PM-09-727 Risk Management Strategy

PM-09-727
Risk Management Strategy
Program Management
Identify
Security Assessment and Authorization / Technology Risk Assessments, Security Oversight and Governance
NOT SELECTED
P1
No
February 15, 2018

The overall Agency information resource risk management strategy is based on NIST SP 800-37. Information resources are evaluated based on mission criticality, sensitivity of the information stored and/or processed on the resource, and the confidentiality, integrity, and availability requirements of the resource. The resulting evaluations inform the risk-based decisions used to adequately protect the resource.

Basic risk management activities have not been incorporated into IT-related activities (e.g., setting risk appetite, identification of risks, risk assessment, reporting criteria, etc.) and may lead to unanticipated losses or the inability to respond appro
The organization: a. Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems; b. Implements the risk management strategy consistently across the organization; and c. Reviews and updates the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes.
The organization has a written, documented risk management strategy.
State implementation of this standard is incorporated into TAC 202.
Obtain information security program policy; risk management policy; procedures addressing risk management strategy development and implementation; risk management strategy (including risk identification, assessment, mitigation, acceptance, and monitoring methodologies); other relevant documents or records and ascertain if: (i) the organization develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems; and (ii) the organization implements that strategy consistently across the organization.