While the other assessor roles on the Security Assessment team perform technical testing and generate risk information, the Risk Assessor focuses exclusively on analyzing existing Risk Information Sources (RIS), regardless of which source generated them. Put another way, the other assessor roles generate a RIS that is (potentially) used by the Risk Assessor, possibly along with other RIS, to determine the risk posture of the system being assessed. The Risk Assessor role is utilized whenever a Risk Assessment is requested.
The Risk Assessor typically works independently of and after the Security Assessment team. The Risk Assessor is not typically a part of the Security Assessment team but may interact with them to better understand their findings and their context.
Before identifying the risks to the system, the Risk Assessor first familiarizes herself with the system by reviewing the system’s SSP, ISRA, PIA, and any existing ACT RARs. The purpose of this review is to understand the purpose, design, implementation, and environment of the system; its development roadmap; and the already-identified risks to the security and privacy of the system.
The Risk Assessor reviews and analyzes the data from all available RIS (including the Findings and output from ongoing ACT Security Assessments). Available RIS might include ACT Security Assessments that are being conducted concurrently or that were conducted in the past; other available RIS might include sources such as penetration testing performed by the CMS Cybersecurity Integration Center (CCIC), DHS Cyber Hygiene scanning, and similar programs. The Risk Assessor works with ISPG and/or the appropriate Security Assessment Lead or Risk Assessment Lead to determine which Risk Information Sources should be considered for each Assessment.
The Risk Assessor documents the identified Risks and analysis in the current version of the ACT Risk Assessment Report Template.
Minimum Qualifications: (Minimum knowledge, skills, and abilities to perform the job)
Desired Qualifications: (desired experience, education, and training)