Court Risk Analysis and Assessment Overview

Risk analysis and assessment assists an entity in determining what information systems, data, and associated assets (facilities, equipment, personnel) constitute a critical information infrastructure. In order to conduct a risk analysis and assessment the following steps shall be performed:

Inventory all assets – information assets, associated assets (facilities, equipment, personnel), and interdependencies.
Risk Analysis - involves determining and documenting the vulnerabilities in critical information assets. Pinpointing these vulnerabilities may be a time-consuming task that will require the assistance of experts in the hardware and software used (operating systems, telecommunications, and applications). Briefly, the analysis process examines the adequacy of current court areas of control to measure the organization’s effectiveness in protecting critical asset elements. This comparison analysis results in the identification of areas of potential compromise, which serve as categories for a comprehensive list of vulnerabilities and risks for which additional security measures, disaster recovery plans, modifications to security policy, and/or acceptance of risk may be necessary.
Risk Assessment - risk management assessment shall be applied to the entire list of vulnerabilities and risks associated with their critical assets and infrastructure dependencies. Security enhancement costs often exceed available resources. Improvements, therefore, normally must be made according to a number of risk management assessment factors.

Court Risk Analysis and Assessment Standards

Minimum Security Option

Description

Benefits

Disadvantages

Perform vulnerability assessment focusing on existing environment without regard to value of assets.

Low cost (requires only vulnerability assessment).

Does not consider value of assets being protected.

1. All courts shall perform an annual vulnerability assessment. The level of detail required will vary depending on the complexity of the IT environment. At a minimum the vulnerability assessment will identify potential threats to IT security and mitigating controls in place. Vulnerabilities shall be identified by reviewing network diagrams, interviews, and through the use of automated tools. Security vulnerabilities are to be documented and discussed with management.

Optimum Security Option

Description	Benefits	Disadvantages
Require annual formal risk assessment including inventory of assets, risk analysis, and risk assessment.	Performs analysis required to ensure that critical assets have appropriate controls.	More costly than a vulnerability assessment. Also, annual costs incurred.

1. All courts shall perform an annual risk analysis and assessment. The level of detail required will vary depending on the complexity of the IT environment. At a minimum the risk analysis and assessment will include:

Critical asset inventory – information assets, associated assets (facilities, equipment, personnel), and interdependencies shall be identified and documented.
Risk analysis - the vulnerabilities in critical information assets shall be identified and documented. Vulnerabilities will be identified by reviewing network diagrams, interviews, and through the use of automated tools. The analysis process examines the adequacy of current court areas of control to measure the organization’s effectiveness in protecting critical asset elements. This comparison analysis results in the identification of areas of potential compromise.
Risk assessment - management shall review the vulnerability assessment and determine whether the vulnerabilities are acceptable based on their environment. For any unacceptable risk, appropriate mitigating controls will be identified and implemented. Factors to consider include:

o Cost of control;

o Effectiveness of control; and

o Whether the control costs are commensurate with asset’s value?

2. If the analysis and assessment are to be performed by an external entity, such as a consultant, then a pre-assessment meeting shall be held to communicate what information is critical to the court, the court’s IT environment, and to reach agreement about the expected results.

Maximum Security Option

Description	Benefits	Disadvantages
Require formal risk assessment including inventory of assets, risk analysis, and risk assessment. Update risk assessment quarterly.	Risk assessment is frequently updated in order to adequately address concerns.	Even higher costs associated with performing quarterly risk assessments.

In addition to the Optimum Security Option, a risk analysis and assessment shall be performed on a quarterly basis.