Establishing a continual risk assessment commitment

Status: Live

The organization will update the risk assessment whenever there are significant changes to the system, facilities, or other conditions that may impact the accreditation status of the system. [UCF ID 00708]

Supporting and supported controls

This control directly supports: none listed.

There are no supporting controls.

Authority documents complied with:

AICPA Suitable Trust Services Principles and Criteria, ¶ .20 § 3.1, ¶ .24 § 3.17; Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework, ¶ 620(e), ¶ 666(e); FFIEC Guidance on Authentication in an Internet Banking Environment, Pg 3; FFIEC IT Examination Handbook – Audit, August 2003, Pg 11, Pg 16; FFIEC IT Examination Handbook – Information Security, Pg 16, Pg 95, Exam Tier I Obj 3.4, Exam Tier II Obj L.1; FFIEC IT Examination Handbook – Management, Pg 4, Pg 15, Pg 24, Exam Obj 5.3; FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003, Pg 3; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 5-6; Aviation and Transportation Security Act, Public Law 107-71, November 2001, § 112(b)(2); Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security, 6 CFR Part 27, § 27.215(d); FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; The National Strategy to Secure Cyberspace, February 2003, § IV.A.1; TITLE 49, Subtitle VII - Aviation Programs, December 5, 2001, § 44912(b)(1); IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 5.6.4, § 5.6.13, Exhibit 4 CA-2, Exhibit 4 CA-7, Exhibit 4 RA-4; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2, RA-4; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, RA-4; Business Continuity Institute (BCI) Good Practice Guidelines, 2005, Stage 1.3 Process; The Standard of Good Practice for Information Security, SM1.2.3(c), SM3.3.3, CB5.3.8, CI5.4.9, NW4.4.9; ISO 27001:2005, Information Security Management Systems - Requirements, § 4.2.3(d); The Dutch corporate governance code, Principles of good corporate governance and best practice provisions, 9 December 2003, ¶ III.1.8; Australian Government ICT Security Manual (ACSI 33), § 3.7.31; Australia Better Practice Guide - Business Continuity Management, January 2000, Pg 24; BIS Sound Practices for the Management and Supervision of Operational Risk, Principle 6; OMB Circular A-123 Management’s Responsibility for Internal Control, § II.E; The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002, ¶ 3.1.5, ¶ 3.2.2, ¶ 3.2.3, ¶ 4.2.3; Guide to Bluetooth Security, NIST Special Publication 800-121, September 2008, Table 4-2 Item 3; Guidelines on Cell Phone and PDA Security, NIST Special Publication 800-124, October 2008, § 4.2.3; Archer Control Table, ATCS-028, ATCS-032, ATCS-034, ATCS-499

Sarbanes Oxley Guidance

The organization should conduct and/or review the risk assessment on a regular basis or when a significant change occurs. [¶ .20 § 3.1, ¶ .24 § 3.17, AICPA Suitable Trust Services Principles and Criteria]

The organization should periodically assess the risks to the system, taking into account the controls already implemented. [§ II.E, OMB Circular A-123 Management’s Responsibility for Internal Control]

Banking and Finance Guidance

The risk assessment system should be validated and independently reviewed on a regular basis, with the review conducted by external auditors. [¶ 620(e), ¶ 666(e), Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework]

The organization should continuously review its authentication technology against changing threats and ensure that any needed changes are implemented. [Pg 3, FFIEC Guidance on Authentication in an Internet Banking Environment]

The audit risk assessment should be updated by the auditors at least annually, or more frequently if necessary. [Pg 11, Pg 16, FFIEC IT Examination Handbook – Audit, August 2003]

Risk assessments should be updated whenever new security risks are identified (a new threat or vulnerability, or a hardware or software change). Senior management should review the risk assessment at least annually. [Pg 16, Pg 95, Exam Tier I Obj 3.4, Exam Tier II Obj L.1, FFIEC IT Examination Handbook – Information Security]

Management should continuously monitor risks to determine the level of risk the organization will accept. The risk assessment process should be continuous and not a one-time or annual event. [Pg 4, Pg 15, Pg 24, Exam Obj 5.3, FFIEC IT Examination Handbook – Management]

The organization should monitor the service provider for changes in products, services, and/or risk management practices that could adversely affect the organization. [Pg 3, FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003]

The organization should periodically review control strategies and risk limitations and adjust the risk profile accordingly. [Principle 6, BIS Sound Practices for the Management and Supervision of Operational Risk]

US Federal Security Guidance

The effectiveness of security controls should be reviewed continuously. [§ 5-6, Army Regulation 380-19: Information Systems Security, February 27, 1998]

The Under Secretary must periodically review the threats to aviation using a systems analysis (vulnerability analysis, threat definitions) that also considers future technologies that might be used to threaten aircraft. [§ 112(b)(2), Aviation and Transportation Security Act, Public Law 107-71, November 2001]

The Security Vulnerability Assessment must be updated and revised within 90 days of written notification from the Department. [§ 27.215(d), Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security, 6 CFR Part 27]

Calls for Risk Assessment (RA): Organizations must periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]

[§ IV.A.1, The National Strategy to Secure Cyberspace, February 2003]

The Under Secretary must periodically review the threats to aviation and focus on a systems analysis (vulnerability analysis, threat definitions) and future technologies that might be used to threaten aircraft. [§ 44912(b)(1), TITLE 49, Subtitle VII - Aviation Programs, December 5, 2001]

US Internal Revenue Guidance

The organization must conduct an assessment of the security controls at least annually. The assessment must ensure the controls are operating correctly and producing the desired outcome. The risk assessment must be updated whenever there are significant changes to the system or any of the facilities or any other changes in conditions that might affect the security status of the system. [§ 5.6.4, § 5.6.13, Exhibit 4 CA-2, Exhibit 4 CA-7, Exhibit 4 RA-4, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]

NIST Guidance

The organization should develop and document specific criteria for what is considered a significant change to the information system, and how that change should trigger an assessment update as a part of the ongoing risk assessment commitment. [RA-4, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2]

Organizational records and documents should be examined to ensure that risk assessments are performed routinely on a predetermined schedule or whenever significant changes are made; that the risk assessment reflects the latest changes to the system; and that specific responsibilities and actions are defined for implementing the risk assessment update control. Any problems discovered while implementing the risk assessment update control should be documented and used to improve the controls.

Interviews should be conducted with the personnel who perform risk assessments to confirm that the assessments are performed on a regular basis and cover all changes to the system.

[RA-4, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

The organization should perform comprehensive security assessments on a regular basis to determine the security posture of its Bluetooth devices and networks. [Table 4-2 Item 3, Guide to Bluetooth Security, NIST Special Publication 800-121, September 2008]

The organization should maintain an ongoing risk assessment process. [§ 4.2.3, Guidelines on Cell Phone and PDA Security, NIST Special Publication 800-124, October 2008]

ISO Guidance

The organization should routinely review risk assessments, residual risks, and the acceptable level of risk. When reviewing these documents, the organization should determine if there are any changes to the following: the organization and its objectives; technology; threats; installed security controls; and legal requirements. [§ 4.2.3(d), ISO 27001:2005, Information Security Management Systems - Requirements]

General Guidance

Once a risk assessment has been conducted, obtain the organization’s sponsor's approval and sign-off, together with a budget for the proposed risk management controls. [Stage 1.3 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005]

The information security policy should require a risk analysis to be performed on a regular basis. [SM1.2.3(c), SM3.3.3, CB5.3.8, CI5.4.9, NW4.4.9, The Standard of Good Practice for Information Security]

Other European and African Guidance

The Supervisory Board must review management's assessment of the internal risk management and control system at least annually. [¶ III.1.8, The Dutch corporate governance code, Principles of good corporate governance and best practice provisions, 9 December 2003]

The organization must assess its risks at least annually. Management should be committed to the risk management system. [¶ 3.1.5, ¶ 3.2.2, ¶ 3.2.3, ¶ 4.2.3, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002]

Asia and Pacific Rim Guidance

Vulnerability assessments should be performed before the system is used, after any major changes to the system, and as required by the Security Officer. [§ 3.7.31, Australian Government ICT Security Manual (ACSI 33)]

The organization’s commitment to treating each risk should be discussed and agreed. Each selected treatment should be documented, with responsibility for implementing it delegated and the resources to be used listed. A budget should be assigned to each treatment, a timetable for implementation set, and the mechanism and frequency for reviewing compliance worked out. [Pg 24, Australia Better Practice Guide - Business Continuity Management, January 2000]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of total systems that have been authorized for processing following certification and accreditation [UCF Control ID 02143]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.

Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.