Managing Software Deliverables: A Software Development Management Methodology



The Risk Assessment assesses the system’s use of resources and controls (either implemented or planned) to eliminate or manage vulnerabilities that are exploitable by threats to the organization. It will also identify any of the following possible vulnerabilities:

The risk assessment is a determination of vulnerabilities that, if exploited, could result in the following:

The following is a sample layout of the recommended table of contents for a risk assessment. The Core Team–appointed Risk Officer is responsible for completing this document.

Risk Assessment Executive Summary

1.0 Background
2.0 Purpose
3.0 Scope
4.0 Assumptions
5.0 Description of System
    5.1 System Attributes
    5.2 System Sensitivity
6.0 System Security
    6.1 Administrative Security
    6.2 Physical Security
    6.3 Technical Security
    6.4 Software Security
    6.5 Telecommunication Security
    6.6 Personnel Security
7.0 System Vulnerabilities
    7.1 Technical Vulnerability
    7.2 Personnel Vulnerability
    7.3 Telecommunication Vulnerability
    7.4 Software Vulnerability
    7.5 Environmental Vulnerability
    7.6 Physical Vulnerability
8.0 Glossary of Terms
9.0 Acronyms
Appendix A: Information Flow Diagram
Appendix B: Hardware Configuration

