Policy 7230A - Department of Administration
2. Assessment & Planning
These Assessment and Planning Non-Mandatory Baselines support the Enterprise Security Policy (ITEC 7230 Rev 1).
Outline of this section. The counts in each row are the numbers of Mandatory and Non-Mandatory Procedure and Baseline sets (columns: Mandatory Procedures, Mandatory Baselines, Non-Mandatory Procedures, Non-Mandatory Baselines):

2. Assessment & Security Planning
2.1. Risk and Privacy Assessment
2.1.1. Perform Risk Assessment          (7 sets)   (3 sets)
2.1.2. Perform Privacy Assessment       (7 sets)   (3 sets)
2.2. Security Planning
2.2.1. Create a Security Plan           (5 sets)   (3 sets)
2.3. Maintain Records
2.1. Risk and Privacy Assessment
The following are the Non-Mandatory Baselines that support the Risk and Privacy Assessment section of the Default Security Requirements:
2.1.1. Perform Risk Assessment
Agencies should determine the amount and nature of risk to which a system is exposed, in order to establish the amount of risk to be mitigated and to better define the security controls required to mitigate that risk:
2.1.1.a Threat Likelihood Classification Scheme
• High likelihood indicates the threat-source is motivated and capable, and controls are insufficient or ineffective.
• Medium likelihood indicates the threat-source is motivated and capable, but controls may be sufficient and effective.
• Low likelihood indicates the threat-source is motivated and capable but controls are sufficient and effective, OR the threat-source is unmotivated or incapable.
2.1.1.b Threat Impact Classification Scheme
• High impact indicates significant loss of assets or resources, significant damage to the organizational mission, or serious human injury or death.
• Medium impact indicates moderate loss of assets or resources, moderate damage to the organizational mission, or human injury.
• Low impact indicates minimal loss of assets or resources, or minimal damage to the organizational mission.
2.1.1.c Risk Classification Scheme
• Very High risk constitutes high likelihood and high impact. Risks of this nature have the strongest need for corrective action, and resolution should be treated as an emergency action.