Establish, implement, and maintain the risk assessment framework.


CONTROL ID
00685
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a risk management program., CC ID: 12051

This Control has the following implementation support Control(s):
  • Analyze the risk management strategy for addressing requirements., CC ID: 12926
  • Analyze the risk management strategy for addressing threats., CC ID: 12925
  • Analyze the risk management strategy for addressing opportunities., CC ID: 12924
  • Define and assign the roles and responsibilities for the risk assessment framework, as necessary., CC ID: 06456
  • Establish, implement, and maintain a risk assessment program., CC ID: 00687
  • Correlate the business impact of identified risks in the risk assessment report., CC ID: 00686
  • Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary., CC ID: 00704
  • Establish, implement, and maintain a risk treatment plan., CC ID: 11983
  • Integrate the corrective action plan based on the risk assessment findings with other risk management activities., CC ID: 06457
  • Document and communicate a corrective action plan based on the risk assessment findings., CC ID: 00705


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The Board of Directors is responsible for the risk management process. The Board must regularly identify and monitor the key risk areas and the key performance criteria for the organization, especially systems and technology. Management is responsible for designing, implementing, and monitoring the … (¶ 2.1.11, ¶ 3.1.1, ¶ 3.1.5, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002)
  • Practice Standard § II.3(4)[1].C.a: Company-level control deficiencies are very likely to have material impacts on internal control effectiveness. The following is a company-level control deficiency that may constitute a material weakness: not conducting a risk assessment on the reliability of fina… (Practice Standard § II.3(4)[1].C.a, Exhibit 1 (Risk Assessment and Response), On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • The organization must have procedures in place to inform the Board of Directors about the risk assessment procedures. The procedures must be reviewed periodically to ensure risk is managed within a defined framework. (§ IV(C), Corporate Governance in listed Companies - Clause 49 of the Listing Agreement)
  • Conducting a vulnerability assessment for each vulnerability and calculating the probability that it will be exploited. Evaluating policies, procedures, standards, training, physical security, quality control and technical security in this regard (Critical components of information security 2) 3) Bullet 3, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • In order to be satisfied that an outsourcing arrangement does not result in the risk management, internal control, business conduct or reputation of an institution being compromised or weakened, the board and senior management would need to be fully aware of and understand the risks arising from out… (5.3.1, Guidelines on Outsourcing)
  • The board of directors and senior management should ensure that a sound and robust technology risk management framework is established and maintained. They should also be involved in key IT decisions. (§ 3.1.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • A technology risk management framework should be established to manage technology risks in a systematic and consistent manner. The framework should encompass the following attributes: (§ 4.0.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Periodic update and monitoring of risk assessment to include changes in systems, environmental or operating conditions that would affect risk analysis. (§ 4.0.1.e, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The organization must ensure that each system is covered by a Security Risk Management Plan. (Control: 0040, Australian Government Information Security Manual: Controls)
  • The organization should incorporate the Security Risk Management Plan into its organizational Risk Management plan. (Control: 0893, Australian Government Information Security Manual: Controls)
  • The results of risk assessments should be used by the organization to determine an appropriate balance between prevention and detection for security measures. The risk assessment should include site-specific physical security threats. (§ 2.8.17, § 3.1.6, Australian Government ICT Security Manual (ACSI 33))
  • (§ B.4.5, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003)
  • Competent authorities should assess whether the institution has an effective framework in place for identifying, understanding, measuring and mitigating ICT security risk. For this assessment competent authorities should, in particular, take into account whether the framework considers: (Title 3 3.3.4(b) 55., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Competent authorities should assess whether the institution has an effective framework in place for identifying, understanding, measuring and mitigating ICT data integrity risk commensurate with the nature, scale and complexity of the institution's activities and the ICT risk profile of the instituti… (Title 3 3.3.4(d) 57., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • the ICT risk control framework is audited with the required quality, depth and frequency and commensurate with the size, activities and the ICT risk profile of the institution; (Title 3 3.3.3 51.a, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Risk management should be used throughout the lifecycle and should take into account patient safety, data integrity, and product quality. (¶ 1, EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4 Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use Annex 11: Computerised Systems, SANCO/C8/AM/sl/ares(2010)1064599)
  • The organization's internal risk management and control system must include risk analyses of the operational and financial objectives. (¶ II.1.3, The Dutch corporate governance code, Principles of good corporate governance and best practice provisions, 9 December 2003)
  • Scope ¶ 3: If it is not feasible to conduct the risk assessment on all information the organization and its delivery partners handle, the organization must at a minimum conduct a risk assessment on all protected personal data and information that is labeled as Protectively Marked. Content ¶ 4: At … (Scope ¶ 3, Content ¶ 4, Guidance on the scope of Quarterly Risk Assessments, March 2009)
  • The organization must implement a Risk Management approach, including a detailed risk register, that covers all areas of protective security. (Mandatory Requirement 5, HMG Security Policy Framework, Version 6.0 May 2011)
  • (§ 1.1, OGC ITIL: Security Management)
  • Management should develop a system to assess risk. The risk assessment system should track risk data. The adequacy of the risk assessment process should be reviewed. (¶ 663(b), ¶ 744, ¶ 748, Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework)
  • Risk assessments should be used to assess potential risk vulnerabilities. (¶ 25, BIS Sound Practices for the Management and Supervision of Operational Risk)
  • The organization should establish and implement a Risk Management plan. (Annex I ¶ 3(B), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The organization should implement a Risk Management plan. (Annex I ¶ 3(C), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The inspectors will look at the approach that was taken to identify the GxP risks and the criteria that were used to assess the fitness for purpose of the application. (¶ 15.2, Good Practices For Computerized systems In Regulated GXP Environments)
  • Develop and maintain a framework that defines the enterprise's overall approach to IT risk and control and that aligns with the IT policy and control environment and the enterprise risk and control framework. (PO6.2 Enterprise IT Risk and Control Framework, CobiT, Version 4.1)
  • Analyze the existing climate and individual mindsets about how the workforce perceives risk, its impact on their work and the organization as a whole, and how effectively risk management is integrated with the decision-making and running of the business. (L3.3 Analyze Risk Culture, OCEG GRC Capability Model, v 3.0)
  • The organization should have a thorough understanding of the risks associated with Internet transactions and have an established approach to risk management. (Pg 17, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business)
  • The organization must have a defined, documented, and appropriate risk assessment method to enable the organization to understand the vulnerabilities and threats to its critical activities and supporting resources, including outsourced ones. The organization must understand what the impact would be,… (§ 4.1.2, BS 25999-2, Business continuity management. Specification, 2007)
  • Risk assessments and dependency modeling (internal and external) should be reassessed regularly. The nature of the environment will help to decide on the quantity and quality of the regular dependency modeling exercises. The risk assessment should review the IT infrastructure's exposure in terms of:… (§ 5.2 ¶ 3(c), § 6.2, Annex A, PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • The risk management committee is responsible for overseeing all risk analyses and assessments, risk responses, and risk monitoring; assessing if management has established effective enterprise risk management; being aware of and agreeing with the risk appetite and tolerance of the organization; valu… (§ 7.1.4, § 8.2.4 ¶ 2, § 7.3.1, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • Business continuity risk assessment should be completed by the business unit or regional management for each business function and associated sites. Participants should include staff from the business; staff from the health, safety, and environment group; legal; facilities management; human resource… (§ 5.2 ¶ 1, IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management)
  • Chief Audit Executives (CAEs) must perform a risk assessment to develop a risk-based audit plan. Properly executing an IT risk assessment is vital for risk management practices and a critical element to develop an effective audit plan. Risk assessments should not be performed until the CAE and inter… (§ 2 ¶ 2, § 2.1 ¶ 4, § 5 ¶ 1, § 6.3, IIA Global Technology Audit Guide (GTAG) 11: Developing the IT Audit Plan)
  • Risks can be identified and assessed on an ongoing basis when continuous risk assessments are implemented. Performing continuous risk assessments allows for a more strategic context in developing audit plans and making ongoing adjustments when risk profiles change to keep the audit plan current and … (§ 5 (Applications for Continuous Risk Assessment) ¶ 2, § 5 (Applications for Continuous Risk Assessment) ¶ 3, § 5 (Development of the Audit Plan) ¶ 2, § 6 (Continuous Risk Assessment), IIA Global Technology Audit Guide (GTAG) 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment)
  • The Chief Audit Executive (CAE) should perform independent IT risk assessments annually; analyze how the IT short-term plans impact the IT risk assessment; refresh the IT risk assessment for the given audit before beginning an IT audit; be flexible about the IT audit; monitor IT-related risk profile… (§ 4.2 ¶ 3, § 4.5 (Robust IT Risk Assessment), App A.3 (Recommendations for Interfaces), IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • Good privacy management is supported by conducting risk assessments of physical security access restrictions, access controls, and change controls. (§ 4.5 (Privacy Best Practices), IIA Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks)
  • Because a large number of vulnerabilities are discovered with each scan, the organization will likely perform many mini-risk assessments. The organization must have a well-defined procedure for measuring risk that can be applied accurately and quickly. (§ 3.2 (Assessing Risks), IIA Global Technology Audit Guide (GTAG) 6: Managing and Auditing IT Vulnerabilities)
  • Risk assessments that take into account various factors affecting the services provided to the client must be performed periodically by service organizations. Factors that should be considered when performing the risk assessment are as follows: operating environment changes; new or changed/upgraded … (§ 5.1 ¶ 3, IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • Prior to developing an identity and access management (IAM) audit approach or assisting with the creation of IAM processes, identity management procedures and policies should be reviewed. After the current processes have been identified, the internal auditors can help management by conducting a risk… (§ 4.2.1 ¶ 1 thru ¶ 2, IIA Global Technology Audit Guide (GTAG) 9: Identity and Access Management)
  • The risk analysis results and other security measures should be formally recorded. (Pg 2-II-3 thru Pg 2-II-5, Pg 12-IV-10, Protection of Assets Manual, ASIS International)
  • Standards / procedures should cover performing a risk assessment of Information Systems that support or enable critical infrastructure. (CF.08.03.02c, The Standard of Good Practice for Information Security)
  • Standards / procedures should cover performing a risk assessment of Information Systems that support or enable critical infrastructure. (CF.08.03.02c, The Standard of Good Practice for Information Security, 2013)
  • The organization should conduct risk assessments to identify critical computing assets and determine the impact the unavailability of the assets would have on the organization. (Action 1.1.9, SANS Computer Security Incident Handling, Version 2.3.1)
  • Organizations shall develop and maintain an enterprise risk management framework to mitigate risk to an acceptable level. (GRM-11, Cloud Controls Matrix, v3.0)
  • Establish a formal, documented, and leadership-sponsored Enterprise Risk Management (ERM) program that includes policies and procedures for identification, evaluation, ownership, treatment, and acceptance of cloud security and privacy risks. (GRC-02, Cloud Controls Matrix, v4.0)
  • Aligned with the enterprise-wide framework, formal risk assessments shall be performed at least annually, or at planned intervals, determining the likelihood and impact of all identified risks, using qualitative and quantitative methods. (RI-02, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Top management shall define and document a Risk Management policy that includes adding medical devices to the Information Technology network. (§ 4.2.1, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The organization shall provide a description of the risk-relevant assets in order to plan the Risk Management for the medical Information Technology network. (§ 4.3.1 ¶ 1(a), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The network's current state and any planned changes shall be considered when planning Risk Management. (§ 4.3.1 ¶ 2, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • § 3.6 Risk. An organization should assess risk as part of its ICT security program. Risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. Single or multiple threats may exploit single or multiple vulnerabili… (§ 3.6, § 6.3, ISO 13335-1 Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management, 2004)
  • Identification of Safeguards. An organization should use the identified measures of risks as the basis for identifying all safeguards that are necessary for appropriate protection. In order to select safeguards which effectively protect against the assessed risks, the results of the risk analysis sh… (¶ 9.4.1, ISO 13335-3 Information technology - Guidelines for the management of IT Security - Part 3: Techniques for the management of IT Security, 1998)
  • ¶ 10 Selection of Safeguards According to Security Concerns and Threats. An organization should select safeguards according to security concerns and threats in the following way. • The first step is to identify and assess the security concerns. The requirements for confidentiality, integrity, ava… (¶ 10, ¶ 11, ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • § 3.1: The medical device manufacturer shall establish, document, and maintain a process to identify medical device hazards, to estimate and evaluate the risks, to control the risks, and to monitor the effectiveness. The process shall include risk evaluation, risk analysis, risk control, and produc… (§ 3.1, § 3.4, § 4.1 ¶ 2, Annex I, ISO 14971:2007 Medical devices -- Application of risk management to medical devices, 2007)
  • A risk assessment should be completed to identify all the threats to the product and identify the likelihood for each threat that the threat will occur. (§ 6.3.1, ISO 15408-1 Common Criteria for Information Technology Security Evaluation Part 1, 2005)
  • Risk management involves developing a Disaster Recovery Plan that defines a prioritized and organized disaster response, plans the continuance of the business operations, and plans for the recovery. (§ 4.3.7.1 ¶ 4, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • Top management shall ensure risks to services are assessed and managed. (§ 4.1.1 ¶ 1(g), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The service provider shall implement and operate the service management system by identifying, assessing, and managing risks to services. (§ 4.5.3 ¶ 1(d), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • specifies the requirements for this information to be kept up-to-date and confidential. (§ 8.2.1 ¶ 1 e), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • A risk assessment should identify, quantify, and prioritize risks. Risk assessments should be performed periodically and should have a clearly defined scope. The information security coordination group should approve the methodologies and processes used for the risk assessments. (§ 4.1, § 6.1.2, ISO 27002 Code of practice for information security management, 2005)
  • The organization should consider the following when developing risk evaluation criteria: strategic value of the information process; criticality of the information assets; contractual obligations; legal and regulatory requirements; stakeholder expectations and perceptions; negative consequences for … (§ 7.2.2, ISO 27005 Information technology -- Security techniques -- Information security risk management, 2011)
  • When planning the approach, considerations include: - objectives and decisions that need to be made; - outcomes expected from the steps to be taken in the process; - time, location, specific inclusions and exclusions; - appropriate risk assessment tools and techniques; - resources required, responsi… (§ 6.3.2 ¶ 3, ISO 31000 Risk management - Guidelines, 2018)
  • The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in Clause 6, by: (§ 8.1 ¶ 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • ensures that repeated IT asset risk assessments produce consistent, valid and comparable results; (Section 6.1.2 ¶ 1(b), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The risk assessment process should be based on methods and tools designed in sufficient detail so that it leads to consistent, valid and comparable results. (§ 6.1.2 Guidance ¶ 8, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • the results of repeated risk assessments are comparable (i.e. it is possible to understand if the levels of risk are increased or decreased). (§ 6.1.2 Guidance ¶ 9 Bullet 3, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • An appropriate risk management approach should be selected or developed that addresses basic criteria such as: risk evaluation criteria, impact criteria, risk acceptance criteria. (§ 7.2.1 ¶ 2, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • The form of analysis should be consistent with the risk evaluation criteria developed as part of establishing the context. (§ 8.3.1 ¶ 2, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • The organization should periodically assess potential vulnerabilities and threats, along with consequences, should the vulnerabilities and threats occur. (Pg 2, Responsible Care Security Code of Management Practices, American Chemistry Council)
  • The risk assessment process determines the impact an event might have on achieving organizational objectives. Each manager should assess the risk for his/her business unit, either qualitatively or quantitatively. Using the results, senior management should determine if the risk portfolio of the orga… (Pg 9, Ch 6, COSO Enterprise Risk Management (ERM) Integrated Framework (2004))
  • To obtain an understanding of the organization, the auditor should use the following risk assessment procedures: observe and inspect the internal controls, analyze the transaction procedures, and interview management and other members of the organization. The size and complexity of the organization … (§ 314.06 thru § 314.10, § 314.23, § 314.40, § 314.102, SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement)
  • The organization must assess and manage risks and plan for contingencies. (§ 6, Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives)
  • The organization must identify and monitor hazards, determine the likelihood that they will occur, and determine the vulnerability of property, people, the environment, and the organization. See Annex A.5.3.1 for information on techniques and methodologies for performing a risk assessment. (§ 5.3.1, Annex A.5.3.1, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition)
  • The risk analysis results and other security measures should be formally recorded. (§ 5-7, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • § 3.2 ¶ 1: CMS business partners are required to conduct an annual risk assessment. § 3.2 ¶ 3: Information and business owners shall develop, implement, and maintain risk management programs and use the CMS Information Security (IS) Risk Assessment (RA) Methodology to prepare the annual IS RA. … (§ 3.2 ¶ 1, § 3.2 ¶ 3, § 3.10.2 ¶ 2, CMS Business Partners Systems Security Manual, Rev. 10)
  • § 1.1: The organization shall prepare a risk assessment for each general support system (GSS), GSS subsystem, major application (MA), and MA individual application. § 3: The business owner shall plan how to use technology, assess the technology risks, determine how to implement technology, and imp… (§ 1.1, § 3, § 3.1 ¶ 1, § 4.1, App A, CMS Information Security Risk Assessment (IS RA) Procedure, Version 1.0 Final)
  • The organization must assess periodically local information system risk factors in accordance with the CMS IS RA Methodology, the CMS Business RA Methodology, and NIST SP 800-30. The organization must review and update its risk assessment annually or when significant modifications are made to the ne… (CSR 1.8.2, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The agency head must ensure senior agency officials assess the risk and magnitude of harm that could result from unauthorized access to or modification, unauthorized disclosure, modification, use, disruption, or destruction of information and information systems that support operations and assets un… (§ 3544(a)(2)(A), § 3544(b)(1), Federal Information Security Management Act of 2002)
  • A risk assessment must be performed by a business entity to identify internal and external vulnerabilities that could lead to unauthorized disclosure, alteration, or use of or access to sensitive personally identifiable information or systems that contain sensitive personally identifiable informatio… (§ 302(a)(3), Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress)
  • The organization must keep and record information about the policies, procedures, and systems that monitor and control financial and operational risks. (§ 78o-5(b)(2)(A), § 78q(h)(1), Securities Exchange Act of 1934)
  • The DoD Component CIO must approve a formal risk analysis regarding the acquisition or outsourcing of dedicated IA services. (DCDS-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • A risk analysis program must be used to minimize the loss of classified information or assets in a cost-effective manner. The program should counter threats, reduce vulnerabilities, and implement countermeasures. (§ 9-302.f, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • If a chemical facility is determined to be a high-risk facility by the Assistant Secretary, the facility must complete a Security Vulnerability Assessment (SVA). The SVA must include identifying and characterizing assets; identifying hazards and their consequences to the facility and assets; a descr… (§ 27.215(a), § 27.240(a), 6 CFR Part 27, Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security)
  • § 4.1 DIB assets are ranked according to the DoD Asset Prioritization Model (APM) for both analysis and reduction of risk. The APM is an index model where a higher score indicates a greater impact if the asset is lost and a method to support scheduling decisions. The impact score (the asset's "crit… (§ 4.1, § 4.2, Defense Industrial Base Information Assurance Standard)
  • An integrated, enterprise-wide approach to a risk assessment includes inputs from a range of business functions or units. For example, fraud research, customer service, and cybersecurity can provide data and perspectives to enhance the risk assessment. Data from these business functions, as well as … (Section 3 ¶ 2, Authentication and Access to Financial Institution Services and Systems)
  • Risk assessment. (IX Action Summary ¶ 2 Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • The organization should perform a risk assessment to determine the risks associated with the Internet. The risks should be evaluated based on the type of customer; the sensitivity of the customer information; the transaction volume; and the type of business the customer will be doing on the Internet… (Pg 3, Pg 4, FFIEC Guidance on Authentication in an Internet Banking Environment)
  • Financial institution management should maintain a risk identification process that is coordinated and consistent throughout the institution. Risk identification includes ongoing data collection from existing activities and new initiatives. (III.A Risk Identification, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine the adequacy of the institution's IT operations planning and investment. Assess the adequacy of the risk assessment and the overall alignment with the institution's business strategy, including planning for IT resources and budgeting. (App A Objective 4, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • A risk identification process to identify risks to information assets within the institution and information assets controlled by third-party providers. (App A Objective 9:2 a., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether the institution maintains a risk identification process that is coordinated and consistent across the enterprise. (App A Objective 10, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether the institution has a comprehensive IT risk identification process that includes the identification of cybersecurity risks. Specifically, determine whether management performs the following: (App A Objective 10:1, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The audit program should include a risk assessment process to describe and analyze the risks to the organization. (Pg 11, Exam Tier I Obj 8.2, FFIEC IT Examination Handbook - Audit, August 2003)
  • The organization should conduct a risk assessment and should evaluate business processes and Business Impact Analysis (BIA) assumptions with various threat scenarios. The risk assessment should consider the impact of a pandemic. (Pg 11, Pg D-2, Exam Tier I Obj 2.1, Exam Tier I Obj 2.5, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The organization should conduct a risk assessment to determine the appropriate level of security controls needed based on the information sensitivity level and the risk tolerance level of the organization. (Pg 13, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • The risk assessment should identify where confidential information is located, identify internal and external threats, determine the likelihood of the threats occurring, and determine if the policies and procedures can mitigate the threats. (Pg 21, Exam Obj 5.1, FFIEC IT Examination Handbook - Management)
  • Management should decide on a process or technique to identify and assess risks to the organization and the systems, including imaging systems. The organization should conduct control self-assessments to validate the effectiveness and adequacy of implemented controls, and they should be coordinated … (Pg 12, Pg 32, Pg 41, Exam Tier I Obj 3.1, FFIEC IT Examination Handbook - Operations, July 2004)
  • Determine whether management effectively prioritizes measured risks. (AppE.7 Objective 4:2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Risk assessments should consider both physical and logical security controls for origination, approval, transmission, and storage of transaction data. The risk assessment should also review the security of all third-party providers. (Pg 33, Exam Tier II Obj 10.9, Exam Tier II Obj 11.4, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • The examiner-in-charge (EIC) should develop a plan to effectively examine each service provider. The plan should include an assessment of current and anticipated risks. Prior to the onsite visit, the EIC should gather and analyze information from prior examination reports and recommendations, risk a… (Pg 11, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, March 2003)
  • The organization's information security program should include risk assessments to evaluate high-risk activities. (Pg 33, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • The organization should conduct a risk assessment and, at a minimum, consider the risks associated with employee training; detecting, preventing, and responding to attacks or intrusions; and the information systems. (§ 314.4(b), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule)
  • Financial institutions or creditors must perform a risk assessment to determine if they maintain or offer any covered accounts. The risk assessment should consider the methods used to open and access accounts and any previous experiences with identity theft. (§ 41.90(c), § 222.90(c), § 334.90(c), § 571.90(c), § 681.2(c), § 717.90(c), Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, Final Rule, November 9, 2007)
  • (SP-1, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • (§ 260.44, GAO/PCIE Financial Audit Manual (FAM))
  • The organization must develop, document, distribute, and continuously update a risk assessment policy and procedures for implementing the risk assessment security controls. The organization must conduct a formal assessment of the system, including data warehousing environments, to ensure the securit… (§ 5.6.4, § 5.6.13, § 5.6.17.4, Exhibit 4 CA-4, Exhibit 4 RA-1, Exhibit 4 RA-3, Exhibit 6, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Does the Credit Union have a documented risk assessment process? (IT - 748 Compliance Q 4, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Do the audit policies and procedures include an Information Technology risk assessment, including Part 748 Appendix A? (IT - Audit Program Q 2d, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the risk assessment program include Wireless Local Area Networks? (IT - WLANS Q 2, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Periodic risk assessments should be conducted to improve the organization's security posture and prevent incidents from occurring. The risk assessment should determine the risks posed by threats and vulnerabilities, prioritize those risks; risks can then be mitigated, transferred, or accepted until … (§ 3.1.2, Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1)
  • In addition to defining C-SCRM governance structures and operating models, Level 1 carries out the activities necessary to frame C-SCRM for the enterprise. C-SCRM framing is the process by which the enterprise makes explicit the assumptions about cybersecurity risks throughout the supply chain (e.g.… (2.3.2. ¶ 8, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Using a framework, such as NIST CSF, to assess their C-SCRM capabilities (3.5. ¶ 1 Bullet 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Identify constraints on the conduct of risk assessment, risk response, and risk monitoring activities within the enterprise. (Task 1-2, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • A critical first step is to ensure that there is a current and accurate inventory of the enterprise's supplier relationships, contracts, and any products or services those suppliers provide. This information allows for a mapping of these suppliers into strategically relevant groupings as determined … (3.1.1. ¶ 5, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • The organization should perform risk assessments to determine potential threats to the WLAN, the likelihood of those threats occurring, and the impact the threats could have on the organization's assets. (Table 8-1 Item 1, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007)
  • The organization should identify its information resources and determine their sensitivity and the potential impact of their loss. (§ 1 ¶ 5, FIPS Pub 140-2, Security Requirements for Cryptographic Modules, 2)
  • When an organization decides to implement an advanced authentication system, the organization should conduct a thorough risk analysis to determine the vulnerabilities to the system and to prioritize them according to their severity and likelihood. (§ 8.1, FIPS Pub 190, Guideline for the use of Advanced Authentication Technology Alternatives)
  • § 3.3 ¶ 1: The organization should address the following when assessing LAN security: which assets to protect; the potential threats; the likelihood of the threats occurring; the immediate damage if a threat is realized; the long-term effects if a threat is realized; the security services and mech… (§ 3.3 ¶ 1, § 3.4, FIPS Pub 191, Guideline for the Analysis of Local Area Network (LAN) Security)
  • Calls for Risk Assessment (RA): Organizations must periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing,… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • At a high level, there are three parts to a risk assessment: determining the assessment's scope and methodology, collecting and analyzing data, and interpreting the risk assessment results. Each of these three parts is discussed in greater detail. This section is worth reviewing directly. (§ 3.3.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Organizational records and documents should be examined to ensure the risk assessment policy and procedures are documented, disseminated, reviewed, updated, and continuously applied and that specific responsibilities and actions are defined for the implementation of the risk assessment policy and pr… (RA-1, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization's risk assessment practices should include handheld devices and should identify threats and vulnerabilities, assess the likelihood of success, and estimate damage from successful attacks. (Pg ES-2, § 4.2.3, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008)
  • The organization must develop and implement a risk assessment security policy. (SG.RA-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The risk assessment security policy must include the objectives, roles, and responsibilities of the program. (SG.RA-1 Requirement 1.a.i, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The risk assessment security policy must include the scope of the program. (SG.RA-1 Requirement 1.a.ii, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop, disseminate, review, and update, on a predefined frequency, a formal, documented risk assessment policy that addresses purposes, roles, responsibilities, scope, coordination among entities, compliance, and management commitment. (App F § RA-1.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop a comprehensive risk management strategy for operations, assets, individuals, other organizations, and the nation associated with the operation and use of Information Systems. (App G § PM-9.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop, disseminate, review, and update, on a predefined frequency, formal, documented procedures for implementing the risk assessment policy and its associated controls. (App F § RA-1.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (RA-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems. (PM-9a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (RA-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (RA-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (RA-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Licensees must analyze their digital computer and communications systems and networks to identify all assets that need to be protected against cyber attacks. (§ 73.54(b)(1), 10 CFR Part 73.54, Protection of digital computer and communication systems and networks)
  • The organization's management should develop a risk assessment policy to meet the objectives of the organization. (Pg 3, Pg 19, Pg 24, Implementation Guide for OMB Circular A-123 Management's Responsibility for Internal Control)
  • Risk assessments should be performed to identify areas where controls should be implemented or improved. Internal and external risks, along with interactions between organizations, should be identified. Events that can affect the risk to the system include the following: personnel changes; upgraded … (§ I.A, § II.B, App A § III.B.2, OMB Circular A-123, Management's Responsibility for Internal Control)
  • The organization should perform a risk analysis on new and established relationships. (Third-Party Senders, ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58, December 2004)
  • Management should adopt and enforce appropriate policies and procedures to manage risk related to a bank's use of technology. The bank should implement testing for compliance with these policies and procedures. The bank should ensure that policies and procedures to manage risk related to a bank's us… (¶ 35, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)
  • A bank should implement a Risk Management process that is commensurate with the complexity and level of risk of the third party relationships. ("Risk Management Life Cycle" ¶ 1, Third-Party Relationships Risk Management Guidance, OCC Bulletin 2013-29, October 30, 2013)
  • The auditor should evaluate the organization's risk assessment process to ensure all risks have been identified and controls have been implemented. (¶ 49, PCAOB Auditing Standard No. 2)
  • The risk assessment should identify the significant accounts and disclosures, the relevant assertions, which controls to test, and what evidence is necessary to demonstrate each control is working. The areas of highest risk should have the most focus by the auditor. The organization's complexity als… (¶ 10 thru ¶ 12, PCAOB Auditing Standard No. 5)
  • Threat and vulnerability security assessments must be performed periodically at all airports. The assessment must evaluate the security procedures for checked baggage; the space requirements for security personnel; how screened and unscreened individuals are separated; how controlled and uncontrolle… (§ 44904(b), TITLE 49, Subtitle VII - Aviation Programs, December 5, 2001)