Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-32541 | PH-02.02.01 | SV-42878r2_rule | DCSD-1 | Medium |
**Description**

Failure to conduct a risk analysis could result in not implementing an effective countermeasure to a vulnerability, or in wasting resources on ineffective measures, leading to a possible loss of classified, equipment, facilities, or personnel.
STIG | Date |
---|---|
Traditional Security | 2013-07-11 |
**Check Text (C-40983r2_chk)**

Checks:

1. Check that there is a Risk Assessment for the Information Technology (IT) facility/Information System (IS) equipment and validate that it is current.
2. Check to ensure it is revalidated/updated at least annually.
3. Check to ensure that the current site commander/director signed the risk assessment in conjunction with, or in coordination with, the DAAs for the resident system(s), signifying acceptance of any residual risk.

NOTE 1: While a DAA-signed ATO does in fact signify acceptance of risk for specific systems, this alone does not meet the requirement for a formal risk assessment.

NOTE 2: Conducting a risk analysis is not just a simple paperwork drill - or at least it should not be. Often organizations take a risk analysis template and simply insert their organization's information, local environmental information, etc., but do not do a good job of actually assessing the threats and the countermeasures in place (or that can be applied) to arrive at an acceptable level of residual risk. A good risk assessment is a team effort (security, IA, COOP, engineers, safety, management...) and should be headed by someone with at least some training in conducting risk assessments.

NOTE 3: Training is offered by the Defense Security Service (DSS) Academy in Linthicum, MD, among others.

NOTE 4: Time permitting, the reviewer should make recommendations for improving the risk analysis process at a site, since this is a critical element in any effective security management program.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where procedural documents (SOPs) should be in place. Not applicable to a field/mobile environment.
**Fix Text (F-36459r1_fix)**

Fixes:

1. Ensure there is a Risk Assessment for the Information Technology (IT) facility/Information System (IS) equipment and validate that it is current.
2. Ensure it is revalidated/updated at least annually.
3. Ensure that the current site commander/director signed the risk assessment in conjunction with, or in coordination with, the DAAs for the resident system(s), signifying acceptance of any residual risk.

NOTE 1: While a DAA-signed ATO does in fact signify acceptance of risk for specific systems, this alone does not meet the requirement for a formal risk assessment.

NOTE 2: Conducting a risk analysis is not just a simple paperwork drill - or at least it should not be. Often organizations take a risk analysis template and simply insert their organization's information, local environmental information, etc., but do not do a good job of actually assessing the threats and the countermeasures in place (or that can be applied) to arrive at an acceptable level of residual risk. A good risk assessment is a team effort (security, IA, COOP, engineers, safety, management...) and should be headed by someone with at least some training in conducting risk assessments.

NOTE 3: Training is offered by the Defense Security Service (DSS) Academy in Linthicum, MD, among others.