Level 2

Clearly defined system boundaries are a prerequisite for effective risk assessments. Such risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations, organizational assets, and individuals based on the operation and use of organizational systems. Risk assessments also consider risk from external parties (e.g., service providers, contractors operating systems on behalf of the organization, individuals accessing organizational systems, outsourcing entities). Risk assessments, either formal or informal, can be conducted at the organization level, the mission or business process level, or the system level, and at any phase in the system development life cycle. [SP 800-30] provides guidance on conducting risk assessments.

Priority: High

Category: Internal Audit

Services Associated with AWS:

  • AWS Security Hub

Services Associated with Azure:

  • Azure Sentinel
  • Azure Active Directory (Azure AD)
  • Azure Policy
  • Azure Security Center

Objective Evidence:

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how a Risk Management Program (RMP) is implemented
  • Administrative: supporting documentation to demonstrate risk assessment practices
  • Administrative: supporting documentation of role-based security training being performed
  • Administrative: supporting documentation of professional competence by individual(s) performing risk management roles

Possible Technology Considerations:

  • Risk Management Program (RMP)
  • Risk Assessment Solution
  • Risk Register / POA&M Solution

What needs to be answered:

Does the company have a risk management policy? Have initial and periodic risk assessments been conducted? Are changes in use or infrastructure documented and assessed? Is the risk assessment treated as a living document and incorporated into the larger risk management process for the system?

Checks for AWS

  • Periodic Risk Assessment for Organizational Systems
    Description: This check focuses on the periodic assessment of risks associated with the operation of organizational systems and the processing, storage, or transmission of Controlled Unclassified Information (CUI). Risk assessments are essential to identify potential threats, vulnerabilities, and the potential impact on organizational operations, assets, and individuals.

Checks for Azure

  • Periodic Risk Assessment for Organizational Systems
    Description: This policy check ensures that the company conducts regular and periodic risk assessments for its organizational systems. The risk assessments should consider threats, vulnerabilities, likelihood, and potential impacts to the organization's operations, assets, and individuals. The assessments should be based on the use and operation of the organizational systems. Conducting these assessments helps in identifying and mitigating potential risks associated with the processing, storage, or transmission of sensitive information (such as Controlled Unclassified Information, CUI) within the Azure environment.
  • Documentation of Changes in Use or Infrastructure
    Description: This policy check verifies whether changes in the use or infrastructure of Azure services are properly documented and assessed for potential risks. Changes to the cloud environment, such as new services, configurations, or network settings, can introduce new security challenges. By documenting and assessing these changes, the organization can understand the potential risks and ensure that necessary security measures are in place to address them effectively.
  • Integration of Risk Assessment into the Risk Management Process
    Description: This policy check ensures that risk assessments conducted for Azure services are viewed as living documents and are appropriately incorporated into the larger risk management process of the organization. Risk assessments are dynamic and should be continuously updated to reflect the evolving threat landscape and changes in the organization's infrastructure and operations. Integrating risk assessments into the overall risk management process helps in ensuring that security measures and controls are aligned with the identified risks.
  • Compliance with Role-Based Security Training
    Description: This policy check validates whether the organization has proper documentation to demonstrate that role-based security training is performed for individuals involved in risk management roles within the Azure environment. Adequate security training is crucial to ensure that personnel responsible for risk assessment and management are equipped with the necessary knowledge and skills to identify and address potential security risks effectively.
  • Demonstrated Professional Competence of Risk Management Roles
    Description: This policy check ensures that there is documentation to demonstrate the professional competence of individuals performing risk management roles within the Azure environment. It is essential to have qualified and experienced personnel involved in risk assessment and management to ensure the accuracy and effectiveness of the risk assessment process.

More Details:

Regular risk assessments are performed, and policies and training are updated based on the assessment results.