2. Conduct research as needed to obtain information and support.
3. Complete the Executive Summary section of your report according to the Risk Assessment Reports Template guidelines.
Template Name: ______________
Risk Assessment Reports
This risk assessment report, adapted from NIST’s Special Publication 800-30, provides the essential elements of information that organizations can use to communicate the results of risk assessments. Risk assessment results provide decision makers with an understanding of the information security risk to organizational operations and assets, individuals, other organizations, or the Nation that derive from the operation and use of organizational information systems and the environments in which those systems operate.
The essential elements of information in a risk assessment can be described in three sections of the risk assessment report (or whatever vehicle is chosen by organizations to convey the results of the assessment): (i) an executive summary; (ii) the main body containing detailed risk assessment results; and (iii) supporting appendices.
Consult the NIST 800-30 Guide for Conducting Risk Assessments as you complete this report, paying special attention to Section 2.4, Application of Risk Assessments.
*Your report should focus on either Tier 1, Tier 2 or Tier 3.
Tip: Search for “Tier 1” or “Tier 2” or “Tier 3” throughout the NIST 800-30 document for references to these Tiers.
1. Executive Summary
Include the following:
· List the date of the risk assessment.
· Summarize the purpose of the risk assessment.
· Describe the scope of the risk assessment.
· For Tier 1 and Tier 2 risk assessments, identify: organizational governance structures or processes associated with the assessment (e.g., risk executive [function], budget process, acquisition process, systems engineering process, enterprise architecture, information security architecture, organizational missions/business functions, mission/business processes, information systems supporting the mission/business processes).
· For Tier 3 risk assessments, identify: the information system name and location(s), security categorization, and information system (i.e., authorization) boundary.
· State whether this is an initial or subsequent risk assessment. If a subsequent risk assessment, describe the circumstances that prompted the update and include a reference to the previous Risk Assessment Report.
· Describe the overall level of risk (e.g., Very Low, Low, Moderate, High, or Very High).
· List the number of risks identified for each level of risk (e.g., Very Low, Low, Moderate, High, or Very High).
2. Body of the Report: Part 1
Include the following:
Describe the purpose of the risk assessment, including questions to be answered by the assessment. For example:
· How the use of a specific information technology would potentially change the risk to organizational missions/business functions if employed in information systems supporting those missions/business functions; or
· How the risk assessment results are to be used in the context of the RMF (e.g., an initial risk assessment to be used in tailoring security control baselines and/or to guide and inform other decisions and serve as a starting point for subsequent risk assessments; subsequent risk assessment to incorporate results of security control assessments and inform authorization decisions; subsequent risk assessment to support the analysis of alternative courses of action for risk responses; subsequent risk assessment based on risk monitoring to identify new threats or vulnerabilities; subsequent risk assessments to incorporate knowledge gained from incidents or attacks).
· Identify assumptions and constraints.
· Describe risk tolerance inputs to the risk assessment (including the range of consequences to be considered).
· Identify and describe the risk model and analytic approach; provide a reference or include as an appendix, identifying risk factors, value scales, and algorithms for combining values.
· Provide a rationale for any risk-related decisions during the risk assessment process.
· Describe the uncertainties within the risk assessment process and how those uncertainties influence decisions.
3. Body of the Report: Part 2
Include the following:
· If the risk assessment includes organizational missions/business functions, describe the missions/functions (e.g., mission/business processes supporting the missions/functions, interconnections and dependencies among related missions/business functions, and information technology that supports the missions/business functions).
· If the risk assessment includes organizational information systems, describe the systems (e.g., missions/business functions the system is supporting, information flows to/from the systems, and dependencies on other systems, shared services, or common infrastructures).
· Summarize risk assessment results (e.g., using tables or graphs), in a form that enables decision makers to quickly understand the risk (e.g., number of threat events for different combinations of likelihood and impact, the relative proportion of threat events at different risk levels).
· Identify the time frame for which the risk assessment is valid (i.e., time frame for which the assessment is intended to support decisions).
· List the risks due to adversarial threats (see Table F-1 in Appendix F).
· List the risks due to non-adversarial threats (see Table F-2 in Appendix F).
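The executive summary asks for the number of risks at each level and the body asks for a summary of threat events by likelihood and impact. The following is an added Python example (my own, not part of the assignment template or of NIST SP 800-30) that combines each threat event's likelihood and impact rating into a level of risk and tabulates those two summaries. The combination matrix is my rendering of the semi-quantitative table in SP 800-30 Appendix I and the threat events are constructed sample data; both are assumptions, and the report's risk-model appendix should cite the actual table used.

```python
from collections import Counter

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Level of risk for each likelihood (row) x impact (column) pairing. Assumed:
# my rendering of SP 800-30 Appendix I, Table I-2; verify against the document.
RISK_MATRIX = {
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
}

def risk_level(likelihood, impact):
    """Combine one threat event's likelihood and impact into its level of risk."""
    if likelihood not in RISK_MATRIX or impact not in LEVELS:
        raise ValueError(f"unknown rating: {likelihood!r}/{impact!r}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]

def summarize(events):
    """Return (count per risk level, likelihood x impact grid, share per level)."""
    per_level = Counter({lvl: 0 for lvl in LEVELS})
    grid = {lk: {im: 0 for im in LEVELS} for lk in LEVELS}
    for ev in events:
        per_level[risk_level(ev["likelihood"], ev["impact"])] += 1
        grid[ev["likelihood"]][ev["impact"]] += 1
    total = sum(per_level.values())
    share = {lvl: (per_level[lvl] / total if total else 0.0) for lvl in LEVELS}
    return per_level, grid, share

def overall_level(per_level):
    """Overall level of risk: the highest level with at least one risk (a conservative choice)."""
    return next((lvl for lvl in reversed(LEVELS) if per_level[lvl]), "Very Low")

# Constructed sample threat events; "source" mirrors the Table F-1 / F-2 split.
SAMPLE_EVENTS = [
    {"id": "A-1", "source": "adversarial", "likelihood": "High", "impact": "Very High"},
    {"id": "A-2", "source": "adversarial", "likelihood": "Moderate", "impact": "Moderate"},
    {"id": "A-3", "source": "adversarial", "likelihood": "Low", "impact": "High"},
    {"id": "N-1", "source": "non-adversarial", "likelihood": "Moderate", "impact": "Low"},
    {"id": "N-2", "source": "non-adversarial", "likelihood": "Very Low", "impact": "Very High"},
]

if __name__ == "__main__":
    counts, grid, share = summarize(SAMPLE_EVENTS)
    print("Overall level of risk:", overall_level(counts))
    for lvl in LEVELS:
        print(f"{lvl:>9}: {counts[lvl]} risk(s), {share[lvl]:.0%} of threat events")
```

The `grid` value is the likelihood-by-impact table the body of the report asks for; `counts` and `overall_level` feed the executive summary.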