All DOC organizations will establish and implement a risk management process for all IT resources, to ensure that the balance of risks, vulnerabilities, threats and countermeasures achieves a residual level of risk that is acceptable based on the sensitivity or criticality of the individual systems.
System owners shall conduct a periodic risk analysis of each IT system to insure that appropriate, cost effective safeguards are incorporated into existing and new systems. The objective of the risk analysis is to provide a measure of the relative vulnerabilities and threats to an installation so that security resources can be effectively distributed to minimize the potential for future losses. The risk analysis may vary from an informal, but documented, review of a microcomputer or terminal installation to a formal, fully quantified risk analysis for a large mainframe computer system. A risk analysis will be performed:
Section 7 of the "DOC IT Security Manual" contains specific information and guidance concerning the risk management and risk analysis requirements.