The presentation will cover what a risk assessment is and what an agency needs to have in place beforehand. Agencies need to have policies and procedures that address each control family as required by SEC501-9.1. Additionally, agencies should have up-to-date Business Impact Analysis (BIA), Business Continuity Plan (BCP), Disaster Recovery Plan (DR), and have conducted a System and Data Classification project prior to commencement of a risk assessment. A Risk Assessment should identify, estimate, and prioritize information security risk through the careful analysis of threats and vulnerabilities to determine the extent to which circumstances or events could adversely impact an agency or the likelihood that such circumstances or events will occur. The purpose of a risk assessment is to identify any threat (weather, fire, power, hardware, software, etc.) that can disrupt operations and prevent the agency from accomplishing its mission.
