IT Risk Assessment in the Military
I am a civilian employee working for the Air Force. Part of my job is to perform recurring assessments on the systems I maintain and report the status to our IT Security Office, which decides what action, if any, to take on the findings. The CISO then either accepts some of the risks or approves what is done to mitigate them.
As I mentioned in my first post, we use Security Technical Implementation Guides (STIGs) provided by the Defense Information Systems Agency (DISA) to perform these evaluations. Some of the STIGs are automated, and others are simply checklists used to check a system for compliance with the STIG guidelines.
These checks are performed before a new system is brought online and recur periodically throughout the life cycle of the system. When we complete a review, an IT inspector goes through the checklist and verifies the findings, and then a plan is made to mitigate or accept the risks.
As another layer of verification, organizations are inspected by an outside agency that also runs the STIGs on the systems.
This multi-layer risk management system has proven very effective.
Here is the link to the DISA STIGs that are available to the public:
http://iase.disa.mil/stigs/a-z.html