5305    RISK MANAGEMENT
(New 03/08)

Risk management is the process of taking actions to avoid or reduce risk to acceptable levels. This process includes both the identification and assessment of risk through risk analysis (SAM Section 5305.1) and the initiation and monitoring of appropriate practices in response to that analysis through the agency's risk management program.

State agencies need to ensure the integrity of computerized information resources by protecting them from unauthorized access, modification, destruction, or disclosure and to ensure the physical security of these resources. Agencies shall also ensure that users, contractors, and third parties having access to state computerized information resources are informed of and abide by this policy and the agency security plan, and are informed of applicable state statutes related to computerized information resources.

Each agency that employs information technology must establish risk management and disaster recovery planning processes for identifying, assessing, and responding to the risks associated with its information assets. The state's information assets (its data processing capabilities, information technology infrastructure and data) are an essential public resource. For many agencies, program operations would effectively cease in the absence of key computer systems. In some cases, public health and safety would be immediately jeopardized by the failure or disruption of a system. The non-availability of state information system and resources can also have a detrimental impact on the state economy and the citizens who rely on state programs. Furthermore, the unauthorized modification, deletion, or disclosure of information included in agency files and data bases can compromise the integrity of state programs, violate individual right to privacy, and constitute a criminal act.

AUTHORITY          STANDARDS          GUIDANCE          FORMS          TOOLS