USDA RISK MANAGEMENT PROGRAM
TABLE OF CONTENTS

DM 3540-000                                              Page
Chapter 8 – General Information
    1 Purpose ................................................ 1
    2 Cancellation ........................................... 2
    3 References ............................................. 2
    4 Scope .................................................. 2
    5 Abbreviations .......................................... 2

3540-001
Part 1 – Risk Management Methodology
    1 Background ............................................. 1
    2 Policy ................................................. 1
    3 Responsibilities ....................................... 2
    Table 1 USDA Risk Assessment Methodology

3540-002
Part 2 – Risk Assessments and Security Checklists
    1 Background ............................................. 1
    2 Policy ................................................. 1
    3 Procedures ............................................. 2
    4 Responsibilities ....................................... 3
U.S. Department of Agriculture
Washington, D.C.

DEPARTMENTAL MANUAL
NUMBER: 3540-000
SUBJECT: USDA Risk Management Program
DATE: February 17, 2005
OPI: OCIO, Cyber Security
CHAPTER 8
GENERAL INFORMATION
1 PURPOSE

This Departmental Manual chapter establishes the policy and procedures for the use of a Risk Management Program in the security protection of Information Technology (IT) assets within USDA. A comprehensive Risk Management Program includes the use of a standardized Risk Management Methodology, Risk Assessments, Risk Checklists and Mitigation Strategies.

Part 1, Risk Management Methodology. This part provides a standardized process to evaluate the possible risks or threats to USDA systems and determine potential mitigations. It provides a methodology and model for conducting risk assessments at both the application and system level.

Part 2, Risk Assessments and Risk Checklists. The Office of Management and Budget (OMB) requires a review of security controls during the development of a system, whenever significant modifications are made to the system, or every three years. Likewise, 44 U.S.C. 3533(a)(6) and 3543(a)(5) require an annual review of Federal security programs.
Risk assessment checklists have been developed to comply with these requirements and to support OCIO’s risk-based approach to cyber security. When executed, these checklists identify potential vulnerabilities that could lead to the loss of mission-critical information assets. This part establishes policy and procedures for performing Risk Assessments and using USDA’s Security Checklists.
2 CANCELLATION

This Departmental Manual will be in effect until superseded.

3 REFERENCES

See Appendix B, CS Legal and Regulatory References.
4 SCOPE

This manual chapter applies to all USDA agencies, programs, teams, organizations, appointees, employees and other activities.
5 ABBREVIATIONS

AIS - Automated Information Systems
CIO - Chief Information Officer
CM - Configuration Management
CS - Cyber Security
IRM - Information Resources Management
IT - Information Technology
OMB - Office of Management & Budget
OCIO - Office of the Chief Information Officer
RA - Risk Assessment
RM - Risk Management
SLC - System Development Life Cycle
USDA - United States Department of Agriculture