Correlate risk assessment to business impact

Status: Live

The organization will correlate its risk assessment approach to the business impact of the risks being evaluated. [UCF ID 00686]

Supporting and supported controls

This control directly supports:

This control has the following supporting controls:

Authority documents complied with:

Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework, ¶ 728; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Exam Tier I Obj 3.1; FFIEC IT Examination Handbook – Information Security, Pg 10; FFIEC IT Examination Handbook – Operations, July 2004, Pg 30; FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003, Pg 3; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.3.1; CobiT 4.1, PO9.1; The Standard of Good Practice for Information Security, SM3.4.4, SM3.4.6(b), CB5.3.3, CB5.3.5(b), CI5.4.2, CI5.4.4, CI5.4.6(b), NW4.4.2, NW4.4.4, NW4.4.6(b), SD3.5.4, SD3.5.6(b); ISO 27001:2005, Information Security Management Systems - Requirements, § 4.2.1(e), Annex A.6.2.1

Banking and Finance Guidance

Management has the responsibility to understand the nature of the risks to the organization and to ensure that the risk management process is appropriate in terms of the risk profile and business plan. [¶ 728, Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework]

[Exam Tier I Obj 3.1, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]

To be effective, the risk assessment process should be based on the operating environment and the business environment. Both technical and nontechnical information should be gathered to gain a thorough understanding of both environments. [Pg 10, FFIEC IT Examination Handbook – Information Security]

The organization should conduct a risk assessment of the criticality of the organization's applications and data in order for management to determine the back-up methodologies that should be used. [Pg 30, FFIEC IT Examination Handbook – Operations, July 2004]

The organization should verify the effectiveness and integrity of the service provider's risk management controls and systems. [Pg 3, FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003]

NIST Guidance

At a high level, there are three parts to a risk assessment: determining the assessment's scope and methodology, collecting and analyzing data, and interpreting the risk assessment results. Each of these three parts is discussed in greater detail in the source. This section is worth reviewing directly. [§ 3.3.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]

ISO Guidance

The organization should assess the business impact of a security failure. The assessment should look at the loss of confidentiality, integrity, and availability. The business impact of external parties accessing the organization's data should be identified and appropriate controls implemented. [§ 4.2.1(e), Annex A.6.2.1, ISO 27001:2005, Information Security Management Systems - Requirements]

General Guidance

The organization should integrate the IT governance, risk management and control framework with the organization's (enterprise’s) risk management framework. This includes alignment with the organization's risk appetite and risk tolerance level. [PO9.1, CobiT 4.1]

The risk analysis should determine the business impact of associated risks and take into account the critical business applications and networks that are supported by the installation (facility). [SM3.4.4, SM3.4.6(b), CB5.3.3, CB5.3.5(b), CI5.4.2, CI5.4.4, CI5.4.6(b), NW4.4.2, NW4.4.4, NW4.4.6(b), SD3.5.4, SD3.5.6(b), The Standard of Good Practice for Information Security]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.