Establish and maintain a risk action plan based on the risk assessment findings.

UCF ID: 00705
Control Type: Establish/Maintain Documentation
Status: Live

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

COSO Enterprise Risk Management (ERM) Integrated Framework (2004), Pg 53; Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework, ¶ 620(c), ¶ 666(c); FFIEC Guidance on Authentication in an Internet Banking Environment, Pg 2; FFIEC IT Examination Handbook – Information Security, Pg 15, Exam Tier I Obj 6.9; FFIEC IT Examination Handbook – Operations, July 2004, Pg 13, Pg 14, Exam Tier II Obj G.1; FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003, Pg 3; Standards for Safeguarding Customer Information; Final Rule, FTC 16 CFR 314, May 2002, § 314.4(c); Health Insurance Portability and Accountability Act of 1996 (HIPAA), § 164.308(a)(1)(ii)(B); Responsible Care Security Code of Management Practices, American Chemistry Council, Pg 2; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 3-5.b(5), § 5-5; NCUA Guidelines for Safeguarding Member Information, 12 CFR 748, July 1, 2001, Pg 82; TITLE 49, Subtitle VII - Aviation Programs, December 5, 2001, § 44904(c); IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 5.6.4, § 6.3.5, Exhibit 4 CA-5; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.3.2; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, CA-5.2; CobiT, Version 4.1, PO9.5; The Standard of Good Practice for Information Security, SM3.3.4; ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, § 4.2.2(a); Australian Government ICT Security Manual (ACSI 33), § 2.4.41, § 2.4.42, § 2.4.44; Australia Better Practice Guide - Business Continuity Management, January 2000, Pg 23, Workbook Pg 15; OMB Circular A-123 Management’s Responsibility for Internal Control, § II.E, § IV.B; Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control, Pg 39, Pg 41; The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002, ¶ 3.2.3; Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008, § 4.2.3; BS 25999-1, Business continuity management. Code of practice, 2006, § 6.6.4 ¶ 1, § 6.6.5; BS 25999-2, Business continuity management. Specification, 2007, § 4.1.3.2, § 6.1.2; ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 9.5.1; Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition, § 5.5, Annex A.5.5.1, Annex A.5.5.2

Sarbanes Oxley Guidance

The organization should determine how it will respond to the identified risks. The organization can respond in one of four ways: avoid the risk, reduce the likelihood of the risk occurring, share the risk with other organizations, or accept the risk as it is. When determining responses, management should assess cost versus benefit and evaluate the effects of the responses on the risk likelihood and expected impact. [Pg 53, COSO Enterprise Risk Management (ERM) Integrated Framework (2004)]

Any deficiencies that have been identified should be evaluated, corrected, and reported to the appropriate personnel. A systematic approach should be in place to control these deficiencies. [§ II.E, § IV.B, OMB Circular A-123 Management’s Responsibility for Internal Control]

The organization should develop and implement a corrective action plan. The corrective action plan should include milestones and completion dates. Management should review the status of the corrective action plan periodically to ensure the deficiencies are being corrected in a timely manner. The status of the corrective action plan should be reported to the Senior Management Council on a regular basis. [Pg 39, Pg 41, Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control]

Banking and Finance Guidance

Action should be taken based on the findings in the management reports. [¶ 620(c), ¶ 666(c), Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework]

The organization should identify the actions necessary to mitigate the identified risks. [Pg 2, FFIEC Guidance on Authentication in an Internet Banking Environment]

If the organization finds controls are inadequate or do not exist, the organization should include an action plan to improve or implement the appropriate controls. [Pg 15, Exam Tier I Obj 6.9, FFIEC IT Examination Handbook – Information Security]

Management should prioritize the corrective actions that need to be taken based on the probability of the event occurring, the financial or legal impact to the organization, and the importance of the system to the organization. [Pg 13, Pg 14, Exam Tier II Obj G.1, FFIEC IT Examination Handbook – Operations, July 2004]

The organization should receive a commitment from the service provider to correct any significant security deficiencies and verify the effectiveness of any corrective actions taken. [Pg 3, FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003]

The organization should implement safeguards to control the risks that were identified during the risk assessment. [§ 314.4(c), Standards for Safeguarding Customer Information; Final Rule, FTC 16 CFR 314, May 2002]

Healthcare and Life Science Guidance

An organization must implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. [§ 164.308(a)(1)(ii)(B), Health Insurance Portability and Accountability Act of 1996 (HIPAA)]

US Federal Security Guidance

The organization should take action to mitigate any identified and/or potential security risks. [Pg 2, Responsible Care Security Code of Management Practices, American Chemistry Council]

The organization should select countermeasures that are required by the risk management review. The risk analysis should be used to create a plan to implement the selected countermeasures. [§ 3-5.b(5), § 5-5, Army Regulation 380-19: Information Systems Security, February 27, 1998]

[Pg 82, NCUA Guidelines for Safeguarding Member Information, 12 CFR 748, July 1, 2001]

Measures must be taken to correct any security deficiencies found during the assessment and monitoring process. [§ 44904(c), TITLE 49, Subtitle VII - Aviation Programs, December 5, 2001]

US Internal Revenue Guidance

Organizations that receive Federal Tax Information must develop a Plan of Action and Milestones (POA&M) to identify the remedial actions necessary to correct any noted internal and external deficiencies. The POA&M must include security controls needed to reduce or eliminate known system vulnerabilities. The annual Safeguard Activity Report submitted to the IRS should contain the organizational findings and the actions taken to correct the deficiencies. [§ 5.6.4, § 6.3.5, Exhibit 4 CA-5, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]

NIST Guidance

[§ 3.3.2, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]

The plan of action and milestones document should be examined to ensure the organization plans, implements, and evaluates all listed remedial actions to eliminate or reduce known vulnerabilities. [CA-5.2, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

The organization should take the appropriate steps to reduce risks to an acceptable level. [§ 4.2.3, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008]

ISO Guidance

The organization should develop a risk treatment plan. This plan should identify management actions, resources, responsibilities, and priorities to manage the identified risks. [§ 4.2.2(a), ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]

ICT disaster recovery service providers should have clear risk mitigation plans and policies in place, with clear and specific documented steps for dealing with every identified risk. [§ 9.5.1, ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]

General Guidance

The organization should identify a risk owner and affected process owners, and develop and maintain a risk response to ensure that cost-effective controls and security measures mitigate exposure to risks on a continuing basis. The risk response should identify risk strategies such as avoidance, reduction, sharing or acceptance. In developing the response, consider the costs and benefits and select responses that constrain residual risks within the defined risk tolerance levels. [PO9.5, CobiT, Version 4.1]

Results from risk analyses should be used to determine actions to be taken to remediate the findings. [SM3.3.4, The Standard of Good Practice for Information Security]

The organization must develop and implement a mitigation strategy. It must include measures to limit or control the consequences, extent, or severity of an incident that cannot be prevented. Annex A.5.5.1 lists other items the strategy should contain. The strategy must be based on the results of hazard identification, risk assessment, impact analysis, and cost-benefit analysis, together with program constraints and operational experience, and must include both interim and long-term actions to reduce vulnerabilities and to reduce the risk from identified hazards. [§ 5.5, Annex A.5.5.1, Annex A.5.5.2, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition]

UK and Canadian Guidance

Transferring risks by buying insurance or paying a third party to take the risk may be used to reduce the risk exposure because another organization is better able to handle the risk. Some risks are not fully transferable, like reputational risk. For some risks, the best option is to change, suspend, or terminate the service, product, function, process, or activity. This should only be considered if it does not conflict with the organization's objectives, stakeholder expectations, and statutory compliance. [§ 6.6.4 ¶ 1, § 6.6.5, BS 25999-1, Business continuity management. Code of practice, 2006]

Appropriate risk treatments for each critical activity must be selected and implemented in accordance with the risk acceptance level of the activity. The organization must take preventive action, proportionate to the impact a potential problem could cause, so that potential nonconformities do not occur. The documented preventive action procedure must define requirements for: identifying potential nonconformities and their causes; determining and implementing the preventive actions; recording the results; reviewing the action taken; identifying any changed risks and ensuring that significantly changed risks are monitored; notifying personnel who need to know of nonconformities and the preventive actions taken; and prioritizing preventive actions. [§ 4.1.3.2, § 6.1.2, BS 25999-2, Business continuity management. Specification, 2007]

Other European and African Guidance

The organization should develop a risk mitigation process as part of the risk management system. [¶ 3.2.3, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002]

Asia and Pacific Rim Guidance

A risk treatment plan should be developed to describe how risk treatment controls (measures taken to reduce risk by minimizing the chances of the risk occurring) should be implemented on the system to reduce the residual risks for the identified unacceptable risks. The risk treatment plan should include responsibilities, a timetable, and how to monitor the implementation of the risk treatment controls. [§ 2.4.41, § 2.4.42, § 2.4.44, Australian Government ICT Security Manual (ACSI 33)]

Page 23 tells us that the last step of a risk assessment is developing and implementing treatments for all major risks in order to reduce or eliminate them.

Workbook page 15 discusses designing ways to handle risks, focusing chiefly on the cost of the design. It is important to determine how much it will cost to recover business processes during a recovery. Possible costs to consider include:

    outside services
    temporary employees
    emergency purchases
    rental/lease of equipment
    wages paid to idle staff
    temporary relocation of employees

[Pg 23, Workbook Pg 15, Australia Better Practice Guide - Business Continuity Management, January 2000]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of identified risks that have a defined risk mitigation plan. [UCF Control ID 02042]
    Report on the percentage of information security risks related to systems architecture identified in the most recent risk assessment that have been adequately mitigated. [UCF Control ID 02060]
    Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. [UCF Control ID 02129]
    Report on the average time elapsed between vulnerability or weakness discovery and implementation of corrective action. [UCF Control ID 02140]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.