Risk Management

The following resources provide policy, standards, and guidelines to assist state agencies in the development and maintenance of their risk management programs.

Also see our Frequently Asked Questions about Risk Management and Privacy Program Compliance Certification

State Administrative Manual (SAM)

The SAM is a central point for statewide policies, procedures, regulations and information developed and issued by authoring agencies such as this Office, the Department of Finance (Finance), Department of General Services (DGS), and Governor's Office. The following SAM policies directly relate to operational recovery and business continuity.

As announced in Management Memo (MM) 08-02, the policy sections related to information security and privacy have been restructured and renumbered effective February 19, 2008. No policies were changed through MM 08-02 or this restructure.

Topic                              SAM Section
Risk Management                    5305
Risk Analysis                      5305.1
Agency Risk Management Program     5305.2


Statewide Information Management Manual (SIMM)

The following SIMM sections are applicable to risk management.

Agency Risk Management and Privacy Program Compliance Certification (SIMM 5330-B):

The signed Certification acknowledges that each agency is in compliance with state policy governing risk management and privacy requirements as defined in SAM Section 5305.2, Government Code Section 11019.9, and the Information Practices Act (Civil Code Section 1798 et seq.). It is due to the California Office of Information Security by January 31st of each year.

Plan of Action and Milestones (SIMM 5305-C):

Each state entity is responsible for establishing an Information Security Program to effectively manage risk. The state entity's information security program shall incorporate an Information Security Program Plan (ISPP) that provides for the proper use and protection of its information assets, including a Plan of Action and Milestones (POAM) process for addressing information security program deficiencies.

Topic                                                                  Format   Section
Agency Risk Management and Privacy Program Compliance Certification    doc      5330-B
Information Security Program Management Standard                       pdf      5305-A
Plan of Action and Milestones Instructions                             doc      5305-B
Plan of Action and Milestones Worksheet                                xls      5305-C
Frequently Asked Questions                                             pdf      5305


Risk Assessment Toolkit

These tools help agencies identify information security risks and mitigate the issues they find. The toolkit is available through the "Risk Assessment Toolkit" link above.

MS-ISAC Nationwide Cyber Security Review Self-Assessment Reporting Tool (NCSR)

The Nationwide Cyber Security Review (NCSR) is a voluntary self-assessment survey designed to evaluate cyber security management. The NCSR provides participants with instructions and guidance, supplemental documentation, and the ability to contact the NCSR help desk directly from the survey. The survey opens October 1, to coincide with National Cyber Security Awareness Month, and closes on November 30.

Once complete, participants have immediate access to an individualized report that measures the level of adoption of security controls within their organization and includes recommendations on how to raise the organization's risk awareness. In alternate years only (odd-numbered years), the MS-ISAC and DHS aggregate all review data and share a high-level summary with all participants. The names of participants and their organizations are not identified in this report. This report is provided to Congress in alternate years (odd-numbered years) to highlight cybersecurity gaps and capabilities among our State, Local, Territorial and Tribal Governments.

Last Updated: Friday, November 18, 2016