From Traditional Security
Part of Risk Assessment - Holistic Review (site/environment/information systems)
Associated with IA controls: DCSD-1
Failure to conduct a risk analysis could result in not implementing an effective countermeasure to a
Checks:
1. Check that there is a Risk Assessment for the Information Technology (IT) facility / Information System (IS) equipment and validate that it is current.
2. Check to ensure it is revalidated/updated at least annually.
3. Check to ensure that the current site commander/director signed the risk assessment in conjunction with, or in coordination with, the DAAs for the resident system(s), signifying acceptance of any residual risk.
NOTE 1: While a DAA-signed ATO does in fact signify acceptance of risk for specific systems, this alone does not meet the requirement for a formal risk assessment.
NOTE 2: Conducting a risk analysis is not just a simple paperwork drill - or at least it should not be. Often organizations take a risk analysis template and simply insert their organization's information, local environmental information, etc., but do not do a good job of actually assessing threats and the countermeasures in place (or that can be applied) to come up with an acceptable level of residual risk. A good risk assessment is a team effort (security, IA, COOP, engineers, safety, management...) and should be headed by someone with at least some training in conducting risk assessments.
NOTE 3: Training is offered by the Defense Security Service (DSS) Academy in Linthicum, MD, among others.
NOTE 4: Time permitting, the reviewer should make recommendations for improving the risk analysis process at a site, since this is a critical element in any effective security management program.
TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where procedural documents (SOPs) should be in place. Not applicable to a field/mobile environment.
Fixes:
1. Ensure there is a Risk Assessment for the Information Technology (IT) facility / Information System (IS) equipment and validate that it is current.
2. Ensure it is revalidated/updated at least annually.
3. Ensure that the current site commander/director signed the risk assessment in conjunction with, or in coordination with, the DAAs for the resident system(s), signifying acceptance of any residual risk.
NOTE 1: While a DAA-signed ATO does in fact signify acceptance of risk for specific systems, this alone does not meet the requirement for a formal risk assessment.
NOTE 2: Conducting a risk analysis is not just a simple paperwork drill - or at least it should not be. Often organizations take a risk analysis template and simply insert their organization's information, local environmental information, etc., but do not do a good job of actually assessing threats and the countermeasures in place (or that can be applied) to come up with an acceptable level of residual risk. A good risk assessment is a team effort (security, IA, COOP, engineers, safety, management...) and should be headed by someone with at least some training in conducting risk assessments.
NOTE 3: Training is offered by the Defense Security Service (DSS) Academy in Linthicum, MD, among others.