
RA-3 Risk Assessment

PBMM (P1)
Secret (P1)
Management

>Control Description

(A) The organization conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits.
(B) The organization documents risk assessment results in the security plan; risk assessment report; [Assignment: organization-defined document].
(C) The organization reviews risk assessment results at an organization-defined frequency.
(D) The organization disseminates risk assessment results to organization-defined personnel or roles.
(E) The organization updates the risk assessment at an organization-defined frequency or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

>Supplemental Guidance

Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and Canada based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle.

Risk assessments can also be conducted at various steps in the Risk Management Framework of ITSG-33, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation.

Related controls: RA-2.

>Profile-Specific Parameters

(C) frequency [at a frequency no longer than every 3 years]
