Risk Assessment Toolkit
Overview
As outlined in the State Administrative Manual (SAM) Section 5305 et seq., risk management is the process of taking actions to avoid or reduce risk to acceptable levels. This process includes both the identification and assessment of risk through risk analysis (SAM Section 5305.1) and the initiation and monitoring of appropriate practices in response to that analysis through the agency's risk management program.
Risk assessment is a critical component of that process to ensure state agencies have an effective risk management plan in place as defined in the SAM Sections 5305 et seq. Although the following tools are available for agencies to use in identifying information security risks and helping to mitigate the issues, it may be difficult for an agency to determine where to start with a risk assessment or which tool might be the best tool to use. Guidance for implementing a suggested strategy for a successful information security program and conducting an effective risk assessment can be found in the Information Security Program Guide for State Agencies.
Risk Assessment Tools
BASIC
These two tools are considered basic, but they will assist agency staff who may not have extensive experience in risk assessment in beginning to develop a more comprehensive risk management program.
- Information Security Risk Assessment Checklist (.doc, 131k)
This simple checklist provides a high-level view of common security practices. It is not intended to cover all of the steps agencies must take to complete the annual risk certification process. However, it may be useful as part of a periodic risk analysis or for a targeted review of security practices in specific areas. General instructions for its use are included in the Checklist's Introduction section. Its target audience is executive management, who can use it as a basic tool for risk assessment.
- Assessment Tool for State Agencies (.doc, 217k)
This tool is a more detailed list that agencies can use to assess their risk more adequately. It generally aligns with the International Organization for Standardization (ISO) 17799:2005 standard and delves deeper into specific risk categories than the Checklist above. It also provides a scoring tool to determine an agency's overall evaluation. Its target audience is a team, which might include members from the agency's business and program areas, information technology, human resources, and the agency's Information Security Officer.
ADVANCED
An assessment is one method an agency can employ to help determine the current status of its information systems and agency-wide information security program. Ideally, assessments of selected security controls should be conducted on an ongoing basis to systematically identify programmatic weaknesses and, where necessary, establish targets for continuing improvement. The following checklists and forms provide a standardized method for conducting assessments and evaluating the effectiveness of an agency's information security program.
- SANS Information Security Management Audit Checklist (.doc, 304k)
A comprehensive risk assessment checklist developed by the SANS (SysAdmin, Audit, Network, Security) Institute and based upon the International Organization for Standardization (ISO) 17799:2005 standard for an information security program. This checklist does not provide vendor-specific security considerations but rather attempts to provide a generic checklist of security considerations to be used when auditing an organization's information technology security. Its target audience is a team, which might include members from the agency's business and program areas, information technology, human resources, and the agency's Information Security Officer.
- Technical Guide to Information Security Testing and Assessment, SP 800-115 (.pdf, 606k)
- Other NIST-related publications that can assist an agency in conducting a comprehensive assessment include:
- Risk Management Guide for Information Technology Systems, SP 800-30 (.pdf, 479k)
- Recommended Security Controls for Federal Information Systems, SP 800-53 (.pdf, 1355k)
- NIST SP 800-26 has been replaced by NIST SP 800-53 (SP 800-53 Rev. 2, Dec 2007, Recommended Security Controls for Federal Information Systems).
- Revised NIST SP 800-26 System Questionnaire with NIST SP 800-53 References and Associated Security Control Mappings - April 2005
- Revised Special Publication 800-26 (.doc, 484k)
STATUTORY AND REGULATORY
Certain statutory laws and regulations require agencies to fully and accurately assess their mandatory compliance with information security provisions. The following risk management tools can assist agencies in ensuring compliance through specialized risk assessment and auditing tools.
- HIPAA requires every organization that maintains or transmits personal health information to take specific steps to comply with regulations in the areas of privacy, technology, security, and transaction coding. The California Office of HIPAA Implementation (CalOHI) has provided the following HIPAA Security Compliance Review Tool to help agencies determine their level of compliance with the Final Security Rule.
- The Payment Card Industry (PCI) Data Security Standard (DSS) is the set of security and compliance monitoring requirements every organization must follow in order to protect cardholder data and accept payment cards for the reimbursement of fees and services. The following tools are available to assist agencies with meeting these requirements:
- Payment Card Industry (PCI) Self-Assessment Questionnaire
This Questionnaire is an important validation tool that is primarily used by smaller merchants and service providers to demonstrate compliance with the PCI DSS.
- PCI DSS Supporting Documents
Other Resources
- Risk Assessment Reference Chart (.doc, 18k)
A chart to assist agencies in identifying certain topics and references, and where they apply in the SAM, NIST 800-53, and HIPAA requirements.
- Sample Risk Assessment Report (.doc, 40K)
It is important to document the results of the risk assessment in the form of a report that can be given to the agency's executive management. This sample report provides a template for a brief overview, the problems identified, and the recommendations for corrections or mitigation. Consider using this format for reporting your findings and recommendations to your executive management.
- Sample Matrix Report (.doc, 38K)
This sample report provides an agency the appropriate risk level for action items resulting from an information security risk assessment.
- Office of State Audits and Evaluations (OSAE) Audit Guides
Commonly used guides in state Financial Integrity and State Managers Accountability (FISMA) audits.
- Project Management Methodology
Developing a risk management plan for a project can be difficult. A complete set of tools to develop a comprehensive risk management plan is available on the Department of Finance's Web site under the State Information Management Manual (SIMM), Section 200, Project Management Methodology.
The California Office of Information Security (Office) web site contains links to other sites that are not owned or controlled by us. The information provided at these sites does not reflect the views of this Office or indicate an endorsement of a particular company or product. Please be aware that our Office is not responsible for the security and privacy practices of such other sites.

