PS-08-031 Information Security – Risk Management

Issue Date:  3/20/2008

Revision Effective Date:  3/20/2008 

Review Date: 12/1/2020


“Risk” is the net negative impact of the exploitation of a vulnerability, considering both the probability and the impact of occurrence.  “Risk management” is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.  An effective risk management process is an important component of a successful IT security program and an essential management function of the organization.

The principal goal of an organization’s risk management process is to protect the organization and its ability to perform their mission. It fosters informed decision making, allowing the security management organization to balance the operation and economic costs of protective measures and achieve gains in mission capability.

This policy requires agencies to take a risk-based approach to securing their information systems.


Each agency shall institute an organization-wide risk management approach to information security that assesses the risks (including the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction) to information and information systems that support the operations and assets of the organization.

Each agency shall develop policies, procedures and select cost-effective controls (based on the risk assessment) that reduce information security risks to an acceptable level and ensure information security is addressed throughout the lifecycle of each organization’s information systems.


Information Security Infrastructure (SS-08-005)

Risk Management Framework (SS-08-041)


NIST SP 800-12 Introduction to Computer Security NIST Handbook (Information Security Risk Management)…

NIST SP 800-30 Risk Management Guide for Information Technology Systems Rev. 1

NIST SP 800-53 Rev. 5


Risk – A function of the likelihood of a given threat source exploiting a potential vulnerability, and the resulting impact of that adverse event on the organization.

Risk Management - The process of identifying, controlling, and mitigating information system–related risks. It includes risk assessment; cost-benefit analysis; and the selection, implementation, test, and security evaluation of safeguards. This overall system security review considers both effectiveness and efficiency, including impact on the mission and constraints due to policy, regulations, and laws.