Risk acceptance

Status: Live

The organization will ensure that the risk appetite is established by management and reviewed by the board of directors and is used to set the strategy of the organization’s enterprise risk management program. [UCF ID 00706]

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

COSO Enterprise Risk Management (ERM) Integrated Framework (2004), Pg 9, Pg 10, Pg 16, Pg 25, Pg 57, Pg 58; SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, § 314.115; Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework, ¶ 730; FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier II Obj A.1; FFIEC IT Examination Handbook – Information Security, Pg 15; FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003, Pg 13; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Pg 21, Exam Tier II Obj 1.1; Health Insurance Portability and Accountability Act of 1996 (HIPAA), § 164.308(a)(1)(ii)(B); Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.3.2; Business Continuity Institute (BCI) Good Practice Guidelines, 2005, Stage 1.3 Process; CobiT 4.1, PO4.8, ME4.5; The Standard of Good Practice for Information Security, SM1.1.2(b), SM3.4.8, SM6.6.5(b), SM6.6.5(c), CB5.3.7, CI5.4.8, NW4.4.8, SD3.5.8; ISO/IEC 15408-1:2005 Common Criteria for Information Technology Security Evaluation Part 1, § 6.1.1, § 7.5; ISO 17799:2005 Code of Practice for Information Security Management, § 4.2; ISO 27001:2005, Information Security Management Systems - Requirements, § 1.2, § 4.2.1(d), § 4.2.1(e), § 4.2.1(h), § 5.1; ISO/IEC 27002-2005 Code of practice for information security management, § 4.2; OECD Principles of Corporate Governance, 2004, § VI.D; Australian Government ICT Security Manual (ACSI 33), § 2.4.38; BIS Sound Practices for the Management and Supervision of Operational Risk, ¶ 31; The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002, ¶ 3.1.3; Archer Control Table, ATCS-028, ATCS-035

Sarbanes Oxley Guidance

The organization's desired return from its strategy should be aligned with its risk appetite. Risk appetite should be accounted for when resources are allocated to the business units. Risk acceptance should be based on risk identification and assessment. [Pg 9, Pg 10, Pg 16, Pg 25, Pg 57, Pg 58, COSO Enterprise Risk Management (ERM) Integrated Framework (2004)]

For significant risks, the auditor should evaluate the controls' design and determine whether the controls have been implemented. This determination is made by evaluating whether and how management responds to the risks. [§ 314.115, SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement]

Banking and Finance Guidance

The Board of Directors should be responsible for setting the organization's risk tolerance level. [¶ 730, Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework]

[Exam Tier II Obj A.1, FFIEC IT Examination Handbook – Audit, August 2003]

After all threats and vulnerabilities have been assigned probabilities and ranked, the organization should decide which ones it is willing to accept and which ones should be corrected. [Pg 15, FFIEC IT Examination Handbook – Information Security]

The examiner-in-charge (EIC) should plan an exit meeting upon completion of the examination. The meeting should inform the organization of the EIC's findings, conclusions, and recommendations and should confirm and/or obtain management's commitment to taking all required corrective actions. [Pg 13, FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003]

The organization's risk management policy should include the identification, measurement, mitigation, and management of risks related to the organization's activities. [Pg 21, Exam Tier II Obj 1.1, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]

The organization should decide if it should control or mitigate the identified risks or accept the risk. [¶ 31, BIS Sound Practices for the Management and Supervision of Operational Risk]

Healthcare and Life Science Guidance

Security measures that reduce risks and vulnerabilities to an appropriate level should be implemented. [§ 164.308(a)(1)(ii)(B), Health Insurance Portability and Accountability Act of 1996 (HIPAA)]

NIST Guidance

[§ 3.3.2, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]

ISO Guidance

Asset owners should be confident that the countermeasures will counter the threat prior to exposing the asset to the threat. The owner is responsible for accepting the risk of exposing the asset to the threat. The Common Criteria evaluation results should be used as one of the inputs to decide if the risks should be accepted. [§ 6.1.1, § 7.5, ISO/IEC 15408-1:2005 Common Criteria for Information Technology Security Evaluation Part 1]

If the organization decides to accept the risks identified through the risk analyses, several options exist: reduce the risks by applying appropriate controls; accept the risks as they exist; not allow actions that would cause the risks to occur; or transfer the risks to another party. [§ 4.2, ISO 17799:2005 Code of Practice for Information Security Management]

Criteria should be developed for identifying the acceptable level of risk for the organization. If an organization decides not to implement security controls to reduce the risks associated with a threat, these risks should be justified and accepted by appropriate personnel. [§ 1.2, § 4.2.1(d), § 4.2.1(e), § 4.2.1(h), § 5.1, ISO 27001:2005, Information Security Management Systems - Requirements]

If the organization decides to accept the risks identified through the risk analyses, several options exist: reduce the risks by applying appropriate controls; accept the risks as they exist; not allow actions that would cause the risks to occur; or transfer the risks to another party. [§ 4.2, ISO/IEC 27002-2005 Code of practice for information security management]

General Guidance

Risks should be evaluated based on the organization’s risk tolerance. If a risk falls outside acceptable tolerance levels, existing risk management control strategies should be reviewed and additional controls added as necessary. [Stage 1.3 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005]

The organization should embed ownership of and responsibility for IT-related risks within the business at an appropriate senior level. It should define and assign the roles critical for managing IT risks, including specific responsibility for information security, physical security, and compliance. Risk and security management responsibility should be established at the organization-wide level to deal with organization-wide issues; additional security management responsibilities may need to be assigned at a system-specific level to deal with related security issues. Direction should be obtained from senior management on the appetite for IT risk and approval of any residual IT risks.
The organization should work with the board to define the enterprise's appetite for IT risk, communicate that IT risk appetite into the enterprise, and agree on an IT risk management plan. Risk management responsibilities should be embedded in the organization, ensuring that the business and IT regularly assess and report IT-related risks and their impact on the business. IT management should follow up on risk exposures, paying special attention to IT control failures and weaknesses in internal control and oversight, and to their actual and potential business impact. The enterprise's IT risk position should be transparent to all stakeholders.
[PO4.8, ME4.5, CobiT 4.1]

The results of risk analyses should be reviewed and signed off by the owner. Top management should ensure all installed information security controls are proportionate to the risk. When accepting risks, top management should be aware of the consequences of accepting the risks and ensure no risks have been overlooked. [SM1.1.2(b), SM3.4.8, SM6.6.5(b), SM6.6.5(c), CB5.3.7, CI5.4.8, NW4.4.8, SD3.5.8, The Standard of Good Practice for Information Security]

EU Guidance

The Board should review the organization's risk policy. [§ VI.D, OECD Principles of Corporate Governance, 2004]

Other European and African Guidance

The risk appetite of the organization and what risks the organization will accept or not accept to achieve the organizational goals must be decided by the Board of Directors. [¶ 3.1.3, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002]

Asia and Pacific Rim Guidance

All identified risks should be evaluated to determine if they are acceptable or unacceptable. [§ 2.4.38, Australian Government ICT Security Manual (ACSI 33)]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of systems that have had risk levels reviewed by management [UCF Control ID 02138]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.