Assess organization-wide security and privacy risk and update the risk assessment results on an ongoing basis.
Potential Inputs: Risk management strategy; mission or business objectives; current threat information; system-level security and privacy risk assessment results; supply chain risk assessment results; previous organization-level security and privacy risk assessment results; information sharing agreements or memoranda of understanding; security and privacy information from continuous monitoring.
Expected Outputs: Organization-level risk assessment results.
Primary Responsibility: Senior Accountable Official for Risk Management or Risk Executive (Function); Senior Agency Information Security Officer; Senior Agency Official for Privacy.
Supporting Roles: Chief Information Officer; Mission or Business Owner; Authorizing Official or Authorizing Official Designated Representative.
Discussion: Risk assessment at the organizational level leverages aggregated information from system- level risk assessment results, continuous monitoring, and any strategic risk considerations relevant to the organization. The organization considers the totality of risk from the operation and use of its information systems, from information exchange and connections with other internally and externally owned systems, and from the use of external providers. For example, the organization may review the risk related to its enterprise architecture and information systems of varying impact levels residing on the same network and whether higher impact systems are segregated from lower impact systems or systems operated and maintained by external providers. The organization may also consider the variability of environments that may exist within the organization (e.g., different locations serving different missions/business processes) and the need to account for such variability in risk assessments. Risk assessments of the organization’s supply chain may be conducted as well. Risk assessment results may be used to help organizations establish a Cybersecurity Framework Profile.
References: [SP 800-30]; [SP 800-39] (Organization Level, Mission/Business Process Level); [SP 800-161]; [IR 8062].