Risk Assessment -Holistic Review (site/environment/information systems)

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-32541	PH-02.02.01	SV-42878r2_rule	DCSD-1	Medium

Description
Failure to conduct a risk analysis could result in not implementing an effective countermeasure to a vulnerability or wasting resources on ineffective measures leading to a possible loss of classified, equipment, facilities, or personnel.

STIG	Date
Traditional Security	2013-07-11

Details

Check Text ( C-40983r2_chk )
Checks: 1. Check that there is a Risk Assessment for the Information Technology (IT) facility/ Information System (IS) equipment and validate it is current. 2. Check to ensure it is revalidated/updated at least annually. 3. Check to ensure that the current site commander/director signed the risk assessment in conjunction with or in coordination with the DAAs for resident system(s), signifying acceptance of any residual risk. NOTE 1: While a DAA signed ATO does in fact signify acceptance of risk for specific systems, this alone does not meet the requirement for a formal risk assessment. NOTE 2: Conducting a risk analysis is not just a simple paper work drill - or at least it should not be. Often organizations take a risk analysis template and simply insert their organizations information, local environmental information, etc. - but do not do a good job of actually assessing threats, countermeasures in place (or that can be applied) to come up with an acceptable level of residual risk. A good risk assessment is a team effort (security, IA, COOP, engineers, safety, management...) and should be headed by someone with at least some training in conducting risk assessments. NOTE 3: Training is offered by the Defense Security Service (DSS) Academy in Linthicum, Md among others. NOTE 4: Time permitting the reviewer should make recommendations for improving the risk analysis process at a site since this is a critical element in any effective security management program. TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where procedural documents (SOPs) should be in place. Not applicable to a field/mobile environment.

Check Text ( C-40983r2_chk )

Checks:

1. Check that there is a Risk Assessment for the Information Technology (IT) facility/ Information System (IS) equipment and validate it is current.

2. Check to ensure it is revalidated/updated at least annually.

3. Check to ensure that the current site commander/director signed the risk assessment in conjunction with or in coordination with the DAAs for resident system(s), signifying acceptance of any residual risk.

NOTE 1: While a DAA signed ATO does in fact signify acceptance of risk for specific systems, this alone does not meet the requirement for a formal risk assessment.

NOTE 2: Conducting a risk analysis is not just a simple paper work drill - or at least it should not be. Often organizations take a risk analysis template and simply insert their organizations information, local environmental information, etc. - but do not do a good job of actually assessing threats, countermeasures in place (or that can be applied) to come up with an acceptable level of residual risk. A good risk assessment is a team effort (security, IA, COOP, engineers, safety, management...) and should be headed by someone with at least some training in conducting risk assessments.

NOTE 3: Training is offered by the Defense Security Service (DSS) Academy in Linthicum, Md among others.

NOTE 4: Time permitting the reviewer should make recommendations for improving the risk analysis process at a site since this is a critical element in any effective security management program.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where procedural documents (SOPs) should be in place. Not applicable to a field/mobile environment.

Fix Text (F-36459r1_fix)
Fixes: 1. Ensure there is a Risk Assessment for the Information Technology (IT) facility/ Information System (IS) equipment and validate it is current. 2. Ensure it is revalidated/updated at least annually. 3. Ensure that the current site commander/director signed the risk assessment in conjunction with or in coordination with the DAAs for resident system(s), signifying acceptance of any residual risk. NOTE 1: While a DAA signed ATO does in fact signify acceptance of risk for specific systems, this alone does not meet the requirement for a formal risk assessment. NOTE 2: Conducting a risk analysis is not just a simple paper work drill - or at least it should not be. Often organizations take a risk analysis template and simply insert their organizations information, local environmental information, etc. - but do not do a good job of actually assessing threats, countermeasures in place (or that can be applied) to come up with an acceptable level of residual risk. A good risk assessment is a team effort (security, IA, COOP, engineers, safety, management...) and should be headed by someone with at least some training in conducting risk assessments. NOTE 3: Training is offered by the Defense Security Service (DSS) Academy in Linthicum, Md among others.

Fix Text (F-36459r1_fix)

Fixes:

1. Ensure there is a Risk Assessment for the Information Technology (IT) facility/ Information System (IS) equipment and validate it is current.

2. Ensure it is revalidated/updated at least annually.

3. Ensure that the current site commander/director signed the risk assessment in conjunction with or in coordination with the DAAs for resident system(s), signifying acceptance of any residual risk.

NOTE 1: While a DAA signed ATO does in fact signify acceptance of risk for specific systems, this alone does not meet the requirement for a formal risk assessment.

NOTE 2: Conducting a risk analysis is not just a simple paper work drill - or at least it should not be. Often organizations take a risk analysis template and simply insert their organizations information, local environmental information, etc. - but do not do a good job of actually assessing threats, countermeasures in place (or that can be applied) to come up with an acceptable level of residual risk. A good risk assessment is a team effort (security, IA, COOP, engineers, safety, management...) and should be headed by someone with at least some training in conducting risk assessments.

NOTE 3: Training is offered by the Defense Security Service (DSS) Academy in Linthicum, Md among others.