Identify the risks to organizational information and technology.

UCF ID: 00698
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

This control has the following supporting controls:

Authority documents complied with:

COSO Enterprise Risk Management (ERM) Integrated Framework (2004), Pg 38, Pg 39; PCAOB Auditing Standard No. 5, ¶ 28, ¶ 30; SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, § 314.102, § 314.104, § 314.110; SAS 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained, § 318.08; FFIEC Guidance on Authentication in an Internet Banking Environment, Pg 2; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg 15, Pg 16, Exam Tier I Obj 1.4, Exam Tier I Obj 3.5; FFIEC IT Examination Handbook – Management, Pg 21; FFIEC IT Examination Handbook – Operations, July 2004, Pg 12, Pg 13; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Pg 36; FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003, Pg 3; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Pg 21; Standards for Safeguarding Customer Information; Final Rule, FTC 16 CFR 314, May 2002, § 314.4(b); Army Regulation 380-19: Information Systems Security, February 27, 1998, § 5-3.a; Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security, 6 CFR Part 27, § 27.230(a)(14); FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security, § 3.3, § 3.4.2 thru § 3.4.4; The National Strategy to Secure Cyberspace, February 2003, § IV.A.2.b; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.3.1; Business Continuity Institute (BCI) Good Practice Guidelines, 2005, Stage 1.1 Process; CobiT, Version 4.1, PO9.3; The Standard of Good Practice for Information Security, SM3.4.5, SM3.4.6, SM6.6.3, CB5.3.4, CB5.3.5, CI2.5.4(b), CI5.4.6, CI5.4.5, NW4.4.5, NW4.4.6, SD3.5.5, SD3.5.6; ISO/IEC 13335-1, Information technology — Security techniques — Management of information and communications technology security — Part 1: Concepts and models for information and communications technology security management, 2004, § 3.2 Par 2-4, § 3.6; ISO/IEC 15408-1 Common Criteria for Information Technology Security Evaluation Part 1, 2005, § 6.1.1; ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 4.1, § 4.2; ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, § 4.2.1(f); ISO/IEC 27002 Code of practice for information security management, 2005, § 4.1, § 4.2; Australian Government ICT Security Manual (ACSI 33), § 2.4.19, § 3.7.32; Australia Better Practice Guide - Business Continuity Management, January 2000, Pg 20; BIS Sound Practices for the Management and Supervision of Operational Risk, ¶ 23, Principle 4; OMB Circular A-123 Management's Responsibility for Internal Control, § I.A, § II.B; Implementation Guide for OMB Circular A-123 Management's Responsibility for Internal Control, Pg 24, Pg 31; The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002, ¶ 3.2.3, ¶ 3.2.4, ¶ 4.2.3; Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, Final Rule, November 9, 2007, App J to Part 41.II(a), App J to Part 41.II(b), App J to Part 222.II(a), App J to Part 222.II(b), App J to Part 334.II(a), App J to Part 334.II(b), App J to Part 571.II(a), App J to Part 571.II(b), App A to Part 681.II(b), App J to Part 717.II(b); AICPA Red Flag Rule Identity Theft Prevention Program, November 1, 2009, § V.B.9; Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009, § 4.3.1 ¶ 1(c); BS 25999-1, Business continuity management. Code of practice, 2006, § 6.5.1; ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 9.5.1; Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition, § 5.3.2, Annex A.5.3.2; Defense Industrial Base Information Assurance Standard, § 3.4 ¶ 3

Sarbanes Oxley Guidance

The organization should identify all risk events that may occur. Events with a relatively remote possibility of occurring should be identified if the impact on achieving an objective is great. When identifying events, both internal and external factors should be considered. Internal factors include personnel, infrastructure, technology, and processes. External factors include the natural environment, the economy, political events, social events, and technology. [Pg 38, Pg 39, COSO Enterprise Risk Management (ERM) Integrated Framework (2004)]

The auditor should identify all significant accounts and disclosures and any assertions that could possibly contain a misstatement. The auditor should identify the likely sources of potential misstatements for significant accounts and disclosures. [¶ 28, ¶ 30, PCAOB Auditing Standard No. 5]

The auditor should identify risks, relate the risks to what could go wrong at the assertion level, and determine what the possibilities are of the risks causing a material misstatement. The auditor should determine if the identified risks relate to specific assertions or relate to the whole financial statement. The auditor should decide, in his/her judgment, which risks are significant risks. [§ 314.102, § 314.104, § 314.110, SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement]

The auditor's assessment of the identified risks should be used as a basis for the design and performance of audit procedures. [§ 318.08, SAS 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained]

The risk assessment should identify the controls that are currently implemented on the system based on the risks that are identified. After the identification of all the risks, new controls should be implemented or controls should be improved, if possible, to help counter any known risks. [§ I.A, § II.B, OMB Circular A-123 Management’s Responsibility for Internal Control]

The organization should analyze the risk assessment and identify all risks and develop a plan for mitigating those risks. [Pg 24, Pg 31, Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control]

Banking and Finance Guidance

The organization should identify and assess the risks associated with any Internet-based services or products. [Pg 2, FFIEC Guidance on Authentication in an Internet Banking Environment]

Management should develop strategies for mitigating the risks that could occur from internal and external interdependencies. Mitigation strategies include strengthening the physical facility, installing fire suppression systems, implementing alternate power sources, using redundant vendor sources, establishing back-up procedures, safeguarding the back-up media, and maintaining adequate [Pg 15, Pg 16, Exam Tier I Obj 1.4, Exam Tier I Obj 3.5, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]

Senior management should ensure that the risk identification techniques are coordinated and consistent across the organization. [Pg 21, FFIEC IT Examination Handbook – Management]

In identifying risks, the organization should consider events that could disrupt operations, such as technology mistakes, system development and implementation problems, system capacity problems, system failures, and/or system security breaches. [Pg 12, Pg 13, FFIEC IT Examination Handbook – Operations, July 2004]

The risk analysis should identify confidential assets, critical operations, and potential threats and define safeguards and countermeasures. [Pg 36, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]

The organization should identify existing and/or potential risks associated with the service provider that could negatively affect the organization. [Pg 3, FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003]

When an organization is identifying risks, the organization should consider the risks from creating and transmitting payment orders, being involved in wholesale payments systems directly or indirectly, and/or providing additional services to wholesale payments systems. [Pg 21, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]

The organization should identify all internal and external risks to the integrity, security, and confidentiality of customer information and should assess the safeguards that are currently in place to ensure they are functioning correctly. [§ 314.4(b), Standards for Safeguarding Customer Information; Final Rule, FTC 16 CFR 314, May 2002]

The risks associated with products, activities, and systems should be identified and assessed. The risk identification process should consider both internal and external factors. [¶ 23, Principle 4, BIS Sound Practices for the Management and Supervision of Operational Risk]

US Federal Security Guidance

The risks to the system should be derived from the threats and vulnerabilities. [§ 5-3.a, Army Regulation 380-19: Information Systems Security, February 27, 1998]

The facility must address all the specific risks for its location that are identified by the Assistant Secretary. [§ 27.230(a)(14), Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security, 6 CFR Part 27]

This document describes risk assessments. In §3.3 it indicates that threats and vulnerabilities should be identified, then measured to determine their likelihood of occurrence. According to §3.4.2, an early step in a good risk assessment is identifying and valuing each of an organization's assets; this step is subjective, since it requires determining both the cost of an item and what it means to organizational operations. §3.4.3 goes into more depth on determining the likelihood of a threat occurring, and suggests rating likelihood on a scale of 1 to 3, with 3 being the highest likelihood that a threat will become a problem. §3.4.4 notes that while a quantitative approach may be useful, a qualitative approach can be just as good; striking a balance between the two is considered ideal. [§ 3.3, § 3.4.2 thru § 3.4.4, FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security]

Automated auditing and reporting mechanisms should be used to determine the effectiveness of security controls. Reports can be used to understand risks inherent in the systems being continuously audited and reported on. [§ IV.A.2.b, The National Strategy to Secure Cyberspace, February 2003]

When identifying relevant Red Flags for covered accounts, the financial institution or creditor should consider the following factors: the types of covered accounts; the methods for opening and accessing covered accounts; and any previous experiences with identity theft. Financial institutions and creditors should use the following sources to identify Red Flags: previous identity theft incidents at the organization; identity theft methods that reflect changes in risks; and supervisory guidance. [App J to Part 41.II(a), App J to Part 41.II(b), App J to Part 222.II(a), App J to Part 222.II(b), App J to Part 334.II(a), App J to Part 334.II(b), App J to Part 571.II(a), App J to Part 571.II(b), App A to Part 681.II(b), App J to Part 717.II(b), Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, Final Rule, November 9, 2007]

The organization should conduct standardized assessments. A standardized mission assurance assessment has been established for application to critical DIB assets and considers impact, vulnerability, and threat/hazard. This approach ensures the relevant factors of each DIB asset are considered and the risks are prioritized to support military operations. [§ 3.4 ¶ 3, Defense Industrial Base Information Assurance Standard]

NIST Guidance

A vulnerability analysis, a safeguard analysis, a likelihood assessment, threat identification, and a consequence assessment are all called for. [§ 3.3.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]

ISO Guidance

§ 3.2 Par 2-4 An organization should implement and maintain a security program to identify assets and assign a value. The level of detail should be determined on the basis of the security objectives. Asset attributes to be considered include their value and/or sensitivity, and any safeguards present. Vulnerabilities in the presence of particular threats influence protection requirements for assets. The environments, cultures and legal systems in which the organization operates may affect assets and their attributes. Based on an assessment of threats and vulnerabilities, and their combined impact, risk can be assessed and then safeguards applied to protect the assets as appropriate. An assessment of residual risk is then necessary to determine whether the assets are adequately protected.
§ 3.6 Risk. An organization should assess risk as part of its ICT security program. Risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. Single or multiple threats may exploit single or multiple vulnerabilities.
A risk scenario describes how a particular threat or group of threats may exploit a particular vulnerability or group of vulnerabilities that exposes assets to harm. The risk is characterized by a combination of two factors, the probability of the incident occurring and its impact. Any change to assets, threats, vulnerabilities and safeguards may have significant effects on risks. Early detection or knowledge of any changes increases the opportunity for appropriate actions to be taken to treat risk. Options for risk treatment include risk avoidance, risk reduction, risk transfer and risk acceptance.
Management should be made aware of all residual risks in terms of impact and the probability of an incident occurring. The decision to accept residual risks must be taken by those who are in a position to accept the impact of incidents occurring and who can authorize the implementation of additional safeguards if the level of residual risk is not acceptable.
[§ 3.2 Par 2-4, § 3.6, ISO/IEC 13335-1, Information technology — Security techniques — Management of information and communications technology security — Part 1: Concepts and models for information and communications technology security management, 2004]
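The FIPS 191 scoring method above (likelihood rated 1 to 3, quantitative scores balanced against qualitative judgement) and the ISO/IEC 13335-1 model (risk as a combination of probability and impact, reduced by safeguards, with the residual risk surfaced to management for an accept/treat decision) can be put into a small risk register. The following is an added example written for this page, not code from FIPS 191, ISO/IEC 13335-1 or the UCF; it assumes the same 1..3 scale for impact as FIPS 191 suggests for likelihood, assumes that a safeguard removes whole scale steps from likelihood or impact, and uses assumed band thresholds and an assumed acceptance threshold. The sample register entries are constructed and describe no real organization.

```python
"""Risk register: inherent risk, residual risk after safeguards, ranking, accept/treat."""
from dataclasses import dataclass, field
from typing import Dict, List

# Scale assumed for this example: 1 (low) .. 3 (high). FIPS 191 suggests this for
# likelihood; applying the same scale to impact is an assumption of the example.
SCALE = (1, 2, 3)


def band(score: int) -> str:
    """Map a 1..9 product score to a qualitative band (thresholds are assumed)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass
class Safeguard:
    """A control already in place; reductions are scale steps it removes (assumed model)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class RiskScenario:
    """ISO/IEC 13335-1 style scenario: a threat exploiting a vulnerability of an asset."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    safeguards: List[Safeguard] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be on the 1..3 scale")

    def inherent(self) -> int:
        """Risk before any safeguard is credited."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Risk remaining after safeguards; neither factor drops below 1."""
        like = max(1, self.likelihood - sum(s.likelihood_reduction for s in self.safeguards))
        imp = max(1, self.impact - sum(s.impact_reduction for s in self.safeguards))
        return like * imp


def assess(scenarios: List[RiskScenario], accept_at_or_below: int = 2) -> List[Dict]:
    """Score every scenario and rank by residual risk, highest first.

    accept_at_or_below is the assumed acceptance threshold; anything above it is
    flagged for further treatment (reduce, transfer or avoid) rather than acceptance.
    """
    rows = []
    for s in scenarios:
        res = s.residual()
        rows.append({
            "asset": s.asset, "threat": s.threat, "vulnerability": s.vulnerability,
            "inherent": s.inherent(), "residual": res, "band": band(res),
            "decision": "accept" if res <= accept_at_or_below else "treat further",
        })
    rows.sort(key=lambda r: (-r["residual"], r["asset"]))
    return rows


# Constructed sample register for the example (hypothetical assets and safeguards).
SAMPLE = [
    RiskScenario("customer database", "external attacker", "unpatched DBMS listener", 3, 3,
                 [Safeguard("host firewall", likelihood_reduction=1),
                  Safeguard("patch SLA", likelihood_reduction=1)]),
    RiskScenario("file server", "disk failure", "single disk, no RAID", 2, 2,
                 [Safeguard("nightly backup", impact_reduction=1)]),
    RiskScenario("public web site", "defacement", "weak admin password", 3, 1),
    RiskScenario("HR payroll system", "insider", "excess privileges", 2, 3,
                 [Safeguard("quarterly access review", likelihood_reduction=1),
                  Safeguard("transaction logging", impact_reduction=1)]),
]

if __name__ == "__main__":
    for row in assess(SAMPLE):
        print(f'{row["asset"]:<20} inherent={row["inherent"]} residual={row["residual"]} '
              f'({row["band"]}) -> {row["decision"]}')
```

The ranking shows why residual rather than inherent risk drives the decision: the customer database scores 9 inherently but only 3 once the firewall and patching are credited, while the web site scores 3 both ways because nothing protects it. Both still exceed the assumed acceptance threshold and go back to management for treatment; the file server and payroll system land at 2 and are candidates for acceptance by someone authorized to accept that impact.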

All asset owners should analyze the threats to their assets to determine the risks. The results of this analysis will produce countermeasures that can be used to reduce risks to an acceptable level. [§ 6.1.1, ISO/IEC 15408-1 Common Criteria for Information Technology Security Evaluation Part 1, 2005]

Risk analyses are used to identify risks. They may need to be performed in various divisions/departments to cover different parts of the organization or different information systems. [§ 4.1, § 4.2, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]

The organization should decide how to treat risks by identifying and evaluating its options. Some possible actions include: applying security controls; avoiding the risks; transferring the risks to other parties, such as insurers; and accepting the risks. [§ 4.2.1(f), ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]

Risk analyses are used to identify risks. They may need to be performed in various divisions/departments to cover different parts of the organization or different information systems. [§ 4.1, § 4.2, ISO/IEC 27002 Code of practice for information security management, 2005]

Potential risks should be identified by ICT disaster recovery service providers, in particular outsourced service providers, and procedures should be developed to address all of the identified risks. The risks may also include ones related to seizures or stoppages due to a legal enforcement. Procedures should be clearly documented and pre-arranged. [§ 9.5.1, ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]

General Guidance

An organization should examine a variety of scenarios to determine how severe the risks in each situation are to the organization. [Stage 1.1 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005]

The organization should identify any event (threat and vulnerability) with a potential impact on the goals or operations of the enterprise, including business, regulatory, legal, technology, trading partner, human resources and operational aspects. Determine the nature of the impact— positive, negative or both—and maintain this information. [PO9.3, CobiT, Version 4.1]

The risk analysis methodology used should take into account the organization's objectives, its compliance requirements, its information classification requirements, and the characteristics of the operating systems and networks in scope. Risks to e-commerce should be included in the risk analysis. [SM3.4.5, SM3.4.6, SM6.6.3, CB5.3.4, CB5.3.5, CI2.5.4(b), CI5.4.6, CI5.4.5, NW4.4.5, NW4.4.6, SD3.5.5, SD3.5.6, The Standard of Good Practice for Information Security]

Conduct regular risk assessments to identify where and how the firm stores or transmits personal information. [§ V.B.9, AICPA Red Flag Rule Identity Theft Prevention Program, November 1, 2009]

A formal and documented evaluation process must be established, implemented, and maintained by the organization to systematically analyze vulnerability, risk, impact, and criticality. [§ 4.3.1 ¶ 1(c), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009]

The following hazards must be evaluated: natural hazards; accidental and intentional events caused by humans; and events caused by technology. See Annex A.5.3.2 for a list of potential hazards from each of these categories. [§ 5.3.2, Annex A.5.3.2, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition]

UK and Canadian Guidance

The level of risk should be understood and should be based on the critical activities and the risk of disrupting these activities. [§ 6.5.1, BS 25999-1, Business continuity management. Code of practice, 2006]

Other European and African Guidance

The Board of Directors must identify all key risks to the organization. The organization should develop a dynamic risk identification process as part of the risk management system. Residual, existing, and emerging risks should be identified during the risk assessment process. [¶ 3.2.3, ¶ 3.2.4, ¶ 4.2.3, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002]

Asia and Pacific Rim Guidance

All risks identified during a vulnerability analysis should be analyzed, and the measures needed to mitigate them should be determined. The record of each identified risk should describe the risk, how it can occur, and the consequences if it does occur. [§ 2.4.19, § 3.7.32, Australian Government ICT Security Manual (ACSI 33)]

An organization should use a risk classification framework to ensure that appropriate risks are identified. A diagram is provided showing how a framework could be structured. It is best to view this diagram directly as a description here will not do it justice. [Pg 20, Australia Better Practice Guide - Business Continuity Management, January 2000]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.