Include the environments that call for risk assessments in the risk assessment program.


CONTROL ID
06448
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain risk assessment procedures. (CC ID: 06446)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The FI should conduct a Threat and Vulnerability Risk Assessment (TVRA) for its data centres (DCs) to identify potential vulnerabilities and weaknesses, and the protection that should be established to safeguard the DCs against physical and environmental threats. In addition, the TVRA should conside… (§ 8.5.1, Technology Risk Management Guidelines, January 2021)
  • The establishment and progress of ICT projects and their associated risks should be reported to the management body, individually or in aggregation, depending on the importance and size of the ICT projects, regularly and on an ad hoc basis as appropriate. Financial institutions should include projec… (3.6.1 66, Final Report EBA Guidelines on ICT and security risk management)
  • a project risk assessment; (3.6.1 63(c), Final Report EBA Guidelines on ICT and security risk management)
  • Establish the context in which the risk assessment framework is applied to ensure appropriate outcomes. This should include determining the internal and external context of each risk assessment, the goal of the assessment, and the criteria against which risks are evaluated. (PO9.2 Establishment of Risk Context, CobiT, Version 4.1)
  • Standards and/or procedures for performing information risk assessments shall cover the types of target environments that shall be assessed for information risks. (SR.01.01.01b, The Standard of Good Practice for Information Security)
  • Information risk assessment methodologies should be applicable to business environments. (SR.01.02.02e-1, The Standard of Good Practice for Information Security)
  • Information risk assessment methodologies should be applicable to business processes. (SR.01.02.02e-2, The Standard of Good Practice for Information Security)
  • Information risk assessment methodologies should be applicable to business systems of various sizes and types. (SR.01.02.02e-3, The Standard of Good Practice for Information Security)
  • Security monitoring should include obtaining information about the security condition of important environments (e.g., critical business environments, business applications, Information Systems, and networks) throughout the organization (e.g., via local security coordinators and Information Protecti… (SI.02.01.04a, The Standard of Good Practice for Information Security)
  • Security monitoring should include obtaining information about the security condition of important environments (e.g., critical business environments, business applications, Information Systems, and networks) throughout the organization (e.g., via local security coordinators and Information Protecti… (SI.02.01.04b, The Standard of Good Practice for Information Security)
  • Standards and/or procedures for performing information risk assessments shall cover the types of target environments that shall be assessed for information risks. (SR.01.01.01b, The Standard of Good Practice for Information Security, 2013)
  • Security monitoring should include obtaining information about the security condition of important environments (e.g., critical business environments, business applications, Information Systems, and networks) throughout the organization (e.g., via local security coordinators and Information Protecti… (SI.02.01.04a, The Standard of Good Practice for Information Security, 2013)
  • Security monitoring should include obtaining information about the security condition of important environments (e.g., critical business environments, business applications, Information Systems, and networks) throughout the organization (e.g., via local security coordinators and Information Protecti… (SI.02.01.04b, The Standard of Good Practice for Information Security, 2013)
  • Information risk assessment methodologies should be applicable to business environments, business processes and information systems of various sizes and types. (SR.01.02.02f, The Standard of Good Practice for Information Security, 2013)
  • The organization shall provide network documentation in order to plan the Risk Management of the medical Information Technology network. (§ 4.3.1 ¶ 1(b), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The context of the risk management process should be established from the understanding of the external and internal environment in which the organization operates and should reflect the specific environment of the activity to which the risk management process is to be applied. (§ 6.3.3 ¶ 2, ISO 31000 Risk management - Guidelines, 2018)
  • Management should evaluate the likelihood and impact of potential disruptions and events. As part of this evaluation, management should consider the geographical area where the entity operates. Additionally, management should consider the risks and threats that could affect the entity's third-party … (III.B Action Summary ¶ 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Financial institution management should develop risk measurement processes that include the following elements: - Measuring risk using qualitative, quantitative, or a hybrid of methods. - Recognizing that risks do not exist in isolation. - Prioritizing the risks based on the results of risk measurem… (III.B Risk Measurement, FFIEC Information Technology Examination Handbook - Management, November 2015)