Include the roles and responsibilities involved in risk assessments in the risk assessment program.


CONTROL ID
06450
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain risk assessment procedures., CC ID: 06446

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • in addition, the AI should clearly specify the accountability of the management and staff of its second line of defense (e.g. risk management function, compliance function) in evaluating the adequacy of the risk management controls implemented by the first line of defense, as well as the role of the… (§ 3.2.1(ii), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • in addition, the AI should clearly specify the accountability of the management and staff of its second line of defence (e.g. risk management function, compliance function) in evaluating the adequacy of the risk management controls implemented by the first line of defence, as well as the role of the… (§ 3.2.1(ii), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • Roles and responsibilities in managing technology risks; (§ 4.0.1.a., Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • clearly defined roles and responsibilities regarding: (Title 3 3.3.4(b) 55.a, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Whether the organisational framework for ICT risk management is robust with clear responsibilities and a clear separation of tasks between risk owners and management and control functions; (Title 3 3.4 61.b(ii), Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • The frequency of occurrence must be assessed by suitable qualified staff and can be supported by statistics and own experiences. With respect to statistics, however, it must be taken into account under which framework conditions they were created, since statistics, too, have been compiled for a spec… (§ 5.1 ¶ 3, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • In practice, brainstorming involving all employees involved has proven effective in identifying additional threats. Information security officers, specialists responsible, administrators and users of the target object under review as well as external experts, if appropriate, should be involved. The … (§ 4.2 ¶ 10, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • Develop and maintain a risk response process designed to ensure that cost-effective controls mitigate exposure to risks on a continuing basis. The risk response process should identify risk strategies such as avoidance, reduction, sharing or acceptance; determine associated responsibilities; and con… (PO9.5 Risk Response, CobiT, Version 4.1)
  • Prioritise and plan the control activities at all levels to implement the risk responses identified as necessary, including identification of costs, benefits and responsibility for execution. Obtain approval for recommended actions and acceptance of any residual risks, and ensure that committed acti… (PO9.6 Maintenance and Monitoring of a Risk Action Plan, CobiT, Version 4.1)
  • Standards and/or procedures for performing information risk assessments shall cover the individuals that need to be involved, and their specific responsibilities. (SR.01.01.01d, The Standard of Good Practice for Information Security)
  • Responsibilities of owners should include understanding and identifying information risks. (CF.02.05.02a, The Standard of Good Practice for Information Security)
  • The responsibilities of owners should involve participating in information risk assessment activities (e.g., by helping to identify threats, vulnerabilities, and controls). (CF.02.05.03a, The Standard of Good Practice for Information Security)
  • Standards and/or procedures for performing information risk assessments shall cover the individuals that need to be involved, and their specific responsibilities. (SR.01.01.01d, The Standard of Good Practice for Information Security, 2013)
  • Responsibilities of owners should include understanding and identifying information risks. (CF.02.05.02a, The Standard of Good Practice for Information Security, 2013)
  • The responsibilities of owners should involve participating in information risk assessment activities (e.g., by helping to identify threats, vulnerabilities, and controls). (CF.02.05.03a, The Standard of Good Practice for Information Security, 2013)
  • The organization shall identify all responsible parties for Risk Management, along with their roles and responsibilities. (§ 6.3.4.3(a)(3), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • identify the risk owners; (§ 6.1.2 ¶ 1 c) 2), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Risk assessment should be conducted systematically, iteratively and collaboratively, drawing on the knowledge and views of stakeholders. It should use the best available information, supplemented by further enquiry as necessary. (§ 6.4.1 ¶ 2, ISO 31000 Risk management - Guidelines, 2018)
  • the identity of the person(s) and organization that carried out the risk assessment; (§ 6.7 ¶ 6 Bullet 4, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • identify the risk owners; (§ 6.1.2 ¶ 1 c) 2), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • Describe the risk assessment process. Identify the financial institution's participants (e.g., representation from such functions as credit, IT, compliance, deposit operations, internal audit, and legal). (App A Tier 2 Objectives and Procedures N.2 Bullet 3 Sub-Bullet 5, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)