Policy Name
Information Risk Management Policy

Risk Assessment (and Management) is the process to periodically review and mitigate risk to systems, business services, and sensitive data to ensure processes meet the organization's information security policies and standards. The goal is to reduce and mitigate risk to the organization.

  • Information, system and process owners must periodically review and mitigate risk on systems, applications and processes using a risk-based approach.
  • Risk assessment must be performed at least annually on sensitive or high risk systems, applications and processes.
  • Risk assessment must consist of a documented process approved by executive management.
  • Risks identified from risk assessment must be prioritized for mitigation based on data classification and risk to the organization.


The following benefits will be achieved:

  • Ensure periodic reviews using a risk based approach to reduce risk
  • A method to prioritize mitigation of risk

All employees, contractors, agents and third-parties

Consequeces for Noncompliance
Noncompliance to this policy can result in disciplinary action up to and including termination of employment or contract.

Risk Asssessment and Management