Correlate the business impact of identified risks in the risk assessment report.


CONTROL ID
00686
CONTROL TYPE
Audits and Risk Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain the risk assessment framework., CC ID: 00685

This Control has the following implementation support Control(s):
  • Conduct a Business Impact Analysis, as necessary., CC ID: 01147
  • Analyze and quantify the risks to in scope systems and information., CC ID: 00701


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Standard § II.3(3): Business processes should be analyzed, key controls that have an impact on financial reporting reliability should be identified, and basic internal control components should be assessed to ensure they are operating with regard to the key controls. Practice Standard § II.3(3)[1]… (Standard § II.3(3), Practice Standard § II.3(3)[1], Practice Standard § III.4(2)[4].A, On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • There are well-known information systems security issues associated with applications software, whether the software is developed internally or acquired from an external source. Attackers can potentially use many different paths through the application to do harm to the business. Each of these paths… (Critical components of information security 11) b., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The organization must value the assets in terms of impact from loss or failure of integrity, availability, and confidentiality. (Security Policy No. 1 ¶ 7.3, HMG Security Policy Framework, Version 6.0 May 2011)
  • Management has the responsibility to understand the nature of the risks to the organization and to ensure that the risk management process is appropriate in terms of the risk profile and business plan. (¶ 728, Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework)
  • The organization should provide sufficient information about its impacts in relation to each material topic so that information users can make informed assessments and decisions about the organization. If the disclosures from the Topic Standards do not provide sufficient information about the organi… (Requirement 5 Guidance to 5-a ¶ 5, GRI 1: Foundation 2021)
  • Assess on a recurrent basis the likelihood and impact of all identified risks, using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual risk should be determined individually, by category and on a portfolio basis. (PO9.4 Risk Assessment, CobiT, Version 4.1)
  • An internal review should be conducted on all areas of potential weakness to help the organization determine a strategy of improved resilience. (§ 5.4 ¶ 1, PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • The information an auditor needs to define the IT audit universe and to perform a risk assessment can be provided by a top-down approach and the following eight IT environment factors: the degree of geographic and system centralization; what technologies are deployed; how customized the applications… (§ 3.3, § 5.1.1 ¶ 1, § 5.1.1 ¶ 2, IIA Global Technology Audit Guide (GTAG) 11: Developing the IT Audit Plan)
  • The mission, key business objectives, and subobjectives must be understood by auditors in order to identify and assess the organization's levels of risk. The auditors must know what could happen during normal operations, and where, and which could happen as a result of an unusual event. The Chief Au… (§ 6 (Understand the Areas of Potential Risk), IIA Global Technology Audit Guide (GTAG) 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment)
  • The following areas of risk should be addressed when preparing a risk assessment and planning an audit: infrastructure, applications, legal and organizational, and business processes. (§ 5.4 ¶ 1, IIA Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks)
  • While defining the scope of the organizational resilience management system, the organization must determine the risk scenarios, based on potential external and internal events, that potentially could adversely affect its critical functions and operations. (§ 4.1.1 ¶ 2(d), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • Information risk assessments should ensure that the results of assessments include an assessment of the level of potential business impact and likelihood of threats materialising. (SR.01.02.07b, The Standard of Good Practice for Information Security)
  • Security monitoring arrangements should provide key decision-makers with financial information including the Return On Security Investment of deployed controls (e.g., tangible (financial) and intangible (non-financial) benefits). (SI.02.01.07c, The Standard of Good Practice for Information Security)
  • The analysis of confidentiality requirements should determine how the disclosure of confidential information could have an employee-related impact on the organization in terms of injury or death. (SR.01.03.05b, The Standard of Good Practice for Information Security)
  • The results of security audits should include important information and ratings about implications (e.g., values entered in a business impact reference table, such as very low to very high). (SI.01.04.02d, The Standard of Good Practice for Information Security)
  • Security monitoring arrangements should provide key decision-makers with financial information including the Return On Security Investment of deployed controls (e.g., tangible (financial) and intangible (non-financial) benefits). (SI.02.01.07c, The Standard of Good Practice for Information Security, 2013)
  • The analysis of confidentiality requirements should determine how the disclosure of confidential information could have an employee-related impact on the organization in terms of injury or death. (SR.01.03.05b, The Standard of Good Practice for Information Security, 2013)
  • The results of security audits should include important information and ratings about implications (e.g., values entered in a business impact reference table, such as very low to very high). (SI.01.04.02d, The Standard of Good Practice for Information Security, 2013)
  • Information risk assessments should ensure that the results of assessments include an assessment of the level of potential business impact and likelihood of threats materialising. (SR.01.02.10b, The Standard of Good Practice for Information Security, 2013)
  • Information risk assessments should be supported by reviewing intelligence information about impacts being experienced by major organizations (e.g., including those associated with brand, reputational, legal, operational, and financial impact). (SR.01.01.07d, The Standard of Good Practice for Information Security, 2013)
  • ¶ 6 An important part of the IT security management process is the assessment of risks, and how they can be reduced to an acceptable level. It is necessary to take into account the business objectives, as well as organizational and environmental aspects, and each IT system's specific needs and risk… (¶ 6, ¶ 7.1, ISO 13335-3 Information technology - Guidelines for the management of IT Security - Part 3: Techniques for the management of IT Security, 1998)
  • ¶ 10.1 Assessment of Security Concerns An organization should select appropriate safeguards in an effective way, by assessing the security concerns of the business operations supported by the IT system. By the identification of the security concerns, taking into account relevant threats that might … (¶ 10.1, ¶ 11.1, ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • ¶ 7.2 Identification Process. A recommended process for the identification and analysis of the communications related factors that should be taken into account to establish network security requirements, and the provision of an indication of the potential safeguard areas. When considering network c… (¶ 7.2, ¶ 10, ¶ 11, ¶ 11.1, ¶ 11.2, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • The organization should analyse compliance risks by considering causes and sources of noncompliance and the severity of their consequences, as well as the likelihood that noncompliance and associated consequences can occur. Consequences can include, for example, personal and environmental harm, econ… (§ 4.6 ¶ 3, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • the nature and level of risk associated with noncompliance; (§ 5.2.2 ¶ 1 d), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The organization should identify risks, whether or not their sources are under its control. Consideration should be given that there may be more than one type of outcome, which may result in a variety of tangible or intangible consequences. (§ 6.4.2 ¶ 3, ISO 31000 Risk management - Guidelines, 2018)
  • As part of AI risk assessment, the organization should identify risk sources, events or outcomes that can lead to risks. It should also identify any consequences to the organization itself, to individuals, communities, groups and societies. Organizations should take particular care to identify any d… (§ 6.4.2.6 ¶ 1, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize; (Section 6.1.2 ¶ 1(d)(1), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The scope of risks includes, but is not limited to, potential limitations on an entity's ability to deliver its own content, increased competition from edge providers that stream content, reputational harm with consumers, and/or possible restrictions on an entity's ability to generate new revenue st… (TC-TL-520a.3. 1.3, Telecommunication Services Sustainability Accounting Standard, Version 2018-10)
  • The organization's risk assessment approach includes identification of likelihood and potential business impact of applicable cyber risks being exploited. (ID.RA-4.1, CRI Profile, v1.2)
  • Potential business impacts and likelihoods are identified. (ID.RA-4, CRI Profile, v1.2)
  • The organization's risk assessment approach includes identification of likelihood and potential business impact of applicable cyber risks being exploited. (ID.RA-4.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • An impact analysis must be conducted by the organization to determine the potential detrimental impacts hazards may have on the health and safety of persons located in the affected areas, the health and safety of responders, continuity of operations, the facilities, property, and infrastructure, del… (§ 5.3.3, Annex A.5.3.3, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition)
  • § 3.3: The business owner should use the collected IT asset and risk data to analyze the potential impact on business functions and the system. The analysis should identify threats or events, such as capacity shortages, external manmade and natural threats, security breaches, systems development an… (§ 3.3, § 4.1 ¶ 2, CMS Information Security Risk Assessment (IS RA) Procedure, Version 1.0 Final)
  • Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. (§ 164.308(a)(1)(ii)(A), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • The risk assessment of critical DIB assets evaluates the factors that may cause the direct, indirect, temporary, or permanent loss or degradation of critical materials and services. (§ 3.1 ¶ 4, Defense Industrial Base Information Assurance Standard)
  • Proposed Uniform Rating System for IT (URSIT) management component rating and the potential impact of the examiner's conclusions on composite or other URSIT component ratings. (App A Objective 13:1c, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Potential impact of the examiner's conclusions on the entity's risk assessment(s). (App A Objective 13:1d, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Aggregate loss impacts and determine a rating scale to indicate impact severity. (App A Objective 4:4b, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Potential impact of the examiner's conclusions on the entity's risk assessment(s). (App A Objective 18:1d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Proposed Uniform Rating System for IT (URSIT) support and delivery component rating and the potential impact of the examiner's conclusions on composite or other URSIT component ratings. (App A Objective 18:1c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The proposed Uniform Rating System for Information Technology management component rating and the potential impact of the conclusion on the composite or other component IT ratings. (App A Objective 11.1.c, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Potential impact of conclusions on the institution's risk assessment. (App A Objective 11.1.d, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine the adequacy of the institution's IT operations planning and investment. Assess the adequacy of the risk assessment and the overall alignment with the institution's business strategy, including planning for IT resources and budgeting. (App A Objective 4, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether the institution's management of operational risk incorporates an enterprise-wide view of IT and business processes that are supported by technology. (App A Objective 8:2, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Proposed Uniform Rating System for Information Technology management component rating and the potential impact of the examiner's conclusions on composite or other component IT ratings. (App A Objective 14:1 c., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Potential impact of the examiner's conclusions on the institution's risk assessment. (App A Objective 14:1 d., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether a work flow analysis was performed to ensure that all departments and business processes, as well as their related interdependencies, were included in the BIA and risk assessment. (Exam Tier I Obj 3.1, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The organization should conduct a risk assessment of the criticality of the organization's applications and data in order for management to determine the back-up methodologies that should be used. (Pg 30, FFIEC IT Examination Handbook - Operations, July 2004)
  • Potential impact of the conclusions on the institution's risk assessment. (AppE.7 Objective 7:1 d., FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Current and emerging threats to mobile applications, weaknesses in mobile application security, and prevalence of mobile devices, common operating systems, and downloadable applications. (AppE.7 Objective 3:4 h., FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The organization should verify the effectiveness and integrity of the service provider's risk management controls and systems. (Pg 3, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, March 2003)
  • The Agencies use the Uniform Rating System for Information Technology (URSIT) to uniformly assess and rate IT-related risks of financial institutions and their TSPs. The primary purpose of this rating system is to evaluate the examined institution's overall risk exposure and risk management performa… (Uniform Rating System for Information Technology ¶ 1, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
  • At a high level, there are three parts to a risk assessment: determining an assessment's scope and methodology, collecting and analyzing data, and interpreting risk assessment results. Each of these three things is discussed in greater detail. This section is worth reviewing directly. (§ 3.3.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)