Status: Live
The organization will collect information about risks and threats and then prioritize those risks and threats by importance, assigning appropriate safeguards to manage and control those threats and risks. [UCF ID 00707]
Supporting and supported controls
This control directly supports:
• Risk Assessment [UCF Control ID 00685]
There are no supporting controls.
Authority documents complied with:
COSO Enterprise Risk Management (ERM) Integrated Framework (2004), Pg 56, Pg 57; SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, § 314.96; FFIEC IT Examination Handbook – Information Security, Pg 13, Pg 14; FFIEC IT Examination Handbook – Management, Pg 23; FFIEC IT Examination Handbook – Operations, July 2004, Pg 13, Pg 14; FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004, Exam Tier I Obj 4.3; FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003, Pg 3; CMS Information Security Risk Assessment _IS RA_ Procedure, Version 1.0, Pg 14; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 1-5.a(1), § 5-4.b; Protection of Assets Manual, ASIS International, Pg 2-II-15; FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security, § 3.5.1; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 2.7; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.3.2; The Standard of Good Practice for Information Security, SM3.4.6(c), SM3.4.7, CB5.3.5(c), CB5.3.6, CI2.5.4(c), CI5.4.6(c), CI5.4.7, NW4.4.6(c), NW4.4.7, SD3.5.6(c), SD3.5.7; ISO 17799:2005 Code of Practice for Information Security Management, § 4.2; ISO 27001:2005, Information Security Management Systems - Requirements, § 4.2.1(g); ISO/IEC 27002-2005 Code of practice for information security management, § 4.2; Australian Government ICT Security Manual (ACSI 33), § 2.4.35, § 2.4.38; Australia Better Practice Guide - Business Continuity Management, January 2000, Pg 39, Pg 40; BIS Sound Practices for the Management and Supervision of Operational Risk, ¶ 13; OMB Circular A-123 Management’s Responsibility for Internal Control, § III (FISMA); Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control, Pg 44; Archer Control Table, ATCS-027, ATCS-032, ATCS-038
Sarbanes Oxley Guidance
The organization should develop a plan to implement the responses to reduce the risks. Procedures should be in place to ensure the actions are taken to effectively implement the controls. [Pg 56, Pg 57, COSO Enterprise Risk Management (ERM) Integrated Framework (2004)]
The auditor should evaluate if the organization has established effective controls to address the risks from IT. The controls are effective if they maintain the information's integrity and if they maintain data security. [§ 314.96, SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement]
Organizations should provide the appropriate controls to reduce the risks. These controls should be proportionate to the risk of not having a control in place. [§ III (FISMA), OMB Circular A-123 Management’s Responsibility for Internal Control]
The organization should prioritize the corrective action to be taken to reduce the effect of risks on the system. The corrective action plan should include a description of the deficiency, when it was first discovered, when it should be fixed by, who is responsible for fixing it, and how to measure the status of the fix. [Pg 44, Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control]
Banking and Finance Guidance
The organization should identify the controls that are necessary to mitigate the impact or the likelihood of an identified threat exploiting a vulnerability. [Pg 13, Pg 14, FFIEC IT Examination Handbook – Information Security]
The risks identified in the risk assessment should be ranked and prioritized. [Pg 23, FFIEC IT Examination Handbook – Management]
Management should prioritize the corrective actions that need to be taken based on the probability of the event occurring, the financial or legal impact to the organization, and the importance of the system to the organization. [Pg 13, Pg 14, FFIEC IT Examination Handbook – Operations, July 2004]
[Exam Tier I Obj 4.3, FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004]
The organization should communicate to the service provider any findings, recommendations, and/or required corrective actions that need to be taken in a timely manner. [Pg 3, FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003]
The risk management framework should cover the organization's tolerance for risk and the prioritization of risk management activities. [¶ 13, BIS Sound Practices for the Management and Supervision of Operational Risk]
Healthcare and Life Science Guidance
Once the risks have been listed, they must be ranked and reviewed in terms of combined likelihood and impact severity, measured against the business-level concerns with missions, functions, business objectives, and political interests. [Pg 14, CMS Information Security Risk Assessment _IS RA_ Procedure, Version 1.0]
US Federal Security Guidance
Identified risks to the system should be countered with the use of cost-effective measures. The security controls selected may degrade operational efficiency. Management should take this disruption into account when determining if the implementation of the countermeasure is acceptable. [§ 1-5.a(1), § 5-4.b, Army Regulation 380-19: Information Systems Security, February 27, 1998]
Countermeasures should be developed for each identified risk and threat. [Pg 2-II-15, Protection of Assets Manual, ASIS International]
[§ 3.5.1, FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security]
US Internal Revenue Guidance
All findings from the safeguard review must be addressed in a timely fashion and must be resolved before the next reporting cycle, as defined by the Safeguard Activity Report. [§ 2.7, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
NIST Guidance
[§ 3.3.2, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]
ISO Guidance
When implementing controls, the organization should reduce risk to an acceptable level. Controls should take into account the requirements and constraints of regulations, organizational objectives and relationships, and the costs in relation to risk reduction. [§ 4.2, ISO 17799:2005 Code of Practice for Information Security Management]
Based on the results of the risk assessment, security controls should be selected and implemented. [§ 4.2.1(g), ISO 27001:2005, Information Security Management Systems - Requirements]
When implementing controls, the organization should reduce risk to an acceptable level. Controls should take into account the requirements and constraints of regulations, organizational objectives and relationships, and the costs in relation to risk reduction. [§ 4.2, ISO/IEC 27002-2005 Code of practice for information security management]
General Guidance
The results of the risk analysis should be documented and include recommendations to reduce the risk to an acceptable level. Based on the risk analysis results, security controls should be identified, evaluated, and selected to reduce or eliminate the risks. [SM3.4.6(c), SM3.4.7, CB5.3.5(c), CB5.3.6, CI2.5.4(c), CI5.4.6(c), CI5.4.7, NW4.4.6(c), NW4.4.7, SD3.5.6(c), SD3.5.7, The Standard of Good Practice for Information Security]
Asia and Pacific Rim Guidance
When assessing and prioritizing risks, the risks should be compared against target risk levels and predetermined standards to aid in determining what is acceptable and unacceptable. Unacceptable risks should be prioritized. [§ 2.4.35, § 2.4.38, Australian Government ICT Security Manual (ACSI 33)]
Choosing safeguards and treatments is required and should be based on two factors:
• safeguards and treatments that reduce the exposure to, and impact of, loss of the processes and resources on which the functions rely
• implementing alternate processes and resources to be used following an outage, together with plans to recover from the outage and restore normal operations
If necessary, variations on existing treatments, or redesigns, should be considered. When choosing any treatment, the following areas must be addressed:
• people
• facilities
• telecommunications
• information systems
• business activities
For each critical activity or resource that an organization chooses to provide safeguards for, multiple arrangements should be made that allow other systems or resources to be used in their place in the event of an emergency. To ensure an organization has good alternatives, use this checklist:
• Document a brief description of each viable option
• Determine the other resources required and the costs for each option
• Compare recovery options to the MAO: Does the option meet the recovery needs? Does the option exceed the organization’s needs? [Pg 39, Pg 40, Australia Better Practice Guide - Business Continuity Management, January 2000]
Metrics
The metrics associated with this control are as follows:
• Report on the percentage of identified risks that have a defined risk mitigation plan [UCF Control ID 02042]
• Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented [UCF Control ID 02065]
• Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period [UCF Control ID 02129]
• Report on the average time elapsed between vulnerability or weakness discovery and implementation of corrective action [UCF Control ID 02140]
• Report on the percentage of information security risks related to systems architecture identified in the most recent risk assessment that have been adequately mitigated [UCF Control ID 02060]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
