Identifying risk for an IT system requires an understanding of the system’s processing environment. Therefore, the risk assessor must first collect system-related information, which is usually classified as follows:
- System interfaces (e.g., internal and external connectivity)
- Data and information
- Persons who support and use the IT system
- System mission (e.g., the processes performed by the IT system)
- System and data criticality (e.g., the system’s value or importance to an organization)
- System and data sensitivity
The use of information technology poses a wide variety of risks. Obviously, there is the risk of malicious attack from hackers, but certain other risks are often overlooked. User error can destroy or leak data, or take down a system. Adverse events such as fires, floods, and other natural disasters can wreak havoc in any business environment.
The adverse impact of a security event can be described in terms of loss or degradation of any, or a combination, of the following three security goals: integrity, availability, and confidentiality. The following list provides a brief description of each security goal and the consequence (or impact) of it not being met:
- Loss of Integrity. System and data integrity refers to the requirement that information be protected from improper modification. Integrity is lost if unauthorized changes are made to the data or IT system by either intentional or accidental acts. If the loss of system or data integrity is not corrected, continued use of the contaminated system or corrupted data could result in inaccuracy, fraud, or erroneous decisions. Also, violation of integrity may be the first step in a successful attack against system availability or confidentiality. For all these reasons, loss of integrity reduces the assurance of an IT system.
- Loss of Availability. If a mission-critical IT system is unavailable to its end users, the organization’s mission may be affected. Loss of system functionality and operational effectiveness, for example, may result in loss of productive time, thus impeding the end users’ performance of their functions in supporting the organization’s mission.
- Loss of Confidentiality. System and data confidentiality refers to the protection of information from unauthorized disclosure. The impact of unauthorized disclosure of confidential information can range from the jeopardizing of national security to the disclosure of Privacy Act data. Unauthorized, unanticipated, or unintentional disclosure could result in loss of public confidence, embarrassment, or legal action against the organization.