Information Technology Handbook

5.5 Risk Management

Version date: February 22, 2013

Risk Management is formally defined as the total process of identifying, controlling, and managing the impact of uncertain harmful events, commensurate with the value of the protected assets, to avoid risk or reduce it to acceptable levels. This process includes both the identification and assessment of risk through risk assessment and analysis, and the initiation and monitoring of appropriate practices in response to that analysis through a risk management program.

The USG CISO shall develop and maintain a risk management organization and architecture for support of risk management across the USG and support of activities between participant organizations. He/she shall maintain risk management implementation standards that the individual USG participant organizations must consider in the development of their individualized risk management plans.

5.5.1 Institution, USO, and GPLS Responsibilities

All USG institutions, the USO, and the GPLS must ensure the integrity of computerized information resources by protecting them from unauthorized access, modification, destruction, or disclosure and by ensuring the physical security of these resources. USG institutions, the USO, and the GPLS shall also ensure that users, contractors, and third parties having access to state or USG computerized information resources are informed of and abide by this standard and the institution, USO, and/or GPLS security plan, and are informed of applicable local, state, and federal policies, laws, regulations, and/or codes related to computerized information resources.

USG institutions, the USO, and the GPLS employing information technology must establish a risk management process to identify, assess, and respond to the risks associated with their information assets. The unauthorized modification, deletion, or disclosure of information included in institution, USO, and GPLS files and databases can compromise the integrity of state and USG programs, violate individuals' right to privacy, and constitute a criminal act.

5.5.2 Risk Assessment and Analysis

An impact analysis first identifies the IT-related assets (e.g., information, people, software, hardware, facilities) and determines which of them are most critical to protect. Once the level of sensitivity of the information resources has been established in this way, the threats to which they are subject must be identified and evaluated. This process is referred to as a risk assessment: the probability of each threat event occurring and the resultant impact of that event on the information resources should be assessed during this process.

For a given IT asset, an estimate should be made of the largest potential business impact, based on failures of confidentiality, integrity, and availability. The relative business impact of these three types of failure events should then be estimated as high, medium, or low. For example, if a system is estimated as having a low requirement for confidentiality, a medium requirement for data integrity, and a high requirement for service availability, then that IT asset is treated as having a high requirement for attention.

The organization needs to decide if, and when, a residual level of risk is acceptable. Senior management then determines the appropriate risk response by choosing one of the following activities for each of the identified risks:

  1. Mitigate the risk by implementing controls and countermeasures, or safeguards;
  2. Accept the risk;
  3. Avoid the risk; or,
  4. Pass the risk on.
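As an added illustration (not part of the handbook), the following Python sketch implements the impact rating and threat ranking described above. The low/medium/high scale and the "highest rating governs" rule come from the text; the likelihood-by-impact matrix, the sample asset and the sample threats are constructed assumptions.

```python
from dataclasses import dataclass

# Qualitative scale used by the handbook's impact analysis.
LEVELS = {"low": 1, "medium": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}


@dataclass
class Asset:
    """An IT asset with its C/I/A requirements rated low/medium/high."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def impact_rating(asset: Asset) -> str:
    """Largest potential business impact: the highest C/I/A rating governs."""
    worst = max(LEVELS[r] for r in
                (asset.confidentiality, asset.integrity, asset.availability))
    return NAMES[worst]


def risk_level(likelihood: str, impact: str) -> str:
    """Combine threat likelihood with asset impact into a risk level.

    Assumed 3x3 product matrix (not from the handbook): 1-2 low, 3-4 medium, 6-9 high.
    """
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "high"
    return "medium" if score >= 3 else "low"


def assess(asset: Asset, threats: dict) -> list:
    """Rank threats (name -> likelihood) for one asset, highest risk first.

    Each (threat, likelihood, impact, risk) row still needs senior
    management's response: mitigate, accept, avoid or pass on.
    """
    impact = impact_rating(asset)
    rows = [(t, lik, impact, risk_level(lik, impact)) for t, lik in threats.items()]
    return sorted(rows, key=lambda r: (-LEVELS[r[3]], -LEVELS[r[1]], r[0]))


if __name__ == "__main__":
    # Constructed sample: the handbook's low/medium/high example asset.
    portal = Asset("student portal", "low", "medium", "high")
    threats = {"datacenter power loss": "medium", "web defacement": "low",
               "unpatched server exploited": "high"}
    for row in assess(portal, threats):
        print("%-28s likelihood=%-6s impact=%-6s risk=%s" % row)
```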

5.5.3 Institution, USO, and GPLS Risk Management Programs

The practice of information security risk management within the USG institution, the USO, and the GPLS must be based upon the results of the organization's risk analysis process. Based on the impact analysis and the risk assessment, the organization should determine what types of safeguards are appropriate to address its defined risks. In this manner, the safeguards deployed reflect the true importance of the investment in the information resources used to accomplish the organization's mission.

A risk management plan must then be developed documenting the actions, safeguards, or countermeasures that can be taken to reduce the identified risks based on available resources. While it is not required that this plan be on file with USG Information Security & ePrivacy, it must be made available upon request.

A focus on the USG and organization missions is vital. The IT organization cannot – and is not expected to – mitigate every risk, but must prioritize based on the threat to the mission and available resources.

Obtaining resources for risk management is subject to the same technical, programmatic, and budgetary justification and review processes required for any information technology program. The risk management practices implemented by the USG organization will vary depending upon the nature of the organization’s information assets.

5.5.4 USG Risk Management Policy

Risk management is the process of taking actions to avoid or reduce risk to acceptable levels.

5.5.4.1 Purpose

Risk management is an aggregation of three processes: risk assessment, risk mitigation, and controls evaluation and measurement. Together they help an entity ensure that information security management processes are integrated with that entity's strategic and operational planning processes. Managing risk safeguards the mission and goals and provides an on-going evaluation and assessment of IT- and IS-related mission risks.

USG institutions, the USO, and the GPLS must ensure the confidentiality, integrity and availability of information and information systems resources and assets by protecting them from unauthorized access, modification, destruction, or disclosure and ensure the physical security of IT resources and assets.

5.5.4.2 Policy Statement

Risk management is the process of taking actions to avoid or reduce risk to acceptable levels. This process includes both the identification and assessment of risk through risk analysis and the initiation and monitoring of appropriate practices in response to that analysis through the institution’s risk management program.

USG institutions, the USO, and the GPLS need to ensure the integrity of computerized information resources by protecting them from unauthorized access, modification, destruction, or disclosure and by ensuring the physical security of these resources. USG institutions, the USO, and the GPLS shall also ensure that users, contractors, and third parties having access to institution computerized information resources are informed of and abide by this policy and the institution security plan, and are informed of applicable federal laws and state statutes related to computerized information resources.

Each USG participant organization that employs information technology must establish risk management and disaster recovery planning processes for identifying, assessing, and responding to the risks associated with its information assets. The USG's information assets (its data processing capabilities, information technology infrastructure, and data) are an essential resource. For many organizations, program operations would effectively cease in the absence of key computer systems. In some cases, public health and safety would be immediately jeopardized by the failure or disruption of a system. Furthermore, the unauthorized modification, deletion, or disclosure of information included in institution files and databases can compromise the integrity of USG programs, violate individuals' right to privacy, and constitute a criminal act.

5.5.4.3 Scope, Enforcement, Authority, Exceptions

5.5.4.4 References

  • USG Risk Management Standard
  • ISO/IEC 27002:2005 (formerly ISO/IEC 17799:2005)
  • Federal Information Processing Standards (FIPS)
  • Risk Management Guide for Information Technology Systems (NIST, SP 800-30)

5.5.5 USG Risk Management Standard

Federal information technology regulations require USG information resources to undergo an Information Security Risk Management process to identify the risks associated with their operation and to take steps to reduce that risk to, and maintain it at, an acceptable level. Risk Management is integral to the development and operation of information resources.

5.5.5.1 Standard

The practice of information technology and information security risk management within a USG participant organization must be based upon the results of its risk analysis process. Obtaining resources for risk management is subject to the same technical, programmatic, and budgetary justification and review processes required for any IT program.

The risk management practices implemented will vary depending upon the nature of the participant organization’s information assets. Among the practices that must be included in each organization’s risk management program are:

  1. Categorize the information system (criticality/sensitivity)
  2. Select and tailor baseline (minimum) security controls
  3. Supplement the security controls based on risk assessment
  4. Document security controls in system security plan
  5. Implement the security controls in the information system
  6. Assess the security controls for effectiveness
  7. Authorize information system operation based on mission risk
  8. Monitor security controls on a continuous basis

It is then senior management’s choice of one of the following activities pertaining to each of the identified risks:

  1. Mitigate the risk by implementing the recommended countermeasure
  2. Accept the risk
  3. Avoid the risk
  4. Pass the risk on

5.5.5.2 Specific Guidelines for Risk Management

  • FIPS Publication 199 (Security Categorization)
  • FIPS Publication 200 (Minimum Security Requirements)
  • NIST Special Publication 800-18 (Security Planning)
  • NIST Special Publication 800-30 (Risk Management)
  • NIST Special Publication 800-37 (Certification & Accreditation)
  • NIST Special Publication 800-53 (Recommended Security Controls)
  • NIST Special Publication 800-53A (Security Control Assessment)
  • NIST Special Publication 800-59 (National Security Systems)
  • NIST Special Publication 800-60 (Security Category Mapping)
  • ISO 27005 Information Security Risk Management (ISRM)
