Policies Section

Risk Assessment (from NIST)

This risk assessment control list and the descriptions below are meant to tie each risk assessment control to a concrete activity or behavior. For NIST's own descriptions, see NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems.

  • Risk assessment policy and procedures - The organization should have a risk assessment policy. The policy should define when risk assessments are performed and when they are repeated, the expected deliverables, who is involved in the assessment process, and the general method and scope of assessments. It should also define what level of risk is acceptable and the action plans that a risk assessment is expected to produce. (low)
  • Security categorization - The organization's data and the systems that process it are categorized into levels such as high, moderate, and low according to their needs for confidentiality, integrity, and availability. The resulting category helps determine the required security controls and backup systems. (low)
  • Risk assessment - The possible risk and damage from destruction, unauthorized disclosure, modification, or loss of access to data or information systems is assessed. A plan is then implemented to reduce or mitigate that risk according to the organization's risk assessment policy and procedures. (low)
  • Risk assessment update - Risk assessments are updated periodically, or when a system change requires it, according to the organization's risk assessment policy and procedures. (low)
  • Vulnerability scanning - Vulnerability scanning is performed against the organization's information systems according to the scanning policy, using approved tools. The information gathered by the scan is shared with the appropriate departments so they can remediate the vulnerabilities found. Staff performing vulnerability scanning should have the appropriate network tools. (moderate)
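The security categorization control above says systems are rated high, moderate, or low for confidentiality, integrity, and availability, and that the rating drives which controls apply; the "(low)" and "(moderate)" tags on each control are the baseline at which it first applies. The following is an added worked example, not code from the original page or from NIST. It assumes two conventions the page does not spell out: the FIPS 199 high-water mark (a system's category for each objective is the highest impact of any information type it handles, and the overall category is the highest of the three), and the NIST SP 800-53 baseline rule that a control tagged with a baseline applies to systems at that level or higher. The information types in `SAMPLE_SYSTEM` are constructed sample data.

```python
"""Added example: FIPS 199-style security categorization by high-water mark,
then selecting which of the risk assessment controls listed on this page apply
to the resulting baseline. Assumed conventions: high-water mark aggregation
(FIPS 199) and baseline inheritance (NIST SP 800-53). Sample data is constructed.
"""
from dataclasses import dataclass

# Impact levels in increasing order; RANK lets us compare them numerically.
LEVELS = ("low", "moderate", "high")
RANK = {level: i for i, level in enumerate(LEVELS)}


@dataclass(frozen=True)
class InfoType:
    """One kind of information a system handles, with its CIA impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def categorize_system(info_types):
    """Return (per-objective levels, overall category) using the high-water mark.

    For each objective the system takes the highest impact level of any
    information type it processes; the overall category is the highest of
    the three objective levels (FIPS 199 convention, assumed here).
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    objectives = {}
    for objective in ("confidentiality", "integrity", "availability"):
        levels = [getattr(t, objective) for t in info_types]
        for lvl in levels:
            if lvl not in RANK:
                raise ValueError(f"unknown impact level {lvl!r} for {objective}")
        objectives[objective] = max(levels, key=RANK.__getitem__)
    overall = max(objectives.values(), key=RANK.__getitem__)
    return objectives, overall


# The risk assessment controls from the list above, keyed to the baseline
# each one is tagged with on the page.
RISK_ASSESSMENT_CONTROLS = {
    "Risk assessment policy and procedures": "low",
    "Security categorization": "low",
    "Risk assessment": "low",
    "Risk assessment update": "low",
    "Vulnerability scanning": "moderate",
}


def applicable_controls(overall, controls=RISK_ASSESSMENT_CONTROLS):
    """Controls whose tagged baseline is at or below the system's category.

    A control tagged (moderate) applies to moderate and high systems but not
    to low ones (NIST SP 800-53 baseline rule, assumed here).
    """
    if overall not in RANK:
        raise ValueError(f"unknown system category {overall!r}")
    return sorted(name for name, base in controls.items()
                  if RANK[base] <= RANK[overall])


# Constructed sample: a public web portal that also stores support tickets.
SAMPLE_SYSTEM = [
    InfoType("public marketing pages", "low", "moderate", "moderate"),
    InfoType("customer support tickets", "moderate", "moderate", "low"),
]

if __name__ == "__main__":
    objectives, overall = categorize_system(SAMPLE_SYSTEM)
    print("per-objective:", objectives)
    print("overall category:", overall)
    print("applicable risk assessment controls:", applicable_controls(overall))
```

Note that the sample system is moderate overall even though no single information type is moderate on every objective; that is the point of the high-water mark, and it is why the vulnerability scanning control (tagged moderate) ends up in scope for this system but would not for a system rated low on all three objectives.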