IT/IS Risk Management is formally defined as the total process of identifying, controlling, and managing the impact of uncertain harmful events, commensurate with the value of the protected assets, to avoid risk or reduce it to acceptable levels. This process includes both the identification and assessment of risk through risk assessment, analysis, and the initiation and monitoring of appropriate practices in response to that analysis through a risk management program.
The USG CISO shall develop and maintain an IT/IS risk management standard, processes and procedures for support of risk management across the USG and support of activities between participant organizations. He/she shall maintain IT/IS risk management implementation standards that the individual USG participant organizations must consider in the development of their individualized IT/IS risk management plans.
5.5.1 Institution, USO, GPLS, and Georgia Archives Responsibilities
All USG institutions, the USO, the GPLS, and the Georgia Archives must ensure the integrity of computerized information resources by protecting them from unauthorized access, modification, destruction, or disclosure and by ensuring the physical security of these resources. USG institutions, the USO, the GPLS, and the Georgia Archives shall also ensure that users, contractors, and third parties having access to state or USG computerized information resources are informed of and abide by this standard and the institution, USO, GPLS, and/or Georgia Archives security plan, and are informed of applicable local, state, and federal policies, laws, regulations, and/or codes related to computerized information resources.
USG institutions, the USO, the GPLS, and the Georgia Archives employing information technology must establish an IT/IS risk management process to identify, assess, and respond to the risks associated with their information assets. The unauthorized modification, deletion, or disclosure of information included in institution, USO, GPLS, and Georgia Archives files and databases can compromise the integrity of state and USG programs, violate an individual's right to privacy, and constitute a criminal act.
5.5.2 Risk Assessment and Analysis
The impact analysis identifies the IT-related assets (e.g., information, people, software, hardware, facilities, etc.) and determines which of them are most critical to protect. Once the level of sensitivity of the information resources has been identified in this way, the threats to which they are subject must be identified and evaluated. This process is referred to as a risk assessment: for each threat event, the probability of its occurring and the resultant impact of that event on the information resources should be assessed.
For a given IT asset, an estimate should be made of the largest potential business impact, based on failures of confidentiality, integrity, and availability. The relative business impact of these three types of failure events should then be estimated as high, medium, or low. For example, if a system is estimated as having a low requirement for confidentiality, a medium requirement for data integrity, and a high requirement for service availability, then that IT asset is treated as having a high requirement for attention.
The organization needs to decide if and when a residual level of risk may be acceptable. Senior management then determines the appropriate response to each identified risk by choosing one of the following activities:
- Mitigate the risk by implementing controls and countermeasures, or safeguards;
- Accept the risk;
- Avoid the risk; or,
- Pass the risk on.
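The impact analysis, the high/medium/low rating rule, and the risk response choice described above, worked through as an added example (this is not code from the USG IT Handbook). The high-water-mark rule for the asset's overall rating, the likelihood-by-impact scoring bands, the acceptable residual level, and the sample asset and threats are all assumptions chosen for illustration.

```python
"""Qualitative IT/IS risk assessment (added example, assumptions noted inline)."""
from dataclasses import dataclass
from typing import List

# Assumption: ordinal scale for the page's high/medium/low ratings.
LEVELS = {"low": 1, "medium": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}

@dataclass
class Asset:
    name: str
    confidentiality: str  # low / medium / high requirement
    integrity: str
    availability: str

@dataclass
class Threat:
    description: str
    likelihood: str  # probability of the threat event occurring: low / medium / high
    affects: str     # which requirement a successful event defeats: confidentiality / integrity / availability

def attention_level(asset: Asset) -> str:
    """Overall requirement for attention = the highest of the three CIA requirements."""
    return NAMES[max(LEVELS[asset.confidentiality], LEVELS[asset.integrity], LEVELS[asset.availability])]

def risk_level(asset: Asset, threat: Threat) -> str:
    """Risk = likelihood x impact. Assumption: product 1-2 is low, 3-4 medium, 6-9 high."""
    impact = LEVELS[getattr(asset, threat.affects)]
    score = LEVELS[threat.likelihood] * impact
    if score <= 2:
        return "low"
    if score <= 4:
        return "medium"
    return "high"

def recommend_response(level: str, acceptable: str = "low") -> str:
    """Assumption: risk at or below the acceptable residual level is accepted; anything above it
    must be treated. Whether to mitigate, avoid, or pass the risk on is senior management's choice."""
    return "accept" if LEVELS[level] <= LEVELS[acceptable] else "treat"

def assess(asset: Asset, threats: List[Threat], acceptable: str = "low") -> List[dict]:
    """One register row per threat: rated risk and the required response category."""
    rows = []
    for t in threats:
        level = risk_level(asset, t)
        rows.append({"threat": t.description, "risk": level, "response": recommend_response(level, acceptable)})
    return rows

# Constructed sample: the asset from the text (low C, medium I, high A) and three hypothetical threats.
SAMPLE_ASSET = Asset("student portal", "low", "medium", "high")
SAMPLE_THREATS = [
    Threat("denial of service against the web front end", "medium", "availability"),
    Threat("unauthorized change to posted grades", "low", "integrity"),
    Threat("disclosure of the public course catalog", "high", "confidentiality"),
]
```

Running `assess(SAMPLE_ASSET, SAMPLE_THREATS)` rates the asset "high" for attention, while the three threats come out high, low, and medium, so only the second falls within a "low" acceptable residual level.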
5.5.3 Institution, USO, GPLS, and Georgia Archives Risk Management Programs
The practice of IT/IS risk management within a USG institution, the USO, the GPLS, and the Georgia Archives must be based upon the results of the organization’s risk analysis process. Based on the impact analysis and the risk assessment, the organization should determine what types of safeguards are appropriate to address its defined risks. In this manner, the safeguards deployed reflect the true importance of the investment in the information resources used to accomplish the organization’s mission.
An IT/IS risk management plan must then be developed documenting the actions, safeguards, or countermeasures that can be taken to reduce the identified risks based on available resources. While it is not required that this plan be on file with USG Information Security & ePrivacy, it must be made available upon request.
A focus on the USG and organization missions is vital. The IT organization cannot, and is not expected to, mitigate every risk, but must prioritize based on the threat to the mission and available resources.
Obtaining resources for IT/IS risk management is subject to the same technical, programmatic, and budgetary justification and review processes required for any information technology program. The IT/IS risk management practices implemented by the USG participant organization will vary depending upon the nature of the organization’s information assets.
5.5.4 USG IT/IS Risk Management Standard
Information Technology/Information Security (IT/IS) risk management is a strategic business discipline that supports the achievement of an organization’s objectives and goals by addressing the full spectrum of its risks and managing the combined impact of those risks.
IT/IS risk management is an aggregation of three processes – risk assessment, risk mitigation, and controls evaluation and measurement – that help an organization ensure that IT/IS processes are integrated with strategic and operational planning processes. Managing risk safeguards the organization’s mission and goals, and requires an ongoing evaluation and assessment of IT/IS operations and processes.
USG information assets (e.g., data processing capabilities, information technology infrastructure and data) are an essential resource and asset. For many organizations, program operations would effectively cease in the absence of key computer systems. In some cases, public health and safety would be immediately jeopardized by the failure or disruption of a system. Furthermore, the unauthorized modification, deletion, or disclosure of information included in institution files and databases can compromise the integrity of USG programs, violate an individual's right to privacy, and constitute a criminal act.
USG organizations must ensure the integrity of computerized information resources by protecting them from unauthorized access, modification, destruction, or disclosure, and by ensuring the physical security of these resources. USG organizations must ensure that users, contractors, and third parties that access the organization’s computerized information resources are informed of and abide by this standard, all applicable organization IT/IS policies, standards and procedures, and applicable federal and state laws related to computerized information resources.
USG organizations that employ information technology must establish IT/IS risk management and disaster recovery planning processes for identifying, assessing, and responding to the risks associated with their information assets.
Federal and state information technology regulations require USG information resources to undergo an Information Security Risk Management process to identify the risks associated with their operation and to take steps to reduce and maintain risk at an acceptable level.
5.5.5 USG IT/IS Risk Management Process
Federal and state information technology regulations require USG information resources to undergo an Information Security Risk Management process to identify the risks associated with their operation and to take steps to reduce that risk to, and maintain it at, an acceptable level. IT/IS Risk Management is integral to the development and operation of information resources.
IT/IS Risk Management planners must communicate and collaborate with the USG organization’s Enterprise Risk Management (ERM) coordinator, at least annually.
IT/IS risk management practices implemented will vary depending upon the nature of the participant organization’s information assets. Practices that must be included in each organization’s risk management program are:
- Discover endpoints and data (desktops, notebooks, servers, mobile devices, and other computer assets);
- Inventory endpoints and data (desktops, notebooks, servers, mobile devices, and other computer assets);
- Categorize the information system (impact/criticality/sensitivity);
- Select and tailor baseline (minimum) security controls;
- Supplement the security controls based on risk assessment;
- Document security controls in system security plan;
- Implement the security controls in the information system;
- Assess the security controls for effectiveness;
- Authorize information system operation based on mission risk; and,
- Monitor security controls on a continuous basis.
IT/IS risk management will also include the Information Security Program Report (ISPR) to collect and evaluate key IT components and controls and assess compliance against USG IT Handbook standards. This report and process have been established to assist each USG organization with identifying, evaluating and strengthening information security operations through reducing risks and strengthening internal controls. InfoSec will complete the following ISPR processes on an annual basis:
- (January, February) InfoSec reviews ISPR reports from the previous year to determine changes that may be needed to meet the needs of the USG organization and identify areas of focus for the upcoming compliance review period. Proposed changes, as well as the selected areas of focus, will be reviewed by ITS senior staff and the Internal Audit and Compliance department. Revisions to the report, changes to the ISPR reporting process and the areas of focus for the upcoming review period are communicated to USG organizations.
- (March) InfoSec releases the ISPR survey to USG organizations. USG organizations are given a 21-day period to complete the survey.
- (April, May) InfoSec collects, compiles, and analyzes ISPR survey results.
- (June) InfoSec prepares a final ISPR report for USG organizations and submits it to the Governor’s office.
- (July, August, September) InfoSec conducts ISPR compliance reviews across USG organization units based on the selected areas of focus. Upon the conclusion of a compliance review, a report will be generated and delivered to respective USG CIOs and CISOs and USO senior staff. ISPR reporting and compliance guidelines, templates, support and training are provided to USG organizations based on areas of need and focus.
- (October) InfoSec releases the ISPR survey to USG organizations. USG organizations are given a 21-day period to complete the survey.
- (November, December) InfoSec collects, compiles, and analyzes ISPR survey results.
ISPR Annual Reporting Process (Diagram)
Specific Guidelines for IT/IS Risk Management
- FIPS Publication 199 (Security Categorization)
- FIPS Publication 200 (Minimum Security Requirements)
- ISO 27005 Information Security Risk Management (ISRM)
- NIST Special Publication 800-18 (Security Planning)
- NIST Special Publication 800-30 (Risk Management)
- NIST Special Publication 800-37 (Certification & Accreditation)
- NIST Special Publication 800-53 (Recommended Security Controls)
- NIST Special Publication 800-53A (Security Control Assessment)
- NIST Special Publication 800-59 (National Security Systems)
- NIST Special Publication 800-60 (Security Category Mapping)