"Information Assurance (IA) Risk Management is a process employed by an organization to achieve and maintain an acceptable level of IA risk. This document establishes the requirements for enterprise IA risk management within the national security community, which requires a holistic view of the IA risks to National Security Systems (NSS) operating within the enterprise using disciplined processes, methods, and tools. It provides a framework for decision makers to continuously evaluate and prioritize IA risks in order to accept or recommend strategies to remediate or mitigate those risks to an acceptable level. Risk assessment is the process of determining the extent to which an entity is threatened; that is, determining the likelihood of potential adverse circumstances or events and the resulting harm to or impact on organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation. When operating local information systems or communicating information between government organizations, it is the responsibility of the organization to ensure the security of that information and the information system on which it is stored, processed, or transmitted. To encourage agencies to share information, they must have confidence that the information will be adequately protected by the receiving organization. This confidence is gained through the use of universally accepted and implemented risk management activities, with demonstrated performance over time. This process provides organizations the confidence to share information at the appropriate level of trust."
CNSS Policy No. 22
Committee on National Security Systems: http://www.cnss.gov