Policy Statement: This policy establishes controls related to Risk Assessment. The
controls outlined below detail
the measures that must be implemented to protect Commonwealth information
technology systems from the likelihood of avoidable threat or risk events and
the consequences thereof. The
policy provides guidance in decision-making and practices that optimize
resources, mitigate risk, and maximize return on investment.
Definitions:
Availability: Ensuring timely and reliable
access to and use of information.
Confidentiality: Preserving authorized
restrictions on information access and disclosure, including means for
protecting personal privacy and proprietary information.
Consequence: The outcome of an event or
situation, expressed qualitatively or quantitatively, being a loss, injury,
disadvantage or gain. There may be a range of possible outcomes associated with
an event.
Integrity: Guarding
against improper information modification or destruction.
Likelihood: The
probability or frequency of something happening.
Risk: The
chance of something happening, which will have an impact upon objectives. It is
measured in terms of consequence and likelihood.
Risk
Assessment: The overall process of risk analysis and risk
evaluation.
Risk
Management: The process of conducting planning, identification,
analysis, response planning and the controlling of risk.
Risk
Treatment: The selection and implementation of appropriate
options for dealing with risk. Conceptually, treatment options will involve one
or a combination of the following five strategies:
Avoid the risk – eliminate the opportunity for the risk to occur by changing whatever causes the potential for the risk
Reduce the likelihood of occurrence – change processes or products to limit the chance the risk may occur
Reduce the consequences of occurrence – change processes or products to limit the impact the risk may have
Transfer the risk – shift the impact to a third party (insurance, warranties, guarantees, etc.)
Retain/accept the risk – acknowledge the risk and opt not to take any action unless the risk occurs.
Risk Management
Process: The systematic application of management policies,
procedures and practices to the tasks of establishing the context, identifying,
analyzing, evaluating, treating, as well as monitoring and communicating risk.
Significant
Change: Any change to the information system that greatly
alters the way that the system obtains, stores, disseminates, or processes data
or is a change to the foundation infrastructure that the system operates within
such as hardware or operating systems.
System
Security Plan
(SSP): A list of security and
operational controls maintained for a specific system that identified how the
system and data will be protected within a framework dictated by state,
federal, or business compliance needs.
Threat: Any
circumstance or event with the potential to adversely impact organizational
operations and assets, individuals, other organizations or the Commonwealth
through an information system via unauthorized access, destruction, disclosure
or modification of information and/or denial of service.
Policy:
Agencies shall categorize
the information systems within their control in accordance with applicable
federal laws, Executive Orders, directives, policies, regulations, standards, and
guidance. Agencies shall
assign a Security Categorization (SC) and document the
security categorization results, including supporting rationale, in the SSP for the
information system.
Agencies shall ensure that the authorizing official or designated representative reviews
and approves the security categorization decision. A system’s
SC is represented as a composite of the potential impact (low, moderate, high, or not
applicable) associated with each of the three security objectives for
information and information systems such as:
SC
(System name) = {(confidentiality, impact), (integrity, impact), (availability,
impact)}
More detail on information system security
categorization can be found in Federal Information Processing Standard (FIPS)
199.
Each
agency shall conduct
a risk assessment, including
the likelihood and magnitude of harm from the unauthorized access, use,
disclosure, disruption, modification, or destruction of the information system
and the information it processes, stores, or transmits. Agencies shall document
the risk assessment results, review risk assessment results at least annually,
disseminate the risk assessment results to the appropriate personnel, and update
the risk assessment at least every three years or whenever there are significant
changes to the information system or environment of operation. This includes the
identification of new threats and vulnerabilities or other conditions that may affect the
security state of the system.
Details
on conducting a risk assessment are in SP 800-30 Rev. 1, Guide
for Conducting Risk Assessments.
Agencies shall request a vulnerability scan against their information
systems and hosted applications on a schedule based on federal, state, or business compliance
needs for all systems, or when new vulnerabilities
potentially affecting the system or applications are identified and reported. Agencies shall submit the request
to the Commonwealth Service Desk via e-mail at CommonwealthServiceDesk@ky.gov.
Agencies shall analyze the vulnerability
scan reports and results from the security control assessments and remediate
legitimate vulnerabilities in accordance with an organizational assessment of
risk. Agencies shall share
information obtained from the vulnerability scanning process and security
control assessments with the appropriate agency staff to help eliminate similar
vulnerabilities in other information systems.
Authority: KRS 42.726 authorizes the Commonwealth Office of Technology
(COT) to develop policies and compliance processes to support and promote the
effective applications of information technology within the executive branch of
state government.
Applicability:
All executive branch agencies and non-executive branch agencies using
COT-managed infrastructure or services must adhere to this policy. This includes employees, contractors,
consultants, temporaries, volunteers, and other workers within state government.
Responsibility for Compliance:
Each agency must ensure that staff within their organizational authority
are made aware of and comply with this policy. The agency is responsible for
enforcing it. Unauthorized and/or
neglectful actions regarding this policy may result in disciplinary action up
to and including dismissal. COT may
require additional service charges for remediation efforts due to
non-compliance with this policy.
Maintenance:
COT’s Office of the CISO has responsibility for maintaining this
policy. Organizations may modify this
policy to fulfill their responsibilities, but must obtain approval through an
exception request. Staff should refer to
their internal policy, which may have additional information or clarification.
Review Cycle: COT’s
Office of the CISO will review this policy at
least every two years.