for example, specific mission/business processes or information resources (e.g., information, personnel, equipment, funds, and information technology). Organizations may include information from Business Impact Analyses with regard to providing impact information for risk assessments. Table H-2 provides representative examples of types of impacts (i.e., harm) that can be considered by organizations. Organizational assumptions about how to determine impacts and at what level of detail inform Task 2-5.

Risk Tolerance and Uncertainty

Organizations determine the levels and types of risk that are acceptable. Risk tolerance is determined as part of the organizational risk management strategy to ensure consistency across the organization. Organizations also provide guidance on how to identify reasons for uncertainty when risk factors are assessed, since uncertainty in one or more factors will propagate to the resulting evaluation of level of risk, and how to compensate for incomplete, imperfect, or assumption-dependent estimates. Consideration of uncertainty is especially important when organizations consider advanced persistent threats (APT), since assessments of the likelihood of threat event occurrence can have a great degree of uncertainty. To compensate, organizations can take a variety of approaches to determine likelihood, ranging from assuming the worst-case likelihood (certain to happen sometime in the foreseeable future) to assuming that if an event has not been observed, it is unlikely to happen. Organizations also determine what levels of risk (combination of likelihood and impact) indicate that no further analysis of any risk factors is needed.

Analytic Approach

Risk assessments include both assessment approaches (i.e., quantitative, qualitative, semi-quantitative) and analysis approaches (i.e., threat-oriented, asset/impact-oriented, vulnerability-oriented). Together, the assessment and analysis approaches form the analytic approach for the risk assessment. Organizations determine the level of detail and in what form threats are analyzed, including the level of granularity used to describe threat events or threat scenarios. Different analysis approaches can lead to different levels of detail in characterizing the adverse events for which likelihoods are determined. For example, an adverse event could be characterized in several ways (with increasing levels of detail): (i) a threat event (for which the likelihood is determined by taking the maximum over all threat sources); (ii) a pairing of a threat event and a threat source; or (iii) a detailed threat scenario/attack tree. In general, organizations can be expected to require more detail for highly critical missions/business functions; common infrastructures or shared services on which multiple missions or business functions depend (as common points of failure); and information systems with high criticality or sensitivity. Mission/business owners may amplify this guidance for risk hot spots (information systems, services, or critical infrastructure components of particular concern) in mission/business segments.

IDENTIFY INFORMATION SOURCES

TASK 1-4: Identify the sources of descriptive, threat, vulnerability, and impact information to be used in the risk assessment.

Supplemental Guidance: Descriptive information enables organizations to determine the relevance of threat and vulnerability information. At Tier 1, descriptive information can include, for example, the type of risk management and information security governance structures in place within organizations and how the organization identifies and prioritizes critical missions/business functions. At Tier 2, descriptive information can include, for example, information about: (i) organizational mission/business processes, functional management processes, and information flows; (ii) enterprise architecture, information security architecture, and the technical/process flow architectures of the systems, common infrastructures, and shared services that fall within the scope of the risk assessment; and (iii) the external environments in which organizations operate, including, for example, the relationships and dependencies with external providers. Such information is typically found in architectural documentation (particularly documentation of high-level operational views), business continuity plans, and risk assessment reports for organizational information systems, common infrastructures, and shared services that fall within the scope of the risk assessment. At Tier 3, descriptive information can include, for example, information about: (i) the design of and technologies used in organizational information systems; (ii) the environment in which the systems operate; (iii) connectivity to and dependency on other information systems; and (iv) dependencies on common infrastructures or shared services. Such information is found in system documentation, contingency plans, and risk assessment reports for other information systems, infrastructures, and services.

Sources of information as described in Tables D-1, E-1, F-1, H-1, and I-1 can be either internal or external to organizations. Internal sources of information that can provide insights into both threats and vulnerabilities can include, for example, risk assessment reports, incident reports, security logs, trouble tickets, and monitoring results. Note that internally, information from risk assessment reports at one tier can serve as input to risk assessments at other tiers. Mission/business owners are encouraged to identify not only the common infrastructure and/or support services they depend on, but also those they might use under specific operational circumstances. External sources of threat information can include cross-community organizations (e.g., US Computer Emergency Readiness Team [US-CERT]), sector partners (e.g., Defense Industrial Base [DIB] using the DoD-Defense Industrial Base Collaborative Information
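The Risk Tolerance and Analytic Approach guidance above describes three decisions that an assessment team has to make computable before Task 2-5 can run: how an uncertain likelihood estimate is resolved (worst-case versus "not observed, so unlikely"), how a threat event's likelihood is rolled up from its threat sources (characterization (i) takes the maximum over all sources; characterization (ii) keeps one likelihood per event/source pairing), and which risk levels fall below the organization's threshold for further analysis. The following Python script is an added illustration of those rules and is not NIST tooling or part of SP 800-30; the 0 to 10 semi-quantitative scales, the product rule for combining likelihood and impact, the band thresholds, the `stop_below` cut-off, and every threat event and source estimate are constructed assumptions chosen for the example.

```python
"""Roll up threat-event likelihood and impact into a risk level under an
explicit uncertainty policy.  Added example; all scales, thresholds and
sample data are assumptions constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed semi-quantitative scales: likelihood and impact are integers 0..10,
# risk score is their product (0..100).  Band floors are also an assumption.
LIKELIHOOD_MAX = 10
OBSERVED_DEFAULT = 5          # assumed moderate value for an observed but unestimated source
RISK_BANDS = ((80, "very high"), (64, "high"), (32, "moderate"), (10, "low"), (0, "very low"))


@dataclass
class SourceEstimate:
    source: str
    likelihood: Optional[int]   # None = analysts could not produce an estimate
    observed: bool = False      # has this source been seen initiating the event?


@dataclass
class ThreatEvent:
    name: str
    impact: int
    sources: List[SourceEstimate]
    apt: bool = False           # advanced persistent threat: uncertainty is higher


def resolve_likelihood(est: SourceEstimate, policy: str) -> int:
    """Apply the organization's uncertainty-compensation policy to one estimate."""
    if est.likelihood is not None:
        return est.likelihood
    if policy == "worst_case":            # certain to happen in the foreseeable future
        return LIKELIHOOD_MAX
    if policy == "observed_only":         # not observed => unlikely to happen
        return OBSERVED_DEFAULT if est.observed else 0
    raise ValueError(f"unknown uncertainty policy: {policy}")


def event_likelihood(event: ThreatEvent, policy: str) -> int:
    """Characterization (i): the event's likelihood is the maximum over all threat sources."""
    return max(resolve_likelihood(s, policy) for s in event.sources)


def pairwise_likelihoods(event: ThreatEvent, policy: str) -> Dict[str, int]:
    """Characterization (ii): one likelihood per (threat event, threat source) pairing."""
    return {s.source: resolve_likelihood(s, policy) for s in event.sources}


def risk_band(score: int) -> str:
    for floor, label in RISK_BANDS:
        if score >= floor:
            return label
    return "very low"


def assess(events: List[ThreatEvent], default_policy: str,
           apt_policy: str = "worst_case", stop_below: int = 10) -> Dict[str, dict]:
    """Return one record per event; further_analysis is False once the risk
    level falls under the organization's 'no further analysis' threshold."""
    results = {}
    for ev in events:
        policy = apt_policy if ev.apt else default_policy   # APT gets its own policy
        likelihood = event_likelihood(ev, policy)
        score = likelihood * ev.impact
        results[ev.name] = {
            "likelihood": likelihood,
            "impact": ev.impact,
            "score": score,
            "band": risk_band(score),
            "further_analysis": score >= stop_below,
        }
    return results


# Constructed sample register (not from any real assessment).
SAMPLE_EVENTS = [
    ThreatEvent("phishing to harvest credentials", impact=6, sources=[
        SourceEstimate("opportunistic criminal", likelihood=8, observed=True),
        SourceEstimate("insider", likelihood=3),
    ]),
    ThreatEvent("implant in shared service supply chain", impact=10, apt=True, sources=[
        SourceEstimate("nation-state actor", likelihood=None),   # no usable estimate
    ]),
    ThreatEvent("misconfiguration of isolated test system", impact=1, sources=[
        SourceEstimate("administrator error", likelihood=5, observed=True),
    ]),
]

if __name__ == "__main__":
    for name, r in assess(SAMPLE_EVENTS, default_policy="observed_only").items():
        tail = "" if r["further_analysis"] else "  (no further analysis needed)"
        print(f"{name}: L={r['likelihood']} I={r['impact']} score={r['score']} {r['band']}{tail}")
```

Running the script with the default policies shows the effect the guidance warns about: the APT event has no estimate at all, so under the worst-case policy it lands in the top band, while the same event under an "observed only" policy scores zero and would be screened out of further analysis. Which of those two outcomes is appropriate is exactly the risk-tolerance decision the organization has to record before the assessment starts.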