Risk Assessment Policy

Version: 1.00    Issue Date: 1/20/2015

This Risk Assessment Policy specifies how and when risk assessments will be done and who will be responsible for them.

1.0 Overview

This Risk Assessment Policy specifies when risk assessments should be performed, identifies staff members who are authorized and responsible for conducting risk assessments, and identifies security policies and procedures that should be enforced to remediate vulnerabilities and risk.

2.0 Purpose

This Risk Assessment Policy is intended to specify how to identify risk in order to remediate it. Risk assessments are conducted under the authority of the organizational Chief Security Officer. The organizational Chief Security Officer appoints staff to conduct risk assessments. All those involved with a risk assessment must fully cooperate with the organizational members conducting the assessment. Cooperation must be complete for both the risk assessment and the remediation process since this is a critical business function.

3.0 Scope

This Risk Assessment Policy applies to all systems and data on the organizational network, owned by the organization, or operated on behalf of the organization. This policy is effective as of the issue date and does not expire unless superseded by another policy.

Risk assessments should look at services offered by projects, such as web sites with specific project or business functionality, along with infrastructure such as computer networks, buildings, and other facilities. The risk assessment should include security risk and risk from natural disasters to infrastructure, equipment, data, and personnel, including loss of productivity and loss of revenue. Although many risk assessments are specific to systems, the overall risk to the organization should be considered. A general risk assessment of organizational functions should also be performed periodically, covering risks to the organizational network in light of its structure and the current state of security, physical security, risks of natural disasters, risks of man-made disasters, etc.

4.0 Definitions

  • Hazard - Something that can cause harm, injury, sickness, or loss to an individual or an organization.
  • Risk - The chance that a threat or hazard will have an undesirable outcome combined with the amount of harm that may occur.
  • Risk Assessment - An examination of all possible risks along with the implemented and non-implemented solutions to reduce, eliminate, or manage those risks.
  • Threat - A potential incident or activity, whether deliberate, accidental, or caused by nature, that may cause physical or financial harm to a person or organization.
  • Safeguard Options - Different sets of safeguards put in place to mitigate high risk threat scenarios.

5.0 When Risk Assessments are Conducted

Risk assessments may be conducted at any time the organizational Chief Security Officer determines it is required but are typically conducted under one or more of the following circumstances:

  • If a risk assessment of any systems or applications has never been done.
  • Anytime a new system is being developed. The risk assessment is done both at the start and the end of the project as a minimum. This means it is done before major design work is complete and done during the testing phase just prior to production.
  • Anytime a currently operating system is being upgraded with significant new features. This includes when the project or application(s) associated with the project are modified enough to add, remove, or modify data such that the sensitivity and security requirements may change. The risk assessment should be done early prior to major design and again prior to changes being implemented in production.
  • A new system is being purchased from a vendor or will be operated through a vendor.
  • A risk is perceived that has not been previously assessed.
  • When the security classification of the data used on the system is changed.
  • A risk assessment is required when data associated with a project is stored on a different computer than when the last security assessment was performed. This assessment will consider the change in risk due to the change in the storage location for the data and will only need to point out the differences from the last assessment unless the last assessment is inaccurate or out of date.
  • Risk assessments may be used to assess all risks to the organization.
  • A risk assessment should be done or reviewed on systems and applications no less than every two years. Risk assessments should look at services offered by projects, such as web sites with specific project or business functionality, along with infrastructure such as computer networks, buildings, and other facilities. The risk assessment should include security risk and risk from natural disasters to infrastructure, equipment, data, and personnel, including loss of productivity and loss of revenue.

6.0 Staff Qualifications

Staff members conducting risk assessments must be trained in computer security and trained in how to conduct risk assessments. Staff members conducting risk assessments must have proper security clearance.

It is up to IT management and key stakeholders to determine the specific skills, and any testing of those skills, that members of the risk assessment team should possess. The risk assessment leader should be the security officer or one of their staff members. The leader of the risk assessment team should have a minimum of 2 years of computer security experience, preferably in risk assessment. The other team members should have a minimum of 3 months of computer security training and/or 1 year of computer security experience.

Business owners and technical support staff who provide information for the risk assessment do not need to be experienced in either risk assessments or computer security.

7.0 Risk Assessment Steps

  • Management defines scope of risk assessment and creates the risk assessment team with a focal point person to guide the process.
  • If risk assessment procedures are not defined, the team should define them. The proper time and method of communicating the selected risk treatment options to the affected IT and business management should be included.
  • Evaluate the system - Determine whether the system is critical to the organization's business processes, and determine the data classification and security needs of the data on the system according to the Data Classification Policy, considering confidentiality, integrity, and availability needs.
  • List the threats - List possible threat sources, such as the exploitation of a vulnerability.
  • Identify vulnerabilities
  • Evaluate security controls
  • Identify probabilities
  • Quantify damage (impact) - Categorize the damage and, where possible, place a dollar amount on it. This will help when comparing the cost of controls that reduce the risk.
  • Determine risk level - Use likelihood times impact to quantify the amount of risk.
  • Evaluate and recommend controls to reduce or eliminate risk - Identify existing controls and those that may further reduce probabilities or mitigate specific vulnerabilities. List specific vulnerabilities for the system and threat to help identify mitigating controls.
  • Create the risk assessment report.
  • The method of communicating the selected risk treatment options to the affected IT and business management and staff should be followed.
  • Take recommended risk mitigation actions.
  • Monitor the effectiveness of risk mitigation actions and document the results.

8.0 Risk Assessment Requirements

  • A risk assessment should be done early enough in the project cycle to allow for a baseline of risks to be defined so the project team can plan solutions early.
  • Risks should be classified by shared characteristics such as denial of service, automated worm attacks, attacks from hackers, and other similar characteristics.
  • Base the likelihood of incident occurrence on all reasonable combinations of expert judgement, historical evidence, statistical analysis, and scenario analysis. Degrees of confidence should be provided for the estimated occurrence probabilities. Perform a sensitivity analysis on the occurrence probabilities to determine the effects of changes in assumptions or data; this shows how inaccuracies in the incident occurrence estimates affect the results.
  • The report should list case scenarios of attack types utilizing vulnerabilities. It should list causes and consequences including loss and damage. Interrelationships to the organization and other systems should be considered and listed since a compromise of one system can affect others.
  • Each element or subcomponent of the project should be considered and a logical methodology should be developed to assess risks to each project element. A list of events that may affect any project element should be developed. The methodology and risk assessment framework should prevent overlooking significant risks.
  • Risks should be ranked so the highest risks can be addressed first. The risks should be ranked using criteria set up by the risk assessment team.
  • The risk assessment team, working with management, must design a risk assessment approach that is flexible enough to allow the review team to select the best risk assessment method for various types of risks, considerations, and environments.

9.0 Risk Assessment Findings

  • Risk assessment reports and findings are confidential.
  • Risk assessment report results and expected actions taken should be defined by management and the stakeholders.

10.0 Risk Assessment Vulnerabilities

  • All identified vulnerabilities will be assessed for impact and criticality. Vulnerabilities that are serious and unnecessary must be remediated as soon as possible as mandated by the Chief Security Officer or their empowered staff.
  • Existing procedures, system controls, and management controls must first be identified and employed to control risk before adding new controls.

11.0 Risk Assessment Method

The risk assessment method is defined by the risk assessment process. The risk assessment process will be updated as required due to results of audits and incidents. The risk assessment process must be driven by the business need and business managers have control over some parts of the risk assessment. Value of mitigation should be able to be estimated in the risk assessment report. The risk assessment approach should be cost effective without any significant compromise to organizational security.

12.0 Accountable Parties

Senior management is responsible for developing a risk assessment framework which can assess, remediate, and manage risk. A specific executive should sponsor risk management and work to communicate its value. The management must be representative of IT and the business functions performed by the organization. Management must buy into the risk assessment and management process, communicate it clearly, and require it to be enforced.

A team or unit in the organization should have an enterprise wide responsibility for promoting good risk management practices. This group would normally conduct the risk assessments and must be trained in risk management. The manager of the risk management group has access to all levels of management in the organization. The risk management group manager maintains contact with external risk management and security specialists including those in government and commercial areas. The risk management group manager keeps current on security threats, technologies, and mitigation methods.

Staff members are expected to cooperate with other staff members who are conducting a risk assessment of equipment or systems they are responsible for. Remediation measures taken are the joint responsibility of the security officer and the business owner of the systems involved. Staff members who maintain or developed the system may be expected to work with the risk assessment staff to develop a risk mitigation plan. Where security issues or risks extend beyond the system of the business owner, the judgement of the security officer will take priority.

The agency or organizational security officer is responsible for ensuring that risk assessments are performed in a timely manner. The security officer has authority to shut down services if serious risks caused by the services warrant a shutdown, or because of a critical lack of cooperation by the service provider in providing required information. The security officer shall notify the provider of the service of a shutdown at least two weeks prior to the shutdown except in cases of emergency.

The security officer will require both technical and business information to conduct a security assessment. The owner of the service and those who maintain the service will be responsible for providing required information to the security officer or staff within a two week time period from the date of the request.

The security officer or staff will be responsible for providing an information request to the business owners or maintainers of the service. The information request should list required items for the risk assessment and be properly dated and signed by the security officer or authorized representative.

Once the risk assessment report is complete, responsible parties must take the appropriate remediation actions specified in the report within the specified time period. Someone must be assigned the task of remediation. An auditor or the security officer follows up to be sure appropriate remediation steps were taken in a timely manner.

13.0 Acceptable Risks

When determining acceptable risks, the risks and their mitigation costs must be compared in light of what is affordable by the organization.

When the probability of threat materialization times maximum damage amount is less than $1000 annually, the risk is acceptable. For higher amounts, on a yearly basis, acceptance of the risk will depend on the cost of implementing measures to reduce the risk. If the risk cannot be reduced and the amount per year is greater than $50,000, the risk should be transferred by purchasing insurance.

14.0 Risk Mitigation

  • Options for mitigating risk shall be provided by the risk assessment including the following possibilities:
    • Reducing the chance of an occurrence of an event.
    • Reducing the damage due to an occurrence.
    • Avoiding the risk.
    • Transferring the risk by taking action such as purchasing insurance.
  • The cost of implementing each control is considered and compared to the benefits, both financial and intangible, of implementing that control.
  • Cost and benefit analysis is done to evaluate proposed controls versus risks. When the controls are evaluated, the benefits, costs, and cost savings of applying the controls both individually and in combination should be determined. Performance measures for determining the effectiveness of the new controls are created.
  • Risks shall be ranked, the controls to be implemented are selected, and a plan is created to implement the controls. Responsibilities for implementing the controls are determined and communicated. Budgets and schedules are set, and the expected outcome of mitigating the risks with the controls is documented. Residual risk after full implementation is considered.
  • Decisions regarding residual risk are made whether to accept the risk, transfer the risk, or take other action including adding additional controls.
  • Safeguard options for addressing high risk scenarios must be considered and utilized appropriately while the extent of risk reduction and benefits are considered. Cost and benefit analysis is done to evaluate safeguard options.
  • If the cost of safeguard options or recommended risk controls is above the ability of the budget to cover the cost, the options and controls are prioritized to reduce as much risk as possible within the allowable budget.
  • The method of communicating the selected risk treatment options to the affected IT and business management and staff shall be followed when the risk assessment report is completed.
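The acceptance thresholds of section 13 (likelihood times maximum damage, the $1,000 and $50,000 annual figures) and the ranking and budget rules of sections 8 and 14, worked through in code. This is an added example, not part of the policy; the risk register, the "control is worth it when its annual cost is below the annual loss" test, the "management decision" label for cases the policy leaves open, and the greedy highest-loss-first selection are all assumptions made here.

```python
from dataclasses import dataclass

ACCEPTABLE_ANNUAL_LOSS = 1_000   # section 13: below this the risk is acceptable
TRANSFER_ANNUAL_LOSS = 50_000    # section 13: above this, an unreducible risk is insured


@dataclass
class Risk:
    name: str
    probability: float    # annual probability the threat materialises (0..1)
    max_damage: float     # maximum damage of one occurrence, in dollars
    control_cost: float   # annual cost of the recommended control
    reducible: bool       # False when no control can reduce the risk

    def annual_loss(self) -> float:
        # Sections 7 and 13: risk level is likelihood times (maximum) impact
        return self.probability * self.max_damage


def treatment(risk: Risk) -> str:
    """Section 13 decision rule for a single risk."""
    loss = risk.annual_loss()
    if loss < ACCEPTABLE_ANNUAL_LOSS:
        return "accept"
    if not risk.reducible:
        # The policy only mandates transfer above $50,000; below that the
        # outcome is left to management (assumed label, not in the policy).
        return "transfer" if loss > TRANSFER_ANNUAL_LOSS else "management decision"
    # Assumed cost/benefit test for section 14: a control is worth implementing
    # when its annual cost is below the annual loss it addresses.
    return "mitigate" if risk.control_cost < loss else "management decision"


def prioritise_controls(risks: list[Risk], budget: float) -> list[str]:
    """Section 8 ranking plus the section 14 budget rule: fund controls for the
    highest-loss mitigable risks first until the budget runs out (greedy
    ordering is an assumption; the policy leaves ranking criteria to the team)."""
    ranked = sorted((r for r in risks if treatment(r) == "mitigate"),
                    key=lambda r: r.annual_loss(), reverse=True)
    chosen, remaining = [], budget
    for r in ranked:
        if r.control_cost <= remaining:
            chosen.append(r.name)
            remaining -= r.control_cost
    return chosen


# Constructed sample register; the figures are illustrative, not from the policy
SAMPLE_RISKS = [
    Risk("phishing-led credential theft", 0.5, 80_000, 12_000, True),
    Risk("ransomware on file server", 0.1, 300_000, 9_000, True),
    Risk("web app defacement", 0.2, 6_000, 2_000, True),
    Risk("flood at data centre", 0.02, 4_000_000, 0, False),
    Risk("printer outage", 0.3, 2_000, 500, True),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.name}: ${r.annual_loss():,.0f}/yr -> {treatment(r)}")
    print("controls funded within $13,000:", prioritise_controls(SAMPLE_RISKS, 13_000))
```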

15.0 Enforcement

Since risk assessment is an important part of protecting data and systems for the organization, employees that purposely violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

16.0 Other Requirements

  • Additional security, reliability requirements and control measures for systems that store, transmit, or receive sensitive (confidential, secret, or top secret) data should be established. Logical and physical access should be considered.
  • Protection measures for all data must be communicated to stakeholders and users. The measures cover confidentiality, integrity, and availability of data in each sensitivity classification.
  • Each system and project should have a plan to protect data through the lifecycle of the system and project to ensure the data is adequately protected from when it is created to when it is destroyed.
  • A systematic risk assessment process must be developed. Skilled risk assessors and management must be a part of this process. Risk Assessment and the risk assessment process is discussed at Risk Assessment.
  • The risk assessment process must be reviewed every year in the light of new risks and technologies. Skilled risk assessors must be a part of this process. Audits, inspections, and incidents that occurred over the last year are used to evaluate the effectiveness of the process. The risk assessment process must be re-issued if gaps or weaknesses are found.
  • A third party should check the risk assessment strategy to evaluate its effectiveness objectively. This should be done at least every two years.
  • Part of the risk assessment process must include a review by senior management, IT management and the business owners.
  • A process must be developed and communicated which can establish the owner for data and for systems and system components.
  • The expected results of the risk assessment report must be defined by management including the stakeholders and expected results must be agreed upon.
  • Implement a process for monitoring the effectiveness of risk mitigation actions and safeguards across the enterprise. The process should cover documenting and reporting the results.
  • For each project, a project risk log and a project issues log should be created. Management should review the logs regularly.


Approved by:__________________________ Signature:_____________________ Date:_______________