Information Security Risk Assessment: Practices of Leading Organizations (Exposure Draft)

AIMD-99-139 August 1, 1999
Full Report (PDF, 52 pages)

Summary

Because of its growing reliance on information technology, the government faces the continuing challenge of addressing computer security risks. This guide is intended to help federal managers implement an ongoing information security risk-assessment process by providing case studies of practical risk-assessment procedures that have been successfully adopted by four organizations--a multinational oil company, a financial services firm, a regulatory agency, and a computer company--known for their efforts to implement good risk-assessment practices. More importantly, GAO identifies factors that are important to the success of any risk-assessment program, regardless of the methodology used.