Information technology risk management- implement the


PURPOSE

This document contains instructions to implement the methodology described in Section 6 (Risk Assessment) of the Information Technology (IT) Risk Management Guideline. This document is Appendix D of that Guideline, and is published under separate cover because of its size. This template does not stand alone and should be read only in conjunction with the Guideline.

The purpose of this document is to assist each Commonwealth of Virginia (COV) Agency in assessing the risks to its sensitive IT systems and data, and protecting the resources that support the Agency's mission. These instructions are based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, "Risk Management Guide for Information Technology Systems" and contain a recommended format for COV risk assessments.

The example risk assessment in this document:

1. Does not document compliance with all requirements of the COV ITRM IT Security Policy, IT Security Standard and IT Security Audit Standard. These omissions are designed to illustrate control weaknesses, and must not be construed to relieve any COV Agency of its responsibility to comply with all applicable requirements of IT Security Policy, IT Security Standard and IT Security Audit Standard.

2. Contains the names of fictional individuals, corporations, and products. No similarity to any actual persons, living or dead, nor to any actual corporation or product, past, present, or future, is intended. In addition, no such similarity to any actual corporation or product, past, present, or future may be construed to represent an endorsement of any such corporation or product.

FORMAT

This document uses different fonts for instructions and examples, as follows:
- Times New Roman text, including all of the text in this section, is provided as instructions for completing a risk assessment.
- Arial Bold text inside a shaded text border is example text. In the examples, the template uses a fictional system called the Budget Formulation System (BFS), owned and operated by the Financial Operations Division (FOD) of a fictional agency called the Budget Formulation Agency (BFA).
- Times New Roman italic text is provided as background information. It is provided for better understanding of how to complete each section of the Risk Assessment Report, or so that the author knows to extend or replicate a section, such as by adding Agency-specific threats or vulnerabilities to the risk matrix.

This document consists of two primary sections:
- An example risk assessment, with instructions and explanatory material for BFS. This section is intended to provide guidance to COV agencies on how to complete risk assessments of their sensitive IT systems.
- A blank Risk Assessment Report containing the section headings and tables from the recommended format Risk Assessment Report, but no content. This section is intended for use by COV agencies in completing Risk Assessment Reports for their sensitive systems.
