Free IT risk assessment template download and best practices
Here’s a structured, step-by-step IT risk assessment template for effective risk management and foolproof disaster-recovery readiness.
For disaster recovery (DR) planning, the IT risk assessment phase is a critical segment of risk management. Risk management encompasses three processes: risk assessment, risk mitigation, and evaluation. Risk management helps protect business-critical IT systems and data, thus deriving operational as well as economic benefits. A structured IT risk assessment template helps risk mitigation by providing the inputs to enforce controls, thus ensuring the organization is well prepared in case of a disaster.
Risk is a function of the likelihood of a given threat-source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. Here is a step-by-step instruction set on how to go about effective IT risk assessment, right from getting started with the exercise on to actually preparing the risk assessment, complete with a downloadable copy of a sample IT risk assessment template.
IT risk assessment methodology encompasses the following primary steps:
- System characterization
- Threat identification
- Vulnerability identification
- Control analysis
- Likelihood determination
- Impact analysis
- Risk determination
- Control recommendations and results documentation
System characterization
This step defines the scope of the IT risk assessment effort. It delineates the operational authorization boundaries and provides information about hardware, software, system connectivity, and the personnel responsible for defining the risk.
As detailed in the IT risk assessment template, develop and deploy appropriate questionnaires to obtain and document all possible information about the systems, including physical infrastructure and topology, people and processes, security and backup policies, criticalities, sensitivities, and controls for environmental factors such as temperature, humidity, water, pollution and chemicals.
Threat identification
Next, identify and document the threats to the system, tabulating them as threat sources and corresponding threat actions, as shown in the accompanying IT risk assessment template.
Threat sources are varied, ranging from hackers, crackers, terrorists and espionage agents to insiders (employees who are poorly trained, disgruntled, malicious, negligent, dishonest, or terminated). Sources could also be environmental or natural threats.
The actions emanating from threat sources are also varied, and range from hacking, social engineering and system intrusion, to information warfare, data theft, fraud, malicious code, sabotage, power outages, pollution, floods, earthquakes, landslides, and so on.
Vulnerability identification
Once threats are identified and documented, it is time to identify the vulnerabilities present in the system that can increase the probability of the aforementioned threats. The threat-to-vulnerability mapping is shown in the downloadable IT risk assessment template. Here are some examples:
Vulnerability | Threat source | Threat action
--- | --- | ---
Terminated employees’ IDs not removed from system | Terminated employees | Terminated employees access company proprietary data
Company firewall allows inbound telnet; guest ID is enabled on XYZ server | Unauthorized internal or external users | Using telnet to XYZ server and browsing system files with guest ID
Security patches provided by vendor not applied to the system | Hackers and other unauthorized users | Unauthorized access to sensitive files based on known system vulnerabilities
Data center fitted with sprinklers, but protective covering for equipment not in place | Fire, negligent persons | Water sprinklers being turned on in the data center
Control analysis
The goal of this step in IT risk assessment is to analyze the controls that have been implemented, or are planned for implementation, to minimize or eliminate the likelihood of a threat exercising a system vulnerability. Document the procedures in place to counter threats, such as antivirus policies and security policies.
Likelihood determination
The likelihood that a potential vulnerability could be exercised by a given threat-source should be classified as high, medium or low. High or medium likelihood indicates a highly motivated and sufficiently capable threat source against which controls are ineffective (high) or only partly effective (medium). Low likelihood indicates a threat source lacking in motivation or capability and against which controls are in place to prevent or impede the vulnerability from being exercised.
Impact analysis
Document the impact of a vulnerability exposure to the organization, classifying it as high, medium or low, as detailed in the downloadable IT risk assessment template.
One has to consider the degree of the impact resulting from exercise of a vulnerability in terms of the following:
- Loss of major tangible assets or resources.
- Harm or hindrance to the organization’s mission, reputation, or interests.
- Occurrence of human death or serious injury.
Risk determination
The purpose of this step in IT risk assessment is to assess the level of risk to the IT system. The determination of risk for a particular threat/vulnerability pair can be expressed as a function of:
- The likelihood of a threat-source attempting to exercise a given vulnerability.
- The magnitude of the impact should a threat-source successfully exercise the vulnerability.
- The adequacy of planned or existing security controls for reducing or eliminating risk.
The Risk-Level Matrix defined by the National Institute of Standards and Technology can be used to categorize the risk as high, medium or low:
Likelihood | Impact: Low (10) | Impact: Medium (50) | Impact: High (100)
--- | --- | --- | ---
High (1.0) | Low (10 × 1.0 = 10) | Medium (50 × 1.0 = 50) | High (100 × 1.0 = 100)
Medium (0.5) | Low (10 × 0.5 = 5) | Medium (50 × 0.5 = 25) | Medium (100 × 0.5 = 50)
Low (0.1) | Low (10 × 0.1 = 1) | Low (50 × 0.1 = 5) | Low (100 × 0.1 = 10)

Risk scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10)
The scale for analyzing the risk of each vulnerability, and the actions each level calls for, is as follows:

Risk scale and necessary actions

Risk level | Risk description and necessary actions
--- | ---
High | Strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.
Medium | Corrective actions need to be planned and incorporated within a reasonable period of time.
Low | The system’s DAA (designated approving authority) must determine whether corrective actions are required or whether the risk is tolerable.
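As an added worked example (not from the article or its downloadable template), the Risk-Level Matrix and risk scale above applied in Python to the sample vulnerabilities from the threat-to-vulnerability table; the likelihood and impact ratings given to each finding are assumptions for illustration, and the output is ordered highest risk first, the way a results document would list them.

```python
# Numeric weights from the Risk-Level Matrix on this page.
LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_WEIGHT = {"Low": 10, "Medium": 50, "High": 100}

# Necessary actions per risk level, paraphrased from the risk-scale table.
ACTIONS = {
    "High": "Strong need for corrective measures; corrective action plan as soon as possible.",
    "Medium": "Plan and incorporate corrective actions within a reasonable period.",
    "Low": "DAA decides whether corrective action is required or the risk is tolerable.",
}

def risk_score(likelihood: str, impact: str) -> float:
    """Likelihood weight x impact weight, e.g. Medium x High = 0.5 x 100 = 50."""
    return round(LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact], 6)

def risk_level(score: float) -> str:
    """Map a score onto the page's scale: High (>50 to 100), Medium (>10 to 50), Low (1 to 10).
    Boundary values stay in the lower band: 50 is Medium, 10 is Low."""
    if not 1 <= score <= 100:
        raise ValueError(f"score {score} is outside the 1..100 matrix range")
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"

def assess(findings):
    """findings: (vulnerability, likelihood, impact) triples, with likelihood already
    adjusted for existing controls. Returns (vulnerability, score, level, action)
    rows, highest risk first, so the results document lists what to fix first."""
    rows = []
    for vuln, likelihood, impact in findings:
        score = risk_score(likelihood, impact)
        level = risk_level(score)
        rows.append((vuln, score, level, ACTIONS[level]))
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed ratings for the example vulnerabilities in the table above; the
# likelihood/impact values are illustrative assumptions, not taken from the page.
SAMPLE_FINDINGS = [
    ("Terminated employees' IDs not removed from system", "High", "High"),
    ("Inbound telnet allowed; guest ID enabled on XYZ server", "Medium", "High"),
    ("Vendor security patches not applied", "High", "Medium"),
    ("Sprinklers fitted, equipment covering not in place", "Low", "High"),
]

if __name__ == "__main__":
    for vuln, score, level, action in assess(SAMPLE_FINDINGS):
        print(f"{level:6} {score:5.0f}  {vuln}\n        -> {action}")
```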
Control recommendations and results documentation
Document the recommendations corresponding to the results obtained above. The goal of the recommended controls is to reduce the level of risk to the IT system and its data to an acceptable level. The results documentation will act as an input to the risk mitigation phase. If risk assessment and risk mitigation are performed correctly, the organization would be well prepared should a disaster occur. IT risk assessment is an iterative process that an organization carries out periodically, enforcing new controls as and when required.
Download the sample IT risk assessment template (includes results after analyzing the gathered information)
About the author: Anuj Sharma is an EMC Certified and NetApp accredited professional. Sharma has experience in handling implementation projects related to SAN, NAS and BURA. He also has to his credit several research papers published globally on SAN and BURA technologies.