5305.2 AGENCY RISK MANAGEMENT PROGRAM
(Revised 10/09)
The practice of information technology risk management within the agency must be based upon the results of the agency's risk analysis process. Obtaining resources for risk management is subject to the same technical, programmatic, and budgetary justification and review processes required for any information technology program. See SAM Section 4819.3.
The risk management practices implemented by the agency will vary depending upon the nature of the agency's information assets. Among the practices that must be included in each agency's risk management program are:
- Organizational and Management Practices, see SAM Section 5315.
- Personnel Practices, see SAM Section 5325.
- Physical Security Practices, see SAM Section 5330.
- Information Integrity and Data Security Practices, see SAM Section 5335.
- Personal Computer Security Practices, see SAM Section 5335.
- Software Integrity Practices, see SAM Section 5345.