Risk Assessments
We perform risk assessments according to each customer's requirements and document the results in a Risk Assessment Report. The risk assessment determines the degree of risk associated with the confidentiality, integrity, and availability of the IT system and the information it processes, stores, and transmits. The risk assessment report documents the results of the risk assessment activities and includes the threats to and the vulnerabilities of the system, proposals for and evaluations of the effectiveness of various security controls, the trade-offs associated with those controls (e.g., performance impact and cost), and the residual risk associated with a candidate set of controls. For each residual risk, the report specifies the rationale for accepting or rejecting the risk and the possible future security controls that could mitigate it. The certifier evaluates the final risk assessment report, carefully judging the scope and accuracy of its findings. The certifier's statement to the DAA is based on the information contained in the risk assessment report and other supporting documents. The DAA uses the risk assessment report, along with the other documents provided in the certification package, to make the final accreditation decision. The risk assessment report should contain, at a minimum, the information outlined in NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems, October 2001.