CPA3.1 - Risk Assessment


The generic objectives and activities of this CPA are found across other capability process areas and can be used within these CPAs. They are important core organisational objectives that would be required in any institution or infrastructure.

GO3.1: Overall Risk Analysis

Risk assessments and overall risk analysis will be undertaken when there are changes to the technical infrastructure which may affect the security or resilience of any service, component or procedure.

GRA3.1.1 Risk Assessment Procedure

A risk assessment methodology (and tool) is used to make a systematic analysis of security and infrastructure resilience risk factors associated with data, systems, personnel, and technical hardware.

(0) Not defined:

There is no evidence that risk assessments are undertaken.

(1) Initial:

There is some awareness of the need for risk assessment and some risk assessments are undertaken, but on an ad hoc basis or when requested by the organisation for a specific purpose.

(2) Repeated/partial:

Risk assessments are undertaken when significant changes are made to the technical infrastructure, policies or procedures, but the results are not analysed further.

(3) Defined:

There is a documented risk assessment methodology (and tool) that is used to make a systematic analysis of security and infrastructure resilience risk factors when there are changes to the technical infrastructure.

(4) Managed:

The use of the risk assessment methodology and analysis is monitored. Any significant risks are managed immediately as part of the risk mitigation procedure, and issues, incidents and discrepancies are documented.

(5) Optimised:

At regular intervals the risk assessment and analysis processes are reviewed. Any modifications to the processes are documented and communicated internally.