Risk Assessment

Risk Management practice embodies a structured and disciplined approach that emphasizes the alignment of strategy, policy, process

This is an early draft of a web site started primarily to host the risk assessment tool. Retrieving controls by baseline (Low, Moderate and High) and writing and reading responses are working properly.


Prepare: essential activities to prepare the organization to manage security and privacy risks


  • key risk management roles identified
  • organizational risk management strategy established, risk tolerance determined
  • organization-wide risk assessment
  • organization-wide strategy for continuous monitoring developed and implemented
  • common controls identified

Categorize: categorize the system and the information it processes, stores, and transmits based on an impact analysis


  • system characteristics documented
  • security categorization of the system and information completed
  • categorization decision reviewed/approved by authorizing official

Select: select the set of NIST SP 800-53 controls to protect the system based on the risk assessment(s)


  • control baselines selected and tailored
  • controls designated as system-specific, hybrid, or common
  • controls allocated to specific system components
  • system-level continuous monitoring strategy developed
  • security and privacy plans that reflect the control selection, designation, and allocation are reviewed and approved
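The Categorize and Select steps above, as a worked example added here (this is not the page's risk assessment tool and not NIST's code): FIPS 199 categorization by high-water mark, retrieval of the SP 800-53B baseline for that impact level, tailoring with recorded justifications, and designation and allocation of controls to components. The control catalogue is a small constructed subset, and the system, its components (idp, lb, app) and the tailoring decisions are invented for illustration; verify baseline membership against SP 800-53B before relying on any of it.

```python
"""Added example, not the page's own tool: FIPS 199 high-water-mark
categorization, then SP 800-53B baseline retrieval, tailoring, designation and
allocation.  The catalogue is a constructed subset; confirm it against 800-53B."""
from dataclasses import dataclass
from typing import Optional

IMPACT_RANK = {"low": 0, "moderate": 1, "high": 2}

@dataclass(frozen=True)
class InfoType:           # one information type with provisional C/I/A impacts
    name: str
    confidentiality: str
    integrity: str
    availability: str

def _highest(levels) -> str:
    levels = list(levels)
    bad = [lv for lv in levels if lv not in IMPACT_RANK]
    if bad:
        raise ValueError(f"impact level must be low/moderate/high, got {bad}")
    return max(levels, key=IMPACT_RANK.__getitem__)

def categorize(info_types: list) -> dict:
    """FIPS 199: per objective, the highest impact over all information types;
    'overall' is the high-water mark across C/I/A, which picks the baseline."""
    if not info_types:
        raise ValueError("a system processes at least one information type")
    cat = {obj: _highest(getattr(t, obj) for t in info_types)
           for obj in ("confidentiality", "integrity", "availability")}
    cat["overall"] = _highest(cat.values())
    return cat

@dataclass(frozen=True)
class Control:
    id: str
    title: str
    baseline: Optional[str]  # lowest baseline containing it; None = in no baseline

# Constructed subset of the SP 800-53 Rev 5 catalogue (illustrative only).
CATALOG = [
    Control("AC-1", "Policy and Procedures", "low"),
    Control("AC-2", "Account Management", "low"),
    Control("AC-2(1)", "Automated System Account Management", "moderate"),
    Control("AC-2(8)", "Dynamic Account Management", None),
    Control("AC-2(12)", "Account Monitoring for Atypical Usage", "high"),
    Control("AC-6", "Least Privilege", "moderate"),
    Control("SC-8", "Transmission Confidentiality and Integrity", "moderate"),
    Control("SI-4", "System Monitoring", "low"),
]

def select_baseline(level: str, catalog: list = CATALOG) -> list:
    """Baselines are cumulative (low within moderate within high), so retrieval
    by Low/Moderate/High is a rank comparison per control."""
    if level not in IMPACT_RANK:
        raise ValueError(f"unknown impact level {level!r}")
    return [c for c in catalog
            if c.baseline is not None and IMPACT_RANK[c.baseline] <= IMPACT_RANK[level]]

def tailor(selected: list, *, remove=None, add=None, catalog: list = CATALOG) -> list:
    """Tailoring: each removal or supplemental addition carries a written
    justification for the security plan; only catalogue controls may be added."""
    by_id = {c.id: c for c in catalog}
    chosen = {c.id: c for c in selected}
    for cid, why in (remove or {}).items():
        if cid not in chosen:
            raise ValueError(f"{cid} is not in the selected baseline")
        if not why.strip():
            raise ValueError(f"removing {cid} requires a documented justification")
        del chosen[cid]
    for cid, why in (add or {}).items():
        if cid not in by_id:
            raise ValueError(f"{cid} is not a catalogue control")
        if not why.strip():
            raise ValueError(f"adding {cid} requires a documented justification")
        chosen[cid] = by_id[cid]
    return sorted(chosen.values(), key=lambda c: c.id)

def designate_and_allocate(controls, common, hybrid, allocation) -> dict:
    """Mark each control common (inherited), hybrid or system-specific and map the
    non-common ones to components; an unallocated non-common control is a gap."""
    plan = {}
    for c in controls:
        kind = "common" if c.id in common else "hybrid" if c.id in hybrid else "system-specific"
        comps = sorted(allocation.get(c.id, ()))
        if kind != "common" and not comps:
            raise ValueError(f"{c.id} is {kind} but allocated to no component")
        plan[c.id] = {"title": c.title, "designation": kind, "components": comps}
    return plan

def example_plan() -> dict:
    """Worked run on a constructed system: a customer portal holding PII."""
    cat = categorize([InfoType("customer PII", "moderate", "moderate", "low"),
                      InfoType("product catalogue", "low", "low", "moderate")])
    tailored = tailor(select_baseline(cat["overall"]),
                      remove={"AC-2(1)": "no automated account tooling; weekly manual review"},
                      add={"AC-2(12)": "atypical-usage monitoring required by risk assessment"})
    plan = designate_and_allocate(
        tailored, common={"AC-1"}, hybrid={"SI-4"},
        allocation={"AC-2": ["idp"], "AC-2(12)": ["idp"], "AC-6": ["app", "idp"],
                    "SC-8": ["app", "lb"], "SI-4": ["app"]})
    return {"categorization": cat, "plan": plan}
```

Calling `example_plan()` returns the categorization (Moderate overall, because the high-water mark takes the highest impact in any objective) together with the tailored, designated and allocated control set; the `ValueError`s are the checks a tool should refuse to skip: no tailoring without a justification, no addition of a control that is not in the catalogue, and no system-specific or hybrid control left unallocated.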

Implement: implement the controls and document how they are deployed


  • controls specified in security and privacy plans implemented
  • security and privacy plans updated to reflect controls as implemented

Assess: determine whether the controls are in place, operating as intended, and producing the desired results


  • assessor/assessment team selected
  • security and privacy assessment plans developed
  • assessment plans are reviewed and approved
  • control assessments conducted in accordance with assessment plans
  • security and privacy assessment reports developed
  • remediation actions to address deficiencies in controls are taken
  • security and privacy plans are updated to reflect control implementation changes based on assessments and remediation actions
  • plan of action and milestones developed

Authorize: a senior official makes a risk-based decision to authorize the system to operate


  • authorization package assembled (executive summary, system security and privacy plan, assessment report(s), plan of action and milestones)
  • risk determination rendered
  • risk responses provided
  • authorization for the system or common controls is approved or denied

Monitor: continuously monitor control implementation and risks to the system


  • system and environment of operation monitored in accordance with continuous monitoring strategy
  • ongoing assessments of control effectiveness conducted in accordance with continuous monitoring strategy
  • output of continuous monitoring activities analyzed and responded to
  • process in place to report security and privacy posture to management
  • ongoing authorizations conducted using results of continuous monitoring activities
List of NIST SP 800-53 Revision 5 (current version 5.1) Security and Privacy Controls
Owner Profile

In a career that rarely takes the path of least resistance, Charles is a highly collaborative and skilled professional with over 20 years' domestic and international experience building teams to deliver sustainable B2X business services. Most of his experience was gained in critical infrastructure and "too big to fail" enterprise environments.

Charles utilizes relationships and tools to lead improvements in customer development, business continuity, business models, markets, products, engagement, growth, retention and delivery.

Sectors: Automotive, Energy, Financial Services, Government, Healthcare and Insurance.
