Risk Assessment Template

Uploaded by: 汽*** | Document ID: 509730228 | Upload date: 2023-05-06 | Format: DOCX | Pages: 29 | Size: 202.79 KB

RISK ASSESSMENT REPORT TEMPLATE

Information Technology Risk Assessment
For

Risk Assessment Annual Document Review History

The Risk Assessment is reviewed, at least annually, and the date and reviewer are recorded in the table below.

| Review Date | Reviewer |
|---|---|
| | |

TABLE OF CONTENTS

1 INTRODUCTION
2 IT SYSTEM CHARACTERIZATION
3 RISK IDENTIFICATION
4 CONTROL ANALYSIS
5 RISK LIKELIHOOD DETERMINATION
6 IMPACT ANALYSIS
7 RISK DETERMINATION
8 RECOMMENDATIONS
9 RESULTS DOCUMENTATION

LIST OF EXHIBITS

EXHIBIT 1: RISK ASSESSMENT MATRIX

LIST OF FIGURES

Figure 1 - IT System Boundary Diagram
Figure 2 - Information Flow Diagram

LIST OF TABLES

TABLE A: RISK CLASSIFICATIONS
TABLE B: IT SYSTEM INVENTORY AND DEFINITION
TABLE C: THREATS IDENTIFIED
TABLE D: VULNERABILITIES, THREATS, AND RISKS
TABLE E: SECURITY CONTROLS
TABLE F: RISKS-CONTROLS-FACTORS CORRELATION
TABLE G: RISK LIKELIHOOD DEFINITIONS
TABLE H: RISK LIKELIHOOD RATINGS
TABLE I: RISK IMPACT RATING DEFINITIONS
TABLE J: RISK IMPACT ANALYSIS
TABLE K: OVERALL RISK RATING MATRIX
TABLE L: OVERALL RISK RATINGS TABLE
TABLE M: RECOMMENDATIONS

1 INTRODUCTION

Risk assessment participants:

Participant roles in the risk assessment in relation to assigned agency responsibilities:

Risk assessment techniques used:

Table A: Risk Classifications

| Risk Level | Risk Description & Necessary Actions |
|---|---|
| High | The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets or individuals. |
| Moderate | The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets or individuals. |
| Low | The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets or individuals. |

2 IT SYSTEM CHARACTERIZATION

Table B: IT System Inventory and Definition

IT System Inventory and Definition Document

I. IT System Identification and Ownership

IT System ID:
IT System Common Name:
Owned By:
Physical Location:
Major Business Function:
System Owner / Phone Number:
System Administrator(s) / Phone Number:
Data Owner(s) / Phone Number(s):
Data Custodian(s) / Phone Number(s):
Other Relevant Information:

II. IT System Boundary and Components

IT System Description and Components:
IT System Interfaces:
IT System Boundary:

III. IT System Interconnections (add additional lines, as needed)

| Agency or Organization | IT System Name | IT System ID | IT System Owner | Interconnection Security Agreement Status |
|---|---|---|---|---|
| | | | | |

Table B: IT System Inventory and Definition (continued)

Overall IT System Sensitivity Rating and Classification

Overall IT System Sensitivity Rating (must be “high” if sensitivity of any data type is rated “high” on any criterion): High / Moderate / Low

IT System Classification (must be “Sensitive” if overall sensitivity is “high”; consider as “Sensitive” if overall sensitivity is “moderate”): Sensitive / Non-sensitive

Description or diagram of the system and network architecture, including all components of the system and communications links connecting the components of the system, associated data communications and networks:

Figure 1 - IT System Boundary Diagram

Description or a diagram depicting the flow of information to and from the IT system, including inputs and outputs to the IT system and any other interfaces that exist to the system:

Figure 2 - Information Flow Diagram

3 RISK IDENTIFICATION

Identification of Vulnerabilities

Vulnerabilities were identified by:

Identification of Threats

Threats were identified by:

The threats identified are listed in Table C.

Identification of Risks

Risks were identified by:

The way vulnerabilities combine with credible threats to create risks is identified in Table D.

Table D: Vulnerabilities, Threats, and Risks

4 CONTROL ANALYSIS

Table E documents the IT security controls in place and planned for the IT system.

Table E: Security Controls

| Control Area | In-Place/Planned | Description of Controls |
|---|---|---|
| 1 Risk Management | | |
| IT Security Roles & Responsibilities | | |
| Business Impact Analysis | | |
| IT System & Data Sensitivity Classification | | |
| IT System Inventory & Definition | | |
| Risk Assessment | | |
| IT Security Audits | | |
| 2 IT Contingency Planning | | |
| Continuity of Operations Planning | | |
| IT Disaster Recovery Planning | | |
| IT System & Data Backup & Restoration | | |
| 3 IT Systems Security | | |
