Risk Assessment

Annex E

E. Confidentiality and Document Protection

There are numerous approaches and reference materials related to Sensitive Security Information (SSI) control, document classification, custodial care, maintenance, methods of distribution/transmittal/storage, and protection against disclosure to unauthorized entities. The methods of classification and restrictions related to distribution may have many variables depending upon the governing body, security clearance requirements and their contractual relationship with the assessor organization.

Confidentiality and document protection procedures should, as a minimum, determine and define:

  • The relationship between stakeholders and assessor(s);

  • Minimum expectations related to classification of:

    • Information;

    • Descriptive data or images, and photographic images;

    • Plans;

    • Media encryption; and

    • Methods in which information is to be controlled.

  • Control, classification and marking protocols;

  • Protection and custodial care of information, digital images, plans, notes and other site/facility specific documentation while travelling, transmitting and in possession of the assessor(s);

  • Protective storage and accessibility requirements for all information and data while in the possession of the assessor(s) or stakeholder, including the method for obtaining access to specific information and the requirements for tracking its distribution, reproduction and destruction; and

  • Penalties, along with mitigation, reporting, investigative and recovery requirements, related to inadvertent or deliberate disclosure of SSI.
