ITP.1.3.020 Risk Assessment

Information security risk assessment is the process to identify and understand risks to the confidentiality, integrity, and availability of information and information systems. The Tribe shall maintain an ongoing information security risk assessment program that effectively involves three phases:

(a) Information gathering. Gather data regarding the information and technology assets of the Tribe, threats to those assets, vulnerabilities, existing security controls and processes, and the current security standards and requirements;

(b) Analysis. Analyze the probability and impact associated with the known threats and vulnerabilities to its assets; and

(c) Prioritize responses. Rank the risks present due to threats and vulnerabilities to determine the appropriate level of training, controls, and testing necessary for effective mitigation.