Best Practices for Performing Risk Assessments

To ensure success when performing risk assessments, several steps can be taken. The following list identifies best practices for performing risk assessments:

  • Ensuring systems are fully described—The description includes both the operational characteristics and the mission of the system. Ensuring that the data is current is important because IT systems change as they are upgraded and improved. If current documentation isn’t used, resources are wasted.
  • Reviewing past audits—If audits have been performed, ensure the results are reviewed. Audits identify vulnerabilities and often include specific recommendations. These recommendations should be either in place or planned.
  • Reviewing past risk assessments—If a previous risk assessment was performed, it should be reviewed. Some systems are assessed on a regular basis, such as every year or every three years. This information can be reviewed and compared with recent activity. For example, new threats or vulnerabilities may have resulted in outages that weren’t previously addressed.
  • Matching the risk assessment to the management structure—The risk assessment should be performed based on the ownership or responsibility of the system. When the risk assessment crosses management lines, implementing the controls becomes harder than when there is only one owner.
  • Identifying assets within the risk assessment boundaries—When identifying assets, ensure that only assets within the scope of the risk assessment are included. This will help eliminate scope creep.
  • Identifying and evaluating relevant threats—Only relevant threats should be evaluated. Historical data can be reviewed to determine what threats have caused problems in the past. Threat modeling can also be used to identify threats.
  • Identifying and evaluating relevant vulnerabilities—Many weaknesses exist, but only those relevant to the risk assessment should be included.
  • Identifying and evaluating controls—Ensure that all controls are directly related to at least one threat/vulnerability pair and that the CBA justifies the cost of the control.
  • Tracking the results—Document the results of the risk assessment and the approved recommendations, and create a POAM to track the implementation of the recommendations.
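An added example (not from the book) of a check for the controls item above: it walks a controls register and flags any control that maps to no in-scope threat/vulnerability pair, and any control whose CBA does not justify its cost. The register, the in-scope pairs and the CBA form (projected annual loss reduction minus annual control cost) are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Control:
    name: str
    annual_cost: float
    pairs: list            # (threat, vulnerability) pairs the control addresses
    loss_before: float     # assumed annual expected loss without the control
    loss_after: float      # assumed annual expected loss with the control


def cba(control):
    """Assumed CBA form: projected annual benefit minus annual cost."""
    benefit = control.loss_before - control.loss_after
    return benefit - control.annual_cost


def review_controls(controls, in_scope_pairs):
    """Return {control name: [issues]}; an empty list means the control passes."""
    findings = {}
    for c in controls:
        issues = []
        if not any(p in in_scope_pairs for p in c.pairs):
            issues.append("no in-scope threat/vulnerability pair")
        net = cba(c)
        if net < 0:
            issues.append(f"CBA does not justify cost (net {net:.0f})")
        findings[c.name] = issues
    return findings


# Constructed sample data: pairs identified earlier in the assessment.
IN_SCOPE_PAIRS = {
    ("malware", "unpatched operating system"),
    ("volumetric DoS", "single internet uplink"),
}

SAMPLE_CONTROLS = [
    Control("Patch management", 20000, [("malware", "unpatched operating system")], 80000, 10000),
    Control("Biometric door locks", 15000, [("intruder", "unlocked server room")], 5000, 1000),
    Control("DDoS scrubbing appliance", 120000, [("volumetric DoS", "single internet uplink")], 30000, 5000),
]

if __name__ == "__main__":
    for name, issues in review_controls(SAMPLE_CONTROLS, IN_SCOPE_PAIRS).items():
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
```

A control that passes both checks is a candidate for the POAM; a flagged one goes back for rescoping or a revised cost estimate.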