IAF develop and implement an enterprise risk management policy that fully defines the Foundation's risk management policies, procedures, and strategy, including the organization's processes and methodologies for (a) categorizing risk; (b) developing a risk profile; (c) assessing risk and risk appetite/tolerance levels and responding to risk; and (d) monitoring risk.
IAF (a) create a change control board or related oversight body, composed of knowledgeable individuals from across functional departments that reviews, approves, and manages changes to configuration items; and (b) ensure that the oversight body formed in "a" above develops a configuration management plan that documents roles and responsibilities and configuration management processes, including identifying and managing configuration items at the appropriate point in an organization's software development life cycle; performing configuration monitoring; and applying configuration management requirements to contracted systems. The plan should also ensure that the originator and approver of changes are not the same person.
IAF test and exercise the Foundation's continuity of operations plan and document the specific test and exercise activities conducted, along with their results.
IAF remediate configuration-related vulnerabilities in the network identified by the Office of Inspector General, as appropriate, and document the results or document acceptance of the risks of those vulnerabilities.