Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources, and risk measurement criteria.
This level 3 practice extends the related level 2 practice (RM.2.141) by requiring that defined risk categories, identified sources of risk, and specific risk measurement criteria be included in the risk assessment. Risk assessments are performed periodically to identify potential risks to the organization, or after an incident to mitigate recurrence of that risk. A risk assessment identifies risks to an organization's functions and the supporting assets: people, technology, information, and facilities. Threat information, vulnerabilities, likelihoods, and impacts are used to identify risk. Evaluate and prioritize the identified risks based on the defined risk criteria: risk sources, risk categories, and risk measurement criteria. It is important to note that risk assessments differ from vulnerability scanning. A vulnerability scan focuses primarily on technical vulnerabilities in a system, and provides input to a risk assessment. A risk assessment may not be a strictly technical assessment. It includes such qualitative data as results from likelihood analysis and potential threat descriptions. Refer to RM.2.142 for vulnerability scanning. Example The CIO has asked you to perform a risk assessment for the organization’s IT assets. You assemble the leads from each major area across the IT organization. One of the first tasks the team performs is to define risk in terms of severity and impact to the organization. The team identifies organizational functions and the IT assets required to support them. This information is confirmed by executive input. You then lead the team through an exercise that defines the threats (e.g., APT, hacker, criminal) and attacker tools, techniques, and procedures (e.g., ransomware, defaced website) that the organization may face. The team uses publicly available information and previous internal IT assessments to create the organization’s threat list. The threats and an analysis of susceptibility are analyzed to determine the likelihood of occurring. The team ranks the impacts and prepares a report for the CIO. As a result of the report the CIO directs you to improve the security for the public facing web servers hosting a sponsor-used application. Additional tasks to mitigate risks are added to a prioritized action list to be worked by the IT organization.
NIST CSF V1.1 The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
NIST SP 800-53 Rev 4 RA-3
NIST CSF v1.1 ID.RA-5
CERT RMM v1.2 RISK:SG3, RISK:SG4.SP3
RM.3.144.[a] the organization maintains a process for performing risk assessments;
RM.3.144.[b] the organization documents and maintains defined risk categories, risk sources, and risk measurement criteria;
RM.3.144.[c] the organization prioritizes risk; and
RM.3.144.[d] the organization performs risk assessment at a frequency defined by the organization.