Include the circumstances that call for risk assessments in the risk assessment program.


CONTROL ID
06449
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain risk assessment procedures., CC ID: 06446

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • As part of the risk governance for e-banking, AIs' senior management should establish clear policies and accountability to ensure that a rigorous independent assessment is performed before the launch of any new electronic delivery channel of e-banking service, or a major enhancement to existing serv… (§ 3.3.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • The FI should conduct a Threat and Vulnerability Risk Assessment (TVRA) for its data centres (DCs) to identify potential vulnerabilities and weaknesses, and the protection that should be established to safeguard the DCs against physical and environmental threats. In addition, the TVRA should conside… (§ 8.5.1, Technology Risk Management Guidelines, January 2021)
  • identify and assess whether there are any ICT and security risks resulting from any major change in ICT system or ICT services, processes or procedures, and/or after any significant operational or security incident. (3.3.1 13(f), Final Report EBA Guidelines on ICT and security risk management)
  • Financial institutions should identify the ICT and security risks that impact the identified and classified business functions, supporting processes and information assets, according to their criticality. This risk assessment should be carried out and documented annually or at shorter intervals if r… (3.3.3 20, Final Report EBA Guidelines on ICT and security risk management)
  • The assessment of fraud risk considers incentives and pressures. (§ 3 Principle 8 Points of Focus: Assesses Incentive and Pressures, COSO Internal Control - Integrated Framework (2013))
  • Standards and/or procedures for performing information risk assessments shall cover the circumstances in which information risk assessments shall be performed. (SR.01.01.01c, The Standard of Good Practice for Information Security)
  • Standards and/or procedures for performing information risk assessments shall cover the circumstances in which information risk assessments shall be performed. (SR.01.01.01c, The Standard of Good Practice for Information Security, 2013)
  • Establish and maintain an encryption and key management risk program that includes provisions for risk assessment, risk treatment, risk context, monitoring, and feedback. (CEK-07, Cloud Controls Matrix, v4.0)
  • criteria for performing IT asset risk assessments; (Section 6.1.2 ¶ 1(a)(2), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)