Information Security Risk Assessment: Practices of Leading Organizations (Exposure Draft) Page: 2 of 52
This text is part of the collection entitled: Government Accountability Office Reports and was provided to UNT Digital Library by the UNT Libraries Government Documents Department.
Extracted Text
The following text was automatically extracted from the image on this page using optical character recognition software:
Managing the security risks associated with our government's growing reliance on
information technology is a continuing challenge. In particular, federal agencies, like
many private organizations, have struggled to find efficient ways to ensure that they fully
understand the information security risks affecting their operations and implement
appropriate controls to mitigate these risks.
This guide, which we are initially issuing as an exposure draft, is intended to help federal
managers implement an ongoing information security risk assessment process by
providing examples, or case studies, of practical risk assessment procedures that have
been successfully adopted by four organizations known for their efforts to implement
good risk assessment practices. More importantly, it identifies, based on the case studies,
factors that are important to the success of any risk assessment program, regardless of the
specific methodology employed.
The information provided in this document supplements guidance provided in our May
1998 executive guide Information Security Management: Learning From Leading
Organizations (GAO/AIMD-98-68). In that guide, we outlined five major elements of
risk management and 16 related information security management practices that GAO
identified during a study of organizations with superior information security programs.
One of the five elements identified encompasses assessing risk and determining
risk-reduction needs. Contributors to this supplementary guide include Jean Boltz, Ernest
During, and Michael Gilmore.
GAO/AIMD-99-139 Information Security Risk Assessment
United States. General Accounting Office. Information Security Risk Assessment: Practices of Leading Organizations (Exposure Draft), text, August 1, 1999; Washington D.C.. (https://digital.library.unt.edu/ark:/67531/metadc301946/m1/2/: accessed April 25, 2024), University of North Texas Libraries, UNT Digital Library, https://digital.library.unt.edu; crediting UNT Libraries Government Documents Department.