Highlights of IS.010 Information Security Risk Management Standard
Highlights of IS.010 Information Security Risk Management Standard
Massachusetts Executive Office of Technology and Security Services IS.010 Information Security Risk Management Standard defines the key elements of the Commonwealth’s information security risk assessment model to enable consistent identification, evaluation, response and monitoring of risks facing IT processes. This standard defines the key elements of the Commonwealth’s information security risk assessment model to enable consistent identification, evaluation, response and monitoring of risks facing IT processes. Topics include:
- Annual information security risk assessments (weighing potential risk and likelihood and impact
- Impact categories and definitions (financial, reputational, legal and regulatory and operational)
- Impact ratings for each impact category (critical, high, moderate, low)
- Likelihood of risk occurring (highly likely, likely, possible, unlikely)
- Effectiveness of compensating controls (Effective, partially effective, ineffective)
- Risk mitigation (how a risk is reduced through acceptance, transfer, avoidance or preventative measures)
- Mandatory initial, annual and periodic information security awareness training
See the Enterprise Information Security Standards Self-Assessment Questionnaire [Excel] that can be used to track compliance with implementing these internal controls. Departments should expect to be audited on compliance with these internal controls.
The Executive Office of Technology Services and Security (EOTSS) publishes Enterprise Information Security Policies and Standards which must be included in a department’s Internal Control Plan, implemented, tested, and included in staff training. These standards apply to all Executive Department offices and agencies and are the default standard for non-Executive Departments who have not adopted comparable cyber and data security standards as part of their Internal Control Plan.