Assessment Level

Details of the three risk assessment levels

In IT Risk Assessment (ITRA), changes are categorized into three levels: Level 1, Level 2, and Level 3. The level assigned to a change determines how much scrutiny it receives: which controls apply, its criticality rating, whether and how deeply the risk assessment is reviewed, and the cadence of quality checks. This tiered approach keeps routine changes moving while concentrating review effort on the changes that carry real risk, and it aligns with NIST SP 800-53 (for example, CM-3 Configuration Change Control and RA-3 Risk Assessment).

Each level is described by the same seven attributes: change level, criteria (key triggers), applicable controls, criticality, risk assessment review, NIST alignment, and quality check.

Level 1

Criteria (key triggers), any one of which places a change at Level 1:
- New or modified confidential data or PII
- Asset reclassification to critical
- Addition of a cloud service or third party
- Major process or architecture change

Applicable controls: ITRA questionnaire plus a full or sample-based review.

Criticality: High for large-scale projects with major operational, financial, or regulatory impact (e.g., new systems, cloud services); Medium for smaller projects with the same kinds of impact.

Risk assessment review: High criticality receives a full ITRA review after the project manager confirms the change details; Medium criticality receives a sample-based review. Sample sizes are set by the number of identified risks/controls in the ITRA: 2 or fewer: 1 sample; 3 to 12: 2; 13 to 52: 5; 53 to 365: 20; more than 365: 25.

NIST alignment: CM-3 (full change control), RA-3 (comprehensive risk assessment), SA-10 (developer configuration management).

Quality check: Quarterly, covering all closed ITRAs.

Level 2

Criteria (key triggers): routine updates to pre-approved systems, such as:
- UI improvements
- Algorithm optimizations
- Bug and security fixes
- Feature additions that do not require a redesign
Currently approved under this level: ITWS FO Monthly Release.

Applicable controls: pre-defined Standard Change control list.

Criticality: Low.

Risk assessment review: not applicable; direct sign-off.

NIST alignment: CM-3 (baseline change control).

Quality check: Quarterly, covering all closed ITRAs.

Level 3

Criteria (key triggers): minimal impact, documented in a triage summary, where all of the following hold:
- No uplift in asset criticality
- No change to PII handling
- No third-party, process, or architecture change

Applicable controls: pre-defined Brief Change control list.

Criticality: Low.

Risk assessment review: not applicable; direct sign-off.

NIST alignment: CM-3 (minimal documentation).

Quality check: Quarterly, covering all closed ITRAs.
