Status: Live
The organization will establish a proper risk assessment approach to handle reasonably foreseeable internal and external threats that could compromise the confidentiality, integrity, or availability of IT assets. [UCF ID 00687]
Supporting and supported controls
This control directly supports:
- Risk Assessment [UCF Control ID 00685]
This control has the following supporting controls:
- Establishing processes for risk profiling [UCF Control ID 01157]
Authority documents complied with:
COSO Enterprise Risk Management (ERM) Integrated Framework (2004), Pg 19, Pg 20; PCAOB Auditing Standard No. 5, ¶ 34; SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, § 314.76 thru § 314.79; Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework, ¶ 620(d), ¶ 676, ¶ 730; FFIEC IT Examination Handbook – Audit, August 2003, Pg 15, Exam Tier II Obj D.2; FFIEC IT Examination Handbook – Development and Acquisition, Pg 10; FFIEC IT Examination Handbook – Information Security, Pg 11, Pg 14, Exam Tier I Obj 3.2; FFIEC IT Examination Handbook – Management, Pg 15, Pg 21, Exam Obj 5.2; FFIEC IT Examination Handbook – Operations, July 2004, Pg 13; FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004, Pg 7; FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003, Pg 5; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Pg 22; VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business, Pg 17; Protection of Assets Manual, ASIS International, Pg 19-I-2; NCUA Guidelines for Safeguarding Member Information, 12 CFR 748, July 1, 2001, Pg 81; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.3.1; Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1, § 3.1.2; CobiT 4.1, PO9.2; The Standard of Good Practice for Information Security, SM3.4.1 thru SM3.4.3; ISO 17799:2005 Code of Practice for Information Security Management, § 4.1; ISO 27001:2005, Information Security Management Systems - Requirements, § 4.2.1(c); ISO/IEC 27002-2005 Code of practice for information security management, § 4.1; Australia Better Practice Guide - Business Continuity Management, January 2000, Pg 16, Pg 17; Implementation Guide for OMB Circular A-123 Management's Responsibility for Internal Control, Pg 24; PCAOB Auditing Standard No. 2, ¶ 60, ¶ 65; The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002, ¶ 3.1.3; Archer Control Table, ATCS-005, ATCS-028
Sarbanes Oxley Guidance
The risk management philosophy should be understood by all personnel in order for them to recognize and effectively manage risk. The risk philosophy should be reflected in the organization's risk policy and the everyday actions taken by management. [Pg 19, Pg 20, COSO Enterprise Risk Management (ERM) Integrated Framework (2004)]
The auditor should identify the points in the organization where misstatements could occur, the controls that have been implemented to prevent, detect, or correct any misstatements, and the controls that have been implemented to prevent or detect unauthorized acquisition, use, or disposition of assets that could result in a material misstatement. [¶ 34, PCAOB Auditing Standard No. 5]
The risk assessment process should identify, analyze, and manage the risks to preparing the financial statements. The auditor should evaluate how the organization identifies risks, how it estimates the likelihood of those risks occurring, and how management decides what actions to take to address them. The auditor should examine the business risks identified by the organization to determine whether they could result in a material misstatement of the financial statements. [§ 314.76 thru § 314.79, SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement]
The organization should identify all risks, both internal and external, that could prevent the organization from meeting its objectives. [Pg 24, Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control]
The auditor should identify all significant accounts and disclosures to determine which controls to test. The auditor should evaluate both quantitative and qualitative factors, including the size of the accounts; susceptibility to errors or fraud; activity volume; the possibility of liabilities; and changes in the account from the prior period. [¶ 60, ¶ 65, PCAOB Auditing Standard No. 2]
Banking and Finance Guidance
The internal assessment process should identify the different gradations of risk and should correspond to the external ratings. The risk assessment methodology should identify the key business factors and internal control factors that can modify the organization's risk profile. The framework for assessing risks should be established by management. [¶ 620(d), ¶ 676, ¶ 730, Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework]
A risk assessment methodology should be established and approved by management. It should identify the organization's data, applications, operating systems, technology, facilities, personnel, business activities, and business processes and should use a scoring system. [Pg 15, Exam Tier II Obj D.2, FFIEC IT Examination Handbook – Audit, August 2003]
The internal and external risks to the project should be identified, assessed, monitored, reported, and managed. [Pg 10, FFIEC IT Examination Handbook – Development and Acquisition]
The risk assessment should look at how employees use the system on a day-to-day basis. The risk assessment should address employee access, use, and dissemination of information; how information is stored, processed, transmitted, and disposed of; and how to authenticate and authorize personnel who receive information, both physically and electronically. The risk assessment should look at all data and facilities of the organization, including remote facilities and physical access controls. [Pg 11, Pg 14, Exam Tier I Obj 3.2, FFIEC IT Examination Handbook – Information Security]
Senior management should identify, measure, monitor, and control the organization's technologies in order to avoid the risks that threaten the organization. An effective risk assessment approach should be implemented to help improve the organization's policies and internal controls. [Pg 15, Pg 21, Exam Obj 5.2, FFIEC IT Examination Handbook – Management]
The risk assessment should be based on the size, complexity, and nature of the organization. Some factors the organization should consider are how critical the information is to the business; the classification of the data; the number of employees, customers, and/or users; the source of the application software; any changes in the operating environment; risks from developing technology; and weaknesses found during audits. [Pg 13, FFIEC IT Examination Handbook – Operations, July 2004]
The following factors should be considered when evaluating the risk of outsourcing services: the sensitivity of the data accessed and controlled by the service provider; the volume of transactions; the criticality to the business; the ability of the service provider to maintain business continuity; the redundancy and reliability of communication lines; the experience of the service provider; and security, reliability, and scalability of the technology. [Pg 7, FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004]
When assessing the risks, the examiners should evaluate the service provider's policies; the service provider's controls and operational procedures; the service provider's technical expertise; and how the service provider measures performance, makes decisions about risk, and assesses the effectiveness of processes. [Pg 5, FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003]
The organization should implement measures to identify and mitigate legal risks. [Pg 22, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]
Payment Card Guidance
When designing the organization's e-commerce web site, operational needs and risk factors should be the primary concern. Areas that should be considered include privacy, reliability, refund policies, and customer service access. [Pg 17, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business]
US Federal Security Guidance
The organization should conduct a security survey to determine what type of security currently exists, to identify any deficiencies, to determine what protection is needed, and to recommend additional security measures to improve the overall security of the organization. [Pg 19-I-2, Protection of Assets Manual, ASIS International]
[Pg 81, NCUA Guidelines for Safeguarding Member Information, 12 CFR 748, July 1, 2001]
NIST Guidance
The scope and methodology of the risk assessment should be determined. This includes identifying "the system under consideration, the part of the system to be analyzed, and the analytical method including its level of detail and formality." [§ 3.3.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]
Conducting a risk assessment helps prevent security incidents from occurring frequently. The section offers a list of remedies for the problem areas an organization might uncover during an assessment, including patch management, host security, network security, malicious code prevention, and user awareness training. [§ 3.1.2, Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1]
ISO Guidance
A systematic approach for estimating the magnitude of risks and for determining the significance of the risks should be used for risk assessments. [§ 4.1, ISO 17799:2005 Code of Practice for Information Security Management]
An appropriate risk assessment methodology should be chosen by the organization. The chosen methodology should produce comparable and reproducible results every time a risk assessment is conducted. [§ 4.2.1(c), ISO 27001:2005, Information Security Management Systems - Requirements]
A systematic approach for estimating the magnitude of risks and for determining the significance of the risks should be used for risk assessments. [§ 4.1, ISO/IEC 27002-2005 Code of practice for information security management]
General Guidance
The organization should establish the context in which the risk assessment framework is applied to ensure appropriate outcomes. This includes determining the internal and external context of each risk assessment, the goal of the assessment and the criteria against which risks are evaluated. [PO9.2, CobiT 4.1]
A structured risk analysis methodology should be used when analyzing risks and should have a clearly defined scope. The methodology used should be properly documented and approved by management, consistent throughout the organization, automated through the use of software, usable for different sizes and types of systems, regularly reviewed to ensure it meets business needs, and easily understandable. [SM3.4.1 thru SM3.4.3, The Standard of Good Practice for Information Security]
Other European and African Guidance
The Board of Directors must ensure that the organization identifies risk as an ongoing process, measures the impact of each identified risk, and proactively manages each identified risk. [¶ 3.1.3, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002]
Asia and Pacific Rim Guidance
Risk assessment should be approached from the perspective that some risks may yield advantages, while also examining those that may cause problems. For problematic risks, the goal is to find ways to prevent them from affecting the organization negatively in the first place. If a risk does cause a problem for the organization, measures should be in place to handle it. A comprehensive approach to risk management therefore considers risk treatments proactively, by designing and implementing controls to prevent risk events from occurring, and reactively, by mitigating the consequences of risk events should they occur. [Pg 16, Pg 17, Australia Better Practice Guide - Business Continuity Management, January 2000]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
