- Information Security Handbook
- Darren Death
- 2021-07-02 21:55:57
Risk assessment policy
The risk assessment policy establishes the organization's rules for how it will conduct risk assessments at the organizational, operational, and system-specific levels.
What the risk assessment policy should address:
- Assessing risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information
- Scanning for vulnerabilities in the information system and applications periodically and when new vulnerabilities affecting the system are identified
- Remediating vulnerabilities in accordance with assessments of risk