Example Risk Assessment Policy

Version: 1.00
Issue Date: 3/20/2015

1.0 Purpose

This risk assessment policy documents the authority of "organization name" to conduct investigations and take actions as required to assess risks to the organization and take mitigating actions to reduce, eliminate, or manage risks. This Risk Assessment Policy specifies how and when risk assessments will be done and who will be responsible for them.

This Risk Assessment Policy is intended to specify how to identify risk in order to remediate it. Risk assessments are conducted under the authority of the organizational Chief Security Officer. The organizational Chief Security Officer appoints staff to conduct risk assessments. All those involved with a risk assessment must fully cooperate with the organizational members conducting the assessment. Cooperation must be complete for both the risk assessment and the remediation process since this is a critical business function.

2.0 Scope

This Risk Assessment Policy applies to all systems and data on the organizational network, owned by the organization, or operated on behalf of the organization. This policy is effective as of the issue date and does not expire unless superseded by another policy.

Risk assessments should cover services offered by projects, such as web sites with specific project or business functionality, along with infrastructure such as computer networks, buildings, and other facilities. The risk assessment should include security risk and the risk of natural disasters to infrastructure, equipment, data, and personnel, as well as the resulting loss of productivity and loss of revenue. Although many risk assessments are specific to individual systems, the overall risk to the organization should also be considered. A general risk assessment of organizational functions should be evaluated periodically, covering risks to the organizational network given its structure and the current state of security worldwide, physical security, natural disasters, man-made disasters, and similar concerns.

3.0 Term Definitions

  • Hazard - Something that can cause harm, injury, sickness, or loss to an individual or an organization.
  • Risk - The chance that a threat or hazard will have an undesirable outcome combined with the amount of harm that may occur.
  • Risk Assessment - An examination of all possible risks along with the implemented and non-implemented solutions to reduce, eliminate, or manage each risk.
  • Threat - A potential incident or activity which may be deliberate, accidental, or caused by nature which may cause physical harm to a person or financial harm to an organization.

4.0 Risk Assessment Participants and Skills

The staff members who perform the risk assessment should be familiar with computer technology and with computer security in particular. The risk assessment leader should be the security officer or one of their staff members. The leader of the risk assessment team should have a minimum of 2 years of computer security experience, preferably in risk assessment. The other team members should have a minimum of 3 months of computer security training and/or 1 year of computer security experience.

Business owners and technical support staff who provide information for the risk assessment do not need to be experienced in either risk assessments or computer security.

5.0 Risk Assessment Deliverables

Risk assessment deliverables include a risk assessment report and a risk reduction action plan to manage or mitigate any unacceptable risks. The action plan may be included with the risk assessment report. It describes the additional controls and solutions to be implemented to mitigate or manage risk, and may define the participants and the actions to be taken during implementation.

6.0 Risk Assessment Requirement

  • A risk assessment is required when a new project is started. This assessment will be performed within the scope of the project only and will only consider factors and equipment outside the project when it affects the risk to the project.
  • A risk assessment is required when data associated with a project is stored on a different computer than when the last security assessment was performed. This assessment will consider the change in risk due to the change in the storage location for the data and will only need to point out the differences from the last assessment unless the last assessment is inaccurate or out of date.
  • Any system or application that has never had a risk assessment should receive one.
  • A risk assessment is required when the project or application(s) associated with the project are modified enough to add, remove, or modify data such that the sensitivity and security requirements may change.
  • Risk assessments may be used to assess all risks to the organization.
  • A risk assessment should be done or reviewed on each system or application no less than every two years. These assessments should cover services offered by projects, such as web sites with specific project or business functionality, along with infrastructure such as computer networks, buildings, and other facilities, and should include security risk and the risk of natural disasters to infrastructure, equipment, data, and personnel, as well as the resulting loss of productivity and loss of revenue.
  • A risk assessment is required when a new system is being purchased from a vendor or will be operated through a vendor.
  • A risk assessment is required when a risk is perceived that has not been previously assessed.
  • A risk assessment is required when the security classification of the data used on the system is changed.

7.0 Risk Assessment Method

The risk assessment method is defined by the risk assessment process. The risk assessment process will be updated as required due to results of audits and incidents.

8.0 Accountable Parties

Senior management is responsible for developing a risk assessment framework which can assess, remediate, and manage risk. A specific executive should sponsor risk management and work to communicate its value. The management must be representative of IT and the business functions performed by the organization. Management must buy into the risk assessment and management process, communicate it clearly, and require it to be enforced.

A team or unit in the organization should have enterprise-wide responsibility for promoting good risk management practices. This group would normally conduct the risk assessments and must be trained in risk management. The manager of the risk management group has access to all levels of management in the organization, maintains contact with external risk management and security specialists in both government and commercial areas, and keeps current on security threats, technologies, and mitigation methods.

Staff members are expected to cooperate with other staff members who are conducting a risk assessment of equipment or systems they are responsible for. Remediation measures are the joint responsibility of the security officer and the business owner of the systems involved. Staff members who maintain or developed the system may be expected to work with the risk assessment staff to develop a risk mitigation plan. Where a security issue or risk extends beyond the system of the business owner, the judgement of the security officer takes priority.

The agency or organizational security officer is responsible for ensuring that risk assessments are performed in a timely manner. The security officer has the authority to shut down services when serious risks caused by the services warrant a shutdown, or when the service provider critically fails to cooperate in providing required information. The security officer shall notify the provider of the service at least two weeks prior to a shutdown, except in emergencies.

The security officer will require both technical and business information to conduct a security assessment. The owner of the service and those who maintain it are responsible for providing the required information to the security officer or staff within two weeks of the date of the request.

The security officer or staff will be responsible for providing an information request to the business owners or maintainers of the service. The information request should list required items for the risk assessment and be properly dated and signed by the security officer or authorized representative.

Once the risk assessment report is complete, the responsible parties must take the remediation actions specified in the report within the specified time period. A named individual must be assigned the remediation task. An auditor or the security officer follows up to confirm that the appropriate remediation steps were taken in a timely manner.

9.0 Risk Assessment Steps

  • Management defines scope of risk assessment and creates the risk assessment team with a focal point person to guide the process.
  • If risk assessment procedures are not defined, the team should define them. The proper time and method of communicating the selected risk treatment options to the affected IT and business management should be included.
  • Evaluate the system - Determine whether the system is critical to the organization's business processes, and determine the data classification and security needs of the data on the system according to the Data Classification Policy, considering confidentiality, integrity, and availability needs.
  • List the threats - List possible threat sources, such as the exploitation of a vulnerability.
  • Identify vulnerabilities
  • Evaluate security controls
  • Identify probabilities
  • Quantify damage (impact) - Categorize the damage and, where possible, place a dollar amount on it. This helps when weighing the cost of controls that reduce the risk.
  • Determine risk level - Use likelihood times impact to quantify the amount of risk.
  • Evaluate and recommend controls to reduce or eliminate risk - Identify existing controls and those that may further reduce probabilities or mitigate specific vulnerabilities. List specific vulnerabilities for the system and threat to help identify mitigating controls.
  • Create the risk assessment report.
  • The method of communicating the selected risk treatment options to the affected IT and business management and staff should be followed.
  • Take recommended risk mitigation actions.
  • Monitor the effectiveness of risk mitigation actions and document the results.

10.0 Risk Assessment Findings

  • Risk assessment reports and findings are confidential.
  • Risk assessment report results and expected actions taken should be defined by management and the stakeholders.

11.0 Risk Assessment Vulnerabilities

  • All identified vulnerabilities will be assessed for impact and criticality. Vulnerabilities that are serious and unnecessary must be remediated as soon as possible as mandated by the Chief Security Officer or their empowered staff.
  • Existing procedures, system controls, and management controls must first be identified and employed to control risk before adding new controls.

12.0 Acceptable Risks

When the probability of threat materialization times maximum damage amount is less than $1000 annually, the risk is acceptable. For higher amounts, on a yearly basis, acceptance of the risk will depend on the cost of implementing measures to reduce the risk. If the risk cannot be reduced and the amount per year is greater than $50,000, the risk should be transferred by purchasing insurance.
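A worked application of the two quantitative rules in this policy: the risk level of section 9.0 (likelihood times impact) and the acceptance thresholds of section 12.0, with the ranking by exposure that section 13.0 calls for. This example is added here and is not part of the policy text. The $1,000 and $50,000 thresholds are the policy's own; the scenarios, probabilities, damage figures, and control costs are constructed for illustration, and the "not cost-justified, therefore accepted" reading of the middle band is an assumption about how the policy's "depends on the cost of implementing measures" clause is applied.

```python
"""Worked example of the section 9.0 risk level (likelihood x impact) and the
section 12.0 acceptance thresholds. Added illustration, not part of the policy.
Thresholds come from section 12.0; all scenario figures are constructed."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

ACCEPTABLE_LIMIT = 1_000   # section 12.0: annual expected loss below this is acceptable
TRANSFER_LIMIT = 50_000    # section 12.0: above this, an irreducible risk is insured


@dataclass
class Scenario:
    name: str
    annual_probability: float            # chance the threat materializes in one year
    max_damage: float                    # maximum damage in dollars (the impact)
    control_cost: Optional[float] = None           # yearly cost of the best available control
    residual_probability: Optional[float] = None   # annual probability once that control is in place


def annual_risk(probability: float, damage: float) -> float:
    """Section 9.0, 'Determine risk level': likelihood times impact, dollars per year."""
    return probability * damage


def decide(s: Scenario) -> Tuple[str, float, str]:
    """Apply the section 12.0 rule to one scenario.

    Returns (action, annual_exposure, reason) with action one of
    'accept', 'mitigate', or 'transfer'.
    """
    exposure = round(annual_risk(s.annual_probability, s.max_damage), 2)
    if exposure < ACCEPTABLE_LIMIT:
        return "accept", exposure, f"expected loss ${exposure:,.0f}/yr is below ${ACCEPTABLE_LIMIT:,}"

    if s.control_cost is not None and s.residual_probability is not None:
        # Section 13.0 cost/benefit: a control is justified when it removes more
        # expected loss per year than it costs per year.
        residual = annual_risk(s.residual_probability, s.max_damage)
        saved = round(exposure - residual, 2)
        if s.control_cost <= saved:
            return "mitigate", exposure, (f"control costs ${s.control_cost:,.0f}/yr and removes "
                                          f"${saved:,.0f}/yr of expected loss")
        reason = f"control costs ${s.control_cost:,.0f}/yr but removes only ${saved:,.0f}/yr"
    else:
        reason = "no control is available to reduce the risk"

    # From here the risk counts as not reducible (assumed reading of section 12.0).
    if exposure > TRANSFER_LIMIT:
        return "transfer", exposure, f"{reason}; ${exposure:,.0f}/yr exceeds ${TRANSFER_LIMIT:,}, insure"
    return "accept", exposure, f"{reason}; residual risk accepted and documented in the report"


def rank(scenarios: List[Scenario]) -> List[Tuple[str, float, str]]:
    """Section 13.0: rank risks, highest annual exposure first."""
    rows = [(s.name, *decide(s)[1::-1]) for s in scenarios]  # (name, exposure, action)
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed scenarios (hypothetical figures, not from the policy).
SAMPLE_SCENARIOS = [
    Scenario("Lobby kiosk defacement", 0.2, 3_000),
    Scenario("Ransomware on the file server", 0.1, 400_000, control_cost=15_000, residual_probability=0.01),
    Scenario("Data center flood", 0.02, 5_000_000),
    Scenario("Phishing of staff mailboxes", 0.5, 10_000, control_cost=8_000, residual_probability=0.1),
]

if __name__ == "__main__":
    for name, exposure, action in rank(SAMPLE_SCENARIOS):
        print(f"{exposure:>12,.0f}  {action:<9} {name}")
    for s in SAMPLE_SCENARIOS:
        print(f"- {s.name}: {decide(s)[2]}")
```

Running the block ranks the four constructed scenarios by annual exposure and prints the action and reason for each: the flood is transferred because no control reduces it and it exceeds $50,000 per year, the ransomware control is bought because it removes far more expected loss than it costs, the phishing control is rejected on cost and the residual risk is documented, and the kiosk risk falls under the $1,000 floor.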

13.0 Risk Mitigation

  • Options for mitigating risk shall be provided by the risk assessment including the following possibilities:
    • Reducing the chance of an occurrence of an event.
    • Reducing the damage due to an occurrence.
    • Avoiding the risk.
    • Transferring the risk by taking action such as purchasing insurance.
  • The cost of implementing each control is considered and compared to its benefits, both financial and intangible.
  • A cost and benefit analysis is done to evaluate the proposed controls against the risks. When the controls are evaluated, the benefits, costs, and cost savings of applying them both individually and in combination should be determined. Performance measures for determining the effectiveness of the new controls are created.
  • Risks shall be ranked, the controls to be implemented are selected, and a plan is created to implement them. Responsibilities for implementing the controls are determined and communicated. Budgets and schedules are set, and the expected outcome of mitigating the risks with the controls is documented. Residual risk after full implementation is considered.
  • Decisions regarding residual risk are made whether to accept the risk, transfer the risk, or take other action including adding additional controls.
  • Safeguard options for addressing high risk scenarios must be considered and utilized appropriately while the extent of risk reduction and benefits are considered. Cost and benefit analysis is done to evaluate safeguard options.
  • If the cost of safeguard options or recommended risk controls is above the ability of the budget to cover the cost, the options and controls are prioritized to reduce as much risk as possible within the allowable budget.
  • The method of communicating the selected risk treatment options to the affected IT and business management and staff shall be followed when the risk assessment report is completed.

14.0 Enforcement

Since risk assessment is an important part of protecting data and systems for the organization, employees that purposely violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

15.0 Other Requirements

  • Additional security and reliability requirements and control measures should be established for systems that store, transmit, or receive sensitive (confidential, secret, or top secret) data. Both logical and physical access should be considered.
  • Protection measures for all data must be communicated to stakeholders and users. The measures cover confidentiality, integrity, and availability of data in each sensitivity classification.
  • Each system and project should have a plan to protect data through the lifecycle of the system and project to ensure the data is adequately protected from when it is created to when it is destroyed.
  • A systematic risk assessment process must be developed. Skilled risk assessors and management must be a part of this process.
  • The risk assessment process must be reviewed every year in light of new risks and technologies. Skilled risk assessors must be a part of this review. Audits, inspections, and incidents that occurred over the last year are used to evaluate the effectiveness of the process. The risk assessment process must be re-issued if gaps or weaknesses are found.
  • A third party should check the risk assessment strategy to evaluate its effectiveness objectively. This should be done at least every two years.
  • Part of the risk assessment process must include a review by senior management, IT management and the business owners.
  • A process must be developed and communicated which can establish the owner for data and for systems and system components.
  • The expected results of the risk assessment report must be defined by management including the stakeholders and expected results must be agreed upon.
  • Implement a process for monitoring the effectiveness of risk mitigation actions and safeguards across the enterprise. The process should cover documenting and reporting the results.
  • For each project, a project risk log and a project issues log should be created. Management should review the logs regularly.

Approval

Approved by:__________________________ Signature:_____________________ Date:_______________