Identify the risks and probability for natural events, technical events, and malicious activity.

UCF ID: 01173
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, § 314.12; Safety and Soundness Standards, Appendix of OCC 12 CFR 30, App B § III.B.2, Supp A § I.B.1.b; Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework, ¶ 732; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg 11, Pg F-3, Exam Tier I Obj 3.4; FFIEC IT Examination Handbook – Information Security, Pg 13; FFIEC IT Examination Handbook – Management, Pg 22, Pg 23; VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business, Pg 47; NCUA Guidelines for Safeguarding Member Information, 12 CFR 748, July 1, 2001, Pg 81; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 5.6.13, Exhibit 4 RA-3; ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 4.1, § 4.2; ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, § 4.2.1(e), Annex A.14.1.2; ISO/IEC 27002 Code of practice for information security management, 2005, § 4.1, § 4.2; BIS Sound Practices for the Management and Supervision of Operational Risk, ¶ 24; BS 25999-1, Business continuity management. Code of practice, 2006, § 6.5.1, § 6.5.6; Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress, § 302(a)(3)(B); ISO/IEC 13335-3 Information technology — Guidelines for the management of IT Security — Part 3: Techniques for the management of IT Security, 1998, ¶ 9.3

Sarbanes Oxley Guidance

The auditor should assess the likelihood that material misstatements will occur in the financial statements due to fraud and should consider these risks when designing the audit procedures. [§ 314.12, SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement]

Banking and Finance Guidance

The organization should assess the chance that various threats will occur and the damage those threats will cause. [App B § III.B.2, Supp A § I.B.1.b, Safety and Soundness Standards, Appendix of OCC 12 CFR 30]

All risks faced by the organization should be identified and a process should be developed to estimate the probability of the risks. [¶ 732, Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework]

The organization should consider factors such as the geographic location of the site and its proximity to critical infrastructure when determining probabilities, and should estimate the likelihood of each identified threat occurring. [Pg 11, Pg F-3, Exam Tier I Obj 3.4, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]

The organization should use scenarios to estimate the probability of a threat occurring. [Pg 13, FFIEC IT Examination Handbook – Information Security]

A risk analysis should identify threats that might negatively affect the organization, evaluate the likelihood of the threat occurring, and rank the threats. Some threats that should be assessed are security breaches; technology investment mistakes; capacity shortages; system failures; external events; and system development and implementation problems. [Pg 22, Pg 23, FFIEC IT Examination Handbook – Management]

The organization should assess its vulnerability to each of the identified risks. [¶ 24, BIS Sound Practices for the Management and Supervision of Operational Risk]

Payment Card Guidance

The organization should be alert to Internet fraud. An order carries an increased risk of fraud when more than one of the following signs is present:

    the order is placed by a first-time shopper;
    the order is larger than the typical order for the web site;
    the order contains more than one of the same item;
    the order includes several big-ticket items;
    the order is shipped rush or overnight;
    the order is shipped to an international address;
    several orders are placed on different cards but shipped to the same address;
    the customer uses a free e-mail service;
    several transactions occur on similar account numbers;
    many transactions are made on the same card in a short period of time;
    transactions are shipped to multiple shipping addresses;
    multiple cards are used from the same Internet Protocol (IP) address.

[Pg 47, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business]
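The indicators above lend themselves to a simple rule engine. The following Python is an added example, not code from the VISA guide or from the UCF page: it screens a constructed batch of orders, separating the indicators that can be judged from a single order from those that only show up when orders are correlated (shared shipping address across cards, shared card prefix, charge velocity on one card, one account shipping to many addresses, several cards from one IP), and applies the "more than one sign present" rule. The field names, the thresholds (twice the typical order value, three charges on one card within 24 hours, an eight-digit shared prefix as "similar account numbers") and the free-mail domain list are assumptions made for this example.

```python
"""Rule-based screening of orders for the fraud indicators listed above.  Added
example, not code from the VISA guide or the UCF; thresholds, field names and
sample data are assumptions made here."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}  # assumed list
HOME_COUNTRY = "US"              # assumed merchant location
PREFIX_LEN = 8                   # assumed: same 8 leading digits = "similar account numbers"
VELOCITY_WINDOW = timedelta(hours=24)
VELOCITY_LIMIT = 3               # assumed: 3+ charges on one card in the window = "many"

# card_number holds constructed digits; a real system would store a token or hash instead
Order = namedtuple("Order", "order_id customer_id first_time_shopper amount item_counts "
                   "big_ticket_items shipping ship_country ship_address card_number email ip placed_at")

def per_order_signals(o, typical_amount):
    """Indicators that can be judged from one order on its own."""
    checks = [
        ("first_time_shopper", o.first_time_shopper),
        ("larger_than_typical", o.amount > 2 * typical_amount),  # assumed: 2x baseline
        ("multiple_same_item", any(q > 1 for q in o.item_counts.values())),
        ("several_big_ticket", o.big_ticket_items >= 2),
        ("rush_shipping", o.shipping in ("rush", "overnight")),
        ("international_ship", o.ship_country != HOME_COUNTRY),
        ("free_email", o.email.rsplit("@", 1)[-1].lower() in FREE_MAIL_DOMAINS),
    ]
    return {name for name, hit in checks if hit}

def max_in_window(times, window):
    """Largest number of timestamps inside any span of length `window`."""
    times, best = sorted(times), 0
    for i, start in enumerate(times):
        j = i
        while j < len(times) and times[j] - start <= window:
            j += 1
        best = max(best, j - i)
    return best

def cross_order_signals(orders):
    """Indicators that only appear once orders are correlated with each other."""
    by_addr, by_prefix, by_ip, by_cust = (defaultdict(set) for _ in range(4))
    times = defaultdict(list)
    for o in orders:
        by_addr[o.ship_address].add(o.card_number)
        by_prefix[o.card_number[:PREFIX_LEN]].add(o.card_number)
        by_ip[o.ip].add(o.card_number)
        by_cust[o.customer_id].add(o.ship_address)
        times[o.card_number].append(o.placed_at)
    flagged = {}
    for o in orders:
        checks = [
            ("many_cards_one_address", len(by_addr[o.ship_address]) > 1),
            ("similar_account_numbers", len(by_prefix[o.card_number[:PREFIX_LEN]]) > 1),
            ("card_velocity", max_in_window(times[o.card_number], VELOCITY_WINDOW) >= VELOCITY_LIMIT),
            ("multiple_ship_addresses", len(by_cust[o.customer_id]) > 1),
            ("many_cards_one_ip", len(by_ip[o.ip]) > 1),
        ]
        flagged[o.order_id] = {name for name, hit in checks if hit}
    return flagged

def screen(orders, typical_amount):
    """order_id -> (sorted indicators, elevated).  As quoted above, risk is
    treated as elevated when more than one indicator is present."""
    cross = cross_order_signals(orders)
    out = {}
    for o in orders:
        signals = per_order_signals(o, typical_amount) | cross[o.order_id]
        out[o.order_id] = (sorted(signals), len(signals) > 1)
    return out

def sample_orders():
    """Constructed batch, not real transaction data."""
    t0, h = datetime(2009, 6, 1, 10, 0), timedelta(hours=1)
    orders = [
        Order("A1", "c-100", False, 80.0, {"sku-1": 1}, 0, "standard", "US", "10 Main St",
              "4000123456789010", "alice@example.com", "198.51.100.7", t0),
        # first-time shopper, overnight, free mail, 3 of one item, two big-ticket items, 24x typical
        Order("B1", "c-200", True, 2400.0, {"sku-9": 3}, 2, "overnight", "US", "55 Elm Ave",
              "5100987654321002", "bob@gmail.com", "203.0.113.5", t0 + h),
        # two cards sharing a prefix, shipped to one address, ordered from one IP
        Order("C1", "c-300", False, 150.0, {"sku-2": 1}, 0, "standard", "US", "7 Oak Rd",
              "4111111100000012", "carol@example.org", "203.0.113.9", t0 + 2 * h),
        Order("D1", "c-301", False, 120.0, {"sku-3": 1}, 0, "standard", "US", "7 Oak Rd",
              "4111111100000020", "dan@example.org", "203.0.113.9", t0 + 3 * h),
    ]
    # one card, three charges within three hours, each to a different address
    orders += [Order(f"E{n}", "c-400", False, 60.0, {"sku-4": 1}, 0, "standard", "US",
                     f"{n} Pine St", "5555444433332226", "erin@example.net", "192.0.2.44",
                     t0 + (3 + n) * h) for n in (1, 2, 3)]
    return orders

if __name__ == "__main__":
    for oid, (signals, elevated) in screen(sample_orders(), typical_amount=100.0).items():
        print(f"{oid}: {'ELEVATED' if elevated else 'ok':<8} {signals}")
```

Two points of design worth noting. The cross-order indicators are computed over the whole batch first and then attributed back to each order, so an otherwise unremarkable order (C1, D1) is still flagged because of what it shares with its neighbours; a per-order filter alone would miss exactly the patterns the guide calls out. And the "more than one sign" rule is a screening threshold, not a verdict: the output is meant to route an order to review, and the thresholds should be tuned against the merchant's own order history rather than taken from this example.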

US Federal Security Guidance

[Pg 81, NCUA Guidelines for Safeguarding Member Information, 12 CFR 748, July 1, 2001]

US Federal Privacy Guidance

A risk assessment must be performed by a business entity to determine the likelihood of and potential damage from unauthorized disclosure, alteration, or use of or access to sensitive personally identifiable information. [§ 302(a)(3)(B), Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress]

US Internal Revenue Guidance

The risk assessment process must determine the risks and magnitude of harm that could occur due to unauthorized use, unauthorized access, disruption, modification, disclosure, or destruction. [§ 5.6.13, Exhibit 4 RA-3, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]

ISO Guidance

For all identified risks, the probability of that risk occurring should be determined to help the organization decide if the risk is acceptable. [§ 4.1, § 4.2, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]

The organization should realistically assess the likelihood of a security failure, given the threats to and vulnerabilities of the system and the controls the organization already has in place. [§ 4.2.1(e), Annex A.14.1.2, ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]

For all identified risks, the probability of that risk occurring should be determined to help the organization decide if the risk is acceptable. [§ 4.1, § 4.2, ISO/IEC 27002 Code of practice for information security management, 2005]

Detailed Risk Analysis. A detailed risk analysis for an IT system involves the identification of the related risks, and an assessment of their magnitude. The need for a detailed risk analysis can be determined without unnecessary investment in time and money when high level reviews are conducted for all systems, followed by detailed risk analysis reviews only on high risk or critical systems.
The risk analysis is done by an identification of potential adverse business impacts of unwanted events and the likelihood of their occurrence. Unwanted events can adversely impact the business, persons or any other valuable entity of the organization. The adverse impact of an unwanted event is a composite of possible damages related to the value of the assets at risk. The likelihood of occurrence is dependent on how attractive the asset is for a potential attacker, the likelihood of threats occurring, and the ease with which the vulnerabilities can be exploited. The results of the risk analysis lead to the identification and selection of safeguards which can be used to reduce the identified risks to an acceptable level.
Detailed risk analysis involves in-depth reviews. It leads to the selection of justified safeguards as part of the risk management process. The requirements for these safeguards are documented in the IT system security policy and the related IT security plan. A number of incidents and external influences which may affect the security requirements of the system can make it necessary to reconsider parts of or the whole risk analysis. Those influences could be: recent significant changes to the system, planned changes, or the consequences of incidents which need to be dealt with.
A variety of methods exist for the performance of a risk analysis ranging from check list based approaches to structured analysis based techniques. Automated (computer assisted) or manual based products can be used. Whatever method or product is used by the organization, it should at least address the topics identified in the following clauses. It is also important that the methods used fit with the organization's culture.
Once a detailed risk analysis review for a system has been completed for the first time, the results of the review - assets and their values, threat, vulnerability and risk levels, and safeguards identified - should be saved, for example, in a database. Methods with software support tools make this activity much easier. This representation, sometimes referred to as a model, can be utilized to significant effect as changes occur over time, be they to configuration, information types processed, threat scenarios etc. Only the changes are needed as input in order to ascertain the effect on the necessary safeguards. Further, such models can be quickly used to examine different options, say during the development of a new system, as well as being used for other systems which are similar in nature.
[¶ 9.3, ISO/IEC 13335-3 Information technology — Guidelines for the management of IT Security — Part 3: Techniques for the management of IT Security, 1998]

UK and Canadian Guidance

The organization should understand the impact a threat would have if it became an incident and caused a disruption to the business. Impacts could be the result of a vulnerability being exploited by a threat. [§ 6.5.1, § 6.5.6, BS 25999-1, Business continuity management. Code of practice, 2006]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of critical organizational information assets and functions that have been reviewed from the perspective of physical risks. [UCF Control ID 02064]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.