The organization will ensure that it establishes a proper risk assessment approach to handle reasonably foreseeable internal and external threats that could compromise the confidentiality, integrity, or availability of IT assets. [UCF ID 00687]
Supporting and supported controls
This control directly supports:
• Risk Assessment [UCF Control ID 00685]
This control has the following supporting controls:
• Establishing processes for risk profiling [UCF Control ID 01157]
Authority documents complied with:
Australia Better Practice Guide - Business Continuity Management Pg 16-17; Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework 620(d), 676, 730; FFIEC IT Examination Handbook – Information Security Pg 11, Pg 14, Exam Tier I Obj 3.2; FFIEC IT Examination Handbook – Development and Acquisition Pg 10; FFIEC IT Examination Handbook – Audit Pg 15, Exam Tier II Obj D.2; FFIEC IT Examination Handbook – Management Pg 15, Pg 21, Exam Obj 5.2; FFIEC IT Examination Handbook – Operations Pg 13; FFIEC IT Examination Handbook – Outsourcing Technology Services Pg 7; FFIEC IT Examination Handbook – Supervision of Technology Service Providers Pg 5; FFIEC IT Examination Handbook – Wholesale Payment Systems Pg 22; CobiT 4.1 PO9.2; The Standard of Good Practice for Information Security SM3.4.1, SM3.4.2, SM3.4.3; ISO 17799:2000, Code of Practice for Information Security Management § ix; ISO 17799:2005 Code of Practice for Information Security Management § 4.1; ISO 27001:2005, Information Security Management Systems - Requirements § 4.2.1 (c); ISO/IEC 27002-2005 Code of practice for information security management § 4.1; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14 § 3.3.1; Computer Security Incident Handling Guide, NIST SP 800-61 § 3.1.2; The King Committee on Corporate Governance, Executive Summary of the King Report 2002 ¶ 3.1.3; VISA E-Commerce Merchants Guide to Risk Management Pg. 17; Sarbanes-Oxley Act (SOX) ¶ 60, ¶ 65; COSO Enterprise Risk Management (ERM) Framework Pg 19-20; PCAOB Audit Standard No. 5 ¶ 34; SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement § 314.76 - § 314.79; NCUA Guidelines for Safeguarding Member Information, 12 CFR 748 Pg 81
Sarbanes Oxley Guidance
¶ 60, ¶ 65 of PCAOB Auditing Standard No. 2 states that the auditor should identify all significant accounts and disclosures to determine the controls to test. The auditor should evaluate quantitative and qualitative factors. Qualitative and quantitative factors include the size of the accounts; susceptibility to errors or fraud; activity volume; possibility of liabilities; and changes in the account from the prior period.
¶ 34 of PCAOB Audit Standard No. 5 states that the auditor should identify the points in the organization where misstatements could occur, the controls that have been implemented to prevent, detect, or correct any misstatements, and the controls that have been implemented to prevent or detect unauthorized acquisition, use, or disposition of assets that could result in a material misstatement.
Pg 19-20 of COSO Enterprise Risk Management (ERM) Framework states that the risk management philosophy should be understood by all personnel in order for them to recognize and effectively manage risk. The risk philosophy should be reflected in the organization's risk policy and the everyday actions taken by management.
P. 24 of Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control states that the organization should identify all risks, both internal and external, that could prevent the organization from meeting its objectives.
§ 314.76 - § 314.79 of SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement states that the risk assessment process should identify, analyze, and manage the risks to preparing the financial statements. The auditor should evaluate the organization to determine how risks are identified, how estimates of the likelihood of the risks occurring are determined, and how management decides what actions to take to correct the problem(s). The business risks identified by the organization should be examined by the auditor to help determine whether they can result in a material misstatement on the financial statements.
Banking and Finance Guidance
The FFIEC IT Examination Handbook – Development and Acquisition Pg 10 states that the internal and external risks to the project should be identified, assessed, monitored, reported, and managed.
Credit Card Guidance
The VISA E-Commerce Merchants Guide to Risk Management Pg. 17 states that when designing the organization's e-commerce web site, operational needs and risk factors should be the number one concern. Areas that should be considered include privacy, reliability, refund policies, and customer service access.
US Federal Security Guidance
12 CFR Part 748 Pg 81 calls for the organization to create a risk assessment approach that includes preparing to handle "reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of member information or member information systems" by examining the likelihood and potential damage of threats and ensuring that policies, procedures, and systems are sufficient to control risks. Pg. 82 continues, stating that once risks are identified and prioritized, a program must be implemented to deal with them. Recommended security measures include access controls on member information systems, authentication devices, background checks for employees with special access privileges, and incident response programs.
NIST Guidance
NIST 800-14 § 3.3.1 calls for the determination of the risk assessment's scope and methodology. This includes identifying "the system under consideration, the part of the system to be analyzed, and the analytical method including its level of detail and formality."
NIST 800-61 Computer Security Incident Handling Guide § 3.1.2 discusses reducing the frequency of security incidents by conducting a risk assessment. It offers a list of remedies for handling some of the problem spots an organization might uncover during an assessment. Items included in the discussion are patch management, host security, network security, malicious code prevention, and user awareness training.
International Standards Organization Guidance
ISO 17799 § ix calls for the assessment of security risks, "balancing the expenditure on controls against the business harm likely to result from security failures."
The ISO/IEC 27002-2005 Code of practice for information security management § 4.1 states that a systematic approach for estimating the magnitude of risks and for determining the significance of the risks should be used for risk assessments.
The ISO 27001:2005 Information Security Management Systems - Requirements § 4.2.1 (c) states that an appropriate risk assessment methodology should be chosen by the organization. The chosen methodology should produce comparable and reproducible results every time a risk assessment is conducted.
The ISO 17799:2005 Code of Practice for Information Security Management § 4.1 states that a systematic approach for estimating the magnitude of risks and for determining the significance of the risks should be used for risk assessments.
IT Infrastructure Library Guidance
ITIL Best Practice for Security Management 2.2.4 calls for conducting a risk analysis to best determine how to spend money and resources defending the organization against potential risks.
UK and Canadian Guidance
Other European and African Guidance
¶ 3.1.3 of The King Committee on Corporate Governance, Executive Summary of the King Report 2002 states that the Board of Directors must ensure the organization identifies risk as an ongoing process, measures the impact of each identified risk, and proactively manages each identified risk.
Asia and Pacific Rim Guidance
The Australia BCM Guide Pg 16-17 recommends approaching risk assessment from the perspective that some risks may yield advantages, while also examining those that may cause problems. With problematic risks, the goal is to find ways to prevent them from affecting the organization negatively in the first place. If a risk does cause a problem for an organization, there should be measures in place to handle it. A comprehensive approach to risk management, therefore, considers risk treatments proactively, by designing and implementing controls to prevent risk events from occurring, and reactively, by mitigating the consequences of risk events should they occur.
