Status: Live
The organization will maintain a risk measurement scoring system that is easy to understand, avoids subjectivity as much as possible and considers all relevant risk factors. [UCF ID 00703]
Supporting and supported controls
This control directly supports:
- Risk quantification and analysis [UCF Control ID 00701]
There are no supporting controls.
Authority documents complied with:
COSO Enterprise Risk Management (ERM) Integrated Framework (2004), Pg 49, Pg 51; FFIEC IT Examination Handbook – Audit, August 2003, Pg 16; FFIEC IT Examination Handbook – Information Security, Pg 15, Exam Tier I Obj 3.1; FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security, § 3.4.4; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.3.1; Business Continuity Institute (BCI) Good Practice Guidelines, 2005, Stage 1.3 Process; CobiT 4.1, PO9.4; ISO 17799:2005 Code of Practice for Information Security Management, § 4.2; ISO 27001:2005, Information Security Management Systems - Requirements, § 4.2.2(d); ISO/IEC 27002-2005 Code of practice for information security management, § 4.2
Sarbanes Oxley Guidance
A combination of qualitative and quantitative techniques should be used when determining risk to the organization. Qualitative techniques are used when risks cannot be expressed in quantitative measures. Quantitative techniques usually require more effort and rigor. [Pg 49, Pg 51, COSO Enterprise Risk Management (ERM) Integrated Framework (2004)]
Banking and Finance Guidance
The organization should develop a scoring system that is understandable and objective. Risk factors used for scoring systems include the adequacy of controls; volume of transactions; the age of the system or application; physical and logical security; previous reports; and human resources (experience, turnover, technical competence). [Pg 16, FFIEC IT Examination Handbook – Audit, August 2003]
The organization should rank the level of risk associated with all information. These levels are subjective and should be based on the threat likelihood and the level of exposure to the threat. [Pg 15, Exam Tier I Obj 3.1, FFIEC IT Examination Handbook – Information Security]
US Federal Security Guidance
[§ 3.4.4, FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security]
NIST Guidance
Risk measurement should include asset valuation, consequence assessment, threat identification, safeguard analysis, vulnerability analysis, and likelihood assessment. [§ 3.3.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]
ISO Guidance
The organization should develop criteria for deciding if risks can or cannot be accepted. [§ 4.2, ISO 17799:2005 Code of Practice for Information Security Management]
The organization should define how the effectiveness of security controls is to be measured. The organization should also state how these measurements will be used to assess the effectiveness of controls. [§ 4.2.2(d), ISO 27001:2005, Information Security Management Systems - Requirements]
The organization should develop criteria for deciding if risks can or cannot be accepted. [§ 4.2, ISO/IEC 27002-2005 Code of practice for information security management]
General Guidance
It is recommended that an organization create a quantitative risk scoring system. Scores should be available both for the impact of a threat and for the likelihood of the threat occurring. [Stage 1.3 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005]
On a regular basis, identified risks should be assessed using qualitative and quantitative methods. [PO9.4, CobiT 4.1]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
