MSISA – Oct. 1 2012
Arlington, TX (CST)
A. As-Is Question Set
(Columns: If yes, page number / If no, justification)

Does a policy that addresses the need for risk management exist?
Yes - pg 7. The “Purpose” section of the Risk Assessment stated that it was to ensure compliance with HBWC’s IT Security Policy, though that document is not included in the Risk Assessment.

Is the acceptable risk posture for the organization included in the policy?
There is a reference to what certain risks would cost financially, but there are no statements as to an acceptable risk posture, although the risk assessment was performed to help understand the exposure.

Does the policy include details about a risk assessment?
There is no reference to whether the policy

Is there a section in the policy that includes multi-perspectives on risk including the following:
• Vulnerability space
• Business impact assessment
The risk assessment includes various perspectives on the found risks, but it is undetermined whether the identified risks were based on observation or on the policy.

Is there a section in the policy that includes reporting results of risk assessments?
The risk assessment was reported to management in general; there is no reference that it was reported as required by the policy.

Is there a section in the policy that includes a remediation analysis report based on risk assessments (i.e., how to reduce risk or increase security posture)?
The risk assessment provides risk mitigation responses, but there is no reference that it was in response to the policy.

Is there a procedure in existence that describes how to implement and enforce risk management policies?
There is mention on page 10 of an SOP document, but it cannot be determined whether that refers to a user task SOP or a security procedure.

Does the procedure include a breadth of scope? Does the breadth of scope include the following: