RA-03-727 Risk Assessment

Risk Assessment

Control ID

RA-03-727

Control Name

Risk Assessment

Control Category

Risk Assessment

Functional Areas

Identify

Sub-Areas

Security Assessment and Authorization / Technology Risk Assessments

NIST Baseline Level(s)

LOW, MOD, HIGH

NIST Priority

State Implementation Required

Yes

Agency Last Implemented Date

February 15, 2018

Agency Implementation

All information resources shall be assessed for risk initially prior to entering production, and thereafter based on the inherent risk. High risk systems shall be assessed annually, moderate risk systems shall be assessed biennially, and low risk systems shall be assessed triennially.

Risk Statement

Information around risks and related control options are not presented to management before management decisions are made.

Control Description

The organization: a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; c. Reviews risk assessment results [Assignment: organization-defined frequency]; d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

Control Example

a. The organization has policies and supporting processes that define triggers for when information security related risk assessments should be conducted, as well as the criteria for risk assessment (e.g., likelihood and impact. b. Information security risk assessments are conducted at least annually.

State Implementation

A risk assessment of information resources shall be performed and documented. The risk assessment shall be updated based on the inherent risk. The inherent risk and frequency of the risk assessment will be ranked, at a minimum, as either “High,” “Moderate,” or “Low.” Risk assessment results, vulnerability reports, and similar information shall be documented and presented to the state organization head or his or her designated representative(s). The state organization head or his or her designated representative(s) shall make the final risk management decisions to either accept exposures or protect the data according to its value/sensitivity. The state organization head or his or her designated representative(s) shall approve the security risk management plan. This information may be exempt from disclosure under §2054.077(c), Government Code.

Testing Procedures

Obtain risk assessment policy; security planning policy and procedures; procedures addressing organizational assessments of risk; risk assessment; NIST Special Publication 800-30; other relevant documents or records and ascertain if : (I)the organization assesses the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support its operations and assets (including information and information systems managed/operated by external parties). (ii)the risk assessment is consistent with the NIST Special Publication 800-30.