This is the eleventh of a fourteen-part blog series intended to describe how Ascolta Greenfield environments achieve compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 1, Protecting Controlled Unclassified Information in Non-federal Systems. This entry covers the controls contained in the Risk Assessment Policy and Procedures family.
What is it?
Companies are dependent upon information technology and its associated systems. While the growing number of information technology products used across companies and industries can be beneficial, in some instances those products also introduce serious threats: adversaries can adversely affect a company's systems by exploiting both known and unknown vulnerabilities. The exploitation of vulnerabilities in company systems can compromise the confidentiality, integrity, or availability of the information being processed, stored, or transmitted by those systems.
Performing a risk assessment is one of four components of risk management. Risk assessments identify and prioritize risks to company operations, assets, employees, and other organizations that may result from the operation of a system. Risk assessments inform company decision makers and support risk responses by identifying: relevant threats to the organization, or threats directed through the organization against other organizations; vulnerabilities both internal and external to the organization; the impact (i.e., harm) to the company that may occur if a threat exploits a vulnerability; and the likelihood that such harm will occur.
How does Greenfield solve it?
Greenfield provides risk assessment through a combination of two elements: client administrators properly categorizing the systems they host on AWS in accordance with FIPS 199, and reliance on AWS, which has developed formal, documented risk assessment policies and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The policy is reviewed on an annual basis.
Additionally, Greenfield provides a Risk Assessment Questionnaire that allows you to quickly and easily identify and quantify risks to the systems, information, facilities, and personnel associated with your systems that impact, store, transmit, process, or otherwise handle CUI.