Establish, implement, and maintain risk assessment procedures.


CONTROL ID
06446
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a risk assessment program., CC ID: 00687

This Control has the following implementation support Control(s):
  • Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling., CC ID: 06472
  • Analyze the organization's information security environment., CC ID: 13122
  • Employ risk assessment procedures that follow standards and best practices, as necessary., CC ID: 06473
  • Document cybersecurity risks., CC ID: 12281
  • Employ risk assessment procedures that take into account both electronic records and printed records., CC ID: 06476
  • Employ risk assessment procedures that align with strategic objectives., CC ID: 06474
  • Engage appropriate parties to assist with risk assessments, as necessary., CC ID: 12153
  • Employ risk assessment procedures that take into account prior risk assessment findings of the same scope., CC ID: 06478
  • Employ risk assessment procedures that take into account the target environment., CC ID: 06479
  • Employ risk assessment procedures that take into account incidents associated with the target environment., CC ID: 06480
  • Employ risk assessment procedures that take into account risk factors., CC ID: 16560
  • Include compliance with disposition requirements in the risk assessment procedures., CC ID: 12342
  • Include compliance with retention requirements in the risk assessment procedures., CC ID: 12341
  • Employ risk assessment procedures that include appropriate risk treatment options for each identified risk., CC ID: 06484
  • Establish, implement, and maintain a threat and risk classification scheme., CC ID: 07183
  • Establish, implement, and maintain risk profiling procedures for internal risk assessments., CC ID: 01157
  • Include language that is easy to understand in the risk assessment report., CC ID: 06461
  • Include the environments that call for risk assessments in the risk assessment program., CC ID: 06448
  • Include the process for defining the scope of each risk assessment in the risk assessment program., CC ID: 06462
  • Include the circumstances that call for risk assessments in the risk assessment program., CC ID: 06449
  • Include the roles and responsibilities involved in risk assessments in the risk assessment program., CC ID: 06450
  • Include the methods of managing and responding to the risk assessment report in the risk assessment program., CC ID: 06451
  • Automate as much of the risk assessment program, as necessary., CC ID: 06459
  • Disseminate and communicate the risk assessment procedures to interested personnel and affected parties., CC ID: 14136
  • Approve the risk assessment program and associated risk assessment procedures at the senior management level., CC ID: 06458


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • If wireless local area networks (WLANs) are to be deployed, AIs should develop policies and procedures for approval, installation, operation and administration of WLANs. A risk assessment process for evaluating the sensitivity of information to be accessible via a WLAN should be formulated before a … (6.3.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Qualitative analysis involves the use of scenarios and attempts to determine the seriousness of threats and the effectiveness of controls. Qualitative analysis is by definition subjective, relying upon judgment, knowledge, prior experience and industry information. Qualitative techniques may include… (Critical components of information security 2) 6), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Conducting a vulnerability assessment for each vulnerability and calculating the probability that it will be exploited. Evaluating policies, procedures, standards, training, physical security, quality control and technical security in this regard (Critical components of information security 2) 3) Bullet 3, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • In establishing the security requirements, the FI should assess the potential threats and risks related to the IT system, and determine the acceptable level of security required to meet its business needs. (§ 5.5.2, Technology Risk Management Guidelines, January 2021)
  • An APRA-regulated entity would typically ensure that existing and emerging information security vulnerabilities and threats pertaining to critical and sensitive information assets are identified, assessed and remediated in a timely manner. This includes information assets which are not critical or s… (39., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • In APRA's view, IT security risk (as with the broader set of IT risks) will ultimately result in a business risk exposure. Regulated institutions would benefit from clearly defining both IT risk and IT security risk. In addition, allocation mechanisms would typically be developed for mapping these r… (¶ 14, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Financial institutions should identify and manage their ICT and security risks. The ICT function(s) in charge of ICT systems, processes and security operations should have appropriate processes and controls in place to ensure that all risks are identified, analysed, measured, monitored, managed, rep… (3.3.1 10, Final Report EBA Guidelines on ICT and security risk management)
  • ICT risk management policy, processes and risk tolerance thresholds; (Title 3 3.3 46.a, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • the institution has implemented a process and underlying procedures for the identification (e.g. 'risk control self-assessments' (RCSA), risk scenario analysis) and monitoring of the involved material ICT risks; and (Title 3 3.3.1 49.c, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Competent authorities may rely on and take into consideration work already undertaken by the institution or by the competent authority in the context of the assessments of other risks or SREP elements in order to have an update of the assessment. Specifically, in conducting the assessments specified… (Title 1 12., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Financial entities shall have a sound, comprehensive and well-documented ICT risk management framework as part of their overall risk management system, which enables them to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience. (Art. 6.1., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Depending on the selected method for risk analysis, the information security management must define how basic threats, potentials for causing damage, probabilities of occurrence, and the risks resulting thereof should be classified and assessed. However, it is difficult, complex, and moreover prone … (§ 8.1 Subsection 2 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • The risks that may be caused through damages for the business activity and tasks of an organisation by security incidents must be analysed. Thus, a method for risk analysis is an integral part of every information security management system. In order to be able to determine a risk, the basic threats… (§ 8.1 Subsection 1 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Supplement the security analysis by documenting the basic procedure used in an organization for performing risk analyses in a guideline and submit the guideline to management for approval. (4.6 Bullet 1, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Supplement the security analysis by writing a management report as a supplementary security analysis. (4.6 Bullet 3, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Exceptions of policies and instructions for information security are approved by committees or bodies of the cloud provider authorised to do so in a documented form. The appropriateness of approved exceptions and the assessment of the risks resulting from this are reviewed by specialists of the clou… (Section 5.2 SA-03 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Note: Every organisation should coordinate the descriptions of the categories in particular with the specialised departments so that all employees can easily understand their meaning. If a specific risk is assessed by two different employees of an organisation, the same result should be obtained. (§ 5.1 ¶ 6, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • A procedure is in place defining how to identify, assess and address information security risks within the organization. (1.4.1 Requirements (should) Bullet 1, Information Security Assessment, Version 5.1)
  • The organization must use a Risk Management approach to counter-terrorism protective security. Counterterrorism measures should be considered in conjunction with general protective security risk management. (Security Policy No. 6 ¶ 4, HMG Security Policy Framework, Version 6.0 May 2011)
  • The upstream company should review the principles and standards of its supply chain policy when assessing the supply chain risks. (Supplement on Tin, Tantalum, and Tungsten Step 2: I.C.1(a), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The upstream company should determine if the actual conditions meet the standard, and if there is a reasonable inconsistency it should be considered a risk with potential adverse impacts. (Supplement on Tin, Tantalum, and Tungsten Step 2: I.C.2, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Upstream companies should use an evidence-based approach when conducting the supply chain risk assessment. (Supplement on Tin, Tantalum, and Tungsten App: A.1, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The organization should provide for data confidentiality and security of its information system(s)(electronic and paper) by implementing written policies and/or documented procedures that address assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability… (CORE - 15(a), URAC Health Utilization Management Standards, Version 6)
  • A risk assessment process that identifies the critical assets, vulnerabilities, and threats must be implemented. (PCI DSS Requirements § 12.2 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Performance of the targeted analysis of risk at least once every 12 months. (12.3.2 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • If the mechanism functions are performed at an entity-defined frequency, examine the entity's targeted risk analysis for determining the frequency to verify the risk analysis was performed in accordance with all elements specified at Requirement 12.3.1. (11.6.1.c, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine the entity's targeted risk analysis that defines the risk for addressing all other applicable vulnerabilities (those not ranked as high-risk or critical per the entity's vulnerability risk rankings at Requirement 6.3.1) to verify the risk analysis was performed in accordance with all element… (11.3.1.1.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Is an annual risk assessment process implemented that identifies assets, threats, and vulnerabilities? (PCI DSS Question 12.2(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Is an annual risk assessment process implemented that identifies assets, threats, and vulnerabilities? (PCI DSS Question 12.2(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. (§ 3 Principle 7 ¶ 1, COSO Internal Control - Integrated Framework (2013))
  • The organization identifies and assesses risks at the entity, subsidiary, division, operating unit, and functional levels relevant to the achievement of objectives. (§ 3 Principle 7 Points of Focus: Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels, COSO Internal Control - Integrated Framework (2013))
  • There should be formal, documented standards and/or procedures for performing information risk assessments, which apply across the organization. (SR.01.01.01, The Standard of Good Practice for Information Security)
  • Information risk assessment methodologies should be reviewed regularly to ensure that they meet business needs. (SR.01.02.02d, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for reporting information risks (e.g., to executive management). (SI.02.02.01, The Standard of Good Practice for Information Security)
  • Information risk reporting mechanisms should be developed, which are relevant to each audience, and take into account requirements, such as frequency of publication (e.g., monthly or quarterly). (SI.02.02.04d, The Standard of Good Practice for Information Security)
  • There should be formal, documented standards and/or procedures for performing information risk assessments, which apply across the organization. (SR.01.01.01, The Standard of Good Practice for Information Security, 2013)
  • There should be documented standards / procedures for reporting information risks (e.g., to executive management). (SI.02.02.01, The Standard of Good Practice for Information Security, 2013)
  • Information risk reporting mechanisms should be developed, which are relevant to each audience, and take into account requirements, such as frequency of publication (e.g., monthly or quarterly). (SI.02.02.04d, The Standard of Good Practice for Information Security, 2013)
  • Information risk assessment methodologies should be reviewed regularly to ensure that they meet business needs. (SR.01.02.02e, The Standard of Good Practice for Information Security, 2013)
  • Information risk assessments should be supported by reviewing intelligence information about emerging and changing threats (e.g., cybercrime, identity theft, spear phishing, watering holes, and cyber-espionage attacks). (SR.01.01.07a, The Standard of Good Practice for Information Security, 2013)
  • Information risks associated with target environments (e.g., critical business environments, business processes, business applications (including those under development), information systems and networks) should be assessed using structured information risk assessment methodologies (e.g., the Infor… (SR.01.02.01, The Standard of Good Practice for Information Security, 2013)
  • Information risk assessments should be supported by reviewing intelligence information about known vulnerabilities and exploits associated with key operating systems, applications and other software (e.g., by monitoring security vendor websites, tracking Computer Emergency Response Tea… (SR.01.01.07b, The Standard of Good Practice for Information Security, 2013)
  • Establish and maintain standards and procedures for risk assessments. (organizations shall develop and maintain an enterprise risk management framework to manage risk to an acceptable level). (RI-01, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Risk assessment results shall include updates to security policies, procedures, standards and controls to ensure they remain relevant and effective. (RI-04, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • The Risk Management policy shall include a description of the event management processes. (§ 4.2.1 ¶ 1(c)(1), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The Risk Management policy shall include a description of the Change Management process and release management process. (§ 4.2.1 ¶ 1(c)(2), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The Risk Management policy shall include a description of the Configuration Management processes. (§ 4.2.1 ¶ 1(c)(3), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The Risk Management policy shall include a description of the monitoring processes. (§ 4.2.1 ¶ 1(c)(4), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The organization shall establish and maintain a Risk Management plan. (§ 4.3.5, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The Risk Management plan shall include the medical Information Technology network description, including the use and expected benefits of the network. (§ 4.3.5 ¶ 1(a)(2), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The Risk Management plan shall include the medical Information Technology network description, including the reason for the incorporation of each medical device. (§ 4.3.5 ¶ 1(a)(3), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The Risk Management plan shall include the medical Information Technology network description, including the use of each medical device that is not included in the manufacturer's intended use. (§ 4.3.5 ¶ 1(a)(4), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The Risk Management plan shall include the monitoring requirements. (§ 4.3.5 ¶ 1(c), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The organization should define an assessment strategy in relation with the compliance specifications and with consideration of the counterfeiting status. (§ 5.1.1 ¶ 1, ISO 12931:2012, Performance Criteria for Authentication Solutions Used to Combat Counterfeiting of Material Goods, First Edition)
  • The medical device manufacturer shall review the risk management process before medical devices are released for commercial distribution. The review shall ensure the appropriate implementation of the risk management plan; the acceptability of the overall residual risk; and methods are implemented to… (§ 8, ISO 14971:2007 Medical devices -- Application of risk management to medical devices, 2007)
  • The organization shall define the Risk Management policy. (§ 6.3.4.3(a)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall define how to evaluate and improve the Risk Management process. (§ 6.3.4.3(a)(5), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall define and document what is included in the Risk Management process. (§ 6.3.4.3(b)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall review the Risk Management process periodically. (§ 6.3.4.3(f)(2), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall review risk information periodically. (§ 6.3.4.3(f)(3), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall establish, implement, and maintain a formal documented risk assessment process that systematically identifies, analyses, and evaluates the risk of disruptive incidents to the organization. (§ 8.2.3 ¶ 1, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • defines the required output from the business impact analysis and risk assessment, and (§ 8.2.1 ¶ 1 d), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • establishing criteria for the processes, (§ 8.1 ¶ 1 a), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that (8.2.1 ¶ 1, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • implement and maintain systematic processes for analysing the business impact and assessing the risks of disruption; (§ 8.2.1 ¶ 1 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization shall implement and maintain a risk assessment process. (§ 8.2.3 ¶ 1, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization should continually monitor, review, and improve the information security risk management process in order to ensure the risk assessment and risk treatment outcomes, context, and management plans stay relevant and appropriate for the circumstances. The organization should routinely v… (§ 12.2, ISO 27005 Information technology -- Security techniques -- Information security risk management, 2011)
  • The organization should continually improve the risk management process by setting organizational performance goals, measurements, reviews, and subsequently modifying, systems, processes, resources, capabilities, and skills. (App A § A.3.1, ISO 31000 Risk management -- Principles and guidelines, 2009)
  • the process for assessing risk is consistent throughout the organization, enabling effective comparison and prioritization of risk; (§ 6.9.3.4 ¶ 1 e), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • unintended outcomes are adequately identified, understood, monitored and appropriate action taken; (§ 6.2.3.4 ¶ 1 a), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • the process(es) and actions needed to determine and address its risks and opportunities (see 6.1.2 to 6.1.4) to the extent necessary to have confidence that they are carried out as planned. (§ 6.1.1 ¶ 4 Bullet 2, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • determine and assess the other risks related to the establishment, implementation, operation and maintenance of the OH&S management system. (§ 6.1.2.2 ¶ 1 b), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • The organization, in its planning process(es), shall determine and assess the risks and opportunities that are relevant to the intended outcomes of the OH&S management system associated with changes in the organization, its processes or the OH&S management system. In the case of planned changes, per… (§ 6.1.1 ¶ 3, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • assess OH&S risks that relate to new or changed hazards, prior to taking action; (§ 10.2 ¶ 2 e), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • methodology applied; (§ 6.7 ¶ 6 Bullet 2, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • The organization shall define and apply an IT asset risk assessment process that: (Section 6.1.2 ¶ 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The entity identifies and assesses risk at the entity, subsidiary, division, operating unit, and functional levels relevant to the achievement of objectives. (CC3.2 ¶ 3 Bullet 1 Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. (CC3.2 ¶ 1 COSO Principle 7:, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • As a part of the cyber risk management program, the organization has documented its cyber risk assessment process and methodology, which are periodically updated to address changes to the risk profile and risk appetite (e.g., new technologies, products, services, interdependencies, and the evolving … (GV.RM-1.3, CRI Profile, v1.2)
  • As a part of the cyber risk management program, the organization has documented its cyber risk assessment process and methodology, which are periodically updated to address changes to the risk profile and risk appetite (e.g., new technologies, products, services, interdependencies, and the evolving … (GV.RM-1.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Risk assessment procedures [Assignment: organization-defined frequency]. (RA-1b.2., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and (RA-1a.2., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and (RA-1a.2., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Risk assessment procedures [Assignment: organization-defined frequency]. (RA-1b.2., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and (RA-1a.2., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Risk assessment procedures [Assignment: organization-defined frequency]. (RA-1b.2., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Risk assessment procedures [Assignment: organization-defined frequency]. (RA-1b.2., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and (RA-1a.2., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • After the service auditor has assessed the risks of material misstatement, paragraphs .20–.21 of AT-C section 205, Examination Engagements, require the service auditor to respond to the assessed risks when designing and performing examination procedures. Specifically, they require the service audi… (¶ 3.04, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Identifying and analyzing risks that could prevent the service organization from achieving its service commitments and system requirements (¶ 2.168 Bullet 3, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Identifying and analyzing risks that could prevent the service organization from achieving its service commitments and system requirements (¶ 2.04 Bullet 4, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The service organization's control environment, risk assessment, information and communications, and monitoring components of internal control related to the service provided to user entities and business partners may enhance or mitigate the effectiveness of specific controls. If the service auditor… (¶ 3.111, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When obtaining an understanding of the internal audit function's responsibilities and activities, the service auditor makes inquiries of internal audit personnel and reads information about the internal audit function stated in the description. Ordinarily, the service auditor also requests and reads… (¶ 2.136, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Service organization management is responsible for designing and implementing controls to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable trust services criteria, identifying the risks that threaten the ac… (¶ 3.80, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Inspecting documentation supporting the service organization's identification and assessment of risks, including the determination of how the service organization plans to mitigate such risks (¶ 3.59 Bullet 4, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Obtains an understanding of management's risk assessment process as discussed in the subsequent paragraph and assesses the completeness and accuracy of management's identification of those risks (¶ 3.81 Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • As discussed beginning in paragraph 2.56, service organization management may document controls in a variety of ways. The nature and extent of documentation usually varies, depending on the size and complexity of the service organization and its monitoring activities. In some cases, the service audi… (¶ 3.97, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Establishing an overall strategy for the examination that sets the scope, timing, and direction of the engagement and guides the development of the engagement plan, including the consideration of materiality and the identification of the risks of material misstatement (see paragraph 2.97) (¶ 2.36 Bullet 4, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • As discussed in paragraph 2.58, service organization management would usually be unable to make an assertion about the suitability of design and, in a type 2 engagement, operating effectiveness of controls without first having performed a risk assessment. The risk assessment enables management to id… (¶ 2.117, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The practitioner should design and perform further procedures whose nature, timing, and extent are based on, and responsive to, the assessed risks of material misstatement. (AT-C Section 205.21, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. (CC3.2 COSO Principle 7:, Trust Services Criteria)
  • The entity identifies and assesses risk at the entity, subsidiary, division, operating unit, and functional levels relevant to the achievement of objectives. (CC3.2 Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels, Trust Services Criteria)
  • The entity identifies and assesses risk at the entity, subsidiary, division, operating unit, and functional levels relevant to the achievement of objectives. (CC3.2 ¶ 3 Bullet 1 Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels, Trust Services Criteria, (includes March 2020 updates))
  • The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. (CC3.2 ¶ 1 COSO Principle 7:, Trust Services Criteria, (includes March 2020 updates))
  • Each Transmission Owner shall have an unaffiliated third party verify the risk assessment performed under Requirement R1. The verification may occur concurrent with or after the risk assessment performed under Requirement R1. [VRF: Medium; Time-Horizon: Long-term Planning] (B. R2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-2, Version 2)
  • Each Transmission Owner shall have an unaffiliated third party verify the risk assessment performed under Requirement R1. The verification may occur concurrent with or after the risk assessment performed under Requirement R1. [VRF: Medium; Time-Horizon: Long-term Planning] (B. R2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-3, Version 3)
  • Financial institutions and creditors should update the Program (including the Red Flags determined to be relevant) periodically, to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft, based on factors such as: (Appendix A-V. ¶ 1, 17 CFR Part 248 Subpart C, Regulation S-ID - Identity Theft Red Flags)
  • The reasonableness and comprehensiveness of the BIA and business continuity risk assessment(s). (App A Objective 3:5a, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Audits, assessments, and operational performance reports are obtained and reviewed regularly validating security controls for critical third parties. (Domain 4: Assessment Factor: Relationship Management, ONGOING MONITORING Baseline 3 ¶ 2, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • As part of the information security program, determine whether management has established risk identification processes. (App A Objective 4, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether management uses tools to perform threat analysis and analyzes information security events to help do the following: (App A Objective 5.1, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Identifying and assessing threats (e.g., threat information is often ad hoc, although some providers present threat information within a defined framework that readily lends itself to analytical operations). (App A Objective 8.3.b, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether management has effective risk monitoring and reporting processes. (App A Objective 7, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether management comprehensively and effectively identifies, measures, mitigates, monitors, and reports interconnectivity risk. Review whether management does the following: (App A Objective 6.7, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • IT risks are adequately identified, measured, and mitigated. (App A Objective 2:1 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Financial institution management should develop risk measurement processes that include the following elements: - Measuring risk using qualitative, quantitative, or a hybrid of methods. - Recognizing that risks do not exist in isolation. - Prioritizing the risks based on the results of risk measurem… (III.B Risk Measurement, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether the institution's risk management program facilitates effective risk identification and measurement and provides support for risk decisions within ITRM. (App A Objective 7, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether the institution maintains a risk assessment process to perform the following: (App A Objective 7:4, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Internal controls and processes. (App A Objective 8:1 d., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether institution management maintains a risk measurement process that is coordinated and consistent across the enterprise. (App A Objective 11, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether management's risk measurement process includes the determination of risk factors (such as adverse events, threats, and controls) and the affected assets. Determine whether management develops inventories of those risk factors. Specifically, determine whether management does the fol… (App A Objective 11:1, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether the risk measurement process is comprehensive and includes the following types of risks that affect the institution: (App A Objective 11:2, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Risk assessment. (App A Objective 12:4 a., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Obtain and review the most recent risk assessment related to RDC. Evaluate the quality of the risk assessment and whether it encompasses factors such as: (App A Tier 2 Objectives and Procedures N.2 Bullet 3 Sub-Bullet 6, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Describe the process and criteria used by financial institution management to evaluate the RDC customers' information security infrastructure and risk management processes. (App A Tier 2 Objectives and Procedures N.3 Bullet 1 Sub-Bullet 4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Determine whether any of the financial institution's RDC customers use a service provider in the RDC process. If so, evaluate how the financial institution manages risks, and whether the process is adequate. (App A Tier 2 Objectives and Procedures N.4 Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Risk assessment procedures [FedRAMP Assignment: at least annually or whenever a significant change occurs]. (RA-1b.2. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and (RA-1a.2. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Risk assessment procedures [FedRAMP Assignment: at least annually]. (RA-1b.2. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and (RA-1a.2. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Risk assessment procedures [FedRAMP Assignment: at least annually]. (RA-1b.2. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and (RA-1a.2. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls; (RA-1a.2., FedRAMP Security Controls High Baseline, Version 5)
  • Procedures [FedRAMP Assignment: at least annually] and following [FedRAMP Assignment: significant changes]. (RA-1c.2., FedRAMP Security Controls High Baseline, Version 5)
  • Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls; (RA-1a.2., FedRAMP Security Controls Low Baseline, Version 5)
  • Procedures [FedRAMP Assignment: at least annually] and following [FedRAMP Assignment: significant changes]. (RA-1c.2., FedRAMP Security Controls Low Baseline, Version 5)
  • Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls; (RA-1a.2., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Procedures [FedRAMP Assignment: at least annually] and following [FedRAMP Assignment: significant changes]. (RA-1c.2., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (RA-1c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls; (RA-1a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (RA-1c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls; (RA-1a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls; (RA-1a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (RA-1c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (RA-1c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls; (RA-1a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Constraints affecting risk assessments, risk responses, and risk monitoring; (PM-28a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • When conducting a procurement, enterprises should designate experts from different subject matter areas to participate in the acquisition process as members of the Acquisition Team and/or Integrated Project Team. This includes program officials, personnel with technical and security expertise, and r… (3.1.2. ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Once the contract is executed, the enterprise should monitor for changes that alter its exposure to cybersecurity risks throughout the supply chain. Such changes may include internal enterprise or system changes, supplier operational or structural changes, product updates, and geopolitical or enviro… (3.1.2. ¶ 8, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Adopt quantitative risk analyses that apply probabilistic approaches (e.g., Bayesian analysis) to reduce uncertainty about the likelihood and impact of cybersecurity risks throughout the supply chain, optimize the allocation of resources to risk response, and measure return on investment (i.e., resp… (3.4.3. ¶ 1 Bullet 2, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Finally, the enterprise will complete the procurement step by releasing a statement of work (SOW), performance work statement (PWS), or statement of objective (SOO) for the release of a request for proposal (RFP) or request for quotes (RFQ). Any bidders responding to the RFP or RFQ should be evaluat… (3.1.2. ¶ 7, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls; (RA-1a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (RA-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (RA-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls; (RA-1a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Constraints affecting risk assessments, risk responses, and risk monitoring; (PM-28a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (RA-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls; (RA-1a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (RA-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls; (RA-1a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The CSP SHALL maintain a record, including audit logs, of all steps taken to verify the identity of the applicant and SHALL record the types of identity evidence presented in the proofing process. The CSP SHALL conduct a risk management process, including assessments of privacy and security risks to… (4.2 ¶ 1.7, Digital Identity Guidelines: Enrollment and Identity Proofing, NIST SP 800-63A)
  • Organizations should define a maintenance plan for each maintenance group for each applicable risk response scenario. A maintenance plan defines the actions to be taken when a scenario occurs for a maintenance group, including the timeframes for beginning and ending each action, along with any other… (3.5 ¶ 1, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology, NIST SP 800-40, Revision 4)
  • Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and (RA-1a.2. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and (RA-1a.2. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and (RA-1a.2. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Risk assessment procedures [Assignment: organization-defined frequency]. (RA-1b.2. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Risk assessment procedures [Assignment: organization-defined frequency]. (RA-1b.2. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Risk assessment procedures [Assignment: organization-defined frequency]. (RA-1b.2. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization must develop a Risk Management plan. (SG.RA-2 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Management must review and approve the Risk Management plan. (SG.PS-2 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls. (RA-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current risk assessment policy {organizationally documented frequency}. (RA-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current risk assessment procedures {organizationally documented frequency}. (RA-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization implements the risk management strategy consistently across the organization. (PM-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the risk management strategy {organizationally documented frequency} or as required, to address organizational changes. (PM-9c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization fully integrates the security authorization processes into an organization-wide risk management program. (PM-10c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls. (RA-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current risk assessment policy {organizationally documented frequency}. (RA-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current risk assessment procedures {organizationally documented frequency}. (RA-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls. (RA-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current risk assessment policy {organizationally documented frequency}. (RA-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current risk assessment procedures {organizationally documented frequency}. (RA-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls. (RA-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current risk assessment policy {organizationally documented frequency}. (RA-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current risk assessment procedures {organizationally documented frequency}. (RA-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Risk assessment procedures [Assignment: organization-defined frequency]. (RA-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and (RA-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Risk assessment procedures [Assignment: organization-defined frequency]. (RA-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and (RA-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and (RA-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Risk assessment procedures [Assignment: organization-defined frequency]. (RA-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and (RA-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Risk assessment procedures [Assignment: organization-defined frequency]. (RA-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (RA-1c.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls; (RA-1a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Constraints affecting risk assessments, risk responses, and risk monitoring; (PM-28a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (RA-1c.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls; (RA-1a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Constraints affecting risk assessments, risk responses, and risk monitoring; (PM-28a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and (RA-1a.2., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Risk assessment procedures [Assignment: organization-defined frequency]. (RA-1b.2., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Examiners may assess whether registrants have cybersecurity governance and risk assessment processes relative to the key areas of focus discussed below. Examiners also may assess whether firms are periodically evaluating cybersecurity risks and whether their controls and risk assessment processes ar… (Bullet 1: Governance and Risk Assessment, OCIE’s 2015 Cybersecurity Examination Initiative, Volume IV, Issue 8)
  • Document the assessment methodology used and make the documentation available for TSA review upon request. (4.3 ¶ 2 Bullet 5, Pipeline Security Guidelines)
  • The Risk Assessment shall be carried out in accordance with written policies and procedures and shall be documented. Such policies and procedures shall include: (§ 500.09 Risk Assessment (b), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • The risk assessment shall be carried out in accordance with written policies and procedures and shall be documented. Such policies and procedures shall include: (§ 500.9 Risk Assessment (b), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and (RA-1a.2., TX-RAMP Security Controls Baseline Level 1)
  • Risk assessment procedures [TX-RAMP Assignment: at least annually]. (RA-1b.2., TX-RAMP Security Controls Baseline Level 1)
  • Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and (RA-1a.2., TX-RAMP Security Controls Baseline Level 2)
  • Risk assessment procedures [TX-RAMP Assignment: at least annually]. (RA-1b.2., TX-RAMP Security Controls Baseline Level 2)