Status: Live
The organization will develop, disseminate, and review: 1) a formal risk identification standard that addresses purpose, scope, and compliance; and 2) formal procedures to facilitate implementing the policy. [UCF ID 00698]
Supporting and supported controls
This control directly supports:
- Risk Assessment [UCF Control ID 00685]
This control has the following supporting controls:
- Threat and hazard identification [UCF Control ID 00699]
- Vulnerability identification [UCF Control ID 00700]
- Security categorization of systems, information, and data [UCF Control ID 01443]
Authority documents complied with:
COSO Enterprise Risk Management (ERM) Integrated Framework (2004), Pg 38, Pg 39; PCAOB Auditing Standard No. 5, ¶ 28, ¶ 30; SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, § 314.102, § 314.104, § 314.110; SAS 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained, § 318.08; AICPA SAS No. 94, The Effect of Information Technology on the Auditor's Consideration of Internal Controls, ¶ 38; FFIEC Guidance on Authentication in an Internet Banking Environment, Pg 2; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg 15, Pg 16, Exam Tier I Obj 1.4, Exam Tier I Obj 3.5; FFIEC IT Examination Handbook – Management, Pg 21; FFIEC IT Examination Handbook – Operations, July 2004, Pg 12, Pg 13; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Pg 36; FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003, Pg 3; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Pg 21; Standards for Safeguarding Customer Information; Final Rule, FTC 16 CFR 314, May 2002, § 314.4(b); Army Regulation 380-19: Information Systems Security, February 27, 1998, § 5-3.a; Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security, 6 CFR Part 27, § 27.230(a)(14); FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security, § 3.3, § 3.4.2 thru § 3.4.4; The National Strategy to Secure Cyberspace, February 2003, § IV.A.2.b; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.3.1; Business Continuity Institute (BCI) Good Practice Guidelines, 2005, Stage 1.1 Process; CobiT 4.1, PO9.3; The Standard of Good Practice for Information Security, SM3.4.5, SM3.4.6, SM6.6.3, CB5.3.4, CB5.3.5, CI2.5.4(b), CI5.4.6, CI5.4.5, NW4.4.5, NW4.4.6, SD3.5.5, SD3.5.6; ISO/IEC 15408-1:2005 Common Criteria for Information Technology Security Evaluation Part 1, § 6.1.1; ISO 17799:2005 Code of Practice for Information Security Management, § 4.1, § 4.2; ISO 27001:2005, Information Security Management Systems - Requirements, § 4.2.1(f); ISO/IEC 27002-2005 Code of practice for information security management, § 4.1, § 4.2; Australian Government ICT Security Manual (ACSI 33), § 2.4.19, § 3.7.32; Australia Better Practice Guide - Business Continuity Management, January 2000, Pg 20; BIS Sound Practices for the Management and Supervision of Operational Risk, ¶ 23, Principle 4; OMB Circular A-123 Management’s Responsibility for Internal Control, § I.A, § II.B; Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control, Pg 24, Pg 31; The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002, ¶ 3.2.3, ¶ 3.2.4, ¶ 4.2.3; Archer Control Table, ATCS-032; Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, Final Rule, November 9, 2007, App J to Part 41.II(a), App J to Part 41.II(b), App J to Part 222.II(a), App J to Part 222.II(b), App J to Part 334.II(a), App J to Part 334.II(b), App J to Part 571.II(a), App J to Part 571.II(b), App A to Part 681.II(b), App J to Part 717.II(b)
Sarbanes Oxley Guidance
The organization should identify all risk events that may occur. Events with a relatively remote possibility of occurring should be identified if the impact on achieving an objective is great. When identifying events, both internal and external factors should be considered. Internal factors include personnel, infrastructure, technology, and processes. External factors include the natural environment, the economy, political events, social events, and technology. [Pg 38, Pg 39, COSO Enterprise Risk Management (ERM) Integrated Framework (2004)]
The auditor should identify all significant accounts and disclosures and any assertions that could possibly contain a misstatement. The auditor should identify the likely sources of potential misstatements for significant accounts and disclosures. [¶ 28, ¶ 30, PCAOB Auditing Standard No. 5]
The auditor should identify risks, relate the risks to what could go wrong at the assertion level, and determine what the possibilities are of the risks causing a material misstatement. The auditor should determine if the identified risks relate to specific assertions or relate to the whole financial statement. The auditor should decide, in his/her judgment, which risks are significant risks. [§ 314.102, § 314.104, § 314.110, SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement]
The auditor's assessment of the identified risks should be used as a basis for the design and performance of audit procedures. [§ 318.08, SAS 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained]
[¶ 38, AICPA SAS No. 94, The Effect of Information Technology on the Auditor's Consideration of Internal Controls]
The risk assessment should identify the controls that are currently implemented on the system based on the risks that are identified. After the identification of all the risks, new controls should be implemented or controls should be improved, if possible, to help counter any known risks. [§ I.A, § II.B, OMB Circular A-123 Management’s Responsibility for Internal Control]
The organization should analyze the risk assessment and identify all risks and develop a plan for mitigating those risks. [Pg 24, Pg 31, Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control]
Banking and Finance Guidance
The organization should identify and assess the risks associated with any Internet-based services or products. [Pg 2, FFIEC Guidance on Authentication in an Internet Banking Environment]
Management should develop strategies for mitigating the risks that could occur from internal and external interdependencies. Mitigation strategies include strengthening the physical facility, installing fire suppression systems, implementing alternate power sources, using redundant vendor sources, establishing back-up procedures, safeguarding the back-up media, and maintaining adequate [Pg 15, Pg 16, Exam Tier I Obj 1.4, Exam Tier I Obj 3.5, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]
Senior management should ensure that the risk identification techniques are coordinated and consistent across the organization. [Pg 21, FFIEC IT Examination Handbook – Management]
In identifying risks, the organization should consider events that could disrupt operations, such as technology mistakes, system development and implementation problems, system capacity problems, system failures, and/or system security breaches. [Pg 12, Pg 13, FFIEC IT Examination Handbook – Operations, July 2004]
The risk analysis should identify confidential assets, critical operations, and potential threats and define safeguards and countermeasures. [Pg 36, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]
The organization should identify existing and/or potential risks associated with the service provider that could negatively affect the organization. [Pg 3, FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003]
When an organization is identifying risks, the organization should consider the risks from creating and transmitting payment orders, being involved in wholesale payments systems directly or indirectly, and/or providing additional services to wholesale payments systems. [Pg 21, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]
The organization should identify all internal and external risks to the integrity, security, and confidentiality of customer information and should assess the safeguards that are currently in place to ensure they are functioning correctly. [§ 314.4(b), Standards for Safeguarding Customer Information; Final Rule, FTC 16 CFR 314, May 2002]
The risks associated with products, activities, and systems should be identified and assessed. The risk identification process should consider both internal and external factors. [¶ 23, Principle 4, BIS Sound Practices for the Management and Supervision of Operational Risk]
US Federal Security Guidance
The risks to the system should be derived from the threats and vulnerabilities. [§ 5-3.a, Army Regulation 380-19: Information Systems Security, February 27, 1998]
The facility must address all the specific risks for its location that are identified by the Assistant Secretary. [§ 27.230(a)(14), Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security, 6 CFR Part 27]
This document describes risk assessments. In § 3.3 it indicates that threats and vulnerabilities should be identified, then measured to determine likelihood of occurrence. According to § 3.4.2, an early step in a good risk assessment is identifying and valuing each of an organization’s assets. This process is subjective, as it requires determining both the cost of an item and what it means to organizational operations. § 3.4.3 goes into more depth on how to determine the likelihood of a threat’s occurrence; it suggests assigning each threat a rating from 1 to 3, with 3 being the highest likelihood of the threat becoming a problem. § 3.4.4 says that while a quantitative approach may be useful, qualitative approaches can be just as good, and striking a balance between the two is considered ideal. [§ 3.3, § 3.4.2 thru § 3.4.4, FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security]
Automated auditing and reporting mechanisms should be used to determine the effectiveness of security controls. Reports can be used to understand risks inherent in the systems being continuously audited and reported on. [§ IV.A.2.b, The National Strategy to Secure Cyberspace, February 2003]
When identifying relevant Red Flags for covered accounts, the financial institution or creditor should consider the following factors: the types of covered accounts; the methods for opening and accessing covered accounts; and any previous experiences with identity theft. Financial institutions and creditors should use the following sources to identify Red Flags: previous identity theft incidents at the organization; identity theft methods that reflect changes in risks; and supervisory guidance. [App J to Part 41.II(a), App J to Part 41.II(b), App J to Part 222.II(a), App J to Part 222.II(b), App J to Part 334.II(a), App J to Part 334.II(b), App J to Part 571.II(a), App J to Part 571.II(b), App A to Part 681.II(b), App J to Part 717.II(b), Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, Final Rule, November 9, 2007]
NIST Guidance
A vulnerability analysis, a safeguard analysis, a likelihood assessment, threat identification, and a consequence assessment are all called for. [§ 3.3.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]
ISO Guidance
All asset owners should analyze the threats to their assets to determine the risks. The results of this analysis will produce countermeasures that can be used to reduce risks to an acceptable level. [§ 6.1.1, ISO/IEC 15408-1:2005 Common Criteria for Information Technology Security Evaluation Part 1]
Risk analyses are used to identify risks. They may need to be performed in various divisions/departments to cover different parts of the organization or different information systems. [§ 4.1, § 4.2, ISO 17799:2005 Code of Practice for Information Security Management]
The organization should decide how to treat risks by identifying and evaluating its options. Some possible actions include: applying security controls; avoiding the risks; transferring the risks to other parties, such as insurers; and accepting the risks. [§ 4.2.1(f), ISO 27001:2005, Information Security Management Systems - Requirements]
Risk analyses are used to identify risks. They may need to be performed in various divisions/departments to cover different parts of the organization or different information systems. [§ 4.1, § 4.2, ISO/IEC 27002-2005 Code of practice for information security management]
General Guidance
An organization should examine a variety of scenarios to determine how severe the risks in each situation are to the organization. [Stage 1.1 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005]
The organization should identify any event (threat and vulnerability) with a potential impact on the goals or operations of the enterprise, including business, regulatory, legal, technology, trading partner, human resources and operational aspects. Determine the nature of the impact— positive, negative or both—and maintain this information. [PO9.3, CobiT 4.1]
The risk analysis methodology used should meet all organization objectives, compliance requirements, classification requirements, and the operating system and network characteristics. Risks to e-commerce should be included in the risk analysis. [SM3.4.5, SM3.4.6, SM6.6.3, CB5.3.4, CB5.3.5, CI2.5.4(b), CI5.4.6, CI5.4.5, NW4.4.5, NW4.4.6, SD3.5.5, SD3.5.6, The Standard of Good Practice for Information Security]
Other European and African Guidance
The Board of Directors must identify all key risks to the organization. The organization should develop a dynamic risk identification process as part of the risk management system. Residual, existing, and emerging risks should be identified during the risk assessment process. [¶ 3.2.3, ¶ 3.2.4, ¶ 4.2.3, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002]
Asia and Pacific Rim Guidance
All risks identified during a vulnerability analysis should be analyzed, and the measures needed to mitigate them should be determined. Each identified risk should be documented with a description of the risk, how it can occur, and the consequences if it occurs. [§ 2.4.19, § 3.7.32, Australian Government ICT Security Manual (ACSI 33)]
An organization should use a risk classification framework to ensure that appropriate risks are identified. A diagram is provided showing how a framework could be structured. It is best to view this diagram directly as a description here will not do it justice. [Pg 20, Australia Better Practice Guide - Business Continuity Management, January 2000]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.