The organization will collect information about risks and threats and then prioritize those risks and threats by importance, assigning appropriate safeguards to manage and control those threats and risks. [UCF ID 00707]
Supporting and supported controls
This control directly supports:
• Risk Assessment [UCF Control ID 00685]
This control has the following supporting controls:
There are no supporting controls.
Authority documents complied with:
Australia Better Practice Guide - Business Continuity Management Pg 39-40; Australian Government ICT Security Manual (ACSI 33) § 2.4.35, 2.4.38; BIS Sound Practices for the Management and Supervision of Operational Risk 13; Safety and Soundness Standards, Appendix of OCC 12 CFR 30 III.C; FFIEC IT Examination Handbook – Information Security Pg 13-14; FFIEC IT Examination Handbook – Management Pg 23; FFIEC IT Examination Handbook – Operations Pg 13-14; FFIEC IT Examination Handbook – Outsourcing Technology Services Exam Tier I Obj 4.3; FFIEC IT Examination Handbook – Supervision of Technology Service Providers Pg 3; The Standard of Good Practice for Information Security SM3.4.6(c), SM3.4.7, CB5.3.5(c), CB5.3.6, CI2.5.4(c), CI5.4.6(c), CI5.4.7, NW4.4.6(c), NW4.4.7, SD3.5.6(c), SD3.5.7; CMS Info Security Business Risk Assessment Pg 14; ISO 17799:2005 Code of Practice for Information Security Management § 4.2; ISO 27001:2005, Information Security Management Systems - Requirements § 4.2.1 (g); ISO/IEC 27002-2005 Code of practice for information security management § 4.2; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14 § 3.3.2; COSO Enterprise Risk Management (ERM) Framework Pg 56, 57; SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement § 314.96; FIPS 191, Guideline for the Analysis of LAN Security 3.5.1
Sarbanes Oxley Guidance
Pg 56, 57 of COSO Enterprise Risk Management (ERM) Framework states that the organization should develop a plan to implement the responses to reduce the risks. Procedures should be in place to ensure the actions are taken to effectively implement the controls.
§ III (FISMA) of OMB Circular A-123 Management’s Responsibility for Internal Control states that organizations should provide the appropriate controls to reduce the risks. These controls should be proportionate to the risk of not having a control in place.
P. 44 of Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control states that the organization should prioritize the corrective action to be taken to reduce the effect of risks on the system. The corrective action plan should include a description of the deficiency, when it was first discovered, when it should be fixed by, who is responsible for fixing it, and how to measure the status of the fix.
§ 314.96 of SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement states that the auditor should evaluate if the organization has established effective controls to address the risks from IT. The controls are effective if they maintain the information's integrity and if they maintain data security.
Banking and Finance Guidance
The FFIEC IT Examination Handbook – Management Pg 23 states that the risks identified in the risk assessment should be ranked and prioritized.
Healthcare and Life Science Guidance
Page 14 of the CMS Information Security (IS) Business Risk Assessment (RA) Methodology suggests that once the risks have been listed, they must be ranked and reviewed by combined likelihood and impact severity, with severity expressed in terms of the business-level concerns: missions, functions, business objectives, and political interests.
International Standards Organization Guidance
The ISO/IEC 27002-2005 Code of practice for information security management § 4.2 states that when implementing controls, the organization should reduce risk to an acceptable level. Controls should take into account the requirements and constraints of regulations, organizational objectives and relationships, and the costs in relation to risk reduction.
The ISO 27001:2005 Information Security Management Systems - Requirements § 4.2.1 (g) states that based on the results of the risk assessment, security controls should be selected and implemented.
The ISO 17799:2005 Code of Practice for Information Security Management § 4.2 states that when implementing controls, the organization should reduce risk to an acceptable level. Controls should take into account the requirements and constraints of regulations, organizational objectives and relationships, and the costs in relation to risk reduction.
Asia and Pacific Rim Guidance
The Australia BCM Guide Pg 39-40 requires that choosing safeguards and treatments be based on two factors:
• safeguards and treatments that reduce the exposure to, and impact of, loss of the processes and resources on which the functions rely
• implementing alternate processes and resources to be used following an outage, and plans to recover from the outage and restore normal operations
If necessary, variations on existing treatments, or redesigns, should be considered. When choosing any treatment the following areas must be addressed:
• people
• facilities
• telecommunications
• information systems
• business activities
For each critical activity or resource that an organization chooses to provide safeguards for, multiple arrangements should be made that allow other systems or resources to be used in their place in the event of an emergency. To ensure an organization has good alternatives, use this checklist:
• Document a brief description of each viable option
• Determine other resources required and the costs for each option
• Compare recovery options to the MAO (maximum acceptable outage): Does the option meet the recovery needs? Does the option exceed the organization’s needs?
Metrics
The metrics associated with this control are as follows:
• Metric Reporting Standard 02042.doc
• Metric Reporting Standard 02065.doc
• Metric Reporting Standard 02129.doc
• Metric Reporting Standard 02140.doc
• Metric Reporting Standard 02060.doc
