Scoping, Likelihood of Occurrence, and Impact Determination
Scoping consists of identifying and classifying the type of application or information system to be assessed and determining the type and extent of the restricted data. The system is determined to contain restricted data if it produces, captures, stores, processes, or transmits PHI, ePHI, PII, student, financial, business confidential, or other restricted data. DSCP will work with the system owners or Control Point to determine and document the likelihood or probability of threat occurrence and the potential adverse impact of threat occurrence, based on business function, system criticality, and the amount and type of restricted data.
Threats and Vulnerabilities Identification
DSCP will work with the Control Point, Business Unit or Enterprise component to identify, characterize, document, and prioritize known and potential threats and vulnerabilities to the information resources.