Information Security Risk Assessment: Practices of Leading Organizations
(Exposure Draft) (Guidance, 08/01/1999, GAO/AIMD-99-139).

GAO published a guide to aid federal managers in implementing an ongoing
information security risk assessment process. GAO provided case studies
of practical risk assessment procedures that have been successfully
adopted by four organizations known for their efforts to implement good
risk assessment practices.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  AIMD-99-139
     TITLE:  Information Security Risk Assessment: Practices of Leading
             Organizations (Exposure Draft)
      DATE:  08/01/1999
   SUBJECT:  Information resources management
             Private sector practices
             Computer security
             Internal controls
             Confidential communication
             Data integrity
             Information systems
             Hackers
             Risk management

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO report.  This text was extracted from a PDF file.        **
** Delineations within the text indicating chapter titles,      **
** headings, and bullets have not been preserved, and in some   **
** cases heading text has been incorrectly merged into          **
** body text in the adjacent column.  Graphic images have       **
** not been reproduced, but figure captions are included.       **
** Tables are included, but column delineations have not been   **
** preserved.                                                   **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
** A printed copy of this report may be obtained from the GAO   **
** Document Distribution Center.  For further details, please   **
** send an e-mail message to:                                   **
**                                                              **
**                                            **
**                                                              **
** with the message 'info' in the body.                         **
******************************************************************

GAO/AIMD-99-139
United States General Accounting Office

GAO Accounting and Information Management Division

August 1999

Information Security Risk Assessment

Practices of Leading Organizations

Exposure Draft

Preface

Managing the security risks associated with our government's growing
reliance on

information technology is a continuing challenge. In particular,
federal agencies, like many private organizations, have struggled
to find efficient ways to ensure that they fully understand the
information security risks affecting their operations and
implement appropriate controls to mitigate these risks.

This guide, which we are initially issuing as an exposure draft,
is intended to help federal managers implement an ongoing
information security risk assessment process by providing
examples, or case studies, of practical risk assessment procedures
that have been successfully adopted by four organizations known
for their efforts to implement good risk assessment practices.
More importantly, it identifies, based on the case studies,
factors that are important to the success of any risk assessment
program, regardless of the specific methodology employed.

The information provided in this document supplements guidance
provided in our May 1998 executive guide Information Security
Management: Learning From Leading Organizations (GAO/AIMD-98-68).
In that guide, we outlined five major elements of risk management
and 16 related information security management practices that GAO
identified during a study of organizations with superior
information security programs. One of the five elements identified
encompasses assessing risk and determining risk-reduction needs.
Contributors to this supplementary guide include Jean Boltz,
Ernest Dring, and Michael Gilmore.

You may submit comments before September 30, 1999, by phone,
e-mail, or regular mail to Jean Boltz at the following:

Phone: (202) 512-5247
E-mail: boltzj.aimd@gao.gov
Mail: Jean Boltz, AIMD
      U.S. General Accounting Office
      Room 4T21
      441 G Street, NW
      Washington, D.C. 20548

Jack L. Brock, Jr.
Director, Governmentwide and Defense Information Systems

Contents

Introduction
    Federal Guidance
    Risk Assessment Is an Essential Element of Risk Management
    Basic Elements of the Risk Assessment Process
    Challenges Associated With Assessing Information Security Risks

Overview of Case Study Findings
    Critical Success Factors
    Tools
    Benefits

Case Study 1: Multinational Oil Company
    Distinguishing Characteristics
    Initiating a Risk Assessment
    Conducting and Documenting the Assessment
    Reporting and Ensuring that Agreed Upon Actions are Taken

Case Study 2: Financial Services Company
    Distinguishing Characteristics
    Initiating a Risk Assessment
    Conducting and Documenting the Assessment

Case Study 3: Regulatory Organization
    Distinguishing Characteristics
    Initiating a Risk Assessment
    Conducting and Documenting the Assessment
    Reporting and Ensuring that Agreed Upon Actions are Taken

Case Study 4: Computer Hardware and Software Company
    Distinguishing Characteristics
    Initiating a Risk Assessment
    Conducting and Documenting the Assessment
    Reporting and Ensuring that Agreed Upon Actions are Taken

Appendix I - Objectives and Methodology

Tables
    Table 1: Risk Assessment Matrix
    Table 2: Risk Assessment Table

Figures
    Figure 1: Risk Management Cycle
    Figure 2: Risk Assessment Practices and Related Benefits
    Figure 3: Risk Assessment Process Diagram 1
    Figure 4: Risk Assessment Matrix
    Figure 5: Risk Assessment Process Diagram 2
    Figure 6: Abbreviated Example of Standardized Questionnaire
    Figure 7: Risk Assessment Process Diagram 3
    Figure 8: Elements Considered in Ranking Risk
    Figure 9: Risk Assessment Process Diagram 4
    Figure 10: Questionnaire Items Related to Authorization
    Figure 11: Example of Five Strength Levels for Security Training

Abbreviations
    GAO   General Accounting Office
    NIST  National Institute of Standards and Technology
    OMB   Office of Management and Budget

Introduction

The federal government is increasingly reliant on automated and
interconnected systems to perform functions essential to the
national welfare, such as national defense, federal payments, and
tax collection. The benefits of such activities include improved
government information processing and communication. However, the
factors that benefit government operations, speed of processing
and access to information, also increase the risks of computer
intrusion, fraud, and disruption.

Information systems have long been at some risk from malicious
actions or inadvertent user errors and from natural and man-made
disasters. In recent years, systems have become more susceptible
to these threats because computers have become more interconnected
and, thus, more interdependent and accessible to a larger number
of individuals. In addition, the number of individuals with
computer skills is increasing, and intrusion, or "hacking,"
techniques are becoming more widely known via the Internet and
other media.

Numerous government reports published over the last few years
indicate that federal automated operations and electronic data are
inadequately protected against these risks. These reports show
that poor security program management is one of the major
underlying problems. A principal challenge many agencies face is
in identifying and ranking the information security risks to their
operations, which is the first step in developing and managing an
effective security program. Taking this step helps ensure that
organizations identify the most significant risks and determine
what actions are appropriate to mitigate them.

Federal Guidance

The Office of Management and Budget (OMB), as part of Circular
A-130, Appendix III, "Security of Federal Automated Information
Resources," requires federal agencies to consider risk when
deciding what security controls to implement. It states that a
risk-based approach is required to determine adequate security,
and it encourages agencies to consider major risk factors, such as
the value of the system or application, threats, vulnerabilities,
and the effectiveness of current or proposed safeguards. The OMB
Director reiterated these responsibilities on June 23, 1999, when
he issued Memorandum 99-20, "Security of Federal Automated
Information Resources," reminding federal agencies that they must
continually assess the risk to their computer systems and maintain
adequate security commensurate with that risk. This memorandum was
issued in response to a spate of intentional disruptions of
government web sites.


The National Institute of Standards and Technology (NIST) also
recognizes the importance of conducting risk assessments for
securing computer-based resources. NIST's guidance on risk
assessment is contained in An Introduction to Computer Security:
The NIST Handbook, Special Publication 800-12, December 1995, and
Generally Accepted Principles and Practices for Securing
Information Technology Systems, published in September 1996.

Risk Assessment Is an Essential Element of Risk Management

As discussed in our May 1998 executive guide Information Security
Management: Learning From Leading Organizations (GAO/AIMD-98-68),
assessing risk is one element of a broader set of risk management
activities. Other elements include establishing a central
management focal point, implementing appropriate policies and
related controls, promoting awareness, and monitoring and
evaluating policy and control effectiveness.

Although all elements of the risk management cycle are important,
risk assessments provide the foundation for other elements of the
cycle. In particular, risk assessments provide a basis for
establishing appropriate policies and selecting cost- effective
techniques to implement these policies. Since risks and threats
change over time, it is important that organizations periodically
reassess risks and reconsider the appropriateness and
effectiveness of the policies and controls they have selected.
This continuing cycle of activity, including risk assessment, is
illustrated in the following depiction of the risk management
cycle.


Basic Elements of the Risk Assessment Process

Risk assessments, whether they pertain to information security or
other types of risk, are a means of providing decisionmakers with
information needed to understand factors that can negatively
influence operations and outcomes and make informed judgments
concerning the extent of actions needed to reduce risk. For
example, bank officials have conducted risk assessments to manage
the risk of default associated with their loan portfolios, and
nuclear power plant engineers have conducted such assessments to
manage risks to public health and safety. As reliance on computer
systems and electronic data has grown, information security risk
has joined the array of risks that governments and businesses must
manage. Regardless of the types of risk being considered, all risk
assessments generally include the following elements.

Overview of Case Study Findings

The organizations in our study recognized that risk assessments
were an integral part of

managing risks. They had developed various procedures and tools to
ensure that this aspect of their information security programs was
not neglected. They also recognized that the data on threat
likelihood and on the costs of risk reduction techniques were
limited, but they did not believe these limitations precluded
effectively exploring, understanding, and ranking information
security risks to their operations and assets. The procedures they
had implemented helped ensure that these risks were periodically
discussed and understood and that the most significant risks were
identified and addressed. In their view, achieving these benefits
far outweighed the costs of performing the risk assessment
procedures they had adopted.

Although all of the organizations had long considered various
risks to their business operations, their increased reliance on
networked computer systems in recent years had accentuated serious
and real vulnerabilities and prompted them to bolster their
efforts to assess information security risks. All had begun to
improve and better define their information security risk
assessment processes during the previous 2 to 4 years, and all
were continuing to refine the process as they gained experience.

Although their methods and tools varied, the organizations cited
similar practices that they considered to be essential to the
success of their risk assessment programs. They also cited similar
benefits, such as increased understanding of risks and support for
needed controls throughout the organization. The critical success
factors, methods and tools, and benefits are illustrated in the
following diagram.


Critical Success Factors

During our study, we identified a set of common critical success
factors that were important to the efficient and effective
implementation of the organizations' information security risk
assessment programs. These factors helped ensure that the
organizations benefited fully from the expertise and experience of
their senior managers and staff, that risk assessments were
conducted efficiently, and that the assessment results led to
appropriate remedial actions. As might be expected, several of
these factors are similar to the more general information security
management practices identified in our May 1998 executive guide.

Obtain Senior Management Support and Involvement

Senior management support was important to ensure that risk
assessments were taken seriously at lower organizational levels,
that resources were available to implement the program, and that
assessment findings resulted in implementation of appropriate
changes to policies and controls. This support extended to
participating in key aspects of the process, such as (1) assisting
in determining the assessment's scope and the participants at the
start of a new assessment and (2) approving the action plan
developed to respond to recommendations at the end. For example,
at the oil company we studied, business units were keenly aware of
the importance of conducting risk assessments due largely to the
expectations of senior executives and the related support they
provided. Security was paramount in this organization and failure
to comply with organizational risk assessment policy required
significant justification on the part of the business owner. Also,
senior managers at the unit being assessed were actively involved
in determining the scope of each assessment and in responding to
final results and recommendations.

Designate Focal Points

Groups or individuals had been designated as focal points to
oversee and guide the organizations' risk assessment processes.
These focal points facilitated the planning, performance, and
reporting associated with the organizations' risk assessment
programs and helped ensure that organizationwide issues were
appropriately addressed. All focal points were either located at
the corporate level or were members of a corporate- level
committee that coordinated the progress of the risk assessment
from an organizationwide viewpoint.

experienced individual helped reduce the amount of training
required for others involved in the process, such as those
responsible for collecting and analyzing data.

To successfully implement this unit-by-unit approach, provisions
had to be made for considering shared risks and risks associated
with infrastructure systems, such as electronic mail systems and
other shared resources, which supported multiple units of the
organization.

Such tools had been developed in-house or adapted from those used
by others, and most had been computerized to speed the
documentation process and to provide easy access to data and risk
assessment results.
Generally, the corporate offices responsible for overseeing risk
assessment activities periodically refined the tools as experience
was gained and best practices were identified.

Most of these tools were relatively simple aids to assessment and
reporting, although one organization had automated the majority of
its analysis process.

sensitive information; and be alert for suspicious events. This
understanding grew, in part, from improved communication between
business managers, system support staff, and security specialists.

Further, risk assessments provided a mechanism for reaching a
consensus on which risks were the greatest and what steps were
appropriate for mitigating them. The processes used encouraged
discussion and generally required that disagreements be resolved.
This, in turn, made it more likely that business managers would
understand the need for agreed upon controls, feel that the
controls were aligned with the unit's business goals, and support
their effective implementation. Officials at one organization told
us that controls selected in this manner were much more likely to
be effectively adopted than controls that had been imposed by
personnel outside of the business unit.

Finally, a formal risk assessment program provided an efficient
means for communicating assessment findings and recommended
actions to business unit managers as well as to senior corporate
officials. Standard report formats and the periodic nature of the
assessments provided organizations a means of readily
understanding reported information and comparing results among
units over time.

Case Study 1: Multinational Oil Company

Distinguishing Characteristics

Initiating a Risk Assessment

The organization's policy guidelines require that risk assessments
be performed prior to any significant change in a facility or
operation, after a serious security incident, or whenever a new
significant risk factor is identified. Regardless of these
considerations, the organization's objective is to assess or
reassess risk of all critical operations at least every 3 years.

Company guidelines direct the manager of a project, facility, or
segment of operations to notify his or her respective regional
security coordinator of the need for a risk assessment.
Notification is usually in writing. The regional coordinator then
notifies the organization's central security risk management
coordinator in writing of the upcoming assessment. Business units
are mindful of the need and significance of conducting risk
assessments due largely to the strong support given by the
organization's senior executives. Although the business manager is
primarily responsible for initiating risk assessments, the central
coordinator routinely reviews internal budget and project
documents to identify operational segments that may require a risk
assessment.

Conducting and Documenting the Assessment

The risk assessment process can be divided into three distinct
areas: planning and preparation, team risk assessment activities,
and report development.

Planning and Preparation

After notification of an upcoming risk assessment, the central
coordinator, in conjunction with senior managers in the business
unit, develops a risk assessment execution plan. This plan covers
assessment objectives and methodology, team size and composition,
and information requirements for conducting the assessment.
Developing the plan is an iterative process between the central
coordinator and business unit management. According to the central
coordinator, the final plan must receive business unit management
endorsement.

The risk assessment team is multidisciplined, usually consisting
of about five to eight individuals with specialized knowledge of
the business unit's assets and operations. Team members are
usually employees; however, on occasion, the team includes outside
consultants. Senior managers of the business unit select the team
with approval from either the regional or central coordinator. To
help ensure objectivity, the risk assessment team leader is
selected from outside the unit being assessed. In addition,
security specialists from the business unit in question are
usually not part of the risk assessment team; however, they are
interviewed to obtain information on security issues.

Individuals, primarily from the business unit, are the main source
of data on all aspects of business operations and assets. For this
reason, identifying knowledgeable individuals to be interviewed
and developing interview questions are critical parts of the
planning process that require careful attention and close
coordination between the business unit manager and the regional
and central coordinators. A wide array of individuals ranging from
senior managers to security specialists and contractors are
interviewed. Organizational guidance states that midlevel managers
from key business units are to be interviewed, including
individuals with knowledge of legal, safety, personnel, and
operations matters, as well as related processes.

The list of interview questions covers many areas of information
security, including information classification; information
storage, handling, destruction, and disposal; access controls; and
transmittal of mail, data, fax, video, and voice.

To help ensure that all credible threats are considered, this
company has established a separate corporate group that develops
and maintains threat data for use by the entire company, including
risk assessment teams. This group collects threat data from
internal and external sources, including federal intelligence
agencies and emergency response centers, such as those at Carnegie
Mellon University and Lawrence Livermore National Laboratory.
Based on this information, the group develops a "baseline threat
statement" that identifies the possible threats from outsiders,
insiders (trusted employees and support personnel), and system-
induced events (faulty processes). At the time of our study, the
baseline threat statement in use was four pages long.

The central coordinator told us that the costs of risk assessments
are divided between the corporate security office and the business
unit. The corporate security office pays the central coordinator's
salary and travel costs. The coordinator's travel costs are often
the main concern, since the organization has many overseas
operations, and assessments are generally conducted in the field.
Most team members are employed by the business unit being
assessed, so the cost of their time is covered by that unit.

Prior to convening, the central coordinator provides each team
member a 10- to 15-page package of information that includes a
copy of the agreed upon execution plan, an assessment schedule, a
copy of any previous risk assessment reports for the system or
facility being assessed, threat data, a summary describing the
risk assessment methodology, and a list of suggested interview
questions. Because of his familiarity with the tools and the
reporting requirements, the coordinator helps reduce the amount of
training required for team members.

Team Risk Assessment Activities

The primary focus of this phase is collecting and analyzing data
on threats and potential vulnerabilities and recommending
corrective actions to reduce or mitigate risks. This phase usually
takes about 5 days to complete: 3 days for data collection and
another 2 days for data analysis.

The first steps in this segment of the process are conducting
interviews with the knowledgeable individuals identified during
the planning stage and reviewing related documentation. Depending
on the scope, the team conducts 20 to 40 separate interviews
lasting about 1 hour each. To maintain objectivity, team members
usually do not interview superiors or co-workers. Although the
first 3 days are targeted toward conducting interviews, the team
convenes at the end of each day to start analyzing the information
collected during the interviews and to develop scenarios of
possible undesired and damaging events. In a typical information
security risk assessment, 10 to 20 scenarios are developed.

In developing scenarios, risk assessment teams consider how
current organizational policies or procedures may compromise the
organization's information resources and ultimately damage the
company. Considerations include disclosure of information to
unauthorized individuals and organizations, loss of information,
and inability to access company information due to computer
malfunction or loss of communications. As part of this, the team
considers the baseline threat statement, to which specific local
threat data have been added.

A scenario developed as part of a recent assessment was of an
employee with personal financial problems, unknown to corporate
managers, who might independently access highly sensitive and
confidential information on company operations and sell such
information to outsiders. In this case, the threat was an employee
with a strong incentive to misuse or disclose company assets for
personal gain. The asset at risk was proprietary information of
great value to the company.

Once the scenarios are complete, the team ranks them according to
how severe the effects of their damage or loss would be. To assist
in this process, the company has adopted and modified categories
originally developed by the Department of Defense to categorize
damage and/or loss, as follows.

Category I    Death, loss of critical proprietary information,
              system disruption, or severe environmental damage

Category II   Severe injury, loss of proprietary information,
              severe occupational illness, or major system or
              environmental damage

Category III  Minor injury, minor occupational illness, or minor
              system or environmental damage

Category IV   Less than minor injury, occupational illness, or
              less than minor system or environmental damage

The team then ranks the probability of scenarios materializing.
The following categories are used for this ranking.

Category A  Frequent - Possibility of repeated incidents
Category B  Probable - Possibility of isolated incidents
Category C  Occasional - Possibility of occurring sometime
Category D  Remote - Not likely to occur
Category E  Improbable - Practically impossible

For the scenario previously cited involving a company employee
selling proprietary data, the team concluded after consideration
of existing controls and a scenario cause-effect analysis that
such an event was probable (category B), in part because
background investigations for employees with access to highly
sensitive information were not updated frequently.

After severity and probability levels are determined for each
scenario, the team compares them to a predetermined set of four
categories that describe the company's policy on (1) which risks
are considered unacceptable and which are of less significance and
(2) the need for corrective action. Figure 4 illustrates the
matrix that the company uses to perform this analysis. The
accompanying category descriptions define the severity levels and
required action.

The above steps are facilitated by the use of an internally
developed software program, which captures information on
scenarios. The software proposes corrective actions based on a
list of security controls built into the software and provides a
related cost estimate. According to the central coordinator, the
software allows for real time, cost-benefit analysis of security
investments.

For each scenario requiring risk reduction, the team identifies
one or more possible corrective actions from a list of suggested
corrective actions predetermined by the organization. The
organization has established guidance on suggested types of
corrective actions for each of the four risk categories.

The team selects for recommendation the most appropriate
corrective actions based on (1) the effectiveness of the control
in reducing either the probability or severity of a potential
scenario and (2) cost. To illustrate the effect of the recommended
corrective actions, the risk assessment team recalculates the new
level of risk that would exist if the corrective actions were
implemented.

Reporting and Ensuring that Agreed Upon Actions are Taken

After the team develops and recommends corrective actions, it
prepares an exit briefing to discuss the assessment findings with
the business unit's management. This briefing usually takes about
45 minutes. The team will highlight high-risk scenarios, some of
which may require immediate action. After the briefing, the team
disbands. The central coordinator then prepares a draft report,
using a standard format, and distributes the report to team
members for comment. To ensure objectivity, each team member
independently reviews the draft. The team leader considers team
input, finalizes the report, and provides it to the business
owner. The team may provide the report to others in the
organization depending on the issues involved.

Within 2 months of receiving the risk assessment report, the
business unit is to develop an action plan for implementing the
report recommendations. In the event that the business unit
decides not to implement a recommendation associated with higher
risk scenarios, its managers must document their justification and
suggest an alternative solution for reducing the risk. If the
scenario has the potential for affecting other organizations, the
central coordinator meets with the unit manager to discuss and
approve the alternative solution. Corporate management does not
need to approve the business owner's alternative solution if the
impact is limited to the unit in question, or if the risk is at
either level 3 or 4. The action plan for addressing
recommendations and/or new alternatives is to identify actions
planned, resource requirements, responsible personnel for each
action, and a schedule for anticipated completion dates. Senior
business unit managers document approval of the plan in writing
and send copies to both the central and regional coordinators.

The central and regional coordinators monitor the status of each
recommendation until the recommendation is fully implemented. The
central coordinator maintains records on open recommendations and
issues quarterly status reports. Once a recommendation is closed,
the business owner prepares a closeout report and submits it to
the central and regional coordinators. Regional coordinators are
also responsible for ensuring that recommendations are implemented
and that periodic updates and verification occur, usually
annually.

Distinguishing Characteristics

Initiating a Risk Assessment

Business units initiate risk assessments based on each unit's
annually updated risk management plan. To develop a risk
management plan, a variety of information sources are used,
including prior risk plans and assessments, business plans, audit
reports, and the expertise of other business and technical
managers. The need for a risk assessment is based on a system's
criticality to business operations, the sensitivity of its
information, and the lapse of time and type of changes since the
last assessment. Generally, risk assessments are performed on
critical information systems about once a year.

In the risk management planning process, business managers are
asked to identify, based on their knowledge of the business unit's
operations, the most important systems to their business units.
Some business units have as few as five critical systems, while
others have as many as 130 critical systems. Based on this list,
business units focus their risk assessment activities on the top
10 to 20 critical systems. According to one official, performing
risk assessments for more than 10 to 20 applications would become
overwhelming, cumbersome, and strain limited resources. After the
systems are selected, the business managers classify the systems'
information as being high, medium, or low risk.

Next, the list of required assessments is further narrowed to the
most critical systems with the highest risk. The risk assessment
process for existing systems focuses on existing risks associated
with the security of the system being assessed. For new
applications, the unit attempts to build security into the systems
as they are developed so that security is a part of a system's
design from the start.

Conducting and Documenting the Assessment

The company has a standardized risk assessment process; however,
individual business units have some latitude in how assessments
are conducted. Each business unit head designates an individual,
directly under him or her, with continuing responsibility for
facilitating, coordinating, and executing the business unit's risk
assessment activities. Throughout the risk assessment process,
this focal point receives assistance from employees with expertise
in business operations and processes, information resource
management, systems use, and risk factors affecting multiple
business units. In addition, the organization's information
technology staff assists the focal point, as well as the business
unit's head, in understanding existing technical controls and
developing solutions to identified security weaknesses.

The time and effort taken to complete an individual assessment
varies from 1 to 2 days to several weeks, depending on the size
and complexity of the system being assessed. The system's use
across multiple business units also affects the time it takes to
complete an individual assessment. Typically, the focal point
dedicates the equivalent of one full day's work to an individual
assessment, while each of the participants dedicates no more than
the equivalent of 1 week of work.

Select System and Prepare for Assessment

Once a system is selected from those identified in a unit's risk
management plan, the focal point collects preliminary information
from the business unit's managers and from documents, such as
project initiation and definition reports, audit reports, and
functional specifications. The focal point also determines the
changes made to the system since the last assessment and
identifies from the documentation the technical components of the
system. In addition, qualitative aspects of the system are
documented, including a brief description of the system's purpose,
functionality, and location; the system's user authentication
procedures; and the procedures for establishing new user accounts
and access privileges.

Hold Meetings to Rank Information Criticality and Identify
Existing Controls

After gathering preliminary information, the focal point schedules
a meeting to reach a consensus regarding the level of risk
associated with the selected system and identify the existing
technical controls and manual processes to mitigate system risks.
Generally, the focal point selects individuals from the business
unit to participate in the meeting who have expertise in business
operations and processes, information resource management,
information technology, and system use. The focal point also
includes employees with knowledge of conditions outside the
business unit that may affect information security risk, such as
political and economic conditions in specific geographic regions.

Prior to the meeting, the focal point sends the participants a
standardized questionnaire so that they have an opportunity to
informally consider the system's characteristics in comparison to
the company's control requirements. The questionnaire serves as a
tool for documenting the selected system's compliance or
noncompliance with specific control techniques established in the
company's security standards for operating systems, networks, data
stores, and applications. The questionnaire organizes specific
control techniques under nine control elements-- authentication,
access control, environmental integrity, information integrity,
confidentiality, availability, audit, nonrepudiation, and
administration. The control techniques are further divided into
either mandatory or optional requirements. The mandatory
requirements are the minimum set of information security controls
that is required for all operations and represent the
organization's "target information security environment." The
optional requirements are additional security controls that may be
required for certain higher risk operations. These risk levels and
the classification of the system's information are factors
established during the risk management planning step. The optional
requirements provide greater control over systems or information
that is especially important to the business unit or perceived to
be at especially high risk. An abbreviated example of the
questionnaire follows.

Figure 6: Abbreviated Example of Standardized Questionnaire

                                          Standards
                   Operating system   Network            Data store         Application
Control elements   Complies Discuss   Complies Discuss   Complies Discuss   Complies Discuss

1. Authentication
   -- The identity of all users currently logged onto the system
      must be internally maintained

these evaluations, the participants determine the level of threat
to the system. According to one organization official, any greater
refinement of the analysis is not valuable. The focal point
documents the decisions made during the meeting. Most of this
documentation is subsequently maintained in a database, where it is
available to other business units. Although use of the database
varies across the business units, it is especially valuable for
providing information on assessments done on systems used by
multiple business units.

In addition, the focal point determines and documents the system's
minimum security requirements based on the final results of the
questionnaire and the level of threat to the system established
during the meeting. The focal point's decisions are not formally
approved by anyone, but they are summarized in quarterly reports
that also describe the status of the systems in their business
units using a simple red, yellow, and green scheme to show the
level of risk to the system. The company's chief information risk
officer and his staff carefully review these scorecards and ask
for justification regarding questionable decisions.

A risk assessment is stopped at this point if it is discovered
that the system being assessed has low criticality and
sensitivity. Typically, the only time that a low-risk system
would be assessed is when external connectivity is an issue, for
example, if a business unit wanted to provide network access to a
third-party vendor.

Compare Controls with Mandatory and Optional Requirements to
Identify Security Exposures

During this step, the focal point analyzes the system's compliance
with the minimum security requirements, as established in the
previous step, and determines the acceptable level of risk
exposure for the system. When unacceptable exposures are found
because there is a difference between the system's minimum
security requirements and the controls in place, there are two
possible courses of action. First, if there are solutions or
compensating controls that are feasible and can be implemented in
a reasonable time, then the focal point can develop preliminary
recommendations for addressing those exposures. Otherwise, the
business unit manager must accept the risk exposure and a risk
acceptance statement is created, as discussed later. During this
step, the information technology staff and system users are
consulted to assist in the identification of security solutions
and recommendations.

Recommend Solutions to Mitigate Exposures

If feasible solutions or compensating controls exist for the
information security exposure(s) identified in the previous step,
the focal point and the business unit's information manager
develop an action plan that documents the business unit's
recommendations to mitigate the exposure by implementing new or
strengthened controls. The action plan includes the steps to be
taken, the time frame for completion, and the responsible groups
within the business unit. The length of the action plan varies,
though according to one focal point, the plan should be concise
and focus on a few key recommendations. The business unit head
makes the final decision in regard to what actions are taken to
correct the exposure(s) and is responsible for executing those
actions. After the recommendations have been implemented, the
focal point initiates another analysis to ensure that the controls
have been properly implemented and that the exposure no longer
exists or the risk has been reduced.

Develop Risk Acceptance Statement for Remaining Exposures

If the security solution or compensating control for the
identified exposure(s) is not feasible or cannot be implemented
promptly, the business unit head is informed about the exposure
and its potential impact on the business unit's operations. If the
risk exposure is exclusively related to the business unit's
systems or operation, then the business unit head is responsible
for deciding if the risk should be accepted. If the risk exposure
affects multiple business units or the corporation's overall
network, the responsibility for accepting the risk escalates to
higher management levels, typically the chief information officer,
for a decision.

If the responsible manager is willing to accept the risk, a risk
acceptance statement is prepared that explains why an exception to
a mandatory or appropriate optional requirement is necessary. In
addition, the statement includes details about the risk and
exposure, compensating controls to be put in place, loss
potential, expiration date of the exception, and review
procedures. To ensure accountability, the statement is generally
prepared by the focal point and signed by the business unit head
or equivalent. Typically, risk acceptance statements are required
for all instances of noncompliance with standards that represent
material risks to the systems. Areas that are low risk and common
vulnerabilities that are generally known to exist typically do not
require a risk acceptance statement. If the business unit head is
unwilling to accept the risk, recommendations to reduce or
eliminate the exposure(s) are developed, as discussed previously.

Approve the Risk Acceptance Statement

After the risk acceptance statement is completed and signed by the
responsible manager, it is submitted for review and approval to
the corporate information risk group, global information risk
coordinator, relevant audit staff, and other interested parties.
In cases where the accepted risks could impact the corporate
network, a committee made up of representatives from all of the
business units also reviews the statement.

The corporate information risk group grants the exception to the
security requirement if there is concurrence by all of the
reviewing parties that there would be no detrimental effect on the
other business units. If it is determined that an exception will
affect other business units, the request is escalated to higher
management levels, typically to the chief information officer, for
approval. Generally, a consensus is reached that accommodates the
exception but entails additional compensating controls to reduce
the exposure.

An approved exception is typically good for 6 to 12 months,
depending on the circumstance. When the exception expires, the
decision is re-evaluated by the corporate information risk group.
During the re-evaluation, the group determines if the exposure
still exists, what progress has been made to mitigate the
exposure, and if the acceptance of the exposure is still
appropriate. If the group decides that acceptance of the exposure
is still appropriate, the exception is extended. If not, the
business unit's manager and focal point must develop means to
eliminate or further mitigate the exposure.

Document Results

All information risk assessments are documented in a database, as
previously mentioned. Even when no corrective actions are needed,
the documentation may be useful in subsequent analyses and as
input for future risk management plans and risk assessments. Paper
copies of the risk acceptance statements are maintained so that
the chief information risk officer's staff can monitor expiration
dates and related actions underway by business units.

Additional documentation that is provided to corporate-level and
business unit management consists of risk assessment reports, the
status of summary databases, and the business unit's external
connectivity status. The internal auditors also use the
documentation to review the decisions made by the focal points and
other participants during the risk assessment process. According
to one official, the internal audit reviews provide a valuable
service regarding the quality of the risk management
decision-making process.

Distinguishing Characteristics

Initiating a Risk Assessment

The organization's policy guidelines require business units to
conduct risk assessments at least once a year. Assessments are
also required when a new business operation is established or when
significant operational changes occur. Responsibility for
initiating the assessment lies with the business unit manager. The
regional audit department reviews compliance with the
organization's risk assessment requirements through annual audits
and reports any noncompliance to business unit management.

After identifying the need for a risk assessment, the business
unit manager determines the scope of the assessment and
establishes a risk assessment team. The assessment can cover an
entire unit or a specific segment of operations depending on how
information is accessed, processed, or disseminated. The
assessment team usually comprises five to seven individuals with
expert knowledge of the business unit's assets and operations, and
members from the region's information security office and audit
department. After the team convenes, a representative from the
region's information security office briefs team members on the
risk assessment process and provides them with organizational
guidance on conducting assessments.

Conducting and Documenting the Assessment

Risk assessment teams use predefined categories developed by the
central office for ranking risk assessments. The categories cover
specific elements that must be addressed for each assessment.
These elements include five areas of potential vulnerabilities,
four types of damage, and three possible consequences, as shown in
the following diagram. The purpose of predefined categories is to
ensure a consistent approach throughout the organization.

The central office has incorporated these elements into a set of
detailed guidelines for conducting information security risk
assessments. The office has also prepared a complementary training
manual elaborating on the guidelines and providing more detailed
step-by-step procedures.

Determining Risk Level

The team's first step is to evaluate possible threats to
information security that may affect the unit's operations and,
based on its knowledge of the operation being assessed, consider
the likelihood and consequences of the threat occurring.

The team assigns a risk level of high, medium, or low for each
area of vulnerability to show the possible effect of damage if the
threat were to occur. In completing this step, the risk assessment
team assumes that no controls are in place. (Later in the
assessment, existing controls are compared to a comprehensive set
of control requirements to identify shortfalls.) The team uses a
matrix to assist in its analysis of risk, as shown in the following
table:

Figure 8: Elements Considered in Ranking Risk (diagram not
reproduced; panel label: Areas of vulnerability)

Table 1: Risk Assessment Matrix

Areas of vulnerability and            Risk of         Risk of            Risk of loss of
possible effects of damage            monetary loss   productivity loss  customer confidence
                                      H   M   L       H   M   L          H   M   L

Personnel
  Unauthorized disclosure, modification, or destruction of information
  Inadvertent modification or destruction of information
  Nondelivery or misdelivery of service
  Denial or degradation of service

Facilities and equipment
  Unauthorized disclosure, modification, or destruction of information
  Inadvertent modification or destruction of information
  Nondelivery or misdelivery of service
  Denial or degradation of service

Applications
  Unauthorized disclosure, modification, or destruction of information
  Inadvertent modification or destruction of information
  Nondelivery or misdelivery of service
  Denial or degradation of service

Communications
  Unauthorized disclosure, modification, or destruction of information
  Inadvertent modification or destruction of information
  Nondelivery or misdelivery of service
  Denial or degradation of service

Software and operating systems
  Unauthorized disclosure, modification, or destruction of information
  Inadvertent modification or destruction of information
  Nondelivery or misdelivery of service
  Denial or degradation of service

After completing the matrix, the team summarizes its findings by
assigning a composite risk level to each of the five areas of
vulnerability on the matrix. The team does this by considering the
four potential types of damage identified under each area of
vulnerability and judgmentally assigning a risk level of high,
medium, or low to each area. The team then agrees on an overall
risk level for each vulnerability in the last column of the table
marked "Overall risk." Table 2 is used to record this step.

Table 2: Risk Assessment Table

                                Risk category
Areas of vulnerability          Monetary loss   Productivity loss   Loss of customer confidence   Overall risk

Personnel
Facilities and equipment
Applications
Communications
Software and operating systems

Identifying Needed Controls Based on Predetermined Requirements

After determining the overall risk level for each area of
vulnerability, the team identifies the minimum applicable controls
that are prescribed in its organizational guidelines. The
guidelines describe minimum requirements for each of three levels
of risk: high, medium, and low. Guidelines require that each
higher risk category incorporate the controls of lower risk
categories. For example, the high risk level incorporates controls
from all three levels of risk (high, medium, and low). Similarly,
medium risk includes controls for both the medium and low risk
levels.


Reporting and Ensuring that Agreed Upon Actions are Taken

After determining the minimum set of controls, the team compares
those required controls with controls already in place and
identifies any gaps. The team prepares a short statement
summarizing the outcome and documenting its decisions and
decision-making process. It then provides the regional office a
copy of the risk assessment table. Guidelines require the business
unit being assessed to retain the completed matrix and
documentation supporting the outcome, such as major threats
considered, and major decision points, such as the team's
rationale used in arriving at the appropriate level of risk.

If there are areas where additional controls are needed to meet
minimum requirements, the business unit manager develops an action
plan and submits it to the regional office. The plan includes
those controls the business unit manager believes would provide
the level of protection appropriate for the risk associated with
the asset. Factors considered are security exposures, the level of
risk associated with the business function or activity, the costs
of implementing the controls, and the impact of noncompliance on
other business units or operations within the organization.

If the business unit believes that the time needed to implement
controls is too lengthy or the steps required are too costly, the
business unit manager may request a waiver. The business unit
manager must describe the rationale for the waiver and what
compensating controls the unit has or will implement. The regional
office has a standing committee to approve or deny requests for
waivers; however, the central office must approve or deny requests
that may impact the entire organization or multiple regional
offices. If a waiver is approved, it is usually approved for a
period not to exceed 1 year.

In early 1997, the regional information security office began
using an internally developed software program to monitor
compliance with applicable policies and safeguards. Regional
officials said that use of this program facilitates preparing
reports to high-level officials and provides easy access to
individuals with a need to know. The tracking system contains
information on the regional office's business units, such as
operations descriptions, risk assessment results, and associated
policy and safeguard compliance. The system keeps this information
in a central database with distributed access to business unit
personnel responsible for ensuring compliance and to the regional
security office.

Case Study 4: Computer Hardware and Software Company

This organization uses a defined risk assessment process to ensure
that information security controls in place comply with
established requirements. The risk assessment process was
initiated due to the company's efforts to pursue more secure
electronic commerce and increased integration of information
systems within the company and with its customers, suppliers, and
stockholders. Using a combination of qualitative and quantitative
methods, the process is designed to take advantage of the
company's expert knowledge of its applications and related
security requirements, scale results in such a way as to minimize
unreasonable recommendations, and establish the minimum adequate
amount of security across the company. The execution of the
process identifies and documents the current security controls in
place for the operations under assessment, identifies the current
risks to the systems, and identifies additional controls needed to
provide an appropriate level of risk mitigation.

As a hardware/software company, the organization provides its
customers with network hardware and software, support services,
and consulting services. The company conducts business in over 110
countries and operates its network in over 68 of those countries.
It uses thousands of systems to execute the day-to-day functions
of the company, including numerous network connections to
customers, suppliers, and partners. Protecting the information
resources that support these operations is especially challenging
at this company because its engineering culture thrives on
openness and sharing of data.

The key steps of the process are shown in the following diagram
and discussed in greater detail in subsequent pages.

Distinguishing Characteristics


Initiating a Risk Assessment

At this company, organizational policy requires the corporate
information security group to initiate risk assessments based on
the importance of the operations and the time lapse from the last
assessment. Business unit managers assist in determining what the
most important operations are within their business units. The
general expectation is that risk assessments are to be performed
on important operations annually. In instances where the operation
is extremely critical or has changed significantly, risk
assessments could be performed more often. In addition, at any
time, business unit managers can request that a risk assessment be
performed.

The risk assessments are associated with three types of activity:
(1) development of new computer systems, (2) procurement of
production systems from other vendors, or (3) improvement of
legacy system security features, and they are generally limited in
scope to a primary business process and supporting systems. The
supporting systems include the software, databases, and the
hardware and network technology supporting the software, as well
as the people who use and rely on these resources. Business unit
managers are responsible for executing the risk assessments
associated with their unit's computer-based operations, and such
responsibilities are generally documented in their performance
expectations.

Once a decision is made to perform a risk assessment, the business
unit manager forms a team of information technology and business
experts to conduct the first part of the assessment, which entails
collecting data. The size of the team depends on the number of
business and technical people involved in the operation being
assessed. Often 12 to 14 people are part of the team, but the
number can vary. In addition, the organization uses a cadre of
other individuals to perform risk assessment tasks, including
performing quality reviews, analyzing the results using a software
tool, and facilitating the process across the organization.

Conducting and Documenting the Assessment

The organization's risk assessment process involves (1) using a
questionnaire to compile information on the value of critical
operations and assets, policies and controls in place, and other
system attributes and (2) comparing this information with
predetermined policy and control requirements. The company has
developed a software program that automatically performs this
comparison. When the analysis identifies an area that does not
meet the established control requirements, the software program
automatically accesses a database of suggested control solutions
that has been developed by company experts. These control
solutions form the basis of recommendations generated by the
analysis.
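The following is an added example, not code from the GAO report or
from either organization it describes. It models the two mechanisms
described above in one place: the third case study's rule that the
minimum controls for a risk level include all controls of the lower
levels (Tables 1 and 2 and the gap identification that follows
them), and this fourth case study's automated comparison of
questionnaire answers with control requirements, with each
shortfall looked up in an expert-built database of suggested
solutions. The control names, suggested solutions, sample matrix
ratings and controls in place are all constructed for illustration;
the report publishes none of the organizations' actual catalogs.
Taking the worst matrix cell as an area's overall rating is an
assumption standing in for the team's judgmental assignment.

```python
"""Risk-level to required-control mapping and automated gap analysis.

Added example (not from the GAO report). Catalogs and sample data are
hypothetical; the cumulative-control rule and the compare-then-suggest
flow are the ones the report describes.
"""

LEVELS = {"L": 0, "M": 1, "H": 2}  # rank order used to take the worst rating

AREAS = [
    "Personnel",
    "Facilities and equipment",
    "Applications",
    "Communications",
    "Software and operating systems",
]
DAMAGE_TYPES = [
    "Unauthorized disclosure, modification, or destruction of information",
    "Inadvertent modification or destruction of information",
    "Nondelivery or misdelivery of service",
    "Denial or degradation of service",
]
CONSEQUENCES = ["monetary loss", "productivity loss", "loss of customer confidence"]

# Hypothetical minimum-control catalog keyed by risk level. Only the names are
# invented; the rule that high includes medium and low comes from the text.
REQUIRED_CONTROLS = {
    "L": {"unique user ids", "password policy", "nightly backup"},
    "M": {"quarterly access review", "change control", "audit logging"},
    "H": {"two-factor authentication", "daily log review", "encryption at rest"},
}

# Hypothetical expert-maintained database of suggested control solutions.
SUGGESTED_SOLUTIONS = {
    "unique user ids": "Issue individual accounts and disable shared logins.",
    "password policy": "Enforce the corporate password standard on the platform.",
    "nightly backup": "Schedule nightly backups with an off-site copy.",
    "quarterly access review": "Have the data owner recertify access lists each quarter.",
    "change control": "Route production changes through the change board.",
    "audit logging": "Enable logging of authentication and privileged actions.",
    "two-factor authentication": "Require a token in addition to the password.",
    "daily log review": "Assign daily review of security logs to operations staff.",
    "encryption at rest": "Encrypt the data store with centrally managed keys.",
}


def composite_level(cells):
    """Worst H/M/L rating across the matrix cells for one area of vulnerability.

    Assumption: the report says the team assigns the overall level judgmentally;
    the worst cell is a conservative stand-in for that judgment.
    """
    return max(cells, key=LEVELS.__getitem__)


def controls_for(level):
    """Minimum controls required at `level`, cumulative over the lower levels."""
    required = set()
    for current in "LMH":
        required |= REQUIRED_CONTROLS[current]
        if current == level:
            break
    return required


def gap_analysis(matrix, controls_in_place):
    """Compare required controls with those reported in place, area by area.

    matrix: {area: {damage_type: {consequence: "H"|"M"|"L"}}} (Table 1 shape)
    controls_in_place: {area: set of control names from the questionnaire}
    Returns {area: {"level", "missing", "solutions"}} for the action plan.
    """
    report = {}
    for area in AREAS:
        cells = [matrix[area][dmg][con] for dmg in DAMAGE_TYPES for con in CONSEQUENCES]
        level = composite_level(cells)
        missing = controls_for(level) - controls_in_place.get(area, set())
        report[area] = {
            "level": level,
            "missing": sorted(missing),
            "solutions": {c: SUGGESTED_SOLUTIONS[c] for c in sorted(missing)},
        }
    return report


def sample_assessment():
    """Constructed sample: a mostly low-risk unit whose applications area was
    rated high for customer-confidence loss and whose communications area was
    rated medium for productivity loss."""
    matrix = {
        area: {dmg: {con: "L" for con in CONSEQUENCES} for dmg in DAMAGE_TYPES}
        for area in AREAS
    }
    matrix["Applications"][DAMAGE_TYPES[0]]["loss of customer confidence"] = "H"
    matrix["Communications"][DAMAGE_TYPES[3]]["productivity loss"] = "M"
    in_place = {
        "Applications": {"unique user ids", "password policy", "nightly backup",
                         "change control", "audit logging"},
        "Communications": {"unique user ids", "password policy", "nightly backup"},
        "Personnel": {"unique user ids", "password policy"},
    }
    return gap_analysis(matrix, in_place)


if __name__ == "__main__":
    for area, result in sample_assessment().items():
        print(f"{area}: overall risk {result['level']}, missing {result['missing']}")
```

Areas with no questionnaire answers at all (here "Facilities and
equipment" and "Software and operating systems") come back with every
low-level control missing, which is the behaviour a practitioner wants:
an unanswered section should surface as a gap for the quality review
rather than pass silently.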


Data Gathering Phase

During this phase, the team completes a questionnaire, developed
by the organization for the risk assessment process, to determine
what controls are currently in place over the operations being
assessed. An individual experienced in applying the questionnaire
assists the team and helps ensure greater quality and consistency
of the answers and greater certainty that the team members provide
accurate answers.

At the time of our study, the questionnaire, which is continually
subject to change, had 260 multiple choice questions divided into
the following categories:

The multiple choice questions have been designed to precisely
capture a description of existing operations and controls.
Examples of the types of questions included are shown in the
following box.


Figure 10: Questionnaire Items Related to Authorization

1. Estimate the percentage of user population accessing this
application regularly from the following sites. From those sites
with access, enter the percentage value for the appropriate site.
(Total of all answers may exceed 100%.)
   a. from primary organization campuses,
   b. from private homes,
   c. from kiosks,
   d. from contractor, partner, or supplier sites with whom there
      is a written contract to manage info-security,
   e. from customer sites,
   f. from sites with nomadic accounts,
   g. from executive suites,
   h. from anywhere,
   i. from contractor, partner, or supplier sites without an
      info-security contract, and/or
   j. unknown.

2. Estimate the number of administrators and other key staff
listed below for this application system. [Comment: The purpose of
this question is to determine the number of people who are in key
positions to affect the security of the system. Please be sure to
count the number of staff associated with this application from
all organizations involved.]
   a. database administrators,
   b. application administrators,
   c. system administrators,
   d. access control and account administrators,
   e. technical support operations,
   f. security administrators or coordinators,
   g. IT developers, and/or
   h. unknown.

The company treats the valuation of the operation section of the
questionnaire as a separate phase of the risk assessment. During
this phase, the team determines (1) what consequences need to be
protected against, assuming an attack or other damaging event
occurs and (2) what the likely damage to the company would be as a
result of such events. Because these valuations are considered
very subjective, the team relies on the assistance of additional
experts with specific finance related knowledge, who are typically
from the company controller's office. The information developed
during this phase is critical to determining the significance of
any control deficiencies that may be identified later in the
analysis.

The team first determines what consequences could occur. The
company has defined potential damage as including fraud,
operational outage, embezzlement, extortion, theft of intellectual
property, regulatory violations, or diminishment of the
organization's image. Although the questionnaire is intended to be
comprehensive, the company recognizes that additional types of
damage may need to be considered. Once it is determined what
consequences apply to the operations under assessment, the team
estimates the level of damage that could result from these
consequences by considering the potential costs of restoration and
recovery, as well as secondary effects, such as embarrassment and
loss of credibility. Estimating the cost of secondary effects is
especially difficult because of the uncertainty associated with
the ultimate impact on such intangible factors. For example, the
cost of restoring a damaged web site is much easier to estimate
than the cost of recovering from the embarrassment and loss of
credibility from such damage.

Usually, the team can complete the entire questionnaire in 1 to 2
hours. In cases where the team members are less familiar with the
application, it can take up to 12 hours or more because people
with additional expertise are contacted to assist in completing
the questions. Once the questionnaire is completed, additional
individuals perform an extensive quality review that analyzes the
answers for completeness, reasonableness and consistency. Often,
it takes as many as five reviews to attain the required quality.
The time taken to complete the quality review varies by assessment
from a few hours to several days to even weeks in rare cases. The
quality review benefits the process by ensuring that (1) the data
used are complete and the best available and (2) the questions are
consistently applied and interpreted. Redundancy is also built
into the questions to help the quality review determine if the
team thoroughly considered the questions.

Analysis Phase

After the quality review is completed, the analysis group inputs
the information about the current controls, as derived from the
questionnaire's answers, into a software program. The software
program compares these controls to control requirements documented
in the company's information security policies. The database of
over 400 information security control requirements, which is
referred to as a policy library by the organization, represents a
consensus of the experience and best judgment of a broad group of
business and information technology experts organizationwide. The
analysis performed by the software identifies instances where
existing controls do not meet the company's suggested control
requirements.

Using the results of this comparison, additional information from
the questionnaire, and a defined list of 180 control techniques,
the software automatically proposes control techniques to achieve
compliance with the control objectives. Each control technique, or
countermeasure, can have up to five different strength levels,
which generally depend on the specific type of control technique
chosen and the rigor of associated enforcement efforts. Examples
of strength levels for information security training are shown in
the following box.

Next, the analysis group reviews and further refines the proposed
recommendations using a software tool that considers a number of
factors, such as the number of users, number of access paths, and
effects on other systems. The organization has also designed the
software tool to
consider detailed requirements for individual circumstances. For
example, systems with more than 150 users require more rigid
account management procedures to be in place than do systems with
fewer users. According to this company's policy, the attributes of
these procedures for systems with over 150 users should include:

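The control-gap comparison and the user-count threshold rule described in this analysis phase, as an added example in Python that is not the company's tool and not part of the GAO report. The requirement ids, technique names, strength levels and the four-entry policy library are constructed; only the 150-user threshold comes from the text.

```python
# Added example (not from the GAO report or the company's software): a toy
# version of the policy-library gap analysis described in the text. Every
# requirement, technique and strength value below is constructed; the only
# figure taken from the report is the "more than 150 users" threshold.
from dataclasses import dataclass


@dataclass
class Requirement:
    id: str
    control: str        # control area the requirement covers
    min_strength: int   # required strength level, 1..5 (0 = control absent)
    technique: str      # countermeasure proposed when the requirement is unmet
    min_users: int = 0  # requirement applies only when users exceed this count


# Constructed stand-in for the "policy library" (the real one has over 400 entries).
POLICY_LIBRARY = [
    Requirement("R01", "security_training", 2, "annual awareness briefing"),
    Requirement("R02", "account_management", 2, "documented account request process"),
    Requirement("R03", "account_management", 4, "periodic access recertification",
                min_users=150),
    Requirement("R04", "access_control", 3, "role-based access control"),
]


def applicable(req, profile):
    """A requirement applies once the system's user count exceeds its threshold."""
    return profile["users"] > req.min_users


def gap_analysis(profile, current_controls, library=POLICY_LIBRARY):
    """Compare current control strengths (from questionnaire answers) with the
    library and return one proposed countermeasure per unmet requirement."""
    proposals = []
    for req in library:
        if not applicable(req, profile):
            continue
        have = current_controls.get(req.control, 0)
        if have < req.min_strength:
            proposals.append({"requirement": req.id, "control": req.control,
                              "current": have, "required": req.min_strength,
                              "deviation": req.min_strength - have,
                              "technique": req.technique})
    return proposals


def conformance(profile, current_controls, library=POLICY_LIBRARY):
    """Fraction of applicable requirements met, the figure a conformance report shows."""
    reqs = [r for r in library if applicable(r, profile)]
    met = sum(current_controls.get(r.control, 0) >= r.min_strength for r in reqs)
    return met / len(reqs) if reqs else 1.0
```

Feeding the same questionnaire answers for a 40-user and a 300-user system shows the larger system picking up the stricter account-management requirement and a lower conformance figure.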

Reporting and Ensuring Agreed Upon Actions are Taken

A series of standardized reports are produced from the risk
assessment process, including a detailed risk analysis report, a
report describing the application's current level of conformance
to requirements, and recommendations for specific security
engineering design review. One of the key reports graphically
shows, for each major application, the deviation between the
current controls and the controls suggested by the company's
information security policy. In addition, the reports estimate the
costs for each recommended countermeasure, including costs for
licenses, training, development, implementation, and recurring
support.

The business unit head considers the information in these reports
when deciding what new controls to implement. If the business unit
head believes that certain recommendations are not cost-effective,
he or she can discuss the concerns with the company's
information security managers and negotiate alternative actions.

Because business and information technology managers are being
held accountable for making information security improvements, the
organization has developed a number of management tools to assist
them. There are over 12 management reports used to gauge the
organization's progress in achieving established information
security goals. In addition, the organization has instituted audit
and measurement procedures to ensure the effectiveness of actions
taken and that these actions have not adversely affected system
operations. Company officials emphasized the importance of
managing the changes resulting from the information security risk
assessments. They stressed that this requires instituting methods
for monitoring the progress being made because changes can be
expensive and managers are usually reluctant to implement them,
especially when changes could adversely affect their business.


APPENDIX I

Objectives and Methodology

The objectives of our study were to
identify and describe (1) information security risk assessment
methods and (2) related critical success factors that could be
considered by federal agencies to improve their own processes.
While recognizing that the methods described here may not be
suitable for all federal operations, our study was intended to
help provide ideas and options for agency officials to consider.

To identify organizations that had adopted successful methods, we
solicited suggestions from a variety of sources, including the
National Institute of Standards and Technology, Office of
Management and Budget, private consulting firms, professional
associations, a risk assessment software developer, and GAO
auditors who were familiar with agency information security
practices. These sources recommended over 30 private and public
sector organizations that were known to have strong security
programs or be actively pursuing improved risk assessment
practices.

After initial discussions with a number of these organizations, we
narrowed our focus to four organizations that most closely met our
criteria of having implemented organizationwide information
security risk assessment procedures that they considered to be
practical and useful and had been in place for at least a year.
The organizations selected included a multinational oil company, a
regulatory organization, a financial services company, and a
computer hardware and software company.

To obtain an understanding of their risk assessment procedures, we
visited each of these organizations where we met with senior
security officials to discuss and review the various manual and
software tools they had adopted. We also obtained and reviewed
each organization's written policies, procedures, and other
material related to assessing information security risks. To
verify our understanding of each organization's practices, we
conducted numerous follow-up inquiries and asked each
organization to review our written summaries for accuracy. We
conducted our study from April 1998 through June 1999.

*** End of document. ***