Maintaining the Risk Assessment
The third step in the risk assessment process is to maintain the assessment. The objective of this step is to keep current over time, the specific knowledge of the risk organizations incur. The
results of risk assessments inform risk decisions and risk responses by organizations. To support ongoing risk management decisions (e.g., authorization decisions for information systems and common controls), organizations maintain risk assessments to incorporate any changes detected through risk monitoring. Risk monitoring provides organizations with the means to, on an ongoing basis:
(i) verify compliance;
(ii) determine the effectiveness of risk response measures; and
(iii) identify risk-impacting changes to organizational information systems and the environments in which those systems operate.
Maintaining risk assessments includes the following specific tasks:
- Monitoring risk factors identified in risk assessments on an ongoing basis and understanding subsequent changes to those factors; and
- Updating key components of risk assessments reflecting the monitoring activities carried out by organizations.
Step 3: Maintain the Risk Assessment
Task 3-1: Conduct ongoing monitoring of the factors that contribute to changes in risk to organizational operations and assets, individuals, other organizations, or the Nation.
Supplemental Guidance: Organizations monitor risk factors of importance on an ongoing basis to ensure that the information needed to make credible, risk-based decisions continues to be available over time. Monitoring risk factors (e.g., threat sources and threat events, vulnerabilities and predisposing conditions, capabilities and intent of adversaries, targeting of organizational operations, assets, or individuals) can provide critical information on changing conditions that could potentially affect the ability of organizations to conduct core missions and business functions. Information derived from the ongoing monitoring of risk factors can be used to refresh risk assessments at whatever frequency deemed appropriate. Organizations can also attempt to capture changes in the effectiveness of risk response measures in order to maintain the currency of risk assessments. The objective is to maintain an ongoing situational awareness of the security state of the organizational governance structures and activities, mission/business processes, information systems, and environments of operation. The term security state is used broadly to encompass all factors that may affect the risk being incurred by organizations. Therefore, in applying the risk assessment context (i.e., scope, purpose, assumptions, constraints, risk tolerances, priorities, and trade-offs), organizations consider the part risk factors play in the risk response plan executed. For example, it is expected to be quite common for the security state of information systems (that is, factors measured within those systems) to reflect only a part of the organizational risk response, with response actions at the organization level or mission/business process level providing a significant portion of that response. In such situations, monitoring only the security state of information systems would likely not provide sufficient information to correlate with the overall risk being incurred by organizations. Highly capable, well-resourced, and purpose-driven threat sources can be expected to defeat commonly available protection mechanism (e.g., by bypassing or tampering with such mechanisms). Thus, process-level risk response measures such as reengineering mission/business processes, wise use of information technology, or the use of alternate execution processes, in the event of compromised information systems, can be major elements of organizational risk response plans.
Task 3-2: Update existing risk assessment using the results from ongoing monitoring of risk factors.
Supplemental Guidance: Organizations determine the frequency and the circumstances under which risk assessments are updated. Such determinations can include, for example, the current level of risk to and/or the importance of, core organizational missions/business functions. If significant changes (as defined by organizational policies, direction, or guidance) have occurred since the risk assessment was performed, organizations can revisit the purpose, scope, assumptions, and constraints of the assessment to determine whether all tasks in the risk assessment process need to be performed. Otherwise, the updates constitute differential or incremental risk assessments, identifying and assessing only how selected risk factors have changed, for example:
(i) the identification of new threat events, vulnerabilities, predisposing conditions, undesirable and/or affected assets; and
(ii) the assessments of threat source characteristics (e.g., capability, intent, targeting, and range of effects), likelihoods, and impacts.
Organizations communicate the results of updated risk assessments to entities across all risk management tiers to ensure that responsible organizational officials have access to critical information needed to make ongoing risk-based decisions.
Summary of Key Activities – Maintaining Risk Assessments
- Identify key risk factors that have been identified for ongoing monitoring.
- Determine frequency of risk factor monitoring activities and the circumstances under which the risk assessment needs to be updated.
- Reconfirm the purpose, scope, and assumptions of the risk assessment.
- Conduct the appropriate risk assessment tasks, as needed.
- Communicate the updated risk assessment results to appropriate organizational stakeholders.