
documented in the company’s information security policies. The database of over 400
information security control requirements, which is referred to as a “policy library” by
the organization, represents a consensus of the experience and best judgment of a broad
group of business and information technology experts organizationwide. The analysis
performed by the software identifies instances where existing controls do not meet the
company’s suggested control requirements.

Using the results of this comparison, additional information from the questionnaire, and
a defined list of 180 control techniques, the software automatically proposes control
techniques to achieve compliance with the control objectives. Each control technique,
or countermeasure, can have up to five different strength levels, which generally depend
on the specific type of control technique chosen and the rigor of associated enforcement
efforts. Examples of strength levels for information security training are shown in the
following box.

44                                    GAO/AIMD-00-33 Information Security Risk Assessment
 Figure 11: Example of Five Strength Levels for Security Training

 Level 1     No specific training requirement exists, so compliance with the requirements
             is not measured.

 Level 2     Security training requirements exist, and business unit managers record
             completion of the training, but compliance is not independently verified.

 Level 3     Security training requirements exist, and the business unit managers
             determine in advance the required percentage of compliance among the
             individuals involved in that operation. During the periodic risk assessment, a
             comparison is done to assure compliance with the
             established percentage.

 Level 4     Same as Level 3.

 Level 5     Security training requirements exist, and the business unit manager is
             responsible for tracking and verifying that all individuals involved in
             the operation are compliant.

Next, the analysis group reviews and further refines the proposed recommendations
using a software tool that considers a number of factors, such as the number of users,
number of access paths, and effects on other systems. The organization has also
designed the software tool to consider detailed requirements for individual
circumstances. For example, systems with more than 150 users require more rigid
account management procedures to be in place than do systems with fewer users.
According to this company's policy, the attributes of these procedures for systems with
over 150 users should include:

       formal procedures for revocation or modification of terminated or inactive
       centrally assigned and monitored passwords;
       a unique password for each user, with 90-day mandatory password changing; and
       screening of new passwords for suitability prior to being accepted by system.

Based on the determinations made during the analysis, the analysis group finalizes the
recommendations. When necessary, systems engineers are brought into the process
from the information technology area of the business unit to perform an engineering
review of the assessment’s output and recommendations. The purpose of this review is
to determine the feasibility of the recommendations and to resolve any open issues
identified, such as the need for a detailed design review. The precise technical method
of implementing the recommended improvement is left to the judgment of personnel in
the business unit.

GAO/AIMD-00-33 Information Security Risk Assessment                                           45
Reporting and Ensuring That Agreed Upon Actions Are Taken

A series of standardized reports are produced from the risk assessment process,
including a detailed risk analysis report, a report describing the application's current
level of conformance to requirements, and recommendations for specific security
engineering design review. One of the key reports graphically shows, for each major
application, the deviation between the current controls and the controls suggested by
the company’s information security policy. In addition, the reports estimate the costs
for each recommended countermeasure, including costs for licenses, training,
development, implementation, and recurring support.

The business unit head considers the information in these reports when deciding what
new controls to implement. If the business unit head believes that certain
recommendations are not cost-effective, he or she can discuss the concerns with the
company’s information security managers and negotiate alternative actions.

Because business and information technology managers are being held accountable for
making information security improvements, the organization has developed a number of
management tools to assist them. There are over 12 management reports used to gauge
the organization’s progress in achieving established information security goals. In
addition, the organization has instituted audit and measurement procedures to ensure
the effectiveness of actions taken and that these actions have not adversely affected
system operations. Company officials emphasized the importance of managing the
changes resulting from the information security risk assessments. They stressed that
this requires instituting methods for monitoring the progress being made because
changes can be expensive and managers are usually reluctant to implement them—
especially when changes could adversely affect their business.

46                                     GAO/AIMD-00-33 Information Security Risk Assessment
  Appendix I

GAO Guides on Information Technology Management

Executive Guide: Information Security Management: Learning From Leading
Organizations (GAO/AIMD-98-68, May 1998).

Executive Guide: Measuring Performance and Demonstrating Results of
Information Technology Investments (GAO/AIMD-98-89, March 1998).

Business Process Reengineering Assessment Guide (GAO/AIMD-10.1.15, April
1997, Version 3).

Assessing Risks and Returns: A Guide for Evaluating Federal Agencies’ IT
Investment Decision-making (GAO/AIMD-10.1.13, February 1997, Version 1).

Executive Guide: Improving Mission Performance Through Strategic Information
Management and Technology (GAO/AIMD-94-115, May 1994).

GAO/AIMD-00-33 Information Security Risk Assessment                        47
 Appendix II

Objectives and Methodology
The objectives of our study were to identify and describe (1) information security risk
assessment methods and (2) related critical success factors that could be considered by
federal agencies to improve their own processes. While recognizing that the methods
described here may not be suitable for all federal operations, our study was intended to
help provide ideas and options for agency officials to consider.

To identify organizations that had adopted successful methods, we solicited suggestions
from a variety of sources, including the National Institute of Standards and Technology,
Office of Management and Budget, private consulting firms, professional associations, a
risk assessment software developer, and GAO auditors who were familiar with agency
information security practices. These sources recommended over 30 private and public
sector organizations that were known to have strong security programs or be actively
pursuing improved risk assessment practices.

After initial discussions with a number of these organizations, we narrowed our focus to
four organizations that most closely met our criteria of having implemented
organizationwide information security risk assessment procedures that they considered
to be practical and useful and had been in place for at least a year. The organizations
selected included a multinational oil company, a regulatory organization, a financial
services company, and a computer hardware and software company.

To obtain an understanding of their risk assessment procedures, we visited each of
these organizations where we met with senior security officials to discuss and review
the various manual and software tools they had adopted. We also obtained and reviewed
each organization’s written policies, procedures, and other material related to assessing
information security risks. To verify our understanding of each organization’s practices
we conducted numerous follow-up inquiries and asked each organization to review our
written summaries for accuracy. We conducted our study from April 1998 through June

In August 1999, we issued an exposure draft of the guide and distributed it to federal
chief information officers and other senior federal officials. In addition, we made the
draft available for review by the general public through our web site. The comments we
received were generally favorable, and a few included suggestions for improvements.
We analyzed these suggestions and, where appropriate, made related modifications to
the guide.


48                                    GAO/AIMD-00-33 Information Security Risk Assessment
Ordering Information                                                   Leter

The first copy of each GAO report and testimony is free.
Additional copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order made
out to the Superintendent of Documents, when necessary, VISA and
MasterCard credit cards are accepted, also.

Orders for 100 or more copies to be mailed to a single address are
discounted 25 percent.

Orders by mail:

U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013

or visit:

Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000
or by using fax number (202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any list
from the past 30 days, please call (202) 512-6000 using a touchtone
phone. A recorded menu will provide information on how to obtain
these lists.

For information on how to access GAO reports on the INTERNET,
send an e-mail message with “info” in the body to:


or visit GAO’s World Wide Web Home Page at: