Information Security Governance Papers

Paper Title: Results Documentation

Abstract: The risk assessment report is the mechanism used to formally report the results of all risk assessment activities. The intended function of this report is to describe and document the risk posture of the system while it is operating in its stated environment (as described in the system characterization) and to provide organization managers with sufficient information so that they can make sound, risk-based decisions, such as the resources that must be allocated to the risk mitigation phase. Lastly, the agency should ensure that the results of the risk assessment are appropriately reflected in the system’s Plan of Action and Milestones (POA&M) and System Security Plan.
At a minimum, the risk assessment report should describe the following:

Scope of the assessment based on the system characterization;

Methodology used to conduct the risk assessment;

Individual observations resulting from conducting the risk assessment; and

Estimation of the overall risk posture of the system.
Web Link: http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf
