Risk Assessment (from NIST)
This risk assessment control list and description are meant to tie each risk assessment control to a concrete activity or behavior. For NIST's own descriptions, see NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems.
- Risk assessment policy and procedures - The organization should have a risk assessment policy. The policy should define when risk assessments should be performed and when they should be repeated. It should define expected risk assessment deliverables, who should be involved in the risk assessment process, and the general method of risk assessments and scope. The risk assessment policy should define acceptable risk and action plans related to risk assessment that should be created. (low)
- Security categorization - The data and the information systems used by the organization are categorized into impact levels such as high, moderate, and low, separately for confidentiality, integrity, and availability. The resulting category drives the required security controls and backup systems. (low)
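The categorization step above is usually carried out with the FIPS 199 "high-water mark": each information type handled by a system is rated low, moderate or high for confidentiality, integrity and availability, the system inherits the highest rating per objective, and the overall system category is the highest of those three. The following script is an added example (not NIST text or any NIST tool); the information types and their ratings are constructed sample values.

```python
from dataclasses import dataclass

# Impact levels in ascending order; used for comparison and validation.
LEVELS = ("low", "moderate", "high")
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type handled by a system, rated per security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for objective in OBJECTIVES:
            level = getattr(self, objective)
            if level not in LEVELS:
                raise ValueError(f"{self.name}: invalid {objective} level {level!r}")


def max_level(levels):
    """Return the highest impact level in an iterable of level names."""
    return max(levels, key=LEVELS.index)


def categorize_system(info_types):
    """FIPS 199 high-water mark: per objective, the highest rating across all
    information types the system stores, processes or transmits."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    return {
        objective: max_level(getattr(t, objective) for t in info_types)
        for objective in OBJECTIVES
    }


def overall_category(system_category):
    """Overall system impact level: the highest of the three objective levels."""
    return max_level(system_category.values())


# Constructed sample: three information types on one customer-facing system.
SAMPLE_INFO_TYPES = [
    InfoType("public web content", "low", "low", "moderate"),
    InfoType("customer PII", "high", "moderate", "low"),
    InfoType("order processing", "moderate", "high", "moderate"),
]

if __name__ == "__main__":
    per_objective = categorize_system(SAMPLE_INFO_TYPES)
    print("Per-objective:", per_objective)
    print("Overall system category:", overall_category(per_objective))
```

Keeping the per-objective result separately from the overall category matters in practice: a system rated high only on integrity needs stronger integrity controls (change control, integrity monitoring) without automatically needing the strictest availability measures.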
- Risk assessment - The possible risk and damage due to destruction or unauthorized disclosure, modification, or loss of access to data or information systems is assessed and a plan is implemented to reduce or mitigate this risk according to the organization's risk assessment policy and procedures. (low)
- Risk assessment update - Risk assessments are updated periodically or when system change requires it according to the organization's risk assessment policy and procedures. (low)
- Vulnerability scanning - Vulnerability scanning is performed against the organization's information systems according to the established scanning policy, using approved tools. The findings from each scan are shared with the appropriate departments so they can remediate the vulnerabilities. Staff performing vulnerability scanning should have appropriate network tools. (moderate)
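The "shared with appropriate departments" step in the scanning control is where many programs break down: a raw scanner export lands in a shared mailbox and nobody owns the items. The script below is an added example, not part of the NIST text or any scanner's tooling. It parses a constructed CSV export (the plugin identifiers and hostnames are placeholders), maps each host to its owning team, and produces a per-team remediation list ordered by severity, with unowned assets collected in a separate bucket so they are not silently dropped.

```python
import csv
import io
from collections import defaultdict

# Severity ordering used for sorting and for the minimum-severity filter.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed asset inventory: host -> owning department.
# A real program would pull this from the CMDB or asset register.
ASSET_OWNERS = {
    "web01.example.test": "web-team",
    "db01.example.test": "dba",
    "fs01.example.test": "infra",
}

# Constructed scan export; plugin IDs and titles are placeholders, not real findings.
SCAN_CSV = """host,plugin_id,severity,title
web01.example.test,PLACEHOLDER-001,high,Outdated TLS configuration
db01.example.test,PLACEHOLDER-002,critical,Unpatched database service
web01.example.test,PLACEHOLDER-003,low,Server banner disclosure
fs01.example.test,PLACEHOLDER-004,medium,SMB signing not required
orphan.example.test,PLACEHOLDER-005,high,Default credentials on admin interface
"""


def parse_findings(csv_text):
    """Parse a scanner CSV export into a list of finding dicts, validating severity."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        severity = row["severity"].strip().lower()
        if severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {row['severity']!r} for {row['host']}")
        findings.append({
            "host": row["host"].strip(),
            "plugin_id": row["plugin_id"].strip(),
            "severity": severity,
            "title": row["title"].strip(),
        })
    return findings


def route_findings(findings, owners=ASSET_OWNERS, min_severity="low"):
    """Group findings by owning department, highest severity first.
    Hosts missing from the inventory go to 'unassigned' so they are followed up."""
    threshold = SEVERITY_RANK[min_severity]
    routed = defaultdict(list)
    for f in findings:
        if SEVERITY_RANK[f["severity"]] < threshold:
            continue
        routed[owners.get(f["host"], "unassigned")].append(f)
    for items in routed.values():
        items.sort(key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)
    return dict(routed)


def summarize(routed):
    """Count findings per department and severity, for the remediation tracker."""
    return {
        owner: {
            sev: sum(1 for f in items if f["severity"] == sev)
            for sev in SEVERITY_RANK
            if any(f["severity"] == sev for f in items)
        }
        for owner, items in routed.items()
    }


if __name__ == "__main__":
    routed = route_findings(parse_findings(SCAN_CSV))
    for owner, items in routed.items():
        print(f"== {owner} ==")
        for f in items:
            print(f"  [{f['severity']}] {f['host']} {f['plugin_id']}: {f['title']}")
    print(summarize(routed))
```

The `unassigned` bucket is the important edge case: an asset that the scanner sees but the inventory does not know about is itself a finding for the asset-management process, and the scanning policy should name who receives that bucket.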