Clearly defined system boundaries are a prerequisite for effective risk assessments. Such risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations, organizational assets, and individuals based on the operation and use of organizational systems. Risk assessments also consider risk from external parties (e.g., service providers, contractors operating systems on behalf of the organization, individuals accessing organizational systems, outsourcing entities). Risk assessments, either formal or informal, can be conducted at the organization level, the mission or business process level, or the system level, and at any phase in the system development life cycle. [SP 800-30] provides guidance on conducting risk assessments.

Priority: High

Category: Internal Audit

Services Associated with AWS:

  • AWS Security Hub

Objective Evidence:

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how a Risk Management Program (RMP) is implemented
  • Administrative: supporting documentation to demonstrate risk assessment practices
  • Administrative: supporting documentation of role-based security training being performed
  • Administrative: supporting documentation of professional competence by individual(s) performing risk management roles

Possible Technology Considerations:

  • Risk Management Program (RMP)
  • Risk Assessment Solution
  • Risk Register / POA&M Solution

What needs to be answered:

Does the company have a risk management policy? Have initial and periodic risk assessments been conducted? Are changes in use or infrastructure documented and assessed? Is the risk assessment treated as a living document and incorporated into the larger risk management process for the system?

  • Periodic Risk Assessment for Organizational Systems
    Description: This check focuses on the periodic assessment of risks associated with the operation of organizational systems and the processing, storage, or transmission of Controlled Unclassified Information (CUI). Risk assessments are essential to identify potential threats, vulnerabilities, and the potential impact on organizational operations, assets, and individuals.

More Details:

Regular risk assessments are performed, and policies and training are updated based on the assessment results.