FISMA Certification and Accreditation Handbook

One of the functions of intelligence is to take account of the dangers that come from trusting solely to the intelligence.
Lewis Mumford
The System Risk Assessment focuses on risks to systems, applications, and facilities. The same risk exposure principles that you learned in Chapter 14 apply also to systems, networks, and applications. In Chapter 14, I mentioned that a System Risk Assessment can be thought of as an extension of the Business Risk Assessment. However, instead of thinking about the business mission, in a System Risk Assessment you take into consideration the systems and applications that churn the gears that drive the business.
When performing a System Risk Assessment, consider both technical and natural threats to applications, systems, or networks. Technical threats are for the most part invoked by people who act as a threat agent, sometimes intentionally and sometimes unintentionally. (One could argue that some computer programs act as threat agents; however, for understanding C&A, it's not really necessary to debate that here.) Since natural disasters are always unintentional, we think about them in a different light. We don't have to take into consideration that a hurricane, flood, or tornado can be intentionally created. Though natural disasters are not technical, they do pose risks to your systems.
Your System Risk Assessment can be based on either qualitative or quantitative methods, or some of both. Later in this chapter I'll be explaining the differences between the two risk assessment methodologies. Whatever methodology...