| Applicable (Y)es / (N)o | (C)onfidentiality: L1 / M2 / H3 | (I)ntegrity: L1 / M2 / H3 | (A)vailability: L1 / M2 / H3 | RPN (C+I+A) | (S)atisfactory / (O)ther than satisfactory +## |
|---|---|---|---|---|---|
| | | | | | |

1. Column 1, Applicable: is the policy or control applicable to the organization, yes or no?
2. Column 2, (C)onfidentiality: is the related risk assessed as … ?
   a. (L)ow = 1
   b. (M)oderate = 2
   c. (H)igh = 3
3. Column 3, (I)ntegrity: is the related risk assessed as L1, M2 or H3?
4. Column 4, (A)vailability: is the related risk assessed as L1, M2 or H3?
5. Column 5, RPN: Risk Priority Number = C + I + A.
6. Column 6: the assessment is Satisfactory or Other than Satisfactory, plus a reference ## used for logging Other than Satisfactory observations.