ICT-Governance-Framework-Application

Risk Assessment Plan

Metadata

Purpose

Define comprehensive quantitative risk assessment approach using FAIR (Factor Analysis of Information Risk) methodology for all ICT domains, enabling data-driven risk management decisions and business-aligned risk tolerance.

Scope

All technology assets, services, and initiatives across the six ICT domains:

🖥️ Infrastructure (Networks, servers, cloud resources, endpoint devices)
🔐 Security (Identity management, access controls, threat protection, Zero Trust)
💻 Applications (Enterprise applications, custom software, SaaS solutions)
📊 Data (Structured and unstructured data, analytics platforms)
📱 End-user Computing (Productivity tools, collaboration platforms, mobile devices)
🔄 Integration (APIs, middleware, data exchange mechanisms)

Methods

Primary Method: FAIR-Based Quantitative Risk Assessment

Risk Equation: Risk = Loss Event Frequency (LEF) × Loss Magnitude (LM)
LEF Calculation: Threat Event Frequency (TEF) × Vulnerability (V)
LM Calculation: Primary Loss (PL) + Secondary Loss (SL)
Domain-Specific Implementation: Tailored FAIR application for each ICT domain

Supplementary Methods

Qualitative Assessment: Likelihood/Impact scaling for initial screening
Scenario Analysis: Multiple risk scenario evaluation and comparison
Sensitivity Analysis: Testing assumptions and uncertainty ranges
Monte Carlo Simulation: For complex risk interactions and portfolio analysis

FAIR Assessment Process

Phase 1: Risk Identification and Scoping (Days 1-3)

Domain Scope Definition: Identify specific ICT domain areas for assessment
Asset and Process Inventory: Catalog relevant assets, processes, and dependencies
Stakeholder Engagement: Involve domain owners and subject matter experts
Risk Scenario Development: Define specific risk scenarios for assessment

Phase 2: Threat and Vulnerability Analysis (Days 4-10)

Threat Intelligence Gathering: Collect relevant threat data and industry intelligence
Vulnerability Assessment: Evaluate technical and operational vulnerabilities
Control Effectiveness Analysis: Assess current control performance
Historical Data Analysis: Review past incidents and near-misses

Phase 3: FAIR Quantification (Days 11-15)

Loss Event Frequency Calculation: Quantify TEF and Vulnerability factors
Loss Magnitude Assessment: Calculate Primary and Secondary Loss impacts
Risk Calculation: Apply FAIR methodology to determine risk exposure
Sensitivity Analysis: Test assumptions and assess uncertainty ranges

Phase 4: Risk Evaluation and Reporting (Days 16-21)

Risk Tolerance Comparison: Compare calculated risk to organizational risk appetite
Risk Prioritization: Rank risks by exposure and business impact
Mitigation Analysis: Evaluate risk treatment options and cost-effectiveness
Executive Reporting: Present findings and recommendations to governance council

Metrics

FAIR-Specific Metrics

Total Risk Exposure: Aggregate quantified risk across all ICT domains (<$2M annually)
Risk Assessment Coverage: Percentage of assets with completed FAIR assessments (>95%)
Risk Assessment Timeliness: Average time to complete risk assessments (<21 days)
Risk Prediction Accuracy: Accuracy rate for FAIR risk predictions vs. actual incidents (>85%)
Domain Risk Distribution: Risk exposure breakdown across six ICT domains

Process Metrics

Assessment Completion Rate: Percentage of scheduled assessments completed on time (>95%)
Stakeholder Engagement: Participation rate of domain experts in assessments (>90%)
Risk Model Calibration: Frequency of model updates based on new data (Quarterly)
Risk Treatment Effectiveness: Reduction in risk exposure from implemented controls (>80%)

Standards Crosswalk

Version History

| Version | Date | Author | Notes | |—|—|—|—| | 1.0 | 2025-08-08 | Risk Manager | Initial draft |

This site is open source. Improve this page.