
Update the risk assessment upon discovery of a new threat.
CONTROL ID
00708
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Perform risk assessments for all target environments, as necessary., CC ID: 06452

This Control has the following implementation support Control(s):
  • Review risks to the organization's audit function when changes in the supply chain occur., CC ID: 01154


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The organization must assess its risks at least annually. Management should be committed to the risk management system. (¶ 3.1.5, ¶ 3.2.2, ¶ 3.2.3, ¶ 4.2.3, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002)
  • Periodic update and monitoring of risk assessment to include changes in systems, environmental or operating conditions that would affect risk analysis. (§ 4.0.1.e, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should conduct a Threat and Vulnerability Risk Assessment (TVRA) for its data centres (DCs) to identify potential vulnerabilities and weaknesses, and the protection that should be established to safeguard the DCs against physical and environmental threats. In addition, the TVRA should conside… (§ 8.5.1, Technology Risk Management Guidelines, January 2021)
  • The organization's commitment to carrying out a treatment for a risk is discussed. Any selected treatments should be documented with responsibilities for implementing it delegated and resources to be used listed. The budget for each treatment should be assigned, there should be a timetable for imple… (Pg 24, Australia Better Practice Guide - Business Continuity Management, January 2000)
  • Do you have a way of reviewing and monitoring changes to these issues on a regular basis? (Context of the organization ¶ 2, ISO 22301: Self-assessment questionnaire)
  • Risk assessments are carried out both at regular intervals and in response to events. (1.4.1 Requirements (must) Bullet 1, Information Security Assessment, Version 5.1)
  • The Supervisory Board must review management's assessment of the internal risk management and control system at least annually. (¶ III.1.8, The Dutch corporate governance code, Principles of good corporate governance and best practice provisions, 9 December 2003)
  • The organization should review the risk assessment at least every 12 months. (Purpose ¶ 1, Guidance on the scope of Quarterly Risk Assessments, March 2009)
  • The risk assessment process should be validated and independently reviewed on a regular basis. The review should be conducted by external auditors. (¶ 620(e), ¶ 666(e), Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework)
  • Implement a risk-assessment process that: - Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), - Identifies critical assets, threats, and vulnerabilities, and - Results in a formal, documented analysis of risk. (12.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Implement a risk-assessment process that: - Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), - Identifies critical assets, threats, and vulnerabilities, and - Results in a formal, documented analysis of risk. (12.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Implement a risk-assessment process that: - Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), - Identifies critical assets, threats, and vulnerabilities, and - Results in a formal, documented analysis of risk. (12.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Is the risk assessment process performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.)? (12.2(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Is the risk assessment process performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.)? (12.2(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Review risk-assessment documentation to verify that the risk-assessment process is performed at least annually and upon significant changes to the environment. (12.2.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Verify that an annual risk-assessment process is documented that: - Identifies critical assets, threats, and vulnerabilities - Results in a formal, documented analysis of risk (12.2.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Resulting analysis that determines, and includes justification for, how frequently the requirement must be performed to minimize the likelihood of the threat being realized. (12.3.1 Bullet 4, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Resulting analysis that determines, and includes justification for, how frequently the requirement must be performed to minimize the likelihood of the threat being realized. (12.3.1 Bullet 4, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Resulting analysis that determines, and includes justification for, how frequently the requirement must be performed to minimize the likelihood of the threat being realized. (12.3.1 Bullet 4, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Resulting analysis that determines, and includes justification for, how frequently the requirement must be performed to minimize the likelihood of the threat being realized. (12.3.1 Bullet 4, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Resulting analysis that determines, and includes justification for, how frequently the requirement must be performed to minimize the likelihood of the threat being realized. (12.3.1 Bullet 4, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Once a risk assessment has been conducted, obtain approval from the organization's sponsor, sign-off and a budget for proposed risk management controls. (Stage 1.3 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005)
  • The medical device manufacturer shall maintain a record of all changes to the risk management plan in the risk management file. (§ 3.4 ¶ 2, ISO 14971:2007 Medical devices -- Application of risk management to medical devices, 2007)
  • noncompliance(s). (§ 4.6 ¶ 5 Bullet 5, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Outsourced service providers should conduct a risk assessment on their recovery equipment and facilities at least once every three years. (§ 7.15.5.2, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • achieve continual improvement. (§ 6.1.1 ¶ 1 c), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Update plans, assessment reports, and plans of action and milestones based on the results of the continuous monitoring process. (Task M-4, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • Reassess severity of risk results: An organization may re-do the risk assessment for relevant risks, and results may alter based on changes in the business context, the availability of new data or information that enables a more accurate assessment, or challenges to the assumptions underpinning the … (Integrating Reviews into Business Practices ¶ 2 Bullet 5, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The organization regularly reviews and updates results of its cyber threat analysis. (ID.RA-3.3, CRI Profile, v1.2)
  • An independent audit function updates its procedures to adjust to the evolving cybersecurity environment. (GV.AU-2, CRI Profile, v1.2)
  • The organization regularly reviews and updates results of its cyber threat analysis. (ID.RA-3.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization must update the risk assessment responses when the organization identifies new or changed risks. (Table Ref 1.2.4, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • In performing his or her procedures, the service auditor may become aware of a system incident that has affected a system of the service organization that is not the system under examination. For example, the service organization may experience a breach in an IT system that is not a component of the… (¶ 3.159, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • In performing procedures, the service auditor may become aware of a system incident that has affected a system of the service organization that is not the system under examination. For example, the service organization may experience a breach in an IT system that is not a component of the system und… (¶ 3.185, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The practitioner's assessment of the risks of material misstatement may change during the course of the engagement as additional evidence is obtained. In circumstances in which the practitioner obtains evidence from performing further procedures, or if new information is obtained, either of which is… (AT-C Section 205.34, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Does the risk assessment program include a management update? (§ A.1.10, Shared Assessments Standardized Information Gathering Questionnaire - A. Risk Management, 7.0)
  • The effectiveness of security controls should be reviewed continuously. (§ 5-6, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • § 3.2 ¶ 4: CMS business partners shall recertify risk assessments (RAs) within 365 days of the previous certification. Before the recertification, the RA shall be reviewed to determine if it needs to be updated. The RA shall be updated when the security posture has changed or there has been a sign… (§ 3.2 ¶ 4 thru § 3.2 ¶ 6, CMS Business Partners Systems Security Manual, Rev. 10)
  • The business owner must develop or update the risk assessment for new systems; after major modifications; every 3 years a system is operational; after an increase in security risks/exposures or system security level; and/or after a serious security violation. (§ 1.2 ¶ 3, CMS Information Security Risk Assessment (IS RA) Procedure, Version 1.0 Final)
  • The Access Control risk assessment should not be older than the System Security Authorization Agreement and, preferably be updated annually. (§ 5.2 ¶ 4, DISA Access Control STIG, Version 2, Release 3)
  • The Security Vulnerability Assessment must be updated and revised within 90 days of written notification from the Department. (§ 27.215(d), 6 CFR Part 27, Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security)
  • (§ IV.A.1, The National Strategy to Secure Cyberspace, February 2003)
  • Threat information is used to enhance internal risk management and controls. (Domain 2: Assessment Factor: Threat Intelligence, THREAT INTELLIGENCE AND INFORMATION Baseline 1 ¶ 3, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • The organization should continuously review the authentication technology and ensure any changes are implemented. (Pg 3, FFIEC Guidance on Authentication in an Internet Banking Environment)
  • Management should continuously monitor risks to determine the level of risk the organization will accept. The risk assessment process should be continuous and not a one-time or annual event. (Pg 4, Pg 15, Pg 24, Exam Obj 5.3, FFIEC IT Examination Handbook - Management)
  • The Agencies reiterate and stress the expectation described in the 2005 Guidance that financial institutions should perform periodic risk assessments and adjust their customer authentication controls as appropriate in response to new threats to customers' online accounts. Financial institutions shou… (Risk Assessments ¶ 1, Supplement to Authentication in an Internet Banking Environment)
  • changes in the internal and external threat environment, including those discussed in the Appendix to this Supplement; (Risk Assessments ¶ 1 Bullet 1, Supplement to Authentication in an Internet Banking Environment)
  • Calls for Risk Assessment (RA): Organizations must periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing,… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Organizational records and documents should be examined to ensure risk assessments are performed routinely on a predetermined schedule or when significant changes are made; the risk assessment includes the latest changes to the system; and specific responsibilities and actions are defined for the im… (RA-4, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization should perform comprehensive security assessments on a regular basis to determine the security posture of Bluetooth. (Table 4-2 Item 3, Guide to Bluetooth Security, NIST SP 800-121, September 2008)
  • The organization should maintain an ongoing risk assessment process. (§ 4.2.3, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008)
  • Monitor and report changes in threat dispositions, activities, tactics, capabilities, objectives, etc. as related to designated cyber operations warning problem sets. (T0748, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Conduct an initial risk assessment of stakeholder assets and update the risk assessment on an ongoing basis. (T0935, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Conduct an initial risk assessment of stakeholder assets and update the risk assessment on an ongoing basis. (T0935, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Monitor and report changes in threat dispositions, activities, tactics, capabilities, objectives, etc. as related to designated cyber operations warning problem sets. (T0748, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization should develop a security requirements checklist to help analyze controls in an efficient and systematic manner. This checklist can be used to validate security non-compliance and compliance, so the checklists needs to be updated whenever changes are made to the organization's contr… (§ 3.4.3, Risk Management Guide for Information Technology Systems, NIST SP 800-30, July 2002)
  • The organization reviews and updates the current risk assessment policy {organizationally documented frequency}. (RA-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current risk assessment procedures {organizationally documented frequency}. (RA-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current risk assessment policy {organizationally documented frequency}. (RA-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current risk assessment procedures {organizationally documented frequency}. (RA-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current risk assessment policy {organizationally documented frequency}. (RA-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current risk assessment procedures {organizationally documented frequency}. (RA-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current risk assessment policy {organizationally documented frequency}. (RA-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current risk assessment procedures {organizationally documented frequency}. (RA-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization should periodically assess the risks to the system from the implemented controls. (§ II.E, OMB Circular A-123, Management's Responsibility for Internal Control)
  • Update risk assessment techniques, risk mitigation controls, and policies and procedures. (¶ 3, Internet Security: Distributed Denial of Service Attacks - OCC Alert 2000-1)
  • The Under Secretary must periodically review the threats to aviation using a systems analysis (vulnerability analysis, threat definitions) and considering future technologies that might be used to threaten aircraft. (§ 112(b)(2), Aviation and Transportation Security Act, Public Law 107-71, November 2001)