UCF ID: 00706 | Control Type: Process or Activity | Status: Live
Supporting and supported controls
This control directly supports:
- Analyze and quantify the risks to systems and information. [UCF Control ID 00701]
There are no supporting controls.
Authority documents complied with:
COSO Enterprise Risk Management (ERM) Integrated Framework (2004), Pg 9, Pg 10, Pg 16, Pg 25, Pg 57, Pg 58; SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, § 314.115; Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework, ¶ 730; FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier II Obj A.1; FFIEC IT Examination Handbook – Information Security, Pg 15; FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003, Pg 13; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Pg 21, Exam Tier II Obj 1.1; Health Insurance Portability and Accountability Act of 1996 (HIPAA), § 164.308(a)(1)(ii)(B); Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.3.2; Business Continuity Institute (BCI) Good Practice Guidelines, 2005, Stage 1.3 Process; CobiT, Version 4.1, PO4.8, ME4.5; The Standard of Good Practice for Information Security, SM1.1.2(b), SM3.4.8, SM6.6.5(b), SM6.6.5(c), CB5.3.7, CI5.4.8, NW4.4.8, SD3.5.8; ISO/IEC 15408-1 Common Criteria for Information Technology Security Evaluation Part 1, 2005, § 6.1.1, § 7.5; ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 4.2; ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, § 1.2, § 4.2.1(d), § 4.2.1(e), § 4.2.1(h), § 5.1; ISO/IEC 27002 Code of practice for information security management, 2005, § 4.2; OECD Principles of Corporate Governance, 2004, § VI.D; Australian Government ICT Security Manual (ACSI 33), § 2.4.38; BIS Sound Practices for the Management and Supervision of Operational Risk, ¶ 31; The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002, ¶ 3.1.3; Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009, § 4.3.1 ¶ 2(e); BS 25999-1, Business continuity management. Code of practice, 2006, § 6.6.3; ISO/IEC 13335-1, Information technology — Security techniques — Management of information and communications technology security — Part 1: Concepts and models for information and communications technology security management, 2004, § 3.6; ISO/IEC 13335-3 Information technology — Guidelines for the management of IT Security — Part 3: Techniques for the management of IT Security, 1998, ¶ 7.1, ¶ 9.5; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, § 1.4
Sarbanes Oxley Guidance
The organization's desired return from its strategy should be aligned with its risk appetite. Risk appetite should be accounted for when resources are allocated to the business units. Risk acceptance should be based on risk identification and assessment. [Pg 9, Pg 10, Pg 16, Pg 25, Pg 57, Pg 58, COSO Enterprise Risk Management (ERM) Integrated Framework (2004)]
For significant risks, the auditor should evaluate the design of the controls and determine whether the controls have been implemented. This determination is made by evaluating whether and how management responds to the risks. [§ 314.115, SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement]
Banking and Finance Guidance
The Board of Directors should be responsible for setting the organization's risk tolerance level. [¶ 730, Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework]
[Exam Tier II Obj A.1, FFIEC IT Examination Handbook – Audit, August 2003]
After all threats and vulnerabilities have been assigned probabilities and ranked, the organization should decide which ones it is willing to accept and which ones should be corrected. [Pg 15, FFIEC IT Examination Handbook – Information Security]
The examiner-in-charge (EIC) should plan an exit meeting upon completion of the examination. The meeting should inform the organization on the EIC's findings, conclusions, and recommendations and should confirm and/or obtain management's commitment to taking all required corrective actions. [Pg 13, FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003]
The organization's risk management policy should include the identification, measurement, mitigation, and management of risks related to the organization's activities. [Pg 21, Exam Tier II Obj 1.1, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]
The organization should decide if it should control or mitigate the identified risks or accept the risk. [¶ 31, BIS Sound Practices for the Management and Supervision of Operational Risk]
Healthcare and Life Science Guidance
Security measures that reduce risks and vulnerabilities to an appropriate level should be implemented. [§ 164.308(a)(1)(ii)(B), Health Insurance Portability and Accountability Act of 1996 (HIPAA)]
NIST Guidance
[§ 3.3.2, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]
An organization should assess the risk to its operations and assets posed by the information system. The information systems security risk acceptance level must be established within the organization's risk management strategy. [§ 1.4, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]
ISO Guidance
Asset owners should be confident that the countermeasures will counter the threat prior to exposing the asset to the threat. The owner is responsible for accepting the risk of exposing the asset to the threat. The Common Criteria evaluation results should be used as one of the inputs to decide if the risks should be accepted. [§ 6.1.1, § 7.5, ISO/IEC 15408-1 Common Criteria for Information Technology Security Evaluation Part 1, 2005]
If the organization decides to accept the risks identified through the risk analyses, several options exist: Reduce the risks by applying appropriate controls; accept the risks as they exist; not allow actions that would cause the risks to occur; or transfer the risks to another party. [§ 4.2, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]
Criteria should be developed for identifying the acceptable level of risk for the organization. If an organization decides not to implement security controls to reduce the risks associated with a threat, these risks should be justified and accepted by appropriate personnel. [§ 1.2, § 4.2.1(d), § 4.2.1(e), § 4.2.1(h), § 5.1, ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]
If the organization decides to accept the risks identified through the risk analyses, several options exist: Reduce the risks by applying appropriate controls; accept the risks as they exist; not allow actions that would cause the risks to occur; or transfer the risks to another party. [§ 4.2, ISO/IEC 27002 Code of practice for information security management, 2005]
Risk. An organization should assess risk as part of its ICT security program. Risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. Single or multiple threats may exploit single or multiple vulnerabilities.
A risk scenario describes how a particular threat or group of threats may exploit a particular vulnerability or group of vulnerabilities that exposes assets to harm. The risk is characterized by a combination of two factors, the probability of the incident occurring and its impact. Any change to assets, threats, vulnerabilities and safeguards may have significant effects on risks. Early detection or knowledge of any changes increases the opportunity for appropriate actions to be taken to treat risk. Options for risk treatment include risk avoidance, risk reduction, risk transfer and risk acceptance.
Management should be made aware of all residual risks in terms of impact and the probability of an incident occurring. The decision to accept residual risks must be taken by those who are in a position to accept the impact of incidents occurring and who can authorize the implementation of additional safeguards if the level of residual risk is not acceptable. [§ 3.6, ISO/IEC 13335-1, Information technology — Security techniques — Management of information and communications technology security — Part 1: Concepts and models for information and communications technology security management, 2004]
¶ 7.1 IT Security Objectives and Strategy. An organization should form IT security objectives by considering the question 'what broad level of risk is acceptable to the organization?'. The correct level of acceptable risk, and the appropriate level of security, is the key to successful security management. The necessary broad level of security is determined by the IT security objectives an organization needs to meet. In order to assess these security objectives, the assets and how valuable they are to the organization should be considered. This is mainly determined by the importance of IT in supporting the conduct of the organization's business; the cost of IT itself is only a small part of its value. Possible questions for assessing how much an organization's business depends on IT are:
· What are the important/very important parts of the business which cannot be carried out without IT support?
· What are the tasks which can only be done with the help of IT?
· What essential decisions depend on the accuracy, integrity, or availability of information processed by IT, or on how up-to-date this information is?
· What confidential information processed needs to be protected?
· What are the implications of an unwanted security incident for the organization?
Answering these questions can help to assess the security objectives of an organization. If, for example, some important or very important parts of the business are dependent on accurate or up to date information, then one of the security objectives of this organization may be to ensure the integrity and timeliness of the information as it is processed in the IT systems. Also, important business objectives and their relation to security should be considered when assessing security objectives.
¶ 9.5 Risk Acceptance. After choosing the safeguards and identifying the reduction of risks these safeguards will achieve, there will always be residual risks - no system can be made absolutely secure. These residual risks should be categorized as 'acceptable' or 'unacceptable' for the organization. This categorization can be accomplished by reviewing the potential adverse business impacts associated with those risks. Obviously, the unacceptable risks cannot be tolerated without further considerations. It is a management decision whether these risks will be accepted because of other constraints (like costs, or simply impossibility of prevention - as in the case of planes crashing on a building or earthquakes; however, plans to recover from such events can still be made), or whether additional and maybe expensive safeguards are selected to reduce the unacceptable risks. [¶ 7.1, ¶ 9.5, ISO/IEC 13335-3 Information technology — Guidelines for the management of IT Security — Part 3: Techniques for the management of IT Security, 1998]
General Guidance
Risks should be evaluated based on the organization’s risk tolerance. If a risk falls outside acceptable tolerance levels, existing risk management control strategies should be reviewed and additional controls added as necessary. [Stage 1.3 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005]
The organization should embed ownership of and responsibility for IT-related risks within the business at an appropriate senior level. It should define and assign the roles critical for managing IT risks, including specific responsibility for information security, physical security, and compliance. Risk and security management responsibility should be established at the organization-wide level to deal with organization-wide issues; additional security management responsibilities may need to be assigned at a system-specific level to deal with related security issues. The organization should obtain direction from senior management on the appetite for IT risk and approval of any residual IT risks.
The organization should work with the board to define the enterprise’s appetite for IT risk. Communicate IT risk appetite into the enterprise and agree on an IT risk management plan. Embed risk management responsibilities into the organization, ensuring that the business and IT regularly assess and report IT-related risks and the impact on the business. Make sure IT management follows up on risk exposures, paying special attention to IT control failures and weaknesses in internal control and oversight, and their actual and potential business impact. The enterprise’s IT risk position should be transparent to all stakeholders. [PO4.8, ME4.5, CobiT, Version 4.1]
The results of risk analyses should be reviewed and signed off by the owner. Top management should ensure all installed information security controls are proportionate to the risk. When accepting risks, top management should be aware of the consequences of accepting the risks and ensure no risks have been overlooked. [SM1.1.2(b), SM3.4.8, SM6.6.5(b), SM6.6.5(c), CB5.3.7, CI5.4.8, NW4.4.8, SD3.5.8, The Standard of Good Practice for Information Security]
The organization must ensure it takes into account all significant risks and impacts when it establishes, implements, and operates the organizational resilience management system. [§ 4.3.1 ¶ 2(e), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009]
EU Guidance
The Board should review the organization's risk policy. [§ VI.D, OECD Principles of Corporate Governance, 2004]
UK and Canadian Guidance
The organization should decide if a risk is acceptable without further action being taken. If the cost of the action is disproportionate to the benefits or the actions are limited, top management will need to decide if the risk is in the organization's risk appetite. [§ 6.6.3, BS 25999-1, Business continuity management. Code of practice, 2006]
Other European and African Guidance
The risk appetite of the organization and what risks the organization will accept or not accept to achieve the organizational goals must be decided by the Board of Directors. [¶ 3.1.3, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002]
Asia and Pacific Rim Guidance
All identified risks should be evaluated to determine if they are acceptable or unacceptable. [§ 2.4.38, Australian Government ICT Security Manual (ACSI 33)]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
