OVERVIEW (RA-1)

This policy document provides risk assessment policy statements and a commitment to develop, implement, and maintain a Risk Assessment Policy, and to conduct annual risk and security assessments of the information systems in order to understand and identify all current threats, vulnerabilities, and process gaps that may create critical risks to the availability, confidentiality, and integrity of information systems and data.

SECURITY CATEGORIZATION (RA-2)

Security categories for the system and its data are based on the guidelines set forth in NIST SP 800-60. The FedRAMP System Security Plan (SSP) also documents these security categories.

RISK ASSESSMENT (RA-3)

A risk assessment is to be conducted, and a risk assessment report (RA001) produced, on an annual basis or when there is a significant change to the information system. The report shall include the likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits. Any items that need to be remediated will be managed through the Change Management Process.

Review of the risk assessment report is included in the Management Review (the next review held after the assessment report is generated). The leadership team shall be notified as soon as the report is completed.

VULNERABILITY SCANNING (RA-5)

Vulnerability scans shall be conducted on a monthly basis, when there is a significant change to the information system, or when new vulnerabilities potentially affecting the system or its applications are identified and reported.

Third-party experts shall be used to perform the vulnerability scans using industry-standard tools.

The Vulnerability Scan Report (RA002) shall be reviewed by the IT Management team. Any items that need to be remediated will be managed through the Change Management Process.

The following guidelines shall be used for vulnerability remediation:

  • High-risk vulnerabilities mitigated within thirty (30) days from the date of discovery
  • Moderate-risk vulnerabilities mitigated within ninety (90) days from the date of discovery
  • Low-risk vulnerabilities mitigated within one hundred and eighty (180) days from the date of discovery

AUDIT

  • Quarterly Management Review (MR001) includes assessment of the latest RA001 (if not yet reviewed)
  • Annual Management Review (MR002) includes review of this policy and assessment of RA001
  • Monthly Management Review (MR003) includes assessment of RA002