RA-01-727 Risk Assessment Policy and Procedures


Risk Assessment
Identify
Security Assessment and Authorization / Technology Risk Assessments
LOW, MOD, HIGH
P1
Yes
May 20, 2016

Information resource owners, in consultation with the chief information security officer where necessary, shall categorize all information and information resources under their control.

All information resources shall be assessed for risk before they enter production, and thereafter at a frequency determined by their inherent risk rating: high risk systems shall be assessed annually, moderate risk systems biennially, and low risk systems triennially.

Information resources that are centrally administered by Network & Information Systems and are compliant with an approved configuration baseline may be rolled up under the common risk assessment. Any information resource that deviates from the approved configuration baseline, including systems with custom software installations or local administrative access, must be individually risk assessed by the information resource owner or custodian.

At the conclusion of the risk assessment period, the chief information security officer shall present risk assessment results to the Agency director.

Management is unable to identify potential events with negative impact and events representing opportunities to be pursued which may lead to unmanageable IT risks.
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and
b. Reviews and updates the current:
1. Risk assessment policy [Assignment: organization-defined frequency]; and
2. Risk assessment procedures [Assignment: organization-defined frequency].
Written, documented risk assessment policies and procedures are in place.
The state organization has a risk assessment policy that includes the process of identifying, evaluating, and documenting the level of impact that may result from the operation of an information system on the organization's mission, functions, image, reputation, assets, or individuals.
Obtain the risk assessment policy and procedures and other relevant documents or records, and ascertain whether:
(i) the organization develops and documents risk assessment policy and procedures;
(ii) the organization disseminates the risk assessment policy and procedures to the appropriate elements within the organization;
(iii) responsible parties within the organization periodically review the risk assessment policy and procedures;
(iv) the organization updates the risk assessment policy and procedures when organizational review indicates that updates are required;
(v) the risk assessment policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance;
(vi) the risk assessment policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance; and
(vii) the risk assessment procedures address all areas identified in the risk assessment policy and address achieving policy-compliant implementations of all associated risk assessment controls.