Copyright(c), 1995 - Management Analytics and Others - All Rights Reserved
(A) The information security function within each agency shall require
that a comprehensive risk analysis of all information processing
systems be performed periodically, at an interval set by agency
standards. Risk analysis results shall be presented to the owner of
the information resource for risk management. Each step of the risk
analysis process must be documented. The degree of risk accepted
(i.e., the residual exposure that remains after the recommended
protective measures have been implemented) must be identified.
(B) A risk analysis report documenting the risk assessment and its
results must be submitted to the agency head. The risk analysis
process described in (A) provides the basis for preparing that report.
(C) All information resources that agency management determines to be
essential to the agency's critical mission and functions, and whose
loss would have an unacceptable impact, shall have a written and
cost-effective contingency plan that provides for the prompt and
effective continuation of critical state missions in the event of a
disaster. The contingency plan shall be tested and updated at least
annually to ensure that it remains valid and current.
(D) Data and software essential to the continued operation of critical
agency functions shall be backed up. The security controls over the
backup resources shall be as stringent as the protection required
of the primary resources.