Establish, implement, and maintain a risk assessment program.


CONTROL ID
00687
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain the risk assessment framework., CC ID: 00685

This Control has the following implementation support Control(s):
  • Address past incidents in the risk assessment program., CC ID: 12743
  • Employ third parties when implementing a risk assessment, as necessary., CC ID: 16306
  • Include the need for risk assessments in the risk assessment program., CC ID: 06447
  • Include the information flow of restricted data in the risk assessment program., CC ID: 12339
  • Establish and maintain the factors and context for risk to the organization., CC ID: 12230
  • Establish, implement, and maintain a financial plan to support the risk management strategy., CC ID: 12786
  • Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria., CC ID: 12903
  • Address cybersecurity risks in the risk assessment program., CC ID: 13193
  • Establish, implement, and maintain Data Protection Impact Assessments., CC ID: 14830
  • Use the risk taxonomy when managing risk., CC ID: 12280
  • Establish, implement, and maintain a risk assessment policy., CC ID: 14026
  • Establish, implement, and maintain risk assessment procedures., CC ID: 06446
  • Perform risk assessments for all target environments, as necessary., CC ID: 06452
  • Establish, implement, and maintain a risk assessment awareness and training program., CC ID: 06453
  • Evaluate the effectiveness of threat and vulnerability management procedures., CC ID: 13491


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The Board of Directors must ensure the organization identifies risk on an ongoing process, measures the impact of each identified risk, and proactively manages each identified risk. (¶ 3.1.3, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002)
  • formal risk assessment is conducted periodically by, for instance, the function(s) designated by the senior management under subsection 3.3.1(i) above or an independent party (such as the assessor), to determine whether any independent assessment should be performed during the year, and if so, the s… (§ 3.3.1(iv), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • In addition, AIs should manage the risk associated with fraudulent websites, phishing emails or similar scams (which may involve Internet banking mobile applications (Apps)) which are designed to trick their customers into revealing sensitive customer information such as account numbers, Internet ba… (§ 4.4.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • In addition, AIs should manage the risk associated with fraudulent websites, malicious mobile applications (Apps), fake Internet banking Apps, phishing emails or similar scams which are designed to trick their customers into revealing sensitive customer information such as account numbers, Internet … (§ 4.3.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • Conducting a threat assessment which may include aspects like acts of nature, acts of war, accidents, malicious acts originating from inside or outside the organization (Critical components of information security 2) 3) Bullet 2, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Institutions are ultimately responsible and accountable for maintaining oversight of CS and managing the attendant risks of adopting CS, as in any other form of outsourcing arrangements. A risk-based approach should be taken by institutions to ensure that the level of oversight and controls are comm… (6.8, Guidelines on Outsourcing)
  • risk assessment – assess the potential impact and likelihood of threats and vulnerabilities to the FI and information assets; (§ 4.1.4(b), Technology Risk Management Guidelines, January 2021)
  • A process should be established to assess the risk of end user developed or acquired applications to the FI, and ensure appropriate controls and security measures are implemented to address the identified risks, and approval is obtained before being used. The FI should ensure proper testing before t… (§ 6.5.3, Technology Risk Management Guidelines, January 2021)
  • The FI should establish policies, standards and procedures and, where appropriate, incorporate industry standards and best practices to manage technology risks and safeguard information assets in the FI. The policies, standards and procedures should also be regularly reviewed and updated, taking int… (§ 3.2.1, Technology Risk Management Guidelines, January 2021)
  • Approaching risk assessment from the perspective that some risks may yield advantages as well as examining those that may cause problems. With problematic risks the goal is to find ways to prevent them from affecting the organization negatively in the first place. If a risk does cause a problem for … (Pg 16, Pg 17, Australia Better Practice Guide - Business Continuity Management, January 2000)
  • The IT security risk management process is a continuous and dynamic process that ensures emerging IT vulnerabilities/threats are identified, assessed and appropriately managed in a timely manner. (¶ 19, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • identify and assess the ICT and security risks to which a financial institution is exposed; (3.3.1 13(b), Final Report EBA Guidelines on ICT and security risk management)
  • ICT risk in the institution's Risk management framework –whether the institution's risk management and internal control framework adequately safeguards the institution's ICT systems. (Title 2 2.1 22.c, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment ins… (4.5 32, Final Report on EBA Guidelines on outsourcing arrangements)
  • a risk assessment plan to identify risks; (Art. 7.1(f), Directive (EU) 2016/1148 OF The European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
  • When conducting the digital operational resilience testing programme referred to in paragraph 1 of this Article, financial entities, other than microenterprises, shall follow a risk-based approach taking into account the criteria set out in Article 4(2) duly considering the evolving landscape of ICT… (Art. 24.3., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • In order to determine the protection needs of the device, the potential damage to the relevant business processes must be considered in its entirety. The results of defining the protection needs of devices should be documented in a table if such results have an impact on information security. Only d… (§ 8.2.6 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Risk analyses could possibly identify further requirements to be fulfilled as well as safeguards to be implemented. These too should be drawn up in the form of a table. These additional requirements and safeguards should be arranged by subject in line with the target objects examined during modellin… (§ 9.1 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The internal assessment process should identify the different gradations of risk and should correspond to the external ratings. The risk assessment methodology should identify the key business factors and internal control factors that can modify the organization's risk profile. The framework for ass… (¶ 620(d), ¶ 676, ¶ 730, Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework)
  • Establish the context in which the risk assessment framework is applied to ensure appropriate outcomes. This should include determining the internal and external context of each risk assessment, the goal of the assessment, and the criteria against which risks are evaluated. (PO9.2 Establishment of Risk Context, CobiT, Version 4.1)
  • When designing the organization's e-commerce web site, operational needs and risk factors should be the number one concern. Areas that should be considered include privacy, reliability, refund policies, and customer service access. (Pg 17, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business)
  • The organization puts into place effective risk assessment mechanisms that involve appropriate levels of management. (§ 3 Principle 7 Points of Focus: Involves Appropriate Levels of Management, COSO Internal Control - Integrated Framework (2013))
  • The risk assessment approach chosen by the organization should address all of the organization's requirements. BS ISO/IEC 27001 describes the mandatory elements a risk assessment approach should contain. (§ 6.5.2, § 6.5.3, BS 25999-1, Business continuity management. Code of practice, 2006)
  • The risk assessment should look at the organization and the IT services from a physical and from an organizational perspective. (§ 7 ¶ 4, PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • The effectiveness and usefulness of the risk assessment results need to be identified by the auditors. This should be directly based on the methodology and the proper execution of the risk assessment. If the methodology input is not applied correctly or is deficient, the output is likely to be incom… (§ 5 ¶ 2, IIA Global Technology Audit Guide (GTAG) 11: Developing the IT Audit Plan)
  • Risks, both internal and external, must be continually assessed in order to address risks in a timely manner and respond to a changing risk environment. (§ 5 (Conclusion) ¶ 1, IIA Global Technology Audit Guide (GTAG) 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment)
  • An appropriate risk assessment technique or approach should be used by the auditor to develop an overall plan to effectively allocate IT audit resources. The risks for each IT layer can only be identified by reviewing the IT-related risks in conjunction with the processes and objectives of the organ… (§ 4.5 ¶ 1, § 4.5 (Static Versus Dynamic Risk), IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • Internal auditors should define the applications, databases, and supporting technology and summarize the risk and controls that were documented in the risk assessment in order to add value to the organization-wide application control risk assessment activities. (§ 3 (Application Control: Risk Assessment Approach), IIA Global Technology Audit Guide (GTAG) 8: Auditing Application Controls)
  • A formal and documented evaluation process must be established, implemented, and maintained by the organization to systematically conduct asset identification and valuation to identify critical activities, products, services, partnerships, functions, stakeholder relationships, supply chains, and the… (§ 4.3.1 ¶ 1, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The organization should conduct a security survey to determine what type of security currently exists, to identify any deficiencies, to determine what protection is needed, and to recommend additional security measures to improve the overall security of the organization. (Pg 19-I-2, Protection of Assets Manual, ASIS International)
  • Security monitoring arrangements should enable key decision-makers to manage information risk effectively. (SI.02.01.08a, The Standard of Good Practice for Information Security)
  • Security monitoring arrangements should enable key decision-makers to manage information risk effectively. (SI.02.01.08a, The Standard of Good Practice for Information Security, 2013)
  • The organization shall provide a Risk Management plan to help plan the Risk Management for the medical Information Technology network. (§ 4.3.1 ¶ 1(c), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The Risk Management plan shall include the medical Information Technology network description, including a list of shareholders to notify about risks. (§ 4.3.5 ¶ 1(a)(1), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • ¶ 6 An organization should select a corporate risk analysis strategy, after assessing the security requirements of the IT systems and services. The recommended option involves conducting a high level risk analysis for all IT systems to identify those systems at high risk. These systems are then exa… (¶ 6, ¶ 8, ¶ 9.1, ISO 13335-3 Information technology - Guidelines for the management of IT Security - Part 3: Techniques for the management of IT Security, 1998)
  • ¶ 7 Basic Assessments. An organization should perform a safeguard assessment and selection. The process of safeguard selection always requires identifying the type and characteristic of the IT system considered (for example, a standalone workstation, or a workstation connected to a network), since … (¶ 7, ¶ 7.1, ¶ 7.2, ¶ 7.3, ¶ 8.1.7, ¶ 12, ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • The medical device manufacturer shall establish, document, and maintain a process to identify hazards for medical devices, to estimate and evaluate the risks, to control the risks, and to monitor the effectiveness. (§ 3.1, ISO 14971:2007 Medical devices -- Application of risk management to medical devices, 2007)
  • Management shall define the procedures for managing Information Security risks and the criteria for accepting risks. (§ 6.6.1 ¶ 1(c), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The service provider shall implement and operate technical, administrative, and physical Information Security controls to manage Information Security risks. (§ 6.6.2 ¶ 1(d), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The organization shall define and apply an information security risk assessment process that: (§ 6.1.2 ¶ 1, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • A systematic approach for estimating the magnitude of risks and for determining the significance of the risks should be used for risk assessments. (§ 4.1, ISO 27002 Code of practice for information security management, 2005)
  • The governing body should consider and manage risk associated with its own activities in accordance with the organizational risk framework. For example, the governing body should: (§ 6.9.3.3 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in 6.1, by: (§ 8.1 ¶ 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The organization shall define and apply an information security risk assessment process that: (§ 6.1.2 ¶ 1, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • The organization defines and applies an information security risk assessment process. (§ 6.1.2 Required activity, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The entity puts into place effective risk assessment mechanisms that involve appropriate levels of management. (CC3.2 ¶ 3 Bullet 3 Involves Appropriate Levels of Management, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The cyber risk management program is integrated into daily operations and is tailored to address enterprise-specific risks (both internal and external) and evaluate the organization's cybersecurity policies, procedures, processes, and controls. (GV.RM-1.2, CRI Profile, v1.2)
  • The organization identifies, documents, and analyzes threats that are internal and external to the firm. (ID.RA-3.1, CRI Profile, v1.2)
  • The organization identifies, documents, and analyzes threats that are internal and external to the firm. (ID.RA-3.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The cyber risk management program is integrated into daily operations and is tailored to address enterprise-specific risks (both internal and external) and evaluate the organization's cybersecurity policies, procedures, processes, and controls. (GV.RM-1.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The risk management philosophy should be understood by all personnel in order for them to recognize and effectively manage risk. The risk philosophy should be reflected in the organization's risk policy and the everyday actions taken by management. (Pg 19, Pg 20, COSO Enterprise Risk Management (ERM) Integrated Framework (2004))
  • The risk assessment process should identify, analyze, and manage the risks to preparing the financial statements. The auditor should evaluate the organization to determine how risks are identified, how estimates of the risks occurring are determined, and how management decides what actions to take t… (§ 314.76 thru § 314.79, SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement)
  • The entity puts into place effective risk assessment mechanisms that involve appropriate levels of management. (CC3.2 Involves Appropriate Levels of Management, Trust Services Criteria)
  • The entity puts into place effective risk assessment mechanisms that involve appropriate levels of management. (CC3.2 ¶ 3 Bullet 3 Involves Appropriate Levels of Management, Trust Services Criteria, (includes March 2020 updates))
  • Principle: Firms should conduct regular assessments to identify cybersecurity risks associated with firm assets and vendors and prioritize their remediation. Effective practices include establishing and implementing governance frameworks to: - identify and maintain an inventory of assets authorized… (Cybersecurity Risk Assessment, Report on Cybersecurity Practices)
  • Members should maintain an inventory of critical information technology hardware with network connectivity, data transmission or data storage capability and an inventory of critical software with applicable versions. Members should identify the significant internal and external threats and vulnerabi… (Information Security Program Bullet 2 Security and Risk Analysis ¶ 2, 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs)
  • Does the risk assessment program contain a risk training plan? (§ A.1.7, Shared Assessments Standardized Information Gathering Questionnaire - A. Risk Management, 7.0)
  • Has ownership of the risk assessment program been assigned? (§ A.1.10, Shared Assessments Standardized Information Gathering Questionnaire - A. Risk Management, 7.0)
  • Is there a risk assessment program that has been approved by management? (§ A.1, Shared Assessments Standardized Information Gathering Questionnaire - A. Risk Management, 7.0)
  • Does the risk assessment program have an owner to maintain and review it? (§ A.1, Shared Assessments Standardized Information Gathering Questionnaire - A. Risk Management, 7.0)
  • Program managers must evaluate counterfeit risk and implement countermeasures for mission critical components. (§ 2 Item 2, Overarching DoD Counterfeit Prevention Guidance, Memorandum for Secretaries of the Military Departments, Directors of the Defense Agencies)
  • The organization is required to complete an information security risk assessment. This assessment should address the system's internal and external information threats, along with their likelihood. (§ 3.1 ¶ 1, CMS Information Security Risk Assessment (IS RA) Procedure, Version 1.0 Final)
  • The organization must use a risk-based approach to reduce the frequency and impact of counterfeit material by applying prevention and early detection procedures. (§ 3.b(1), DoD Instruction 4140.67, DoD Counterfeit Prevention Policy)
  • The organization must use a risk-based approach to reduce the frequency and impact of counterfeit material by strengthening the oversight and surveillance procedures for critical materiel. (§ 3.b(2), DoD Instruction 4140.67, DoD Counterfeit Prevention Policy)
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. (§ 164.306(a)(2), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • § 3.1 ¶ 4 The critical DIB asset risk assessment process should provide an evaluation of the factors that may cause the direct, indirect, temporary, or permanent loss or degradation of critical materials and services and should include: • an industrial and business analysis that defines the busi… (§ 3.1 ¶ 4, § 3.2, § 3.3, Defense Industrial Base Information Assurance Standard)
  • Determine whether the financial institution's and TSP's risk management strategies are designed to achieve resilience, such as the ability to effectively respond to wide-scale disruptions, including cyber attacks and attacks on multiple critical infrastructure sectors. (TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether management conducts a risk assessment sufficient to evaluate the likelihood and impact of potential disruptions and events. (III.B, "Risk Assessment") (App A Objective 5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Internally identified threats. (App A Objective 1:4b, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Management identification and evaluation of AIO-related risks, definition of short- and long-term objectives, and creation of policies and procedures to mitigate those risks. (App A Objective 2:2b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The entity's overall risk assessment and profile. (App A Objective 1:1f, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Risk assessment, priority, and mitigation across the institution. (App A Objective 4:1 a., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Has a process to identify internal and external threats. (App A Objective 10:1 c., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determines the potential impacts of events and threats, internal and external. (App A Objective 11:1 d., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • External or insider events. (App A Objective 11:2 c., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Department self-assessments. (App A Objective 10:2 h., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • A risk assessment methodology should be established and approved by management. It should identify the organization's data, applications, operating systems, technology, facilities, personnel, business activities, and business processes and should use a scoring system. (Pg 15, Exam Tier II Obj D.2, FFIEC IT Examination Handbook - Audit, August 2003)
  • The internal and external risks to the project should be identified, assessed, monitored, reported, and managed. (Pg 10, FFIEC IT Examination Handbook - Development and Acquisition)
  • Senior management should identify, monitor, control, and measure technologies to try to avoid risks that threaten the organization. An effective risk assessment approach should be implemented to help in improving policies and internal controls for the organization. (Pg 15, Pg 21, Exam Obj 5.2, FFIEC IT Examination Handbook - Management)
  • The risk assessment should be based on the size, complexity, and nature of the organization. Some factors the organization should consider are how critical the information is to the business; the classification of the data; the number of employees, customers, and/or users; the source of the applicat… (Pg 13, FFIEC IT Examination Handbook - Operations, July 2004)
  • The following factors should be considered when evaluating the risk of outsourcing services: the sensitivity of the data accessed and controlled by the service provider; the volume of transactions; the criticality to the business; the ability of the service provider to maintain business continuity; … (Pg 7, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • With respect to compliance risk, determine whether management identified the applicable risks related to MFS. Review whether management understands that the consumer laws, regulations, and supervisory guidance that apply to a given financial product or payment method generally apply regardless of th… (AppE.7 Objective 3:6, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Determine whether any of the financial institution's RDC customers use a service provider in the RDC process. If so, evaluate how the financial institution manages risks, and whether the process is adequate. (App A Tier 2 Objectives and Procedures N.4 Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • When assessing the risks, the examiners should evaluate the service provider's policies; the service provider's controls and operational procedures; the service provider's technical expertise; and how the service provider measures performance, makes decisions about risk, and assesses the effectivene… (Pg 5, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, March 2003)
  • The organization should implement measures to identify and mitigate legal risks. (Pg 22, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • Does the Credit Union have a written risk assessment about implementing the appropriate authentication methodologies? (IT - Authentication Q 31, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • C-SCRM activities performed at Level 2 focus on assessing, responding to, and monitoring risk exposure arising from the mission and business process dependencies on suppliers, developers, system integrators, external system service providers, and other ICT/OT-related service providers. Risk exposure… (2.3.3. ¶ 5, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Assess risk. Review and interpret criticality, threat, vulnerability, likelihood, impact, and related information. (2. ¶ 1 Bullet 2, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Identify assumptions that affect how risk is assessed, responded to, and monitored within the enterprise. (Task 1-1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Finally, the enterprise will complete the procurement step by releasing a statement of work (SOW), performance work statement (PWS), or statement of objective (SOO) for the release of a request for proposal (RFP) or request for quotes (RFQ). Any bidders responding to the RFP or RFQ should be evaluat… (3.1.2. ¶ 7, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Establish formal processes and intervals for continuous monitoring and reassessment of suppliers, supplied products and services, and the supply chain itself for potential changes to the risk profile. (3.4.2. ¶ 1 Bullet 3, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers) (RS.AN-5, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers) (RS.AN-5, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Risk management processes are established, managed, and agreed to by organizational stakeholders. (ID.RM-1, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • The determination of the risk assessments scope and methodology is called for. This includes identifying "the system under consideration, the part of the system to be analyzed, and the analytical method including its level of detail and formality." (§ 3.3.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • For an ICS, a very important aspect of the risk assessment is to determine the value of the data that is flowing from the control network to the corporate network. In instances where pricing decisions are determined from this data, the data could have a very high value. The fiscal justification for … (§ 6.2.14 ICS-specific Recommendations and Guidance ¶ 2, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Manage threat or target analysis of cyber defense information and production of threat information within the enterprise. (T0149, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide input to or develop courses of action based on threat factors. (T0728, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Review findings from the continuous monitoring program and mitigate risks on a timely basis. (T1007, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization should identify all risks, both internal and external, that could prevent the organization from meeting its objectives. (Pg 24, Implementation Guide for OMB Circular A-123 Management's Responsibility for Internal Control)
  • The auditor should identify all significant accounts and disclosures to determine the controls to test. The auditor should evaluate quantitative and qualitative factors. Qualitative and quantitative factors include the size of the accounts; susceptibility to errors or fraud; activity volume; possibi… (¶ 60, ¶ 65, PCAOB Auditing Standard No. 2)
  • The auditor should identify the points in the organization where misstatements could occur, the controls that have been implemented to prevent, detect, or correct any misstatements, and the controls that have been implemented to prevent or detect unauthorized acquisition, use, or disposition of asse… (¶ 34, PCAOB Auditing Standard No. 5)
  • A risk-based corporate security program should be established and implemented by each pipeline operator to address and document the organization's policies and procedures for managing security related threats, incidents, and responses. In addition, each operator should: (2 ¶ 1, Pipeline Security Guidelines)
  • Monitor for unauthorized access or the introduction of malicious code or communications. (Table 2: Security Continuous Monitoring Baseline Security Measures Cell 1, Pipeline Security Guidelines)
  • Conduct an SVA for newly identified or constructed critical facilities within 12 months of designation or after achieving operational status. (Table 1: Design and Construction Enhanced Security Measures Cell 1, Pipeline Security Guidelines)
  • The Federal government will continue to enhance coordination between CISA and other SRMAs, invest in the development of SRMA capabilities, and otherwise enable SRMAs to proactively respond to the needs of critical infrastructure owners and operators in their sectors. The Federal Government will coll… (STRATEGIC OBJECTIVE 1.2 ¶ 3, National Cybersecurity Strategy)
  • Each covered entity shall conduct a periodic risk assessment of the covered entity's information systems sufficient to inform the design of the cybersecurity program as required by this Part. Such risk assessment shall be reviewed and updated as reasonably necessary, but at a minimum annually, and w… (§ 500.9 Risk Assessment (a), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • identifies reasonably foreseeable internal and external risks; (§ 899-bb. 2(b)(ii)(A)(2), New York General Business Law Chapter 20, Article 39-F, Section 899-BB)