If not, priorities and values related to identifying targets of threat sources and organizational impacts can typically be derived from strategic planning and policies. The scope of the risk assessment can include not only the missions/business functions, mission/business processes, common infrastructure, or shared services on which the organization currently depends, but also those which the organization might use under specific operational conditions.

Organizations may explicitly identify how established priorities and values guide the identification of high-value assets and impacts to organizational stakeholders. Alternatively, the risk assessment can inform decisions regarding a set of closely related missions/business functions or mission/business processes. This can include decisions regarding the selection, tailoring, or supplementation of security controls for specific information systems or the selection of common controls. For example, the risk assessment can inform decisions regarding information systems supporting a particular organizational mission/business function or mission/business process.

Organizational applicability describes which parts of the organization or sub-organizations are affected by the risk assessment and the risk-based decisions resulting from the assessment (including the parts of the organization/sub-organizations responsible for implementing the activities and tasks related to the decisions).