Components of a Risk Assessment
Administrative Safeguards

These include, but are not limited to, those control measures that ensure
- classification of data handled by the unit and determination of controls to protect those assets;
- documentation of procedures, standards, and recommended practices to ensure that applicable policies and controls are implemented appropriately for a given business process;
- identification of personnel who are authorized to access systems;
- assurance that appropriate authorization controls are implemented;
- security awareness training and education for all personnel; and
- background checks prior to the selection and hiring of new personnel into critical positions.
Logical Safeguards

These encompass the range of technical controls that
- ensure access by only authorized users and session termination when finished;
- enforce secure password management;
- manage tracking of development, maintenance, and changes to application software and information systems;
- manage access to the network; and
- ensure event logging.
Physical Safeguards

These protect physical resources through controls that
- allow access by only authorized individuals, through the use of physical means, such as locks, badge readers, or access cards;
- ensure the prevention, detection, early warning of, and recovery from emergency disruptions, such as flooding, power failures, or earthquakes; and
- govern the receipt and removal of hardware and electronic media, including equipment reassignment and final disposition of equipment.