Information Technology Handbook

5.5 IT/IS Risk Management

Version date: May 16, 2014

IT/IS Risk Management is formally defined as the total process of identifying, controlling, and managing the impact of uncertain harmful events, commensurate with the value of the protected assets, to avoid risk or reduce it to acceptable levels. This process includes both the identification and assessment of risk through risk assessment and analysis, and the initiation and monitoring of appropriate practices in response to that analysis through a risk management program.

The USG CISO shall develop and maintain an IT/IS risk management standard, processes and procedures for support of risk management across the USG and support of activities between participant organizations. He/she shall maintain IT/IS risk management implementation standards that the individual USG participant organizations must consider in the development of their individualized IT/IS risk management plans.

5.5.1 Institution, USO, GPLS, and Georgia Archives Responsibilities

All USG institutions, the USO, the GPLS, and the Georgia Archives must ensure the integrity of computerized information resources by protecting them from unauthorized access, modification, destruction, or disclosure, and must ensure the physical security of these resources. USG institutions, the USO, the GPLS, and the Georgia Archives shall also ensure that users, contractors, and third parties having access to state or USG computerized information resources are informed of and abide by this standard and the institution, USO, GPLS, and/or Georgia Archives security plan, and are informed of applicable local, state, and federal policies, laws, regulations, and/or codes related to computerized information resources.

USG institutions, the USO, the GPLS, and the Georgia Archives employing information technology must establish an IT/IS risk management process to identify, assess, and respond to the risks associated with their information assets. The unauthorized modification, deletion, or disclosure of information included in institution, USO, GPLS, and Georgia Archives files and databases can compromise the integrity of state and USG programs, violate individuals' right to privacy, and constitute a criminal act.


5.5.2 Risk Assessment and Analysis

Once the level of sensitivity of the information resources has been identified through an impact analysis, in which IT-related assets (e.g., information, people, software, hardware, facilities, etc.) are identified and the assets most critical to protect are determined, the threats to which those assets are subject must be identified and evaluated. This process is referred to as a risk assessment: the probability of each threat event occurring and the resultant impact of that event on the information resources are assessed during this process.

For a given IT asset, an estimate should be made of the largest potential business impact, based on failures of confidentiality, integrity, and availability. The relative business impact of these three types of failure events should then be estimated as high, medium, or low. For example, if a system is estimated as having a low requirement for confidentiality, a medium requirement for data integrity, and a high requirement for service availability, then that IT asset is treated as having a high requirement for attention.

The organization needs to decide if and when a residual level of risk may be acceptable. Senior management then determines the appropriate risk response by choosing one of the following activities for each identified risk:

  1. Mitigate the risk by implementing controls and countermeasures, or safeguards;
  2. Accept the risk;
  3. Avoid the risk; or,
  4. Pass the risk on.
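The high-water-mark categorization of 5.5.2 and the probability-times-impact assessment it describes, as an added Python example that is not part of the handbook. The numeric scale, the sample assets and threats, and the acceptable-residual threshold are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Ordinal scale for the handbook's high/medium/low ratings.
# The numeric values are an illustrative assumption, not part of the handbook.
LEVELS = {"low": 1, "medium": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}


@dataclass
class Asset:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def high_water_mark(self) -> str:
        """Overall requirement is the highest of the C, I and A ratings
        (5.5.2: low C + medium I + high A is treated as 'high')."""
        return NAMES[max(LEVELS[self.confidentiality],
                         LEVELS[self.integrity],
                         LEVELS[self.availability])]


@dataclass
class Threat:
    asset: Asset
    description: str
    likelihood: str  # probability of the threat event occurring: low/medium/high

    def risk_score(self) -> int:
        """Likelihood x impact, with impact taken as the asset's high-water mark."""
        return LEVELS[self.likelihood] * LEVELS[self.asset.high_water_mark()]


def prioritize(threats, acceptable_residual: int):
    """Rank threats from highest risk down and flag those above the residual
    level management has declared acceptable; flagged threats need one of the
    four responses (mitigate, accept, avoid, pass on) recorded against them."""
    ranked = sorted(threats, key=lambda t: t.risk_score(), reverse=True)
    return [(t, t.risk_score(), t.risk_score() > acceptable_residual) for t in ranked]


# Constructed sample register (not real systems).
REGISTRATION = Asset("registration system (constructed)", "low", "medium", "high")
ARCHIVE = Asset("archival catalog (constructed)", "medium", "medium", "low")
SAMPLE_THREATS = [
    Threat(REGISTRATION, "outage during enrollment period", "medium"),
    Threat(ARCHIVE, "accidental record deletion", "low"),
    Threat(REGISTRATION, "unauthorized record modification", "low"),
]

if __name__ == "__main__":
    for threat, score, needs_response in prioritize(SAMPLE_THREATS, acceptable_residual=2):
        print(f"{score:>2}  {'RESPOND' if needs_response else 'accept '}  "
              f"{threat.asset.name}: {threat.description}")
```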

5.5.3 Institution, USO, GPLS, and Georgia Archives Risk Management Programs

The practice of IT/IS risk management within a USG institution, the USO, the GPLS, and the Georgia Archives must be based upon the results of the organization’s risk analysis process. Based on the impact analysis and the risk assessment, the organization should determine what types of safeguards are appropriate to address their defined risks. In this manner, the safeguards deployed reflect the true importance of the investment in the information resources used to accomplish the organization’s mission.

An IT/IS risk management plan must then be developed documenting the actions, safeguards, or countermeasures that can be taken to reduce the identified risks based on available resources. While it is not required that this plan be on file with USG Information Security & ePrivacy, it must be made available upon request.

A focus on the USG and organization missions is vital. The IT organization cannot, and is not expected to, mitigate every risk, but must prioritize based on the threat to the mission and available resources.

Obtaining resources for IT/IS risk management is subject to the same technical, programmatic, and budgetary justification and review processes required for any information technology program. The IT/IS risk management practices implemented by the USG participant organization will vary depending upon the nature of the organization’s information assets.


5.5.4 USG IT/IS Risk Management Standard

IT/IS risk management is the process of taking actions to avoid or reduce risk to acceptable levels.

5.5.4.1 Purpose

IT/IS risk management is an aggregation of three processes – risk assessment, risk mitigation, and controls evaluation and measurement – that help an organization ensure that information security management processes are integrated with that organization’s strategic and operational planning processes. Managing risk safeguards the organization’s mission and goals, and provides an on-going evaluation and assessment of IT- and IS-related mission risks.

USG institutions, the USO, the GPLS, and the Georgia Archives must ensure the confidentiality, integrity, and availability of information and information systems resources and assets by protecting them from unauthorized access, modification, destruction, or disclosure, and ensure the physical security of IT resources and assets.

5.5.4.2 Standard Statement

IT/IS risk management is the process of taking actions to avoid or reduce risk to acceptable levels. This process includes both the identification and assessment of risk through risk analysis, and the initiation and monitoring of appropriate practices in response to that analysis through the organization’s IT/IS risk management program.

USG institutions, the USO, the GPLS, and the Georgia Archives need to ensure the integrity of computerized information resources by protecting them from unauthorized access, modification, destruction, or disclosure, and to ensure the physical security of these resources. USG institutions, the USO, the GPLS, and the Georgia Archives shall also ensure that users, contractors, and third parties having access to institution computerized information resources are informed of and abide by this policy and the organization security plan, and are informed of applicable federal laws and state statutes related to computerized information resources.

Each USG participant organization that employs information technology must establish IT/IS risk management and disaster recovery planning processes for identifying, assessing, and responding to the risks associated with its information assets. The USG’s information assets (its data processing capabilities, information technology infrastructure, and data) are an essential resource and asset. For many organizations, program operations would effectively cease in the absence of key computer systems. In some cases, public health and safety would be immediately jeopardized by the failure or disruption of a system. Furthermore, the unauthorized modification, deletion, or disclosure of information included in institution files and databases can compromise the integrity of USG programs, violate individuals' right to privacy, and constitute a criminal act.


5.5.5 USG IT/IS Risk Management Process

Federal and state information technology regulations require USG information resources to undergo an Information Security Risk Management process to identify the risks associated with their operation and to take steps to reduce that risk to, and maintain it at, an acceptable level. IT/IS Risk Management is integral to the development and operation of information resources.

5.5.5.1 Process

The practice of IT/IS risk management within a USG participant organization must be based upon the results of its risk analysis process. Obtaining resources for IT/IS risk management is subject to the same technical, programmatic, and budgetary justification and review processes required for any IT program.

The IT/IS risk management practices implemented will vary depending upon the nature of the participant organization’s information assets. Among the practices that must be included in each organization’s risk management program are:

  1. Discover endpoints and data (desktops, notebooks, servers, mobile devices, and other computer assets);
  2. Inventory endpoints and data (desktops, notebooks, servers, mobile devices, and other computer assets);
  3. Categorize the information system (impact/criticality/sensitivity);
  4. Select and tailor baseline (minimum) security controls;
  5. Supplement the security controls based on risk assessment;
  6. Document security controls in system security plan;
  7. Implement the security controls in the information system;
  8. Assess the security controls for effectiveness;
  9. Authorize information system operation based on mission risk; and,
  10. Monitor security controls on a continuous basis.

Senior management then determines the appropriate risk response by choosing one of the following activities for each identified risk:

  1. Mitigate the risk by implementing the recommended controls and countermeasures, or safeguards;
  2. Accept the risk;
  3. Avoid the risk; or,
  4. Pass the risk on.

5.5.5.2 Specific Guidelines for IT/IS Risk Management

  • FIPS Publication 199 (Security Categorization)
  • FIPS Publication 200 (Minimum Security Requirements)
  • ISO 27005 Information Security Risk Management (ISRM)
  • NIST Special Publication 800-18 (Security Planning)
  • NIST Special Publication 800-30 (Risk Management)
  • NIST Special Publication 800-37 (Certification & Accreditation)
  • NIST Special Publication 800-53 (Recommended Security Controls)
  • NIST Special Publication 800-53A (Security Control Assessment)
  • NIST Special Publication 800-59 (National Security Systems)
  • NIST Special Publication 800-60 (Security Category Mapping)