UCF ID: 01157 | Control Type: Process or Activity | Status: Live
Supporting and supported controls
This control directly supports:
- Establish a risk assessment approach to handle internal and external threats. [UCF Control ID 00687]
This control has the following supporting controls:
- Identify the risks and probability for natural events, technical events, and malicious activity. [UCF Control ID 01173]
Authority documents complied with:
PCAOB Auditing Standard No. 5, ¶ 47, ¶ 62; SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, § 314.72; FFIEC IT Examination Handbook – Audit, August 2003, Pg 15, Exam Tier II Obj D.2; FFIEC IT Examination Handbook – Information Security, Pg 11, Pg 12; FFIEC IT Examination Handbook – Management, Pg 22; FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004, Exam Tier I Obj 2.1; FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003, Pg 3; VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business, Pg 45, Pg 46; FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security, § 3.1; CobiT, Version 4.1, PO1.3; The Standard of Good Practice for Information Security, SM3.3.2; Australia Better Practice Guide - Business Continuity Management, January 2000, Pg 18, Pg 19; OMB Circular A-123 Management’s Responsibility for Internal Control, § App A § IV.B; Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control, Pg 31; ISO/IEC 13335-3 Information technology — Guidelines for the management of IT Security — Part 3: Techniques for the management of IT Security, 1998, ¶ 9.3.7
Sarbanes Oxley Guidance
Each control has risk associated with it. Factors that affect the amount of risk include: the nature of the misstatements the control prevents or detects; whether the account has a history of errors; the effectiveness of the controls; how frequently the control operates; the degree to which the control depends on other controls; changes in the volume of transactions that might affect design or operating effectiveness; the competence of the personnel operating the controls; whether the control operates automatically or manually; and the complexity of the controls. The auditor should evaluate all identified deficiencies to determine whether they are material weaknesses. The severity of a deficiency depends on the magnitude of the potential misstatement and on whether there is a reasonable possibility that the controls will fail to prevent or detect a misstatement. [¶ 47, ¶ 62, PCAOB Auditing Standard No. 5]
The auditor should determine if the control environment elements have been implemented by obtaining evidence based on inquiries and other risk assessment procedures. [§ 314.72, SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement]
The assessment of the controls should be documented and should contain the following: a list of the members of the senior assessment team; the assessment methodology; the tests and results of the tests; any communications with management or employees; if contractors are used, the contracting agreement; and identified deficiencies, along with improvement suggestions. [§ App A § IV.B, OMB Circular A-123 Management’s Responsibility for Internal Control]
The organization should identify all risks to the systems. The specific information the risks affect and how the risks occur should be documented. The impact of the risk on the system should be determined. [Pg 31, Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control]
Banking and Finance Guidance
The risk assessment should identify the organization's data, applications, operating systems, technology, facilities, personnel, business activities, and business processes. [Pg 15, Exam Tier II Obj D.2, FFIEC IT Examination Handbook – Audit, August 2003]
The organization should assess the importance of systems based on the criticality and sensitivity of the data they store and/or transmit. [Pg 11, Pg 12, FFIEC IT Examination Handbook – Information Security]
The organization should gather data from system inventories, strategic plans, continuity plans, the monitoring of service providers, audit findings, self-assessments, and call center tracking reports to aid in the development of a formal risk assessment. [Pg 22, FFIEC IT Examination Handbook – Management]
[Exam Tier I Obj 2.1, FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004]
An initial risk profile should be developed by the examiners for each service provider based on information gathered during the examination and from reports from other external audits. [Pg 3, FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003]
Payment Card Guidance
The organization should use fraud screening tools to help identify high-risk transactions. Examples of high-risk transactions include transactions that match data stored in negative files, do not receive an Address Verification Service (AVS) match, and/or use international Internet Protocol (IP) addresses. Other methods for determining high-risk transactions include examining the type of goods purchased, the amount of the transaction, and the country the card was issued from, and comparing the shipping address to a database of third-party, high-risk shipping addresses. [Pg 45, Pg 46, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business]
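The screening indicators listed above, as an added example that is not part of the UCF page or the VISA guide: each indicator becomes a weighted rule over a tokenised order record, and a held-for-review decision is taken when the combined score crosses a threshold. The weights, the review threshold, the high-risk goods categories, the merchant country and every order, negative-file entry and address below are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed reference data; a merchant would load these from its own
# negative file and a third-party high-risk shipping address feed.
NEGATIVE_FILE = {"card_token": {"tok_9f3a"}, "email": {"mallory@example.net"}}
HIGH_RISK_SHIP_ADDRESSES = {"1 Drop Lane, Anytown"}
HIGH_RISK_GOODS = {"gift cards", "electronics"}   # assumed categories
MERCHANT_COUNTRY = "US"
AMOUNT_THRESHOLD = 500.00                          # assumed currency units

@dataclass(frozen=True)
class Transaction:
    card_token: str         # tokenised card reference, never the PAN
    email: str
    amount: float
    avs_match: bool         # result of the Address Verification Service
    ip_country: str         # geolocated country of the customer's IP address
    card_country: str       # country the card was issued in
    ship_address: str
    goods: str

# (weight, reason, predicate) for each indicator the VISA guide lists.
RULES = [
    (40, "negative file match",
     lambda t: t.card_token in NEGATIVE_FILE["card_token"]
               or t.email in NEGATIVE_FILE["email"]),
    (20, "no AVS match", lambda t: not t.avs_match),
    (15, "international IP address", lambda t: t.ip_country != MERCHANT_COUNTRY),
    (10, "high-risk goods", lambda t: t.goods in HIGH_RISK_GOODS),
    (10, "high transaction amount", lambda t: t.amount >= AMOUNT_THRESHOLD),
    (10, "card issued abroad", lambda t: t.card_country != MERCHANT_COUNTRY),
    (30, "high-risk shipping address",
     lambda t: t.ship_address in HIGH_RISK_SHIP_ADDRESSES),
]
REVIEW_THRESHOLD = 40   # assumed: at or above this the order is held for review

def screen(txn):
    """Return (score, reasons, decision) for one order. Indicators are additive,
    so several weak signals together still trigger a manual review."""
    hits = [(w, reason) for w, reason, pred in RULES if pred(txn)]
    score = sum(w for w, _ in hits)
    decision = "review" if score >= REVIEW_THRESHOLD else "accept"
    return score, [r for _, r in hits], decision

# Constructed sample orders.
CLEAN = Transaction("tok_0001", "alice@example.com", 80.0, True, "US", "US",
                    "5 Main St, Springfield", "books")
SUSPECT = Transaction("tok_0002", "bob@example.org", 650.0, False, "GB", "GB",
                      "1 Drop Lane, Anytown", "gift cards")
```

A negative-file hit alone reaches the review threshold, while the other indicators only do so in combination, which mirrors the guide's distinction between a direct match and circumstantial signals.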
US Federal Security Guidance
[§ 3.1, FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security]
ISO Guidance
Assessment of Risks. The organization should identify and assess the risks to which the IT system and its assets are exposed, in order to identify and select appropriate and justified security safeguards. Risks are a function of the values of the assets at risk, the likelihood of threats occurring to cause the potential adverse business impacts, the ease of exploitation of the vulnerabilities by the identified threats, and any existing or planned safeguards which might reduce the risk.
There are different ways of relating these factors; for example, the values assigned to the assets, vulnerabilities and threats are combined to obtain values measuring the risk.
Whichever way the measures of risk are assessed, the result of this step should be a list of measured risks for each of the impacts of disclosure, modification, non-availability, and destruction for the IT system under consideration. The measures of risk also help identify which risks should be dealt with first when selecting safeguards. The method used should be repeatable and traceable.
Automated software tools may be used to support all or parts of the risk analysis process. If an organization decides to use a tool, care should be taken that the approach used is in line with the organization's IT security strategy and policy. Also, effort should be made to obtain accurate input, since a tool can only work as precisely as its input allows. [¶ 9.3.7, ISO/IEC 13335-3 Information technology — Guidelines for the management of IT Security — Part 3: Techniques for the management of IT Security, 1998]
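The ISO combination rule described above, carried through as an added example (not code from the UCF page or from ISO/IEC 13335-3): asset value, threat likelihood and ease of exploitation are combined per impact kind, existing or planned safeguards reduce the effective ease, and the output is a ranked list in which every row keeps its inputs so the assessment is repeatable and traceable. The 1..5 scales, the multiplicative rule, the safeguard treatment and the sample register are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    values: dict          # impact kind -> asset value, assumed 1..5 scale

@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int       # 1 (rare) .. 5 (frequent), assumed scale
    impacts: tuple        # impact kinds this threat can produce

@dataclass(frozen=True)
class Vulnerability:
    name: str
    ease: int             # ease of exploitation, 1 (hard) .. 5 (trivial)
    safeguard: int = 0    # ease levels removed by existing or planned safeguards

def risk_measure(asset, threat, vuln, impact):
    """Combine the four factors: value x likelihood x effective ease, where
    safeguards lower the ease of exploitation but never below 1."""
    effective_ease = max(1, vuln.ease - vuln.safeguard)
    return asset.values[impact] * threat.likelihood * effective_ease

def assess(scenarios):
    """scenarios: (asset, threat, vulnerability) exposures of one IT system.
    Returns one record per impact kind, highest risk first; each record keeps
    its inputs so the ranking is traceable and can be recomputed identically."""
    rows = []
    for asset, threat, vuln in scenarios:
        for impact in threat.impacts:
            rows.append({"asset": asset.name, "threat": threat.name,
                         "vulnerability": vuln.name, "impact": impact,
                         "value": asset.values[impact],
                         "likelihood": threat.likelihood,
                         "effective_ease": max(1, vuln.ease - vuln.safeguard),
                         "risk": risk_measure(asset, threat, vuln, impact)})
    return sorted(rows, key=lambda r: (-r["risk"], r["asset"], r["impact"]))

# Constructed sample register for one system; all values are illustrative.
CUSTOMER_DB = Asset("customer database", {"disclosure": 5, "modification": 4,
                                          "non-availability": 3, "destruction": 4})
SCENARIOS = [
    (CUSTOMER_DB, Threat("external intrusion", 3, ("disclosure", "modification")),
     Vulnerability("unpatched web front end", ease=4, safeguard=2)),
    (CUSTOMER_DB, Threat("ransomware", 2, ("non-availability", "destruction")),
     Vulnerability("weak endpoint hardening", ease=3, safeguard=1)),
]
```

Because the rows carry their inputs, re-running the assessment after a safeguard is added shows exactly which factor changed and by how much.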
General Guidance
[PO1.3, CobiT, Version 4.1]
A risk analysis should be performed on critical information and systems belonging to the organization at an early stage of development of new systems, before new technology is introduced, prior to allowing access to the system by external sources, and at an early stage of significant changes to the system or information. [SM3.3.2, The Standard of Good Practice for Information Security]
Asia and Pacific Rim Guidance
The guide calls for establishing context so that risk profiling is more accurate. Understanding the organization's environment makes it easier to determine what types of risks the organization will face, so that all risks can be identified more readily. Ideally, risk identification should begin by spotting risks, then analyzing them to see whether they are likely or would have a large impact, then treating the risks that appear worst, and finally documenting all prescribed treatments. [Pg 18, Pg 19, Australia Better Practice Guide - Business Continuity Management, January 2000]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
