Identifying risks and probability for various events

Status: Live

The organization will ensure that the risk approach identifies risks and probability for natural events, technical events, and malicious activity. [UCF ID 01173]

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, § 314.12; Safety and Soundness Standards, Appendix of OCC 12 CFR 30, App B § III.B.2, Supp A § I.B.1.b; Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework, ¶ 732; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg 11, Pg F-3, Exam Tier I Obj 3.4; FFIEC IT Examination Handbook – Information Security, Pg 13; FFIEC IT Examination Handbook – Management, Pg 22, Pg 23; VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business, Pg 47; NCUA Guidelines for Safeguarding Member Information, 12 CFR 748, July 1, 2001, Pg 81; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 5.6.13, Exhibit 4 RA-3; Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, June 2002, § 3.2.2; Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition, Ch 5.1, Ch 5.3.2; ISO 17799:2005 Code of Practice for Information Security Management, § 4.1, § 4.2; ISO 27001:2005, Information Security Management Systems - Requirements, § 4.2.1(e), Annex A.14.1.2; ISO/IEC 27002-2005 Code of practice for information security management, § 4.1, § 4.2; BIS Sound Practices for the Management and Supervision of Operational Risk, ¶ 24

Sarbanes Oxley Guidance

The auditor should assess the likelihood that material misstatements will occur in the financial statements due to fraud and should consider these risks when designing the audit procedures. [§ 314.12, SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement]

Banking and Finance Guidance

The organization should assess the chance that various threats will occur and the damage those threats will cause. [App B § III.B.2, Supp A § I.B.1.b, Safety and Soundness Standards, Appendix of OCC 12 CFR 30]

All risks faced by the organization should be identified and a process should be developed to estimate the probability of the risks. [¶ 732, Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework]

The organization should use factors such as the geographic location of the site and its proximity to critical infrastructure when determining probabilities. The likelihood of each threat occurring should be estimated. [Pg 11, Pg F-3, Exam Tier I Obj 3.4, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]

The organization should use scenarios to estimate the probability of a threat occurring. [Pg 13, FFIEC IT Examination Handbook – Information Security]

A risk analysis should identify threats that might negatively affect the organization, evaluate the likelihood of the threat occurring, and rank the threats. Some threats that should be assessed are security breaches; technology investment mistakes; capacity shortages; system failures; external events; and system development and implementation problems. [Pg 22, Pg 23, FFIEC IT Examination Handbook – Management]

The organization should assess its vulnerability to each of the identified risks. [¶ 24, BIS Sound Practices for the Management and Supervision of Operational Risk]

Payment Card Guidance

The organization should be concerned about Internet fraud. The organization is at increased risk of fraud occurring when more than one of the following signs is present:

    the order is by a first-time shopper;
    the order is larger than the typical web site order;
    the order is comprised of more than one of the same item;
    the order is shipped rush or overnight;
    the order is shipped to an international address;
    the order is made on several different cards but shipped to the same address;
    the order is from a customer using a free e-mail service;
    the order has several big-ticket items;
    there are several transactions that occur on similar account numbers;
    there are many transactions made on the same card in a short period of time;
    there are shipping transactions to multiple shipping addresses;
    there are multiple cards used from the same Internet Protocol (IP) address.

[Pg 47, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business]
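As an added illustration, not code from the VISA guide or from this UCF page, the following Python checks constructed orders against the signs listed above, including the signs that only show up when orders are compared against each other. The thresholds, the reading of "similar account numbers" as a shared 12-digit prefix, and the sample orders are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Thresholds are assumptions for this example, not figures from the VISA guide.
TYPICAL_ORDER = 150.0          # typical web site order value
BIG_TICKET = 1000.0            # item price that counts as big-ticket
FREE_MAIL_DOMAINS = {"freemail.example"}
WINDOW = timedelta(hours=1)    # "short period" for repeated use of one card

# Signs the guide lists that can be judged from a single order; items are (name, price).
PER_ORDER = {
    "first_time_shopper": lambda o: o["first_time"],
    "larger_than_typical": lambda o: sum(p for _, p in o["items"]) > 3 * TYPICAL_ORDER,
    "duplicate_items": lambda o: len({n for n, _ in o["items"]}) < len(o["items"]),
    "rush_shipping": lambda o: o["rush"],
    "international_address": lambda o: o["ship_country"] != "US",
    "free_email": lambda o: o["email"].rsplit("@", 1)[-1] in FREE_MAIL_DOMAINS,
    "several_big_ticket": lambda o: sum(p >= BIG_TICKET for _, p in o["items"]) > 1,
}

def order_signals(order, history):
    """Return VISA risk signs for `order`; signs spanning orders aggregate over `history`."""
    s = {name for name, check in PER_ORDER.items() if check(order)}
    cards = lambda match: {o["card"] for o in history if match(o)}   # distinct cards matching
    if sum(o["card"] == order["card"] and abs(o["ts"] - order["ts"]) <= WINDOW for o in history) > 2:
        s.add("many_txns_same_card")
    if len(cards(lambda o: o["ip"] == order["ip"])) > 1:
        s.add("multiple_cards_same_ip")
    if len(cards(lambda o: o["ship_addr"] == order["ship_addr"])) > 1:
        s.add("multiple_cards_same_address")
    if len(cards(lambda o: o["card"][:12] == order["card"][:12])) > 1:
        s.add("similar_account_numbers")   # "similar" read as same first 12 digits (assumption)
    return s

def elevated_risk(order, history):
    """Per the VISA guide, more than one sign present means increased fraud risk."""
    return len(order_signals(order, history)) > 1

def mk(card, ip, email, addr, country, first, items, rush, hm):
    return dict(card=card, ip=ip, email=email, ship_addr=addr, ship_country=country,
                first_time=first, items=items, rush=rush, ts=datetime(2009, 1, 1, *hm))

# Constructed sample orders (industry test card numbers, documentation IP ranges).
ORDERS = [
    mk("4111111111111111", "198.51.100.5", "pat@corp.example", "1 Main St", "US",
       False, [("book", 20.0)], False, (9, 0)),
    mk("5555555555554444", "203.0.113.7", "x@freemail.example", "9 Pier Rd", "RO",
       True, [("laptop", 1500.0), ("laptop", 1500.0)], True, (10, 0)),
    mk("5555555555551111", "203.0.113.7", "y@freemail.example", "9 Pier Rd", "RO",
       True, [("phone", 900.0)], True, (10, 5)),
]
```

The first sample order raises no sign at all, while the second and third raise the per-order signs plus the cross-order ones (two cards from one IP, one shipping address, and similar numbers), which is the aggregation a merchant needs beyond looking at each order alone.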

US Federal Security Guidance

[Pg 81, NCUA Guidelines for Safeguarding Member Information, 12 CFR 748, July 1, 2001]

US Internal Revenue Guidance

The risk assessment process must determine the risks and magnitude of harm that could occur due to unauthorized use, unauthorized access, disruption, modification, disclosure, or destruction. [§ 5.6.13, Exhibit 4 RA-3, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]

NIST Guidance

The contingency planning coordinator is required to analyze critical resources and determine the impact on IT operations if any of these resources are disrupted or damaged. There are two ways to evaluate resources. The first is to track the effects of an outage over time. The second is to track how an outage affects related resources and dependent systems. Both methods should be used. The information produced by the evaluation should then be used to determine the best point at which to recover the IT system. [§ 3.2.2, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, June 2002]

ISO Guidance

For all identified risks, the probability of that risk occurring should be determined to help the organization decide if the risk is acceptable. [§ 4.1, § 4.2, ISO 17799:2005 Code of Practice for Information Security Management]

The organization should take a realistic look at the chances a security failure will occur based on the threats and vulnerabilities to the system and the controls the organization has in place. [§ 4.2.1(e), Annex A.14.1.2, ISO 27001:2005, Information Security Management Systems - Requirements]

For all identified risks, the probability of that risk occurring should be determined to help the organization decide if the risk is acceptable. [§ 4.1, § 4.2, ISO/IEC 27002-2005 Code of practice for information security management]

General Guidance

[Ch 5.1, Ch 5.3.2, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of critical organizational information assets and functions that have been reviewed from the perspective of physical risks [UCF Control ID 02064]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.