Prioritize and select controls based on the risk assessment findings.


CONTROL ID
00707
CONTROL TYPE
Audits and Risk Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary., CC ID: 00704

This Control has the following implementation support Control(s):
  • Analyze the effect of threats on organizational strategies and objectives., CC ID: 12850
  • Analyze the effect of opportunities on organizational strategies and objectives., CC ID: 12849
  • Prioritize and categorize the effects of opportunities, threats and requirements on control activities., CC ID: 12822


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • AIs that allow customers to submit information (e.g. applications for financial products/services) via the Internet (e.g. their corporate websites) should assess the risks and establish appropriate controls, including: (§ 6.2.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • In view of the above specific risks associated with contactless mobile payments, AIs should carefully assess the security risks of their proposed service and formulate relevant security measures before launching the service. At the minimum, AIs should ensure the service complies with any relevant mi… (§ 7.5.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • AIs that allow customers to submit information via the Internet (e.g. their corporate websites) should assess the risks and establish appropriate controls, including: (§ 6.2.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • Possible gaps can then be identified between the expected level of resilience (from inherent risk assessment) and the actual level of resilience (from maturity assessment) (II. Step 3: Bullet 2, Hong Kong Monetary Authority The Cyber Resilience Assessment Framework, Cybersecurity Summit 2016)
  • Standard § I.2(2).2: The impact of reliability on financial reporting should be identified and assessed and any necessary actions taken to mitigate the risks. Practice Standard § III.4(2)[4].D: Deficiencies in general controls may prevent the effective and continuous operation of application contr… (Standard § I.2(2).2, Practice Standard § III.4(2)[4].D, On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • In data administration, it also is necessary to protect data appropriately and to consider storage locations in accordance with the results of risk assessment. (C7.1. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • For Ordinary systems, these measures must be taken in accordance with the content and risk characteristics of the services used. (C24.1. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is also necessary for financial Institutions to consider effective security measures in addition to those listed below. (C5.1. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Risk assessment is the core competence of information security management. The risk assessment must, for each asset within its scope, identify the threat/vulnerability combinations that have a likelihood of impacting the confidentiality, availability or integrity of that asset - from a business, com… (Critical components of information security 2) 2), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • performing comprehensive due diligence on the nature, scope and complexity of the outsourcing arrangement to identify and mitigate key risks; (5.3.1 (b), Guidelines on Outsourcing)
  • risk assessment and mitigation strategies to manage deviations from the framework. (§ 13.6.1(c), Technology Risk Management Guidelines, January 2021)
  • Many IoT devices are designed without or with minimal security controls. If compromised, these devices can be commandeered and used to gain unauthorised access to the FI's network and systems or as a launch pad for cyber attacks on the FI. The FI should assess and implement processes and controls to… (§ 11.5.2, Technology Risk Management Guidelines, January 2021)
  • Institute a risk management framework to identify the security threats to the protection of personal data, assess the risks involved and determine the controls to remove or reduce them. (Annex A1: Risk Management 6, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • using a risk-based approach to prioritise the implementation of identified mitigations. (Security Control: 1163; Revision: 6; Bullet 4, Australian Government Information Security Manual, March 2021)
  • System owners deploying OFFICIAL or PROTECTED systems with Radio Frequency transmitters that will be co-located with SECRET or TOP SECRET systems contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the threat assessment. (Control: ISM-0248; Revision: 6, Australian Government Information Security Manual, June 2023)
  • System owners deploying SECRET or TOP SECRET systems with Radio Frequency transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the threat assessment. (Control: ISM-0247; Revision: 4, Australian Government Information Security Manual, June 2023)
  • System owners deploying SECRET or TOP SECRET systems in shared facilities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the threat assessment. (Control: ISM-1137; Revision: 3, Australian Government Information Security Manual, June 2023)
  • System owners deploying systems or military platforms overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the threat assessment. (Control: ISM-0249; Revision: 4, Australian Government Information Security Manual, June 2023)
  • implementing mitigations based on risk, effectiveness and cost. (Control: ISM-1163; Revision: 9; Bullet 4, Australian Government Information Security Manual, June 2023)
  • implementing mitigations based on risk, effectiveness and cost. (Control: ISM-1163; Revision: 10; Bullet 4, Australian Government Information Security Manual, September 2023)
  • System owners deploying OFFICIAL: Sensitive or PROTECTED systems with Radio Frequency transmitters that will be co-located with SECRET or TOP SECRET systems contact ASD for an emanation security threat assessment and implement any additional installation criteria derived from the threat assessment. (Control: ISM-0248; Revision: 7, Australian Government Information Security Manual, September 2023)
  • System owners deploying systems or military platforms overseas contact ASD for an emanation security threat assessment and implement any additional installation criteria derived from the threat assessment. (Control: ISM-0249; Revision: 5, Australian Government Information Security Manual, September 2023)
  • System owners deploying SECRET or TOP SECRET systems in shared facilities contact ASD for an emanation security threat assessment and implement any additional installation criteria derived from the threat assessment. (Control: ISM-1137; Revision: 4, Australian Government Information Security Manual, September 2023)
  • System owners deploying SECRET or TOP SECRET systems with Radio Frequency transmitters inside or co-located with their facility contact ASD for an emanation security threat assessment and implement any additional installation criteria derived from the threat assessment. (Control: ISM-0247; Revision: 5, Australian Government Information Security Manual, September 2023)
  • The organization must select the controls from this manual to include in the System Security Plan based on the system scope and additional system specific controls to include based on the Security Risk Management Plan or a higher level System Security Plan. (Control: 0895, Australian Government Information Security Manual: Controls)
  • The organization should use a risk-based approach to prioritize the implementation of identified mitigations as a part of the vulnerability management strategy. (Control: 1163 Bullet 3, Australian Government Information Security Manual: Controls)
  • The organization must mitigate or treat the identified vulnerabilities as soon as possible. (Control: 0113, Australian Government Information Security Manual: Controls)
  • Safeguards and treatments must be chosen, and the choice must be based on two factors: safeguards and treatments that reduce the exposure to, and impact of, loss of the processes and resources on which the functions rely; and implementing alternate processes and resources to be used following an outage and plans to recove… (Pg 39, Pg 40, Australia Better Practice Guide - Business Continuity Management, January 2000)
  • Timely identification and remediation of new threats (Attachment G Control Objective Row 13, APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • vulnerabilities and threats to the information assets; (21.(a), Australian Prudential Regulation Authority Prudential Standard CPS 234 Information Security, CPS 234 – 1)
  • An APRA-regulated entity must maintain an information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity. (15., Australian Prudential Regulation Authority Prudential Standard CPS 234 Information Security, CPS 234 – 1)
  • When assessing and prioritizing risks, the risks should be compared against target risk levels and predetermined standards to aid in determining what is acceptable and unacceptable. Unacceptable risks should be prioritized. (§ 2.4.35, § 2.4.38, Australian Government ICT Security Manual (ACSI 33))
  • Based on the risk assessments, financial institutions should determine which measures are required to mitigate identified ICT and security risks to acceptable levels and whether changes are necessary to the existing business processes, control measures, ICT systems and ICT services. A financial inst… (3.3.4 22, Final Report EBA Guidelines on ICT and security risk management)
  • Financial institutions should define and implement data and ICT systems backup and restoration procedures to ensure that they can be recovered as required. The scope and frequency of backups should be set out in line with business recovery requirements and the criticality of the data and the ICT sys… (3.5 57, Final Report EBA Guidelines on ICT and security risk management)
  • adoption of suitable risk management measures in accordance with the provisions of the following paragraphs. (Article 9 2(d), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • Member States shall ensure that operators of essential services take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations. Having regard to the state of the art, those measu… (Art. 14.1, Directive (EU) 2016/1148 OF The European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
  • Member States shall ensure that digital service providers identify and take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in the context of offering services referred to in Annex III wit… (Art. 16.1, Directive (EU) 2016/1148 OF The European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
  • Taking into account the state-of-the-art and, where applicable, relevant European and international standards, as well as the cost of implementation, the measures referred to in the first subparagraph shall ensure a level of security of network and information systems appropriate to the risks posed.… (Article 21 1 ¶ 2, DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • Financial entities, other than microenterprises, shall establish procedures and policies to prioritise, classify and remedy all issues revealed throughout the performance of the tests and shall establish internal validation methodologies to ascertain that all identified weaknesses, deficiencies or g… (Art. 24.5., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • When reviewing the security requirements it may occur that individual requirements cannot be implemented under the concrete framework conditions. This might be the case if the requirements in the considered environment are not relevant (e.g. if services have not been activated). In rare cases this c… (§ 8.3.6 ¶ 8, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Based on the results of a risk analysis carried out according to OIS-06, the cloud provider has implemented technical safeguards which are suitable to promptly detect and respond to network-based attacks on the basis of irregular incoming or outgoing traffic patterns (e. g. by MAC spoofing and ARP p… (Section 5.9 KOS-01 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The risk caused by the remaining threat might be lowered by developing and implementing one or several supplemental security safeguards which counteract the threat. The following sources of information on supplemental security safeguards may be useful: (§ 6.1 ¶ 7, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • In the risk analysis, threats might have been identified resulting in risks which are currently acceptable, but are expected to increase in the future. This means that there might be need for action in the further development. In these cases, it makes sense and is common to develop and prepare suppl… (§ 6.2 ¶ 1, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • For target objects which are already included in the IT-Grundschutz Compendium, it can turn out to make sense to supplement existing modules by requirements determined in the risk classification. (§ 7 ¶ 7 Bullet 1, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • The risk management framework should cover the organization's tolerance for risk and the prioritization of risk management activities. (¶ 13, BIS Sound Practices for the Management and Supervision of Operational Risk)
  • The organization should establish and implement a Risk Management plan outlining the responses to identified risks. (Supplement on Tin, Tantalum, and Tungsten Step 3: B, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The organization should use measurable risk mitigation methods to manage risks that do not require termination of the supplier relationship. (Supplement on Tin, Tantalum, and Tungsten Step 3: B.2, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The organization should consider building leverage over upstream suppliers who can most effectively mitigate or prevent the identified risk when coming up with a risk mitigation strategy. (Supplement on Tin, Tantalum, and Tungsten Step 3: B.2(a), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Upstream companies should establish and implement a supply chain Risk Management plan outlining the responses to identified risks. (Supplement on Gold Step 3: § I.C, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Upstream companies should use measurable risk mitigation methods to manage risks that do not require termination of the supplier relationship. (Supplement on Gold Step 3: § I.C.2, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Upstream companies should consider building leverage over upstream suppliers who can most effectively mitigate or prevent the identified risk when coming up with a risk mitigation strategy. (Supplement on Gold Step 3: § I.C.2(a), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Downstream companies should establish and implement a supply chain Risk Management plan outlining the responses to identified risks. (Supplement on Gold Step 3: § II.C, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Management considers control activities at various levels in the entity. (§ 3 Principle 10 Points of Focus: Considers at What Level Activities Are Applied, COSO Internal Control - Integrated Framework (2013))
  • The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. (§ 3 Principle 10 ¶ 1, COSO Internal Control - Integrated Framework (2013))
  • Management considers how the environment, complexity, nature, and scope of its operations, as well as the specific characteristics of its organization, affect the selection and development of control activities. (§ 3 Principle 10 Points of Focus: Considers Entity-Specific Factors, COSO Internal Control - Integrated Framework (2013))
  • The organization selects and develops general control activities over technology to support the achievement of objectives. (§ 3 Principle 11 ¶ 1, COSO Internal Control - Integrated Framework (2013))
  • Management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing. (§ 3 Principle 11 Points of Focus: Establishes Relevant Technology Infrastructure Control Activities, COSO Internal Control - Integrated Framework (2013))
  • Action must be taken by the organization to eliminate the cause of nonconformities that are associated with implementing and operating the business continuity management system in order to prevent a recurrence of the nonconformities. Corrective action procedures must define the requirements for iden… (§ 6.1.3, BS 25999-2, Business continuity management. Specification, 2007)
  • Strong judgment must be used for implementing suitable controls, which must be appropriate for the risk level. The potential impact of risks may be mitigated by accepting the risk; eliminating the risk; sharing the risk; and controlling/mitigating the risk. (§ 8.1 ¶ 2, § 8.3 ¶ 2, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • Vulnerabilities should be prioritized for remediation based on the criticality of the asset, the frequency or likelihood an attack will occur, and how much effort will be required to implement the fix. Auditors should compare the actual risk with the cost for the fix and then prioritize based on cos… (§ 3.2 (Prioritizing Vulnerabilities), IIA Global Technology Audit Guide (GTAG) 6: Managing and Auditing IT Vulnerabilities)
  • Internal auditors should evaluate the results of the risk assessment in order to add value to the organization-wide application control risk assessment activities. (§ 3 (Application Control: Risk Assessment Approach), IIA Global Technology Audit Guide (GTAG) 8: Auditing Application Controls)
  • The organization must create, implement, and maintain a formal and documented process of evaluation to systematically analyze and prioritize risk controls and treatments and associated costs. (§ 4.3.1 ¶ 1(d), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • Countermeasures should be developed for each identified risk and threat. (Pg 2-II-15, Protection of Assets Manual, ASIS International)
  • Options to treat information risk (risk treatment) should include mitigating the risk, typically by applying appropriate security controls (e.g., malware protection, digital rights management, or data leakage protection (DLP)). (SR.01.06.02d, The Standard of Good Practice for Information Security)
  • The implementation of access control mechanisms should be based on the results of a risk assessment. (CF.06.03.02a, The Standard of Good Practice for Information Security)
  • Applying security controls to mitigate information risk should include selecting security controls that will reduce the likelihood of serious information security incidents occurring – and reducing their impact if they do occur. (SR.01.06.06c, The Standard of Good Practice for Information Security)
  • Applying security controls to mitigate information risk may include selecting security controls that will satisfy relevant compliance requirements (e.g., those outlined in the Sarbanes-Oxley Act, legislation associated with European Union directives 2006/43/EC and 2006/46/EC, the Payment Card Indust… (SR.01.06.06d, The Standard of Good Practice for Information Security)
  • Applying security controls to mitigate information risk may include identifying specialized security controls required by particular business environments (e.g., data encryption or strong authentication). (SR.01.06.06f, The Standard of Good Practice for Information Security)
  • Options to treat information risk (risk treatment) should include mitigating the risk, typically by applying appropriate security controls (e.g., malware protection, digital rights management, or data leakage protection (DLP)). (SR.01.06.02d, The Standard of Good Practice for Information Security, 2013)
  • The implementation of access control mechanisms should be based on the results of a risk assessment. (CF.06.03.02a, The Standard of Good Practice for Information Security, 2013)
  • Applying security controls to mitigate information risk should include selecting security controls that will reduce the likelihood of serious information security incidents occurring – and reducing their impact if they do occur. (SR.01.06.06c, The Standard of Good Practice for Information Security, 2013)
  • Applying security controls to mitigate information risk may include selecting security controls that will satisfy relevant compliance requirements (e.g., those outlined in the Sarbanes-Oxley Act, legislation associated with European Union directives 2006/43/EC and 2006/46/EC, the Payment Card Indust… (SR.01.06.06d, The Standard of Good Practice for Information Security, 2013)
  • Applying security controls to mitigate information risk may include identifying specialized security controls required by particular business environments (e.g., data encryption or strong authentication). (SR.01.06.06f, The Standard of Good Practice for Information Security, 2013)
  • The organization should use the technical and organizational business risks to prioritize the vulnerable assets and address the most damaging vulnerabilities first. (Critical Control 4.12, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Risks shall be mitigated to an acceptable level. Acceptance levels based on risk criteria shall be established and documented in accordance with reasonable resolution time frames and executive approval. (GRM-12, Cloud Controls Matrix, v3.0)
  • The organization shall determine if the estimated risks are not acceptable and implement risk control measures. (§ 4.4.3 ¶ 1(b), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The organization shall identify risk control measures for each unacceptable risk, until the residual risk is acceptable. (§ 4.4.4.1 ¶ 1, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The risk control measures implemented to reduce residual risk shall be used in the following priority order: inherent control by design, such as physical isolation; protective measures, such as alarms; and information for assurance, such as user documentation and training. (§ 4.4.4.1 ¶ 2, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The organization shall determine if risk control tradeoffs are needed for the key properties, and, if so, their priority order is safety, effectiveness, and data and systems security. (§ 4.4.4.1 ¶ 3, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • ¶ 6 An organization should identify and implement appropriate safeguards for each IT system to reduce the risks to an acceptable level. These safeguards are implemented as outlined in the IT security plan. The implementation should be supported by an awareness and training program, which is importa… (¶ 6, ¶ 9.2, ¶ 9.3.6, ¶ 9.4, ¶ 9.4.1, ¶ 9.4.3, ISO 13335-3 Information technology - Guidelines for the management of IT Security - Part 3: Techniques for the management of IT Security, 1998)
  • ¶ 7 Basic Assessments. An organization should perform a safeguard assessment and selection. The process of safeguard selection always requires identifying the type and characteristic of the IT system considered (for example, a standalone workstation, or a workstation connected to a network), since … (¶ 7, ¶ 8, ¶ 9, ¶ 9.1, ¶ 9.2, ¶ 10.2, ¶ 10.2.1, ¶ 10.2.2,¶ 10.2.3, ¶ 10.2.4, ¶ 10.2.5, ¶ 10.2.6, ¶ 10.2.7, ¶ 10.2.8, ¶ 10.2.9, ¶ 10.3, ¶ 10.3.1, ¶ 10.3.2, ¶ 10.3.3, ¶ 10.3.4, ¶ 10.3.5, ¶ 10.3.6, ¶ 10.3.7, ¶ 10.3.8, ¶ 10.3.9, ¶ 10.3.10, ¶ 10.3.11, ¶ 10.3.12, ¶ 10.3.13, ¶ 10.3.14, ¶ 10.4, ¶ 10.4.1 thru ¶ 10.4.20, ¶ 10.5, ¶ 10.5.1, ¶ 10.5.2, ¶ 10.5.3, ¶ 11.2, ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • ¶ 7.2 Identification Process. A recommended process for the identification and analysis of the communications related factors that should be taken into account to establish network security requirements, and the provision of an indication of the potential safeguard areas. When considering network c… (¶ 7.2, ¶ 9.1, ¶ 12 Table 5 Row "Loss of Confidentiality", ¶ 12 Table 5 Row "Loss of Integrity", ¶ 12 Table 5 Row "Loss of Availability", ¶ 12 Table 5 Row "Loss of Non-Repudiation", ¶ 12 Table 5 Row "Loss of Accountability", ¶ 12 Table 5 Row "Loss of Authenticity", ¶ 12 Table 5 Row "Loss of Reliability", ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • When determining necessary controls, or considering changes to existing controls, consideration should be given to risks and opportunities that need to be addressed, and to any unintended consequences that can result. The organization should control planned changes and review the consequences of uni… (8.1.1 ¶ 2, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • § 3.1: The medical device manufacturer shall establish, document, and maintain a process to identify hazards for medical devices, to estimate and evaluate the risks, to control the risks, and to monitor the effectiveness. § 6.7: The medical device manufacturer shall ensure that all identified haza… (§ 3.1, § 6.7, ISO 14971:2007 Medical devices -- Application of risk management to medical devices, 2007)
  • implementing control of the processes in accordance with the criteria; (§ 8.1 ¶ 1 Bullet 3, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • identify treatments commensurate with business continuity objectives and in accordance with the organization’s risk appetite. (§ 8.2.3 ¶ 2 d), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Determination and selection of strategy shall be based on the outputs from the business impact analysis and risk assessment. (§ 8.3.1 ¶ 1, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • implementing control of the processes in accordance with the criteria; (§ 8.1 ¶ 1 b), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • prioritize the analysed risks for risk treatment. (§ 6.1.2 ¶ 1 e) 2), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • determine all controls that are necessary to implement the information security risk treatment option(s) chosen; (§ 6.1.3 ¶ 1 b), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • When implementing controls, the organization should reduce risk to an acceptable level. Controls should take into account the requirements and constraints of regulations, organizational objectives and relationships, and the costs in relation to risk reduction. (§ 4.2, ISO 27002 Code of practice for information security management, 2005)
  • § 8.4: The organization should compare the level of risks against the risk evaluation criteria and risk acceptance criteria. The organization should compare the estimated risks with the defined risk evaluation criteria in order to evaluate the risks. § 9.2: The organization should select appropria… (§ 8.4, § 9.2, ISO 27005 Information technology -- Security techniques -- Information security risk management, 2011)
  • In addition to implementing the control given by ISO/IEC 27002, organizations processing health information shall assess the risks associated with access by external parties to these systems or the data they contain, and then implement security controls that are appropriate to the identified level o… (§ 15.1.1 Health-specific control, ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • When selecting risk treatment options, the organization should balance the implementation costs and efforts against the benefits, with regard to regulatory, legal, and other requirements, and consider the perceptions and values of stakeholders and how to communicate with them. (§ 5.5.2, ISO 31000 Risk management -- Principles and guidelines, 2009)
  • implementing control of the processes in accordance with the criteria. (§ 8.1 ¶ 1 bullet 2, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • For software systems assigned to Class B and Class C software safety classes, the medical device manufacturer shall define and document the risk control measures for each potential cause of a software item contributing to a hazardous situation. The measures can be implemented in software, hardware, … (§ 7.2.1, ISO 62304 - 2006 Medical device software - Software life cycle processes, 2006)
  • implementing control of the processes in accordance with the criteria; (§ 8.1 ¶ 1 bullet 2, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • AI risks should be identified, quantified or qualitatively described and prioritized against risk criteria and objectives relevant to the organization. Annex B provides a sample catalogue of AI-related risk sources. Such a sample catalogue cannot be considered comprehensive. However, experience has … (§ 6.4.1 ¶ 2, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • The organization should identify controls relevant to either the development or use of AI, or both. Controls should be identified during the risk management activities and documented (in internal systems, procedures, audit reports, etc.). (§ 6.4.2.5 ¶ 1, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • determine all controls that are necessary to implement the IT asset risk treatment option(s) chosen; (Section 6.1.3 ¶ 1(b), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • When the organization utilizes an IT infrastructure with responsibilities for IT assets or data and information shared by both the internal organization and external suppliers of IT services, the organizations shall assess the associated risks. The organization shall ensure that processes and IT inf… (Section 8.7 ¶ 2, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • When there is mixed ownership between the organization and its personnel of IT assets in scope and information held on those assets, it may have an impact on the achievement of the organization's IT asset management objectives. Where this is the case, the organization shall assess the associated ris… (Section 8.8 ¶ 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • prioritize the analysed risks for risk treatment. (Section 6.1.2 ¶ 1(e)(2), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • At planned intervals, the information security risks to the SMS and the services shall be assessed and documented. Information security controls shall be determined, implemented and operated to support the information security policy and address identified information security risks. Decisions about… (§ 8.7.3.2 ¶ 1, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • prioritize the analysed risks for risk treatment. (§ 6.1.2 ¶ 1 e) 2), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • determine all controls that are necessary to implement the information security risk treatment option(s) chosen; (§ 6.1.3 ¶ 1 b), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • To ensure that information security risk treatment is effective and efficient, it is therefore important to be able to demonstrate the relationship from the necessary controls back to the results of the risk assessment and risk treatment processes. (§ 6.1.3 Guidance ¶ 6, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Not every control within ISO/IEC 27001:2013, Annex A needs to be included. Any control within ISO/IEC 27001:2013, Annex A that does not contribute to modifying risk should be excluded and justification for the exclusion should be given. (§ 6.1.3 Guidance ¶ 11, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The effectiveness of the implemented controls should be examined within the scope of internal audits. An audit programme should be designed to ensure coverage of all necessary controls and should include evaluation of the effectiveness of selected controls over time. Key controls (according to the a… (§ 9.2 Guidance ¶ 3, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Additionally, risk evaluation criteria can be used to specify priorities for risk treatment. (§ 7.2.2 ¶ 2, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • Controls to reduce, retain, avoid, or share the risks should be selected and a risk treatment plan defined. (§ 9.1 Action:, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • Risks should be identified, quantified or qualitatively described, and prioritized against risk evaluation criteria and objectives relevant to the organization. (§ 8.1 Action:, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • Existing and planned controls should be identified. (§ 8.2.4 Action:, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • Where the use of PII for testing purposes cannot be avoided a risk assessment should be undertaken. Technical and organizational measures should be implemented to minimize the risks identified. (§ 12.1.4 ¶ 3, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Where the use of PII for testing purposes cannot be avoided a risk assessment should be undertaken. Technical and organizational measures should be implemented to minimize the risks identified. (§ 12.1.4 ¶ 3, ISO/IEC 27018:2019, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, Second edition)
  • On deletion by a cloud service user of data held in an information system, performance issues can mean that explicit erasure of those data is impractical. This creates the risk that another user can be able to read the data. Such risk should be avoided by specific technical measures. (§ A.11.13 ¶ 4, ISO/IEC 27018:2019, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, Second edition)
  • When assessing the applicability of control objectives and controls from ISO/IEC 27001:2013 Annex A for the treatment of risks, the control objectives and controls shall be considered in the context of both risks to information security as well as risks related to the processing of PII, including ri… (§ 5.4.1.3 ¶ 4, ISO/IEC 27701:2019, Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines)
  • In situations where there is a significant risk to the duty of care, the governing body should require additional organizational controls to effectively treat such risks and ensure they do not exceed the risk appetite of the organization (see 6.7.5 for examples). (§ 6.7.3 ¶ 1 Bullet 3 ¶ 2, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • Select the controls for the system and the environment of operation. (TASK S-1, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • Tailor the controls selected for the system and the environment of operation. (TASK S-2, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • Management considers control activities at various levels in the entity. (CC5.1 ¶ 2 Bullet 5 Considers at What Level Activities Are Applied, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The entity also selects and develops general control activities over technology to support the achievement of objectives. (CC5.2 ¶ 1 COSO Principle 11:, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing. (CC5.2 ¶ 2 Bullet 2 Establishes Relevant Technology Infrastructure Control Activities, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. (CC5.1 ¶ 1 COSO Principle 10:, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Management considers how the environment, complexity, nature, and scope of its operations, as well as the specific characteristics of its organization, affect the selection and development of control activities. (CC5.1 ¶ 2 Bullet 2 Considers Entity-Specific Factors, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The organization prioritizes risks as a basis for selecting responses to risks. (Principle 12: Prioritizes Risks, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The cyber risk management program and risk assessment process produce actionable recommendations that the organization uses to select, design, prioritize, implement, maintain, evaluate, and modify security controls. (GV.RM-1.5, CRI Profile, v1.2)
  • Based on a periodic risk assessment, the organization's cybersecurity program identifies and implements appropriate security controls to manage applicable cyber risks within the risk tolerance set by the governing authority (e.g., the Board or one of its committees). (GV.SP-1.2, CRI Profile, v1.2)
  • An independent risk management function frequently and recurrently assesses the organization's controls and cyber risk exposure, identifies opportunities for improvement based on assessment results, and proposes risk mitigation strategies and improvement actions when needed. (GV.IR-2.2, CRI Profile, v1.2)
  • Based on a periodic risk assessment, the organization's cybersecurity program identifies and implements appropriate security controls to manage applicable cyber risks within the risk tolerance set by the governing authority (e.g., the Board or one of its committees). (GV.SP-1.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The cyber risk management program and risk assessment process produce actionable recommendations that the organization uses to select, design, prioritize, implement, maintain, evaluate, and modify security controls. (GV.RM-1.5, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • An independent risk management function frequently and recurrently assesses the organization's controls and cyber risk exposure, identifies opportunities for improvement based on assessment results, and proposes risk mitigation strategies and improvement actions when needed. (GV.IR-2.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The selection of cryptographic protection should be based on a threat and risk analysis which covers the value of the information being protected, the consequences of the confidentiality and integrity of the information being breached, the time period during which the information is confidential and… (8.5.2 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • The organization should develop a plan to implement the responses to reduce the risks. Procedures should be in place to ensure the actions are taken to effectively implement the controls. (Pg 56, Pg 57, COSO Enterprise Risk Management (ERM) Integrated Framework (2004))
  • The organization should take corrective actions, in a timely way, for ineffective controls. (Table Ref 10.2.5, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • When considering the suitability of design, the service auditor may determine that some system components (such as network access points, databases, or transactions) are subject to greater threats or have vulnerabilities that are more likely to be exploited. In such instances, controls designed and … (¶ 3.87, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The auditor should evaluate if the organization has established effective controls to address the risks from IT. The controls are effective if they maintain the information's integrity and if they maintain data security. (§ 314.96, SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement)
  • Because each system and the environment in which it operates are unique, the combination of risks that would prevent a service organization from achieving its service commitments and system requirements, and the controls necessary to address those risks, will be unique in each SOC 2 examination. Man… (¶ 1.52, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The entity also selects and develops general control activities over technology to support the achievement of objectives. (CC5.2 COSO Principle 11:, Trust Services Criteria)
  • The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. (CC5.1 COSO Principle 10:, Trust Services Criteria)
  • Management considers control activities at various levels in the entity. (CC5.1 Considers at What Level Activities Are Applied, Trust Services Criteria)
  • Management considers how the environment, complexity, nature, and scope of its operations, as well as the specific characteristics of its organization, affect the selection and development of control activities. (CC5.1 Considers Entity-Specific Factors, Trust Services Criteria)
  • Management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing. (CC5.2 Establishes Relevant Technology Infrastructure Control Activities, Trust Services Criteria)
  • Management considers control activities at various levels in the entity. (CC5.1 ¶ 2 Bullet 5 Considers at What Level Activities Are Applied, Trust Services Criteria, (includes March 2020 updates))
  • The entity also selects and develops general control activities over technology to support the achievement of objectives. (CC5.2 ¶ 1 COSO Principle 11:, Trust Services Criteria, (includes March 2020 updates))
  • Management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing. (CC5.2 ¶ 2 Bullet 2 Establishes Relevant Technology Infrastructure Control Activities, Trust Services Criteria, (includes March 2020 updates))
  • The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. (CC5.1 ¶ 1 COSO Principle 10:, Trust Services Criteria, (includes March 2020 updates))
  • Management considers how the environment, complexity, nature, and scope of its operations, as well as the specific characteristics of its organization, affect the selection and development of control activities. (CC5.1 ¶ 2 Bullet 2 Considers Entity-Specific Factors, Trust Services Criteria, (includes March 2020 updates))
  • Principle: Firms should conduct regular assessments to identify cybersecurity risks associated with firm assets and vendors and prioritize their remediation. Effective practices include establishing and implementing governance frameworks to: - identify and maintain an inventory of assets authorized… (Cybersecurity Risk Assessment, Report on Cybersecurity Practices)
  • Implement information safeguards to manage the threats identified in its ongoing assessment, and no less than annually, assess the effectiveness of the safeguards' key controls, systems, and procedures. (Section 4.C ¶ 1(5), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • Identified risks to the system should be countered with the use of cost-effective measures. The security controls selected may degrade operational efficiency. Management should take this disruption into account when determining if the implementation of the countermeasure is acceptable. (§ 1-5.a(1), § 5-4.b, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • CMS business partners shall use a risk-based approach to determine adequate security and shall consider the major factors in management, including the value of the application or system, vulnerabilities, threats, and the effectiveness of the current or proposed safeguards. (§ 3.2 ¶ 3, CMS Business Partners Systems Security Manual, Rev. 10)
  • § 4.1 ¶ 3: The business owner must determine the level of each threat/vulnerability pair on the business function and/or the system's confidentiality, integrity, and availability and the likelihood that it will occur with the existing security controls. After the risk level has been determined, th… (§ 4.1 ¶ 3, § 4.4.1, § 4.5.1, § 4.5.2, CMS Information Security Risk Assessment (IS RA) Procedure, Version 1.0 Final)
  • CSR 1.8.2(3): The risk assessment must include safeguards, including policy, procedure, security awareness and security training, separation of duty, audit routines, computer system automatic controls, backup, encryption, testing/validating/editing, audit trails/logs, manual controls, secure disposa… (CSR 1.8.2(3), CSR 5.1.2, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • are based on the risk assessments required by paragraph (1); (§ 3554(b)(2)(A), Federal Information Security Modernization Act of 2014)
  • The personal data privacy and security program must be designed by the business entity to control the risks identified during the risk assessment described under Section 302(a)(3). (§ 302(a)(4)(A), Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress)
  • The DISA PPSM office, along with the PPSM Change Control Board (CCB) and Technical Advisory Group (TAG) publish a Category Assignment List (CAL) which lists the PS permitted to cross certain DISN boundaries and Vulnerability Assessments (VAs) for each PS listed. Compliance with VAs is the key to the… (Section 5.15 ¶ 2, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Sufficient security measures that will reduce the risks and vulnerabilities to a reasonable and appropriate level in order to comply with § 164.306(a) shall be implemented. (§ 164.308(a)(1)(ii)(B), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • § 4.1 DIB assets are ranked according to the DoD Asset Prioritization Model (APM) for both analysis and reduction of risk. The APM is an index model where a higher score indicates a greater impact if the asset is lost and a method to support scheduling decisions. The impact score (the asset's "crit… (§ 4.1, § 4.2, Defense Industrial Base Information Assurance Standard)
  • Threat information is used to enhance internal risk management and controls. (Domain 2: Assessment Factor: Threat Intelligence, THREAT INTELLIGENCE AND INFORMATION Baseline 1 ¶ 3, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Issues identified in assessments are prioritized and resolved based on criticality and within the time frames established in the response to the assessment report. (Domain 3: Assessment Factor: Corrective Controls, REMEDIATION Baseline 2 ¶ 1, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Implements controls based on the institution's risk assessment to mitigate risk from information security threats and vulnerabilities, such as interconnectivity risk. (App A Objective 6.5.a, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether management measures the risk to guide its recommendations for and use of mitigating controls. (App A Objective 5, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Verification that information and cybersecurity risks are appropriately identified, measured, mitigated, monitored, and reported. (App A Objective 6.31.g, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should oversee outsourced operations through the following: - Appropriate due diligence in third-party research, selection, and relationship management. - Contractual assurances for security responsibilities, controls, and reporting. - Nondisclosure agreements regarding the institution'… (II.C.20 Oversight of Third-Party Service Providers, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Risk assessment, priority, and mitigation across the institution. (App A Objective 4:1 a., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The risks identified in the risk assessment should be ranked and prioritized. (Pg 23, FFIEC IT Examination Handbook - Management)
  • Management should prioritize the corrective actions that need to be taken based on the probability of the event occurring, the financial or legal impact to the organization, and the importance of the system to the organization. (Pg 13, Pg 14, FFIEC IT Examination Handbook - Operations, July 2004)
  • Discuss findings with management and obtain proposed corrective action for significant deficiencies. (Exam Tier I Obj 4.3, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • Specific retail payment instruments introduce risks that require effective internal controls and adherence to the relevant clearing house, association, interchange, and regulatory requirements. Financial institutions should address these risks in their information security and business continuity pl… (Retail Payment Instrument Specific Risk Management Controls, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Financial institution management effectively identifies and implements controls to mitigate identified and prioritized risks associated with the MFS offering. (AppE.7 Objective 5, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The organization should communicate to the service provider any findings, recommendations, and/or required corrective actions that need to be taken in a timely manner. (Pg 3, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, March 2003)
  • In cloud computing environments, financial institutions may outsource the management of different controls over information assets and operations to the cloud service provider. Careful review of the contract between the financial institution and the cloud service provider along with an understanding… (Risks ¶ 1, FFIEC Security in a Cloud Computing Environment)
  • The Agencies reiterate and stress the expectation described in the 2005 Guidance that financial institutions should perform periodic risk assessments and adjust their customer authentication controls as appropriate in response to new threats to customers' online accounts. Financial institutions shou… (Risk Assessments ¶ 1, Supplement to Authentication in an Internet Banking Environment)
  • All findings from the safeguard review must be addressed in a timely fashion and must be resolved before the next reporting cycle, as defined by the Safeguard Activity Report. (§ 2.7, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • § 4.1.3 Bullet 1: Implement security measures to reduce each risk to a reasonable and appropriate level. § 4.1.5 Bullet 1: Implement each control necessary to mitigate each identified risk. (§ 4.1.3 Bullet 1, § 4.1.5 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • AI risks based on assessments and other analytical output from the MAP and MEASURE functions are prioritized, responded to, and managed. (MANAGE 1, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
  • Treatment of documented AI risks is prioritized based on impact, likelihood, and available resources or methods. (MANAGE 1.2, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
  • Responses to the AI risks deemed high priority, as identified by the MAP function, are developed, planned, and documented. Risk response options can include mitigating, transferring, avoiding, or accepting. (MANAGE 1.3, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
  • AI risks and benefits from third-party resources are regularly monitored, and risk controls are applied and documented. (MANAGE 3.1, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
  • Level 3 activities focus on managing operational-level risk exposure resulting from any ICT/OT-related products and services provided through the supply chain that are in use by the enterprise or fall within the scope of the systems authorization boundary. Level 3 C-SCRM activities begin with an ana… (2.3.4. ¶ 3, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Identify alternative courses of action to respond to risks identified during the risk assessment. (Task 3-1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • The organization should base controls on identified potential risks and select them from the available controls. (§ 1 ¶ 5, FIPS Pub 140-2, Security Requirements for Cryptographic Modules, 2)
  • Risk responses are identified and prioritized. (ID.RA-6, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • (§ 3.3.2, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Organizations should plan to implement multiple types of mitigations to protect vulnerable unpatchable assets. In addition to using long-term risk mitigation methods for unpatchable assets, organizations should also implement mitigations as needed to prevent exploitation of specific vulnerabilities … (3.5.4 ¶ 2, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology, NIST SP 800-40, Revision 4)
  • Organizations should approach patching from a per-asset perspective. Software inventories should include information on each computing asset's technical characteristics and mission/business characteristics. Making decisions for risk responses and their prioritization should not be based solely on wh… (3.2 ¶ 4, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology, NIST SP 800-40, Revision 4)
  • For an ICS, encryption can be deployed as part of a comprehensive, enforced security policy. Organizations should select cryptographic protection based on a risk assessment and the identified value of the information being protected and ICS operating constraints. Specifically, a cryptographic key sh… (§ 6.2.16.1 ICS-specific Recommendations and Guidance ¶ 7, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Recommend new or revised security, resilience, and dependability measures based on the results of reviews. (T0218, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Ensure that cybersecurity-enabled products or other compensating security control technologies reduce identified risk to an acceptable level. (T0088, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Make recommendations regarding the selection of cost-effective security controls to mitigate risk (e.g., protection of information, systems and processes). (T0550, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Select the security controls for a system and document the functional description of the planned control implementations in a security plan. (T0946, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Problematic data actions, likelihoods, and impacts are used to determine and prioritize risk. (ID.RA-P4, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Organizations are required to adequately mitigate the risk arising from use of information and information systems in the execution of mission/business processes. The challenge for organizations is in implementing the right set of security controls. Guided by the RMF and in accordance with FIPS 199 … (§ 3.4 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Part of a successful contingency planning policy is making a system resilient to environmental and component-level failures that would otherwise cause system disruptions. There are several methods for making valuable hardware and software resilient. Determination of the appropriate methods should be… (§ 5.1.3 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Use results from the BIA. Impacts and priorities of associated information systems discovered through the BIA should be reviewed to determine related requirements. (§ 5.2.1 ¶ 1 Bullet 5, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Decide on the appropriate course of action for responding to risk. (Task 3-3, NIST SP 800-39, Managing Information Security Risk)
  • Ensure that cybersecurity-enabled products or other compensating security control technologies reduce identified risk to an acceptable level. (T0088, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Recommend new or revised security, resilience, and dependability measures based on the results of reviews. (T0218, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Make recommendations regarding the selection of cost-effective security controls to mitigate risk (e.g., protection of information, systems and processes). (T0550, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Select the security controls for a system and document the functional description of the planned control implementations in a security plan. (T0946, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • § 3.8: The organization should consider the following factors when recommending controls and alternative solutions for minimizing or eliminating risks: legislation and regulation; operational impact; organizational policy; the effectiveness of the recommended options; and safety and reliability. §… (§ 3.8, § 4.1, § 4.3 ¶ 1, § 4.3 ¶ 2, Risk Management Guide for Information Technology Systems, NIST SP 800-30, July 2002)
  • Decide on the appropriate course of action for responding to risk. (2.2.3 TASK 3-3:, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization (ID.RA-05, The NIST Cybersecurity Framework, v2.0)
  • The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship (GV.SC-07, The NIST Cybersecurity Framework, v2.0)
  • Risk responses are chosen, prioritized, planned, tracked, and communicated (ID.RA-06, The NIST Cybersecurity Framework, v2.0)
  • The organization should prioritize the corrective action to be taken to reduce the effect of risks on the system. The corrective action plan should include a description of the deficiency, when it was first discovered, when it should be fixed by, who is responsible for fixing it, and how to meas… (Pg 44, Implementation Guide for OMB Circular A-123 Management's Responsibility for Internal Control)
  • Organizations should provide the appropriate controls to reduce the risks. These controls should be proportionate to the risk of not having a control in place. (§ III (FISMA), OMB Circular A-123, Management's Responsibility for Internal Control)
  • record the assessment of risk in a way which facilitates monitoring and the identification of risk priorities; and (Section II (B2) ¶ 3 (2), OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • As part of developing the risk profile, management must determine those risks for which the appropriate response includes implementation of formal internal control activities as described in Section III of this guidance and which conform to the standards published by GAO in the Green Book. These inc… (Section II (B4) ¶ 3, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • Federal managers must carefully consider the appropriate balance between risk, controls, costs, and benefits in their mission-support operations. Too many controls can result in inefficiencies, while too few controls might increase risk to an unacceptable level. (Section III ¶ 4, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • Federal managers must carefully consider the appropriate balance between controls and risk in their programs and operations. To emphasize, too many controls can result in inefficient and ineffective government; agency managers must ensure an appropriate balance between the strength of controls and t… (Section III ¶ 9, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • Employees who directly manage third party relationships must respond to any material weaknesses that are identified during independent reviews. ("Bank Employees Who Directly Manage Third-Party Relationships" Bullet 10, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • Establish a process to identify and evaluate vulnerabilities and compensating security controls. (Table 2: Risk Assessment Baseline Security Measures Cell 1, Pipeline Security Guidelines)
  • Adoption of appropriate information safeguards to address identified risks of a breach of security and assess the effectiveness of such safeguards. (§ 8-38-3 (b)(3), Code of Alabama Title 8 Chapter 38 Section 8-38-1 thru 8-38-12, Alabama Data Breach Notification Act of 2018)
  • Implement information safeguards to manage the threats identified in its ongoing assessment, and no less than annually, assess the effectiveness of the key controls, systems, and procedures of the safeguards. (Section 27-62-4(c)(5), Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • Implement information safeguards to manage the threats identified in such licensee's ongoing assessment; and (Part VI(c)(3)(E), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • Implement information safeguards to manage the threats identified in the licensee's ongoing assessment under paragraph (c)(2) of this section and, at least annually, assess the effectiveness of the safeguards' key controls, systems, and procedures. (§ 8604.(c)(5), Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • Determine if a security measure listed in paragraphs (d)(2)a. through k. of this section is appropriate and implement each appropriate security measure. (§ 8604.(d)(2), Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • Implement information safeguards to manage the threats identified in its ongoing assessment, and no less than annually, assess the effectiveness of the safeguards' key controls, systems, and procedures. (§431:3B-202(b)(5), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • Implementing information safeguards to manage the threats identified under subdivision (2), and assessing the effectiveness of the safeguards' key controls, systems, and procedures at least one (1) time each year. (Sec. 17.(5), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • Implements information safeguards to manage threats identified in the licensee’s ongoing risk assessments and, at least annually, assesses the effectiveness of the information safeguards’ key controls, systems, and procedures. (507F.4 3.e., Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • Implement information safeguards to manage the threats identified in its ongoing assessment, and, no less than annually, assess the effectiveness of the safeguards' key controls, systems, and procedures. (§2504.C.(5), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Implement information safeguards to manage the threats identified in its ongoing assessment, and, no less than annually, assess the effectiveness of the safeguards' key controls, systems, and procedures. (Sec. 555.(3)(e), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • implement information safeguards to manage the threats identified in its ongoing assessment, and no less than annually, assess the effectiveness of the safeguards' key controls, systems, and procedures. (§ 60A.9851 Subdivision 3(5), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • Implement information safeguards to manage the threats identified in its ongoing assessment, and no less than annually, assess the effectiveness of the safeguards’ key controls, systems and procedures. (§ 83-5-807 (3)(e), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • Implement information safeguards to manage the threats identified in its ongoing assessment, and no less than annually, assess the effectiveness of the safeguards' key controls, systems, and procedures. (§ 420-P:4 III.(e), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • Each covered entity shall conduct a periodic risk assessment of the covered entity's information systems sufficient to inform the design of the cybersecurity program as required by this Part. Such risk assessment shall be reviewed and updated as reasonably necessary, but at a minimum annually, and w… (§ 500.9 Risk Assessment (a), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • Implement information safeguards to manage the threats identified in the licensee's ongoing assessment and assess the effectiveness of the safeguards' key controls, systems, and procedures on an annual basis. (26.1-02.2-03. 3.e., North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • Implement information safeguards to manage the threats identified in its ongoing assessment; (Section 3965.02 (C)(5), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • implement information safeguards to manage the threats identified in its ongoing assessment, and at least annually assess the effectiveness of the safeguards' key controls, systems, and procedures. (SECTION 38-99-20. (C)(5), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • Implement information safeguards to manage the threats identified in the licensee's risk assessment and, no less than annually, assess the effectiveness of the safeguards' key controls, systems, and procedures; (§ 56-2-1004 (3)(E), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • establish adequate policies and safeguards based on a process of systematic evaluation of the impacts on and risks to privacy; (Art. 50 § 2 I(d), Brazilian Law No. 13709, of August 14, 2018)