Go RIM for Policy Section 5305 - Risk Management

Authority

• Government Code Section 11549
• Statewide Security Policy, Section 5305
• Agency Risk Management and Privacy Program Compliance Certification Requirements, Budget Letter 06-34

Standards

• ISO/IEC 27002:2005 (formerly ISO/IEC 17799:2005), Section 4.1 - Assessing Security Risk;  Section 4.2 - Treating Security Risks; and Section 12.6 - Technical Vulnerability Management
• Federal Information Processing Standards (FIPS)
• HIPAA Security Standards, Section 164.308(a)(1)
• North America Electric Reliability Corporation (NERC) Standards CIP, 002 - Critical Cyber Asset Identification

Guidance

• Risk Management Guide for Information Technology Systems (NIST, SP 800-30)
• Minimum Security Requirements for Federal Information and Information Systems (FIPS 200)
• Technical Guide to Information Security Testing and Assessment (NIST SP 800-115)

Form

• Agency Risk Management and Privacy Program Compliance Certification, SIMM 70C

Tools

• Risk Assessment Toolkit by OISPP
• Sample RFPs and RFOs for Risk Assessment Services
• Threat and Vulnerability Management Resources
• Additional Threat and Vulnerability Management Resources
• Risk Management Toolkit by MITRE.org
• General Security Risk Assessment Guideline by ASIS International
• Incident Cost Estimator Workbook (.xls, 42K)

Definitions

• Administrative and Technical Terms

Related Policies

Under development.