Status: Live
The organization will identify, document and analyze risks associated with the project. [UCF ID 01135]
Supporting and supported controls
This control directly supports:
- Acquisition of facilities, technology, and services [UCF Control ID 01123]
There are no supporting controls.
Authority documents complied with:
FFIEC IT Examination Handbook – Development and Acquisition, Exam Obj 6.1; FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004, Pg 11, Exam Tier I Obj 3.3, Exam Tier II Obj B.1; Clinger-Cohen Act (Information Technology Management Reform Act), § 5122(b)(5); Federal Information Security Management Act of 2002 (FISMA), § 3544(b)(1)(c); Federal Information System Controls Audit Manual (FISCAM), February 2009, SP-1; GAO/PCIE Financial Audit Manual (FAM), § 260.44; CobiT 4.1, AI1.2, AI1.4; The Standard of Good Practice for Information Security, SM3.3.2(b), SM4.3.4, CB5.3.8, CI5.4.9, NW4.4.9; BIS Sound Practices for the Management and Supervision of Operational Risk, Principle 4; Archer Control Table, ATCS-016, ATCS-408, ATCS-609, ATCS-796
Banking and Finance Guidance
[Exam Obj 6.1, FFIEC IT Examination Handbook – Development and Acquisition]
The organization should analyze each Request for Proposal (RFP) response to ensure it meets the organization's needs. The following information should be confirmed and assessed to ensure the service provider meets the RFP requirements: corporate history; qualifications and backgrounds of principal(s); references; reviews of financial statements; reputation; delivery capability; technology architectures; security history; legal and regulatory compliance; insurance coverage; and the ability to meet disaster recovery and business continuity requirements. [Pg 11, Exam Tier I Obj 3.3, Exam Tier II Obj B.1, FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004]
Prior to new products or services being introduced in the organization, the operational risks should be assessed. [Principle 4, BIS Sound Practices for the Management and Supervision of Operational Risk]
US Federal Security Guidance
[§ 5122(b)(5), Clinger-Cohen Act (Information Technology Management Reform Act)]
[§ 3544(b)(1)(c), Federal Information Security Management Act of 2002 (FISMA)]
[SP-1, Federal Information System Controls Audit Manual (FISCAM), February 2009]
[§ 260.44, GAO/PCIE Financial Audit Manual (FAM)]
General Guidance
The organization is called upon to identify, document and analyze risks associated with the business processes as part of the organization's process for the development of requirements. Risks include threats to data integrity, security, availability, privacy, and compliance with laws and regulations. Required internal control measures and audit trails should be identified as part of these requirements.
The organization is called upon to not move forward with any projects until the business sponsor approves and signs off on business functional and technical requirements and feasibility study reports at predetermined key stages. Each sign-off follows successful completion of quality reviews. The business sponsor has the final decision with respect to choice of solution and acquisition approach. [AI1.2, AI1.4, CobiT 4.1]
A risk analysis should be performed at an early stage of development for all systems and networks and prior to major application or network changes to determine if the changes will pose risk. All new hardware and software should be approved by appropriate personnel. [SM3.3.2(b), SM4.3.4, CB5.3.8, CI5.4.9, NW4.4.9, The Standard of Good Practice for Information Security]
Metrics
The metrics associated with this control are as follows:
- Report on the percentage of systems that have had risk levels reviewed by management [UCF Control ID 02138]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
