IT/IS Risk Management
IT/IS Risk Management is formally defined as the total process of identifying, controlling, and managing the impact of uncertain harmful events, commensurate with the value of the protected assets, in order to avoid risk or reduce it to acceptable levels. This process includes both the identification and assessment of risk, through risk assessment and analysis, and the initiation and monitoring of appropriate practices in response to that analysis through a risk management program.

The USG CISO shall develop and maintain an IT/IS risk management standard, processes, and procedures in support of risk management across the USG and of activities between participant organizations. He/she shall maintain IT/IS risk management implementation standards that the individual USG participant organizations must consider in the development of their individualized IT/IS risk management plans.