Navigate

CCI-001053

CCI-001053 Definition

Defines a frequency for updating the risk assessment.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if the risk assessment is updated [RA-03_ODP[05]; the frequency to update the risk assessment is defined] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.

Validation Procedures

Examine: [SELECT FROM: Risk assessment policy; risk assessment procedures; security and privacy planning policy and procedures; procedures addressing organizational assessments of risk; risk assessment; risk assessment results; risk assessment reviews; risk assessment updates; system security plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with risk assessment responsibilities; organizational personnel with security and privacy responsibilities]. Test: [SELECT FROM: Organizational processes for risk assessment; mechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the risk assessment].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-001053.

Control	Description
RA-3	a: Conduct a risk assessment, including: 1: Identifying threats to and vulnerabilities in the system; 2: Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and 3: Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information; b: Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; c: Document risk assessment results in [one of "security and privacy plans"/"risk assessment report"/"{{ insert: param, ra-03_odp.02 }} "]; d: Review risk assessment results [the frequency to review risk assessment results is defined;]; e: Disseminate risk assessment results to [personnel or roles to whom risk assessment results are to be disseminated is/are defined;] ; and f: Update the risk assessment [the frequency to update the risk assessment is defined;] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.

Control

Description

RA-3

a: Conduct a risk assessment, including:
- 1: Identifying threats to and vulnerabilities in the system;
- 2: Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and
- 3: Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;

b: Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;

c: Document risk assessment results in [one of "security and privacy plans"/"risk assessment report"/"{{ insert: param, ra-03_odp.02 }} "];

d: Review risk assessment results [the frequency to review risk assessment results is defined;];

e: Disseminate risk assessment results to [personnel or roles to whom risk assessment results are to be disseminated is/are defined;] ; and

f: Update the risk assessment [the frequency to update the risk assessment is defined;] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.