U.S. Department of Health and Human Services
Risk assessment or risk analysis is a process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals. The process incorporates threat and vulnerability analysis. It includes determining the probability that a security incident could occur, the resulting impact, and additional security controls that would mitigate this impact.
A risk assessment is a required part of the security documentation for Security Authorization. Risk assessments should be conducted during the initiation and development stage of the EPLC. Once the system is implemented, a risk assessment should be performed at least every three years or in the event of a significant change.
System Security Testing