Special Publication 800-30

Guide for Conducting Risk Assessments

________________________________________________________________________________________________

APPENDIX L

SUMMARY OF TASKS
RISK ASSESSMENT TASKS AND ASSOCIATED RISK TABLES
TABLE L-1: SUMMARY OF RISK ASSESSMENT TASKS

TASK
Step 1: Prepare for Risk Assessment TASK 1-1 IDENTIFY PURPOSE
Section 3.1

TASK DESCRIPTION

Identify the purpose of the risk assessment in terms of the information that the assessment is intended to produce and the decisions the assessment is intended to support. Identify the scope of the risk assessment in terms of organizational applicability, time frame supported, and architectural/technology considerations.

TASK 1-2 IDENTIFY SCOPE

Section 3.1

TASK 1-3 IDENTIFY ASSUMPTIONS AND CONSTRAINTS

Section 3.1

Identify the specific assumptions and constraints under which the risk assessment is conducted.

TASK 1-4 IDENTIFY INFORMATION SOURCES

Section 3.1

Identify the sources of descriptive, threat, vulnerability, and impact information to be used in the risk assessment.

TASK 1-5 IDENTIFY RISK MODEL AND ANALYTIC APPROACH

Section 3.1

Identify the risk model and analytic approach to be used in the risk assessment.

Step 2: Conduct Risk Assessment TASK 2-1 IDENTIFY THREAT SOURCES

Section 3.2, Appendix D

Identify and characterize threat sources of concern, including capability, intent, and targeting characteristics for adversarial threats and range of effects for non-adversarial threats. Identify potential threat events, relevance of the events, and the threat sources that could initiate the events.

TASK 2-2 IDENTIFY THREAT EVENTS

Section 3.2, Appendix E

TASK 2-3 IDENTIFY VULNERABILITIES AND PREDISPOSING CONDITIONS

Section 3.2, Appendix F

Identify vulnerabilities and predisposing conditions that affect the likelihood that threat events of concern result in adverse impacts.

APPENDIX L

PAGE L-1

Special Publication 800-30

Guide for Conducting Risk Assessments

________________________________________________________________________________________________

TASK
TASK 2-4 DETERMINE LIKELIHOOD
Section 3.2, Appendix G

TASK DESCRIPTION
Determine the likelihood that threat events of concern result in adverse impacts, considering: (i) the characteristics of the threat sources that could initiate the events; (ii) the vulnerabilities/predisposing conditions identified; and (iii) the organizational susceptibility reflecting the safeguards/countermeasures planned or implemented to impede such events. Determine the adverse impacts from threat events of concern, considering: (i) the characteristics of the threat sources that could initiate the events; (ii) the vulnerabilities/predisposing conditions identified; and (iii) the organizational susceptibility reflecting the safeguards/countermeasures planned or implemented to impede such events. Determine the risk to the organization from threat events of concern considering: (i) the impact that would result from the events; and (ii) the likelihood of the events occurring.

TASK 2-5 DETERMINE IMPACT

Section 3.2, Appendix H

TASK 2-6 DETERMINE RISK

Section 3.2, Appendix I

Step 3: Communicate and Share Risk Assessment Results TASK 3-1 COMMUNICATE RISK ASSESSMENT RESULTS
Section 3.3, Appendix K

Communicate risk assessment results to organizational decision makers to support risk responses.

TASK 3-2 SHARE RISK-RELATED INFORMATION

Section 3.3

Share risk-related information produced during the risk assessment with appropriate organizational personnel.

Step 4: Maintain Risk Assessment TASK 4-1 MONITOR RISK FACTORS

Section 3.4

Conduct ongoing monitoring of the risk factors that contribute to changes in risk to organizational operations and assets, individuals, other organizations, or the Nation.

TASK 4-2 UPDATE RISK ASSESSMENT

Section 3.4

Update existing risk assessment using the results from ongoing monitoring of risk factors.

APPENDIX L

PAGE L-2