4-5 Independent Risk Management
Independent risk assessments are conducted by organizations that are
separate and distinct from those responsible for the development and
operation of the information resources. Such assessments will follow the
independent risk assessment guidelines provided in Handbook AS-805-A,
Information Security Assurance.
Note: Independent processes (e.g., independent risk assessment,
independent code review, independent security test validation,
independent penetration testing and vulnerability scans) are evaluations
conducted by independent personnel, contractors, or vendors for the
purpose of applying rigorous evaluation standards to information
resources. An independent process is conducted by an organization that
is separate and distinct from those responsible for the development and
operation of the information resource.
An independent risk assessment may be recommended during the business
impact assessment (BIA) process when information resources are:
a. Publicly accessible.
b. Developed, hosted, or managed primarily by non-Postal Service
personnel.
c. Highly visible or have high impact.
Note: An independent risk assessment may be required at any time by
the CIO/VP IT; manager, CISO; or vice president of the functional
business area.