Article 46 – Information Systems Risk Management
49030.4 ITS – Risk Management Definitions

Audit Requirements

A section of the EDP (Electronic Data Processing; see IT) audit reviews ITS documentation; each system not exempt from the audit requirements shall have an approved risk analysis report.

Critical Functions, Systems, and Resources

Elements vital to the organization’s operation, and possibly to the continued, viable existence of the organization.

Current Risk

Current risks are evident and continuing, and are inherent to a business operation, location, or process.

Data Integrity

The state that exists when computerized data match the data in the source documents and have not been subjected to accidental or malicious alteration or destruction.

Data Protection

Measures to safeguard data from occurrences that could lead to the modification, destruction, or disclosure of data.

Data Security

Protecting data from modification, destruction, or disclosure.

Potential Risk

Potential risk lies outside normal and purposeful business operations, and results from some intentional or unintentional, indeterminate action.

Risk

Risk is a measure of the relative value attached to certain circumstances and conditions inherent in any business operation, or in a change to that operation. Risks are either current or potential.

Risk Analysis Content:

Technical Analysis

For each risk scenario, specify the threat and the potential safeguards/controls identified. Each control should be discussed along with its intended purpose and the types of threats it is effective against. If no safeguards are found, a statement to that effect shall be provided.

Operational Analysis

Each control identified above shall be analyzed and its impact on current operations discussed. All operational constraints that would make the safeguard difficult or impractical to implement or operate shall be discussed. Risks that shall be accepted because their safeguards are operationally unacceptable shall be identified here.

Economic Analysis

For all controls that are technically and operationally feasible, discuss the cost-benefit trade-off.

Risk Acceptance Summary

Lists all risks, acceptable and unacceptable. For each acceptable risk, indicate the basis for acceptance.

Controls Summary

Presents the controls to be used for eliminating or reducing the risks identified in the risk acceptance summary. Each control shall be described in terms of its loss reduction or effect, as well as the primary and secondary threat categories against which the control is effective.

Countermeasures

Any type of measure (physical, procedural, hardware, software, or personnel) used to counteract a threat to the system.

Risk Analysis Management Report:

Summary

A concise overview of the analysis. It shall begin with a statement describing the scope and objectives of the study, followed by the recommendations for risk acceptance and the alternatives for reducing or eliminating the unacceptable risks.

Risk Scenario Summary

A summary of the essential data from the risk analysis.

Risk Management Process

Risk management is the work a manager does to identify a risk, assess its level, and create a plan for the acceptance, rejection, or control of that risk. This work is carried out by applying a well-defined analytic process called “risk analysis,” and culminates in a risk analysis report and a risk reduction decision study.

Risk Analysis

Involves identifying the assets and resources that are at risk, the threats to those assets and resources, and the vulnerabilities in the risk environment that might allow the threats to materialize. Risk analysis also involves estimating how frequently the threats might occur, identifying the safeguards currently in place, and estimating the cost or impact that would be incurred if the threats to the risk environment were to materialize (this step corresponds to the problem definition and “current problem” analysis steps of a generic systems approach).

Risk Reduction Analysis

Involves identifying the available potential safeguards, determining the operational and economic feasibility of those safeguards, and developing a risk reduction decision study for presentation to management (this step corresponds to the identification of alternatives, cost-benefit analysis, selection of the best alternative, and conceptual system design phases of the generic systems approach).

Management Decision

Management decides which risks are acceptable. For those that are not currently acceptable, management decides which of the alternatives shall be implemented and approves the resources required to purchase, or design and develop, and then implement them (this step corresponds to the management decision phase of the generic systems approach).

Development of Risk Reduction Plans

Outlines the tasks to be performed to implement the safeguards selected by management. Tasks include identification of the specific safeguards, assignment of responsibility for their design, development, or purchase, and implementation of the safeguards. Plans shall also include a timetable of the milestones leading to implementation (this step corresponds to the detailed design and development/testing phases of the generic systems approach).

Implementation and Maintenance of Safeguards

Involves the installation, operation, and maintenance of new or modified safeguards. Implementation shall include training personnel and coordinating any changes in operations with the affected personnel.

Vulnerability

Susceptibility of a system to a specific threat, attack, or harmful event, or the opportunity available for a threat agent to mount such an attack.

Vulnerability Assessment

A review of a system or program to determine its susceptibility to loss or unauthorized use.