1917 Vulnerability and Risk Assessment
Department of Human Services
Index: POL1917
Revised: 06/02/2025
Next Review: 06/02/2027
Subject: DHS Information Security Policies
Policy
This policy establishes the Enterprise Risk Management Policy for managing risk associated with information assets, information leakage, and network vulnerabilities. The Risk Management Policy and its associated plans support the DHS mission by proactively identifying threats and vulnerabilities that can result in adverse consequences (impact).
Authority
- United States Department of Commerce, National Institute of Standards and Technology (NIST)
- United States Internal Revenue Service (IRS)
- United States Department of Health & Human Services, Administration for Children and Families (ACF), Office of Child Support Services (OCSS)
- United States Department of Health & Human Services, Centers for Medicare & Medicaid Services (CMS)
- Georgia Technology Authority (GTA)
- Social Security Administration (SSA)
- Federal Bureau of Investigation, Criminal Justice Information Services (CJIS)
References
- Georgia Technology Authority Enterprise Information Security Policy
- Centers for Medicare & Medicaid Services, Volume II: Minimum Acceptable Risk Standards for Exchanges (MARS-E)
- Social Security Administration (SSA) Electronic Information Exchange Security Requirements and Procedures for State and Local Agencies Exchanging Electronic Information with the Social Security Administration (TSSR)
- ACF/OCSS Security Agreement
Applicability
The scope of this policy is applicable to all Information Technology (IT) resources owned or operated by DHS. Any information, not specifically identified as the property of other parties, that is transmitted or stored on DHS IT resources (including email, messages, and files) is the property of DHS. All users (DHS employees, contractors, vendors, or others) of IT resources are responsible for adhering to this policy.
Definitions
- Vulnerability: A hardware, software, or firmware weakness or design deficiency that leaves a system open to assault, harm, or unauthorized exploitation, either externally or internally, thereby resulting in unacceptable risk of information compromise, information alteration, or denial of service.
- Risk Assessment: The identification, evaluation, and estimation of the levels of risk involved in a situation, their comparison against benchmarks or standards, and the determination of an acceptable level of risk.
Responsibilities
DHS adopts the Risk Management principles established in NIST SP 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems," as the official policy for this domain. The following subsections outline the Risk Management standards that constitute DHS policy. Each DHS Business System is bound to this policy and shall develop or adhere to a program plan that demonstrates compliance with the standards documented here.
RA-1 Risk Assessment Procedures
- Develop, document, and disseminate to designated agency personnel:
  - An organization-level vulnerability and risk assessment policy that:
    - Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    - Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
  - Procedures to facilitate the implementation of the vulnerability and risk assessment policy and the associated controls.
- Designate an agency official to manage the development, documentation, and dissemination of the vulnerability and risk assessment policy and procedures; and
- Review and update the current vulnerability and risk assessment:
  - Policy every one (1) year or when there is a significant change; and
  - Procedures every one (1) year or when there is a significant change.
RA-2 Security Categorization
- Categorize the system and the information it processes, stores, and transmits;
- Document the security categorization results, including supporting rationale, in the security plan for the system; and
- Verify that the Authorizing Official (AO) or the AO's designated representative reviews and approves the security categorization decision.
RA-3 Risk Assessment
- Conduct a risk assessment, including:
  - Identifying threats to and vulnerabilities in the system;
  - Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and
  - Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;
- Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;
- Document risk assessment results in system security plans and risk assessment plans;
- Review risk assessment results at least annually;
- Disseminate risk assessment results to agency-defined personnel (e.g., AO, System Owner, system administrator); and
- Update the risk assessment at least every three (3) years or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.
RA-3 (1) Supply Chain Risk Assessment:
- Assess supply chain risks associated with Federal Tax Information; and
- Update the supply chain risk assessment every three (3) years, when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.
RA-5 Vulnerability Monitoring and Scanning
- Monitor and scan for vulnerabilities in the system and hosted applications every thirty (30) days, prior to placing a new information system on the agency network, to confirm remediation actions, and when new vulnerabilities potentially affecting the system are identified and reported;
- Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
  - Enumerating platforms, software flaws, and improper configurations;
  - Formatting checklists and test procedures; and
  - Measuring vulnerability impact;
- Analyze vulnerability scan reports and results from vulnerability monitoring;
- Remediate legitimate vulnerabilities in accordance with an agency assessment of risk;
- Share information obtained from the vulnerability monitoring process and control assessments with agency-defined personnel to help eliminate similar vulnerabilities in other systems (i.e., systemic weaknesses or deficiencies); and
- Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.
RA-5 (2) Update Vulnerabilities to be Scanned:
Update the list of vulnerabilities to be scanned at least every thirty (30) days, prior to a new scan, and when new vulnerabilities are identified and reported.
RA-5 (3) Breadth and Depth of Coverage:
Define the breadth and depth of vulnerability scanning coverage.
RA-5 (4) Discoverable Information:
Determine information about the system that is discoverable and take appropriate corrective actions.
RA-5 (5) Privileged Access:
Implement privileged access authorization to all information system components for selected vulnerability scanning activities.
RA-5 (11) Public Disclosure Program:
Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components.
IRS.1:
Implement a vulnerability management process for IT software systems (including wireless networks) to complement the patch management process.
RA-7 Risk Response
Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance.
RA-8 Privacy Impact Assessments
Conduct privacy impact assessments for systems, programs, or other activities before:
- Developing or procuring information technology that processes personally identifiable information; and
- Initiating a new collection of personally identifiable information that:
  - Will be processed using information technology; and
  - Includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more individuals, other than agencies, instrumentalities, or employees of the federal government.
Evaluation
The Office of Information Technology (OIT), upon recommendation of the DHS Chief Information Security Officer (CISO), evaluates this policy annually by:
- Comparing its content and intent to the evolving regulatory compliance standards imposed upon the Agency, such as IRS Publication 1075, NIST SP 800-53, and CMS MARS-E; and
- Addressing any deficiencies or gaps discovered during periodic audits conducted by the Georgia Department of Audits and Accounts (DOAA) or other regulatory bodies, such as the IRS, CMS, SSA, and FBI.