Risk Assessment Toolkit


As outlined in the State Administrative Manual (SAM) Section 5305 et seq., risk management is the process of taking actions to avoid or reduce risk to acceptable levels. This process includes both the identification and assessment of risk through risk analysis (SAM Section 5305.1) and the initiation and monitoring of appropriate practices in response to that analysis through the agency's risk management program.

Risk assessment is a critical component of that process to ensure state agencies have an effective risk management plan in place as defined in the SAM Sections 5305 et seq. Although the following tools are available for agencies to use in identifying information security risks and helping to mitigate the issues, it may be difficult for an agency to determine where to start with a risk assessment or which tool might be the best tool to use.  Guidance for implementing a suggested strategy for a successful information security program and conducting an effective risk assessment can be found in the Information Security Program Guide for State Agencies.

Risk Assessment Tools


These tools are considered basic, but they will assist agency staff who may not have extensive experience in risk assessment begin to develop a more comprehensive risk management program.

  • Information Security Risk Assessment Checklist (doc)
    This simple checklist provides a high-level view of common security practices.  It is not intended to cover all of the steps agencies must take to complete the annual risk certification process.  However, it may be useful as part of a periodic risk analysis or for a targeted review of security practices in specific areas.  General instructions for its use are included in the Checklist's Introduction section.  Its targeted audience is generally focused towards executive management to use as a basic tool for risk assessment.


  • SANS Information Security Management Audit Checklist (doc)
    A comprehensive risk assessment checklist developed by the SANS (SysAdmin, Audit, Network, Security) Institute and based upon the International Organization for Standardization (ISO) 17799:2005 standards for an information security programThis checklist does not provide vendor specific security considerations but rather attempts to provide a generic checklist of security considerations to be used when auditing an organization's Information Technology Security. Its targeted audience is generally focused towards a team approach, which might include members from the agency's business and program areas, information technology, human resources, and the agency's Information Security Officer.


Certain statutory laws and regulations require agencies to fully and accurately assess their mandatory compliance with information security provisions. The following risk management tools can assist agencies in ensuring compliance through specialized risk assessment and auditing tools.

  • HIPAA requires every organization that maintains or transmits personal health information to take specific steps to comply with regulations in the areas of privacy, technology, security, and transaction coding. The California Office of Health Information Integrity (CalOHII) has provided the following HIPAA Security Compliance Review Tool to help agencies determine their level of compliance with the Final Security Rule.
  • The Payment Card Industry (PCI) Data Security Standard (DSS) is the set of security and compliance monitoring requirements every organization must follow in order to protect cardholder data and accept payment cards for the reimbursement of fees and services. The following tools are available to assist agencies with meeting these requirements:

Other Resources

  • Sample Risk Assessment Report (doc)
    It is important to document the results of the risk assessment in the form of a report that can be given to the agency's executive management. This sample report provides a template for a brief overview, the problems identified, and the recommendations for corrections or mitigation. Consider using this format for reporting your findings and recommendations to your executive management.
  • Sample Matrix Report (doc)
    This sample report provides an agency the appropriate risk level for action items resulting from an information security risk assessment.

The California Office of Information Security (Office) web site contains links to other sites that are not owned or controlled by us. The information provided at these sites does not reflect the views of this Office or indicate an endorsement of a particular company or product. Please be aware that our Office is not responsible for the security and privacy practices of such other sites.


Last Updated: Monday, March 14, 2016