Navigate

CCI-001048

CCI-001048 Definition

Conduct a risk assessment, including determining the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information.

Validation Procedures

Examine: [SELECT FROM: Risk assessment policy; risk assessment procedures; security and privacy planning policy and procedures; procedures addressing organizational assessments of risk; risk assessment; risk assessment results; risk assessment reviews; risk assessment updates; system security plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with risk assessment responsibilities; organizational personnel with security and privacy responsibilities]. Test: [SELECT FROM: Organizational processes for risk assessment; mechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the risk assessment].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-001048.

Control	Description
RA-3	a: Conduct a risk assessment, including: 1: Identifying threats to and vulnerabilities in the system; 2: Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and 3: Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information; b: Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; c: Document risk assessment results in [one of "security and privacy plans"/"risk assessment report"/"{{ insert: param, ra-03_odp.02 }} "]; d: Review risk assessment results [the frequency to review risk assessment results is defined;]; e: Disseminate risk assessment results to [personnel or roles to whom risk assessment results are to be disseminated is/are defined;] ; and f: Update the risk assessment [the frequency to update the risk assessment is defined;] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.

Control

Description

RA-3

a: Conduct a risk assessment, including:
- 1: Identifying threats to and vulnerabilities in the system;
- 2: Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and
- 3: Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;

b: Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;

c: Document risk assessment results in [one of "security and privacy plans"/"risk assessment report"/"{{ insert: param, ra-03_odp.02 }} "];

d: Review risk assessment results [the frequency to review risk assessment results is defined;];

e: Disseminate risk assessment results to [personnel or roles to whom risk assessment results are to be disseminated is/are defined;] ; and

f: Update the risk assessment [the frequency to update the risk assessment is defined;] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.