Conduct a risk assessment to determine operational risks as a part of the acquisition feasibility study.

CONTROL ID
01135
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Conduct an acquisition feasibility study prior to acquiring assets., CC ID: 01129

This Control has the following implementation support Control(s):
  • Refrain from implementing systems that are beyond the organization's risk acceptance level., CC ID: 13054

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The organization should use caution when determining if new technologies are to be introduced. (¶ 62, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should develop a process to authorize new technologies that includes conducting a risk assessment to assess the benefits against the risk. (¶ 64, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • New technologies potentially introduce a set of additional risk exposures (both known and unknown). A regulated institution would normally apply appropriate caution when considering the introduction of new technologies. (¶ 62, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • A regulated institution may find it useful to develop a technology authorisation process and maintain an approved technology register to facilitate this. The authorisation process would typically involve a risk assessment balancing the benefits of the new technology with the risk (including an allow… (¶ 64, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • IT services encompass all forms of IT procurement; in particular, this includes the provision of IT systems, projects/computer-aided construction projects or staff. Outsourcing of IT services shall meet the requirements pursuant to AT 9 of MaRisk. This shall also apply to the outsourcing of IT servi… (II.8.52, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • The contracting authority, the contractor, and, if necessary, the local special branch must perform a risk assessment. The contracting authority must advise if any additional security controls are required. (¶ 35, The Contractual process, Version 5.0 October 2010)
  • Prior to new products or services being introduced in the organization, the operational risks should be assessed. (Principle 4, BIS Sound Practices for the Management and Supervision of Operational Risk)
  • The regulated user should conduct a documented supplier assessment and risk analysis for each of the various options before selecting a commercial off the shelf, standard, or proprietary system for gxp regulated applications. (¶ 4.3, Good Practices For Computerized systems In Regulated GXP Environments)
  • A document risk assessment is required when supply chain traceability is unavailable or the documentation is suspected of being falsified. (§ 4.1.4.a, SAE AS 5553: Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition, Revision A)
  • A risk analysis shall be required for each supply chain intermediary which does not have a counterfeit/fraudulent part control plan. (§ 4.1.4.b, SAE AS 5553: Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition, Revision A)
  • Information risk assessments shall be performed prior to the introduction of major new technologies (e.g., Radio Frequency Identification, virtualisation, consumerisation, and Internet Protocol version 6 networking). (SR.01.01.05a, The Standard of Good Practice for Information Security)
  • The system development methodology should require that the security implications of implementing vendor solutions are assessed. (CF.17.01.04d, The Standard of Good Practice for Information Security)
  • The risk of potential security weaknesses in hardware / software should be reduced by obtaining external assessments from trusted sources (e.g., external auditor's opinions and specified security criteria, such as the Information Technology Security Evaluation Criteria, 'common criteria', Federal In… (CF.16.02.06a, The Standard of Good Practice for Information Security)
  • The risk of potential security weaknesses in hardware / software should be reduced by identifying security deficiencies (e.g., by detailed inspection, reference to published sources, or by participating in user / discussion groups). (CF.16.02.06b, The Standard of Good Practice for Information Security)
  • When determining the requirements for outsourcing, the organization should evaluate information risks associated with outsourcing arrangements and the particular business functions that may be outsourced. (CF.16.03.02a, The Standard of Good Practice for Information Security)
  • Prior to purchasing or using cloud services, an information risk assessment should be performed, which takes into account the type, classification, and importance of information that may be handled in the cloud. (CF.16.04.04a, The Standard of Good Practice for Information Security)
  • Prior to purchasing or using cloud services, an information risk assessment should be performed, which takes into account legal / regulatory risks to the organization (e.g., copyright, data protection, financial regulation, privacy breach, and corporate governance). (CF.16.04.04b, The Standard of Good Practice for Information Security)
  • The information risk assessment should help to identify the security arrangements required to protect information handled in the cloud, throughout its full lifecycle, including creation of information (e.g., classifying information as top secret, company-in-confidence, or public). (CF.16.04.05a, The Standard of Good Practice for Information Security)
  • The information risk assessment should help to identify the security arrangements required to protect information handled in the cloud, throughout its full lifecycle, including processing (eg input validation and integrity checking). (CF.16.04.05b, The Standard of Good Practice for Information Security)
  • The information risk assessment should help to identify the security arrangements required to protect information handled in the cloud, throughout its full lifecycle, including storage (e.g., segregation and resilience). (CF.16.04.05c, The Standard of Good Practice for Information Security)
  • The information risk assessment should help to identify the security arrangements required to protect information handled in the cloud, throughout its full lifecycle, including transmission (e.g., encryption, non-repudiation, and cross-border requirements). (CF.16.04.05d, The Standard of Good Practice for Information Security)
  • The information risk assessment should help to identify the security arrangements required to protect information handled in the cloud, throughout its full lifecycle, including destruction (e.g., 'secure erasure' and physical destruction). (CF.16.04.05e, The Standard of Good Practice for Information Security)
  • Based on the results of the information risk assessment and the classification of information that may be handled in the cloud, a decision should be made on whether information needs to be prevented from entering the cloud (e.g., it has a very high-level of classification, such as top secret or is s… (CF.16.04.06a, The Standard of Good Practice for Information Security)
  • Based on the results of the information risk assessment and the classification of information that may be handled in the cloud, a decision should be made on whether information needs to be encrypted when stored and transmitted to / from the cloud. (CF.16.04.06b, The Standard of Good Practice for Information Security)
  • Based on the results of the information risk assessment and the classification of information that may be handled in the cloud, a decision should be made on whether information needs to be subject to restrictions when storing and processing in particular jurisdictions. (CF.16.04.06c, The Standard of Good Practice for Information Security)
  • Information risk assessments shall be performed prior to the introduction of major new technologies (e.g., Radio Frequency Identification, virtualisation, consumerisation, and Internet Protocol version 6 networking). (SR.01.01.05a, The Standard of Good Practice for Information Security, 2013)
  • The system development methodology should require that the security implications of implementing vendor solutions are assessed. (CF.17.01.04d, The Standard of Good Practice for Information Security, 2013)
  • The risk of potential security weaknesses in hardware / software should be reduced by obtaining external assessments from trusted sources (e.g., external auditor's opinions and specified security criteria, such as the Information Technology Security Evaluation Criteria, 'common criteria', Federal In… (CF.16.02.06a, The Standard of Good Practice for Information Security, 2013)
  • The risk of potential security weaknesses in hardware / software should be reduced by identifying security deficiencies (e.g., by detailed inspection, reference to published sources, or by participating in user / discussion groups). (CF.16.02.06b, The Standard of Good Practice for Information Security, 2013)
  • When determining the requirements for outsourcing, the organization should evaluate information risks associated with outsourcing arrangements and the particular business functions that may be outsourced. (CF.16.03.02a, The Standard of Good Practice for Information Security, 2013)
  • Prior to purchasing or using cloud services, an information risk assessment should be performed, which takes into account the type, classification, and importance of information that may be handled in the cloud. (CF.16.04.04a, The Standard of Good Practice for Information Security, 2013)
  • Prior to purchasing or using cloud services, an information risk assessment should be performed, which takes into account legal / regulatory risks to the organization (e.g., copyright, data protection, financial regulation, privacy breach, and corporate governance). (CF.16.04.04b, The Standard of Good Practice for Information Security, 2013)
  • The information risk assessment should help to identify the security arrangements required to protect information handled in the cloud, throughout its full lifecycle, including creation of information (e.g., classifying information as top secret, company-in-confidence, or public). (CF.16.04.05a, The Standard of Good Practice for Information Security, 2013)
  • The information risk assessment should help to identify the security arrangements required to protect information handled in the cloud, throughout its full lifecycle, including processing (eg input validation and integrity checking). (CF.16.04.05b, The Standard of Good Practice for Information Security, 2013)
  • The information risk assessment should help to identify the security arrangements required to protect information handled in the cloud, throughout its full lifecycle, including storage (e.g., segregation and resilience). (CF.16.04.05c, The Standard of Good Practice for Information Security, 2013)
  • The information risk assessment should help to identify the security arrangements required to protect information handled in the cloud, throughout its full lifecycle, including transmission (e.g., encryption, non-repudiation, and cross-border requirements). (CF.16.04.05d, The Standard of Good Practice for Information Security, 2013)
  • The information risk assessment should help to identify the security arrangements required to protect information handled in the cloud, throughout its full lifecycle, including destruction (e.g., 'secure erasure' and physical destruction). (CF.16.04.05e, The Standard of Good Practice for Information Security, 2013)
  • Based on the results of the information risk assessment and the classification of information that may be handled in the cloud, a decision should be made on whether information needs to be prevented from entering the cloud (e.g., it has a very high-level of classification, such as top secret or is s… (CF.16.04.06a, The Standard of Good Practice for Information Security, 2013)
  • Based on the results of the information risk assessment and the classification of information that may be handled in the cloud, a decision should be made on whether information needs to be encrypted when stored and transmitted to / from the cloud. (CF.16.04.06b, The Standard of Good Practice for Information Security, 2013)
  • Based on the results of the information risk assessment and the classification of information that may be handled in the cloud, a decision should be made on whether information needs to be subject to restrictions when storing and processing in particular jurisdictions. (CF.16.04.06c, The Standard of Good Practice for Information Security, 2013)
  • The process for managing the information risks associated with external suppliers should include identifying critical and sensitive information being shared with external suppliers. (CF.16.01.01a, The Standard of Good Practice for Information Security, 2013)
  • The process for managing the information risks associated with external suppliers should include performing relationship assessments of external suppliers that handle critical or sensitive information. (CF.16.01.01c, The Standard of Good Practice for Information Security, 2013)
  • The process for managing the information risks associated with external suppliers should include assessing risks to information handled by external suppliers. (CF.16.01.01d, The Standard of Good Practice for Information Security, 2013)
  • Information that is (or may be) shared with external suppliers should be subject to an information risk assessment (e.g., using the Information security forum's Information Risk Analysis Methodology). (CF.16.01.02b, The Standard of Good Practice for Information Security, 2013)
  • An evaluation must be conducted during the authentication solution selection to determine the lifecycle requirements in relation to the product being protected. (§ 4.5.3 ¶ 1, ISO 12931:2012, Performance Criteria for Authentication Solutions Used to Combat Counterfeiting of Material Goods, First Edition)
  • An evaluation shall be made to determine the lifecycle capabilities of authentication tools. (§ 4.5.3 ¶ 1, ISO 12931:2012, Performance Criteria for Authentication Solutions Used to Combat Counterfeiting of Material Goods, First Edition)
  • The organization shall ensure that externally provided processes, products and services do not adversely affect the organization's ability to consistently deliver conforming products and services to its customers. (8.4.2 ¶ 1, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The organization implements a process for evaluating (e.g., assessing or testing) externally developed applications. (PR.IP-2.2, CRI Profile, v1.2)
  • The organization implements a process for evaluating (e.g., assessing or testing) externally developed applications. (PR.IP-2.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and (SA-9(1)(a), StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and (SA-9(1)(a), StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and (SA-9(1)(a), StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Adopt secure development practices for in-house developed applications utilized by the Licensee and procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Licensee; (Section 4.D ¶ 1(2)(e), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • If business information systems are used to transmit scoped systems and data, are Information Security reviews conducted and approved for the use or installation of open source software (Linux, Apache, etc.)? (§ I.1.2, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • If business information systems are used to process scoped systems and data, are Information Security reviews conducted and approved for the use or installation of open source software (Linux, Apache, etc.)? (§ I.1.2, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • If business information systems are used to store scoped systems and data, are Information Security reviews conducted and approved for the use or installation of open source software (Linux, Apache, etc.)? (§ I.1.2, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • The executive agency must develop and implement a process to maximize the value and assess and manage the risks of all information technology acquisitions. (§ 5122(a), Clinger-Cohen Act (Information Technology Management Reform Act))
  • A formal Risk Analysis must be used to support the outsourcing or acquisition of dedicated Information Assurance services, such as incident monitoring, incident analysis, and Incident Response. (DCDS-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • A formal Risk Analysis must be used to support the outsourcing or acquisition of the operation of Information Assurance devices, such as firewalls. (DCDS-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • A formal Risk Analysis must be used to support the outsourcing or acquisition of key management services. (DCDS-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Emerging mobile code technology that is acquired, developed, and/or used in Department of Defense systems must have had a risk assessment completed by the National Security Agency and been assigned a risk category by the Chief Information Officer. (DCMC-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Development and acquisition issues. (App A Objective 11:2 d., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether management assesses and mitigates the operational risks associated with the development or acquisition of software. Appropriate management of the risks should include the following: (App A Objective 12:10, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Systems development and support. (App A Objective 8:1 c., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The volume, nature, and extent of risk exposure to the institution in the area of systems development and acquisition; (TIER II OBJECTIVES AND PROCEDURES B.1 Bullet 3, FFIEC IT Examination Handbook - Audit, April 2012)
  • Assess the adequacy of acquisition activities by evaluating: ▪ The adequacy of, and adherence to, acquisition standards and controls; ▪ The applicability and effectiveness of project management methodologies; ▪ The experience of project managers; ▪ The adequacy of project plans, particularly… (Exam Obj 6.1, FFIEC IT Examination Handbook - Development and Acquisition)
  • The organization should analyze each Request for Proposal (RFP) response to ensure it meets the organization's needs. The following information should be confirmed and assessed to ensure the service provider meets the RFP requirements: corporate history; qualifications and backgrounds of principal(s… (Pg 11, Exam Tier I Obj 3.3, Exam Tier II Obj B.1, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • Review policies and procedures for acquisition of originating customers and determine the appropriateness of these policies for the risk profile and risk management capabilities of the financial institution. Determine whether the policies identify and seek to limit exposure to higher risk customers;… (App A Tier 1 Objectives and Procedures Objective 8:8, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Adopt secure development practices for in-house developed applications utilized by you for transmitting, accessing, or storing customer information and procedures for evaluating, assessing, or testing the security of externally developed applications you utilize to transmit, access, or store custome… (§ 314.4 ¶ 1(c)(4), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule, Amended February 15, 2022)
  • (SP-1, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • (§ 260.44, GAO/PCIE Financial Audit Manual (FAM))
  • The service provider must conduct a risk assessment on all future outsourced security services. (Column F: SA-9(1), FedRAMP Baseline Security Controls)
  • Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and (SA-9(1)(a) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and (SA-9(1)(a) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and (SA-9(1)(a), FedRAMP Security Controls High Baseline, Version 5)
  • Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and (SA-9(1)(a), FedRAMP Security Controls Moderate Baseline, Version 5)
  • Policies and procedures are in place to address AI risks and benefits arising from third-party software and data and other supply chain issues (GOVERN 6, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
  • Policies and procedures are in place that address AI risks associated with third-party entities, including risks of infringement of a third-party's intellectual property or other rights. (GOVERN 6.1, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
  • In addition to addressing cybersecurity risks throughout the supply chain and performing C-SCRM activities during each phase of the acquisition process, enterprises should develop and execute an acquisition strategy that drives reductions in their overall risk exposure. By applying such strategies, … (3.1. ¶ 3, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and (SA-9(1)(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and (SA-9(1)(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The organization should require the smart grid Information System developers and integrators to conduct a vulnerability analysis and document any vulnerabilities, potential exploits, and ways to correct the risks. (SG.SA-10 Additional Considerations A2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should conduct a risk assessment before acquiring or outsourcing dedicated Information Security services. (App F § SA-9(1)(a), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services. (SA-9(1)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization conducts an assessment of the information system, system component, or information system service prior to selection, acceptance, or update. (SA-12(7), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and (SA-9(1)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and (SA-9(1)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and (SA-9(1)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and (SA-9(1) ¶ 1(a), Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The bank should conduct quality assurance reviews whenever it engages in a significant combination with another institution or acquires another business. (¶ 44, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)
  • Adoption of secure development practices for in-house developed applications utilized by such licensee and procedures for evaluating, assessing or testing the security of externally developed applications utilized by such licensee; (Part VI(c)(4)(B)(v), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • Procedures for evaluating, assessing, or testing the security of an application that a licensee uses and was developed externally. (§ 8604.(d)(2) e. 2., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • Adopt secure development practices for in-house developed applications used by the licensee and procedures for evaluating, assessing, or testing the security of externally developed applications used by the licensee; (§431:3B-203(2)(E), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • Adopt secure development practices for in-house developed applications utilized by the licensee, and procedures for evaluating, assessing, and testing the security of externally developed applications utilized by the licensee. (507F.4 4.b.(5), Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • Adopt secure development practices for in-house developed applications used by the licensee and procedures for evaluating, assessing, or testing the security of externally developed applications used by the licensee. (§2504.D.(2)(e), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Adopt secure development practices for applications developed and used by the licensee and procedures for evaluating, assessing or testing the security of externally developed applications used by the licensee; (§2264 4.B.(5), Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • Adding procedures for evaluating, assessing, or testing the security of externally developed applications used by the licensee. (Sec. 555.(4)(b)(vi), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • Adopt secure development practices for in-house developed applications utilized by the licensee and procedures for evaluating, assessing, or testing the security of externally developed applications utilized by the licensee; (Section 3965.02 (D)(2)(e), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • adopting secure development practices for in-house developed applications used by the licensee and procedures for evaluating, assessing, and testing the security of externally developed applications used by the licensee; (SECTION 38-99-20. (D)(2)(e), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • Adopt secure development practices for internally developed applications utilized by the licensee and procedures for evaluating, assessing, or testing the security of externally developed applications utilized by the licensee; (§ 56-2-1004 (4)(B)(v), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and (SA-9(1)(a), TX-RAMP Security Controls Baseline Level 2)