b. Risk management offers a disciplined approach to identifying, measuring, and controlling uncertain events to minimize loss. Its application can, at the same time, assist in optimizing the security return for each dollar invested. The cost potential of broadly applied, marginally effective security features is enormous, underlining the need for effective site risk management. Federal Information Processing Standards (FIPS) Publications 31 and 65 contain additional information; however, these publications provide only basic data for conducting a risk analysis. They should be used only to develop natural disaster type information. Information concerning the local environment, processing procedures, personnel, and other system components that affect security must be developed using appropriate risk assessment methods.
c. The objective of risk management is to achieve the most effective safeguards against deliberate or inadvertent-
(2) Denial of service or use.
(3) Unauthorized manipulation of information.
(4) Unauthorized use.
d. The risk analysis will be used to support the expenditure of resources and to determine the most cost-effective safeguards.
(2) Management decision to implement security countermeasures and to accept residual risk.
(3) Implementation of countermeasures.
(4) Effectiveness review.
b. Each of these phases should be applied to the areas of software, hardware, procedures, communications, emanations, personnel (the highest risk), and physical security. In addition, the relative risks within each area should be analyzed. Whenever possible, specialists or risk management software will be used to enhance the process.
c. Since risk assessment involves estimating expected loss (the likelihood of an event combined with the loss it would cause) based upon probabilities, using mathematical tools and statistical analysis would seem logical. However, experience shows that attempts to develop absolute models, performance simulators, or descriptive algorithms have been only marginally successful. These techniques should be employed only when economically feasible and when their value has been established. In many cases, qualitative or subjective techniques will be more applicable to risk assessments performed for TAIS.
b. A threat means any agent that could reduce or neutralize the effectiveness of a system, thereby limiting or negating mission accomplishment. Threat identification must account for both known and reliably postulated threats. Evidence of threat agent activity is usually lacking, since system penetration is difficult to detect with current audit procedures. Threats or threat agents include-
(2) Man-made or natural disaster.
(3) Deliberate or inadvertent error by authorized or unauthorized users.
c. System vulnerability is the total of susceptibilities to specific threats.
(b) Classification of data in the TAIS versus security clearance of users.
(c) The sensitivity and amount of material being handled.
(d) Overall criticality of the mission or operation.
(2) The more complex the operation, the more susceptible the site. For example, local batch operations usually are less vulnerable than networked computers with sophisticated communications links.
(3) Vulnerabilities identified by inspection or notification and not corrected must be carried forward into all future risk assessments. Sources of such notification include, for example, reports of the Inspector General, the provost marshal, management review teams, AISSAP evaluation teams, or OPSEC evaluations.
d. Managers and commanders determine relative risk. Risk is most accurately judged when specific vulnerabilities are matched to known threats. This type of assessment usually produces more reliable information with which to qualitatively describe risk. If no known threat exists, the vulnerability must still be evaluated for the potential opportunity it may offer a hostile agent. Management must be prepared to react to the increased possibility of threat. The risk assessment process must assume that hostile agents are prepared to take advantage of significant system vulnerabilities.
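As an added, constructed example (not part of the regulation, nor of FIPS 31 or 65), the following Python carries the expected-loss estimation of the risk analysis paragraph above and the threat/vulnerability matching of this paragraph through to a safeguard ranking: each vulnerability matched to a threat gets an annual loss expectancy (single-event loss times annual rate, the form of estimate FIPS 65 describes), a vulnerability with no known threat is scored at an assumed floor rate rather than zero because a hostile agent is assumed ready to exploit it, candidate countermeasures are ranked by net annual benefit, and the residual risk left after the cost-effective set is reported in a coarse qualitative band for the commander or DAA. All vulnerability names, dollar figures, rates, reduction fractions and band thresholds are assumptions invented for the illustration.

```python
"""Expected-loss risk analysis over threat/vulnerability pairs (constructed
illustration; the names, dollar values, rates and thresholds are assumptions)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Exposure:
    """One vulnerability matched to a threat, or to an assumed hostile agent."""
    vulnerability: str
    threat: str
    loss_per_event: float             # dollars lost each time the threat is realized
    events_per_year: Optional[float]  # estimated annual rate; None = no known threat agent


@dataclass(frozen=True)
class Safeguard:
    """A candidate countermeasure and the fraction of each exposure's loss it removes."""
    name: str
    annual_cost: float
    reduction: Dict[str, float] = field(default_factory=dict)  # vulnerability -> 0..1


def annual_loss_expectancy(exp: Exposure, assumed_rate: float) -> float:
    """ALE in dollars per year = single-event loss x annual rate.

    A vulnerability with no known threat is not scored zero: the assessment
    assumes a hostile agent will exploit a significant vulnerability, so an
    assumed floor rate is applied instead (the floor value is an assumption)."""
    rate = exp.events_per_year if exp.events_per_year is not None else assumed_rate
    return exp.loss_per_event * rate


def residual_ale(exposures: Sequence[Exposure], safeguards: Sequence[Safeguard],
                 assumed_rate: float) -> float:
    """Total ALE left after the given safeguards; reductions that several
    safeguards apply to the same exposure are treated as independent."""
    total = 0.0
    for exp in exposures:
        remaining = 1.0
        for sg in safeguards:
            remaining *= 1.0 - sg.reduction.get(exp.vulnerability, 0.0)
        total += annual_loss_expectancy(exp, assumed_rate) * remaining
    return total


def net_benefit(exposures: Sequence[Exposure], sg: Safeguard, assumed_rate: float) -> float:
    """Annual loss the safeguard alone prevents, minus its annual cost."""
    before = residual_ale(exposures, [], assumed_rate)
    after = residual_ale(exposures, [sg], assumed_rate)
    return (before - after) - sg.annual_cost


def rank_safeguards(exposures: Sequence[Exposure], safeguards: Sequence[Safeguard],
                    assumed_rate: float) -> List[Tuple[str, float]]:
    """Safeguards from most to least cost-effective; a negative figure means the
    control costs more per year than the loss it is expected to prevent."""
    scored = [(sg.name, round(net_benefit(exposures, sg, assumed_rate), 2)) for sg in safeguards]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def qualitative_level(ale: float, mission_critical: bool) -> str:
    """Coarse band for briefing residual risk when the numbers are soft.
    Thresholds are assumptions; a mission-critical operation is raised one band."""
    bands = [(1_000.0, "low"), (25_000.0, "moderate"), (float("inf"), "high")]
    idx = next(i for i, (limit, _) in enumerate(bands) if ale < limit)
    if mission_critical:
        idx = min(idx + 1, len(bands) - 1)
    return bands[idx][1]


# Constructed sample data, not taken from the regulation.
EXPOSURES = [
    Exposure("unencrypted tactical link", "interception of traffic", 50_000, 0.5),
    Exposure("shared operator passwords", "unauthorized use by an insider", 20_000, 2.0),
    Exposure("no off-site backups", "fire in the shelter", 200_000, 0.02),
    Exposure("unpatched file server", "no known threat agent", 30_000, None),
]
SAFEGUARDS = [
    Safeguard("link encryption", 8_000, {"unencrypted tactical link": 0.95}),
    Safeguard("individual accounts and audit", 3_000,
              {"shared operator passwords": 0.7, "unpatched file server": 0.2}),
    Safeguard("off-site backup rotation", 6_000, {"no off-site backups": 0.9}),
    Safeguard("fire suppression", 15_000, {"no off-site backups": 0.5}),
]
ASSUMED_RATE = 0.1  # floor annual rate for a vulnerability with no known threat (assumption)


if __name__ == "__main__":
    print(f"ALE before safeguards: ${residual_ale(EXPOSURES, [], ASSUMED_RATE):,.0f}/yr")
    for name, benefit in rank_safeguards(EXPOSURES, SAFEGUARDS, ASSUMED_RATE):
        print(f"  {name:32s} net benefit ${benefit:>10,.0f}/yr")
    chosen = [sg for sg in SAFEGUARDS if net_benefit(EXPOSURES, sg, ASSUMED_RATE) > 0]
    residual = residual_ale(EXPOSURES, chosen, ASSUMED_RATE)
    print(f"residual ALE with cost-effective set: ${residual:,.0f}/yr "
          f"({qualitative_level(residual, mission_critical=False)})")
```

With the constructed figures the two backup-related controls come out with negative net benefit, which is the situation the regulation warns about: a broadly applied but marginally effective feature whose annual cost exceeds the loss it prevents. The residual figure and its band are what the commander or DAA accepts or rejects; whether the unscored exposures (the "no known threat" case) are set at a floor rate or at a rate estimated from postulated threats is a judgement the assessor must record alongside the numbers.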
b. Selecting which security controls to implement must include a consideration of possible degradation of operational efficiency. In almost all cases, security requirements will cause significant disruption of managerial, operational, and administrative procedures, as well as increased cost. Only the commander or DAA can properly judge whether this disruption is acceptable relative to the increase in security, and promote its acceptance. This requires that commanders and top-level management completely understand organizational dependence upon automation support and its importance to mission accomplishment. The commander or DAA must resolve any perceived conflict between operational and security considerations.
c. If existing risks are unacceptable and the required security is impractical or impossible to implement, the commander or DAA may terminate operation of the system.
An effectively applied risk analysis must lead to a series of interrelated countermeasures to be implemented according to a plan approved by the commander or DAA. Because of the potential risk resulting from growing dependence upon TAIS, the commander or DAA must always participate in this process.
Organizational and operational dynamics demand continuing review of the effectiveness of security controls. Because of the diversity of TAIS environments, and the relative newness of the ISS discipline, commanders must be assured that controls are providing the desired results. This is an important process in documenting security techniques and ensuring that a technique has not created a more serious vulnerability or risk. The collective effectiveness of applied countermeasures is the basis for future security actions, and assists in identifying problem areas and additional security requirements.
b. The risk analysis will be used in support of AIS accreditation. Additionally, the process will be used to support applying cost-effective security measures to the operations of all TAIS.