RISK MANAGEMENT - 5305.6
Policy: Each state entity shall create a state entity-wide information security, privacy and risk management strategy which includes a clear expression of risk tolerance for the organization, acceptable risk assessment methodologies, risk mitigation strategies, and a process for consistently evaluating risk across the organization with respect to the state entity’s risk tolerance, and approaches for monitoring risk over time.
- Risk assessments conducted at the three various levels of the risk management hierarchy, including:
  - Organizational level;
  - Mission/Business process level; and
  - Information asset level.
- A risk assessment process to identify and assess risks associated with its information assets and define a cost-effective approach to managing such risks; including, but not limited to:
  - Risk associated with introducing new information processes, systems and technology into the state entity environment;
  - Accidental and deliberate acts on the part of state entity personnel and outsiders;
  - Fire, flooding, and electric disturbances; and,
  - Loss or disruption of data communications capabilities.
No Revisions for this item.