(a) A security risk analysis of information resources shall be performed and documented. The security risk analysis shall be updated based on the inherent risk. The inherent risk and frequency of the security risk analysis will be ranked, at a minimum, as either "High," "Medium," or "Low," based primarily on the following criteria:

(1) High Risk - annual assessment - Information resources that:

(A) Involve large dollar amounts or significantly important transactions, such that business or government processes would be hindered or an impact on public health or safety would occur if the transactions were not processed timely and accurately, or

(B) Contain confidential or sensitive data such that unauthorized disclosure would cause real damage to the parties involved, or

(C) Impact a large number of people or interconnected systems.

(2) Medium Risk - biennial assessment - Information resources that:

(A) Transact or control a moderate or low dollar value, or

(B) Contain data items that could potentially embarrass or create problems for the parties involved if released, or

(C) Impact a moderate proportion of the customer base.

(3) Low Risk - biennial assessment - Information resources that:

(A) Publish generally available public information, or

(B) Result in a relatively small impact on the population.
(b) A system change could cause the overall classification to move to the High Risk category.
(c) Security risk assessment results, vulnerability reports, and similar information shall be documented and presented to the agency head or his or her designated representative. The agency head shall make the final security risk management decisions to either accept exposures or protect the data according to its value/sensitivity. The agency head must approve the security risk management plan. This information may be exempt from disclosure under §2054.077(c), Government Code.