4-3 Information Resource Risk Management

A risk assessment must be completed for all information resources. The risk assessment must address the following areas:

  1. Identify the assets at risk and their value to the organization.
  2. Identify the threats.
  3. Identify the weaknesses and vulnerabilities.
  4. Evaluate threats and vulnerabilities to determine the risks that threaten loss of value.
  5. Identify possible safeguards (e.g., controls and countermeasures).
  6. Analyze the costs and benefits of the safeguards in reducing the risks.
  7. Complete the information resource risk assessment report.

The risk assessment must be completed in conjunction with system development. Additional risks may be identified in each of the life-cycle phases as development progresses through requirements definition, design, coding, testing, and production. The risks must be re-assessed and the risk assessment report updated as follows:

  1. Every year for a payment card industry information resource.
  2. After a significant audit finding.
  3. Whenever the information resource experiences significant enhancement or modification, including changes to the infrastructure, operating system, or hardware platform.
  4. After an information security incident that violates an explicit or implied security policy and compromises the integrity, availability, or confidentiality of an information resource.
  5. Every 2 years for sensitive-enhanced, sensitive, critical high and moderate, and externally facing information resources as part of the recertification process unless an earlier re-assessment is warranted.
  6. Every 3 years for nonsensitive and noncritical information resources as part of the recertification process unless an earlier re-assessment is warranted.

Risks categorized as high or medium must be mitigated by using a continuous process that reduces risk by implementing cost-effective security measures. The risk mitigation process consists of the following:

  1. Selecting the appropriate safeguards (or countermeasures) that will reduce exposure to the risk.
  2. Assigning a priority ranking to the implementation of the safeguards.
  3. Assigning financial and technical responsibility for implementing the safeguards.
  4. Implementing and documenting the safeguards.
  5. Maintaining the continued effectiveness of the mitigation strategy by reassessing the threats, vulnerabilities, effectiveness of the safeguards, and the residual risk.

If the level of residual risk is not acceptable, then further safeguards and security controls should be implemented to reduce exposure to acceptable levels. The vice president of the functional business area is responsible for accepting (and the vice president, Information Technology Solutions is responsible for acknowledging), in writing, the residual risks inherent with using that information resource or initiating steps to further mitigate the residual risk.

All information resource risk management documentation must be treated as “restricted information” delivered to and retained by the executive sponsor and a copy sent to the Corporate Information Security Office.