Designed specifically for IA analysts working with Department of Defense IA issues, the Information Assurance Risk Assessment (IARA) facilitates rigorous, operationally focused, defendable and repeatable IA risk assessments. The methodology is focused specifically on assessing IA risks for DoD systems using the Department of Defense’s Information Assurance Certification and Accreditation Process (DIACAP) regulations. However, the IARA methodology is equally useful in assessing any Government or commercial system.
For a copy of Sentar’s Information Assurance Risk Assessment Process for Military Systems white paper, click here.
The IARA Process leverages the analyst’s understanding of three things: the operational and administrative environment that the system operates within, the computing/networked architecture of the system, and the relationship of the identified vulnerability/deficiency to the trusted computing path critical to the system’s operational mission. With this knowledge, IARA guides the analyst through a series of determinations that form a two-factored assessment of both the likelihood and consequence of the possible exploit of the identified vulnerability or deficiency. The independently derived likelihood and consequence determinations are then factored together into a risk determination of the deficiency/vulnerability being assessed. The end result of the IARA process, when applied to a set of IA issues within a particular system, is a risk-prioritized ranking of the issues that facilitates well-grounded decisions surrounding mitigation efforts.
An Excel tool designed to assist the analyst with IARA assessments is available free of charge by contacting iara@sentar.com