Perform risk assessments for all target environments, as necessary.


CONTROL ID
06452
CONTROL TYPE
Testing
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a risk assessment program., CC ID: 00687

This Control has the following implementation support Control(s):
  • Include the probability and potential impact of pandemics in the scope of the risk assessment., CC ID: 13241
  • Include physical assets in the scope of the risk assessment., CC ID: 13075
  • Include the results of the risk assessment in the risk assessment report., CC ID: 06481
  • Approve the results of the risk assessment as documented in the risk assessment report., CC ID: 07109
  • Update the risk assessment upon discovery of a new threat., CC ID: 00708
  • Update the risk assessment upon changes to the risk profile., CC ID: 11627
  • Create a risk assessment report based on the risk assessment results., CC ID: 15695
  • Disseminate and communicate the approved risk assessment report to interested personnel and affected parties., CC ID: 10633
  • Conduct external audits of risk assessments, as necessary., CC ID: 13308


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • right of access to customers' data by overseas authorities such as the police and tax authorities - AIs should generally obtain a legal opinion from an international or other reputable legal firm in the relevant jurisdiction on this matter. This will enable them to be informed of the extent and the … (2.9.1 Bullet 2, Hong Kong Monetary Authority Supervisory Policy Manual SA-2 Outsourcing, V.1-28.12.01)
  • formal risk assessment is conducted periodically by, for instance, the function(s) designated by the senior management under subsection 3.3.1(i) above or an independent party (such as the assessor), to determine whether any independent assessment should be performed during the year, and if so, the s… (§ 3.3.1(iv), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • AIs should conduct regular assessment to identify and evaluate the relevant risks associated with self-service terminals. Proper risk management measures should be implemented to address the relevant risks. Furthermore, AIs should also closely monitor the emerging cyber attacks and vulnerabilities r… (§ 7.3.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • Apart from independent assessment and penetration tests mentioned in subsections 3.3.1 and 3.3.2, formal risk assessment should be conducted periodically, at least on an annual basis, to ensure that adequate risk management controls have been implemented for Internet banking and financial services d… (§ 3.3.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • Factors to be considered include technologies and delivery channels adopted, activities, products, services, infrastructures, operating environment, both individually and collectively (II. Step 1: Bullet 2, Hong Kong Monetary Authority The Cyber Resilience Assessment Framework, Cybersecurity Summit 2016)
  • Conducting a risk assessment and granting access rights based on the same. For example, contractors and temporary staff would have higher inherent risks (Critical components of information security 5) (vi)(b), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Risk assessment is the core competence of information security management. The risk assessment must, for each asset within its scope, identify the threat/vulnerability combinations that have a likelihood of impacting the confidentiality, availability or integrity of that asset - from a business, com… (Critical components of information security 2) 2), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Periodic risk assessments and ensuring adequate, effective and tested controls for people, processes and technology to enhance information security (Information Security Governance ¶ 4 Bullet 5, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Unlike wired networks, unauthorized monitoring and denial of service attacks can be performed without a physical wire connection. Additionally, unauthorized devices can potentially connect to the network, perform man-in-the-middle attacks, or connect to other wireless devices. To mitigate those ris… (Critical components of information security 28) ii., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Conducting physical security surveys and assessing all remote sites connected to the critical network to evaluate their security. Any location that has a connection to the critical network is a target, especially unmanned or unguarded remote sites. There is also a need to identify and assess any sou… (Critical components of information security 24) viii. ¶ 1 h., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Risk assessments should consider the changing risks that appear in business continuity scenarios and the different security posture that may be established. Strategies should consider the different risk environment and the degree of risk mitigation necessary to protect the institution in the event t… (Critical components of information security 29) ¶ 2, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Following risk identification, the FI should perform an analysis and quantification of the potential impact and consequences of these risks on the overall business and operations. (§ 4.3.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • For FIs which provide online financial systems servicing institutional investors, accredited investors or corporate entities, where alternate controls and processes are implemented to authorise transactions, the FI should perform a risk assessment on such systems to ensure that the level of security… (§ 12.1.8, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should establish a technology refresh plan to ensure that systems and software are replaced in a timely manner. The FI should conduct a risk assessment for systems approaching EOS dates to assess the risks of continued usage and establish effective risk mitigation controls where necessary. (§ 9.2.3, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Mobile online services and payments are extensions of the online financial services and payments services which are offered by FIs and accessible from the internet via computers or laptops. The FI should implement security measures which are similar to those of online financial and payment systems o… (§ 12.2.3, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • When selecting a DC provider, the FI should obtain and assess the TVRA report on the DC facility. The FI should verify that TVRA reports are current and that the DC provider is committed to address all material vulnerabilities identified. For the FI that chooses to build its own DC, an assessment of… (§ 10.1.4, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • A technology refresh plan for the replacement of hardware and software should be developed before they reach EOS. A risk assessment for hardware and software approaching EOS date should be conducted to evaluate the risks of their continued use, and effective risk mitigation measures should be implem… (§ 7.3.2, Technology Risk Management Guidelines, January 2021)
  • If a project involves a commercial off-the-shelf (COTS) solution that does not meet the FI's security requirements, the FI should assess the risks and ensure adequate mitigating controls are implemented to address the risks before the solution is deployed. (§ 5.3.3, Technology Risk Management Guidelines, January 2021)
  • The FI should conduct a Threat and Vulnerability Risk Assessment (TVRA) for its data centres (DCs) to identify potential vulnerabilities and weaknesses, and the protection that should be established to safeguard the DCs against physical and environmental threats. In addition, the TVRA should conside… (§ 8.5.1, Technology Risk Management Guidelines, January 2021)
  • When implementing Bring Your Own Device (BYOD), the FI should conduct a comprehensive risk assessment and implement appropriate measures to secure its BYOD environment before allowing staff to use their personal devices to access the corporate network. Refer to Annex B on the security measures for B… (§ 11.3.7, Technology Risk Management Guidelines, January 2021)
  • Where alternate controls and processes (e.g. maker-checker function) are implemented for corporate or institutional customers to authorise transactions, the FI should perform a security risk assessment of controls or processes to ensure they are commensurate with the risk of the activities that are … (§ 14.2.10, Technology Risk Management Guidelines, January 2021)
  • Institute a risk management framework to identify the security threats to the protection of personal data, assess the risks involved and determine the controls to remove or reduce them. (Annex A1: Risk Management 6, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • The Security Risk Management Plan should include a Security Risk Assessment and the risk treatment strategy. (Control: 0788, Australian Government Information Security Manual: Controls)
  • The organization must conduct a Security Risk Assessment that includes the necessity for the unevaluated configuration, if the organization wishes to use the evaluated product in an unevaluated configuration. (Control: 0291 Bullet 1, Australian Government Information Security Manual: Controls)
  • The organization must conduct a risk assessment that includes testing the unevaluated configuration in the organization's environment, if the organization wishes to use the evaluated product in an unevaluated configuration. (Control: 0291 Bullet 2, Australian Government Information Security Manual: Controls)
  • The organization must conduct a risk assessment that includes the new vulnerabilities that are introduced because the product is not in the evaluated configuration, if the organization wishes to use the evaluated product in an unevaluated configuration. (Control: 0291 Bullet 3, Australian Government Information Security Manual: Controls)
  • The organization must conduct security risk assessments on gateways and their configuration before they are implemented. (Control: 0598, Australian Government Information Security Manual: Controls)
  • Financial institutions should identify the ICT and security risks that impact the identified and classified business functions, supporting processes and information assets, according to their criticality. This risk assessment should be carried out and documented annually or at shorter intervals if r… (3.3.3 20, Final Report EBA Guidelines on ICT and security risk management)
  • Financial institutions should identify and manage their ICT and security risks. The ICT function(s) in charge of ICT systems, processes and security operations should have appropriate processes and controls in place to ensure that all risks are identified, analysed, measured, monitored, managed, rep… (3.3.1 10, Final Report EBA Guidelines on ICT and security risk management)
  • the frequency of the ICT risk assessment would depend on the minimum engagement model driven by the SREP category an institution is assigned to and its specific supervisory examination programme; and (Title 1 10.a, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Competent authorities should perform the assessment of ICT risk and the governance arrangement and ICT strategy as part of the SREP process following the minimum engagement model and proportionality criteria specified in Title 2 of the EBA SREP Guidelines. In particular, this means that: (Title 1 10., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Competent authorities should conduct the assessment under point (a) above having regard to both expected and adverse scenarios, e.g. scenarios included in the institution-specific or supervisory stress test. (Title 2 2.4 31., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • providing dynamic risk and incident analysis and situational awareness; (ANNEX I ¶ 1(2)(a)(iv), Directive (EU) 2016/1148 OF The European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
  • collecting and analysing forensic data and providing dynamic risk and incident analysis and situational awareness regarding cybersecurity; (Article 11 3 ¶ 1(d), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • Financial entities shall, on a continuous basis, identify all sources of ICT risk, in particular the risk exposure to and from other financial entities, and assess cyber threats and ICT vulnerabilities relevant to their ICT supported business functions, information assets and ICT assets. Financial e… (Art. 8.2., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Financial entities, other than microenterprises, shall on a regular basis, and at least yearly, conduct a specific ICT risk assessment on all legacy ICT systems and, in any case before and after connecting technologies, applications or systems. (Art. 8.7., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Various types of risk assessment are described in the ISO/IEC 31010 and ISO/IEC 27005 standards. The BSI developed a two-stage method derived thereof. When the methodology according to IT-Grundschutz is used, a risk assessment is performed implicitly for areas with normal protection requirements whe… (§ 8.1 Subsection 1 ¶ 2, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • In practice, the risk assessment and risk handling steps are performed until the risk acceptance criteria of the organisation have been fulfilled and the remaining risk ("residual risk") is thus in accordance with the organisation's objectives and specifications. The residual risk must then be submi… (§ 8.1 Subsection 4 ¶ 4, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • In the designing and planning the security process implementers should perform a rough assessment of the value of the information, business processes, and specialized tasks. (3.2 Bullet 2, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Supplement the security analysis by determining for which target objects or groups of target objects a risk analysis should be performed. (4.6 Bullet 2, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Usually, appropriate and sufficient protection of an information domain is achieved by implementing the security requirements of the Standard Protection. However, if the protection needs are high or very high, it may be appropriate to check whether more stringent security measures are needed. This w… (§ 8 Subsection 6 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Determine the target objects or groups of target objects for which a risk analysis should be performed (§ 8.5 Subsection 2 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • In certain cases, however, an explicit risk analysis must be carried out, for example if the information domain considered includes target objects which (§ 8.5 Subsection 1 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • If the hypervisor was installed directly on the physical hardware (bare metal virtualisation), this will represent a target object not included in the IT-Grundschutz Compendium as this is a very special target object. Thus, a risk analysis must be performed for the corresponding target object and th… (§ 8.3.5 ¶ 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • cannot be adequately depicted (modelled) with the existing IT-Grundschutz modules or (§ 8.2.9 ¶ 2 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • are used in operating scenarios (environment, application) that are not planned in the scope of IT-Grundschutz. (§ 8.2.9 ¶ 2 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Identification of threats to critical products and services (Section 5.14 BCM-02 Basic requirement ¶ 2 Bullet 4, Cloud Computing Compliance Controls Catalogue (C5))
  • The procedures for the identification, analysis, assessment and handling of risks, including the IT risks relevant to the cloud service are done at least once a year in order to take internal and external changes and influencing factors into account. The identified risks are comprehensibly documente… (Section 5.1 OIS-07 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The aim of the following work steps is to produce, as a starting point for the risk analysis, a summary of the threats to which the information system's target objects under review are subject. The result of this preliminary work (see Section 2) is a list of (prioritised) target objects for which a … (§ 4 ¶ 1, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • The risk analysis on the basis of the defined risk criteria shall be conducted by comparing the target measures and the measures that have been successfully implemented in each case. Other risk-reducing measures due to target measures that have not been implemented completely shall be effectively co… (II.3.13, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • Risk assessments are carried out both at regular intervals and in response to events. (1.4.1 Requirements (must) Bullet 1, Information Security Assessment, Version 5.1)
  • The IT systems have been subjected to risk assessment in order to determine the necessity of their separation into development, testing and operational systems. (5.2.2 Requirements (must) Bullet 1, Information Security Assessment, Version 5.1)
  • Risk assessment for the operation of external software within the shared environment. (5.3.4 Requirements (should) Bullet 1 Sub-Bullet 2, Information Security Assessment, Version 5.1)
  • The PRA expects firms to carry out risk assessments in the circumstances referred to in paragraph 5.6 and also if they consider that there may have been a significant change to an outsourcing arrangement's risks due to, for instance, a serious breach/continued breaches of the agreement or a crystall… (§ 5.22, SS2/21 Outsourcing and third party risk management, March 2021)
  • concentration risks or vendor lock-in at the firm or group, due to: (§ 5.24 Bullet 2, SS2/21 Outsourcing and third party risk management, March 2021)
  • How often are risk assessments performed? (Table Row I.19, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Perform a Security Risk Assessment and privacy risk assessment. (§ 2.3, Microsoft Simplified Implementation of the Security Development Lifecycle (SDL), 1.0)
  • Pursuant to federal statutory authority, including the Federal Information Security Modernisation Act of 2014, the OMB and the National Institute of Standards and Technology (NIST) have developed standards which are binding on federal agencies (including criminal law enforcement authorities) and tha… (3.1.1.2 (104), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • The user requirement specifications should form the basis of a risk assessment for GxP compliance requirements. (¶ 9.4, Good Practices For Computerized systems In Regulated GXP Environments)
  • The organization should document the risk analysis and the results, including the reasoning for the critical or non-critical classifications and identifying the risks that could potentially impact GxP compliance. (¶ 14.3, Good Practices For Computerized systems In Regulated GXP Environments)
  • An impact risk assessment should be completed to check for Quality Assurance and safety issues before converting from a manual process to automated controls. (¶ 22.4, Good Practices For Computerized systems In Regulated GXP Environments)
  • Review the risk assessment documentation to verify a risk assessment is performed at least annually and after significant changes to the environment. (Testing Procedures § 12.2.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • A risk assessment must be conducted at least annually and after significant changes to the environment. (PCI DSS Requirements § 12.2 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Implement a risk-assessment process that: - Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), - Identifies critical assets, threats, and vulnerabilities, and - Results in a formal, documented analysis of risk. (12.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Implement a risk-assessment process that: - Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), - Identifies critical assets, threats, and vulnerabilities, and - Results in a formal, documented analysis of risk. (12.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Implement a risk-assessment process that: - Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), - Identifies critical assets, threats, and vulnerabilities, and - Results in a formal, documented analysis of risk. (12.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Is the risk assessment process performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.)? (12.2 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Is the risk assessment process performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.)? (12.2(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Is the risk assessment process performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.)? (12.2 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is the risk assessment process performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.)? (12.2(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Verify that an annual risk-assessment process is documented that: - Identifies critical assets, threats, and vulnerabilities - Results in a formal, documented analysis of risk (12.2.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • The frequency of periodic evaluations of system components identified as not at risk for malware is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. (5.2.3.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • If periodic malware scans are performed to meet Requirement 5.3.2, the frequency of scans is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. (5.3.2.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Periodically (at the frequency defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1). (7.2.5.1 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • A targeted risk analysis is performed for each PCI DSS requirement that the entity meets with the customized approach, to include: (12.3.2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Performance of updated risk analyses when needed, as determined by the annual review. (12.3.1 Bullet 6, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • The frequency of periodic training for incident response personnel is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. (12.10.4.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • The frequency of periodic log reviews for all other system components (not defined in Requirement 10.4.1) is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1 (10.4.2.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • The frequency of periodic POI device inspections and the type of inspections performed is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. (9.5.1.2.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine the entity's targeted risk analysis for the frequency of periodic evaluations of system components identified as not at risk for malware to verify the risk analysis was performed in accordance with all elements specified in Requirement 12.3.1. (5.2.3.1.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine the entity's targeted risk analysis for the frequency of periodic malware scans to verify the risk analysis was performed in accordance with all elements specified in Requirement 12.3.1. (5.3.2.1.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine the entity's targeted risk analysis for the frequency of periodic reviews of application and system accounts and related access privileges to verify the risk analysis was performed in accordance with all elements specified in Requirement 12.3.1. (7.2.5.1.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine the entity's targeted risk analysis for the change frequency and complexity for passwords/passphrases used for interactive login to application and system accounts to verify the risk analysis was performed in accordance with all elements specified in Requirement 12.3.1 and addresses: (8.6.3.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine documented policies and procedures to verify a process is defined for performing targeted risk analyses for each PCI DSS requirement that provides flexibility for how frequently the requirement is performed, and that the process includes all elements specified in this requirement. (12.3.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine the entity's targeted risk analysis for the frequency of training for incident response personnel to verify the risk analysis was performed in accordance with all elements specified in Requirement 12.3.1. (12.10.4.1.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine the entity's targeted risk analysis for the frequency of periodic log reviews for all other system components (not defined in Requirement 10.4.1) to verify the risk analysis was performed in accordance with all elements specified at Requirement 12.3.1. (10.4.2.1.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine the entity's targeted risk analysis for the frequency of periodic POI device inspections and type of inspections performed to verify the risk analysis was performed in accordance with all elements specified in Requirement 12.3.1. (9.5.1.2.1.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • The frequency of periodic evaluations of system components identified as not at risk for malware is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. (5.2.3.1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • If periodic malware scans are performed to meet Requirement 5.3.2, the frequency of scans is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. (5.3.2.1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The frequency of periodic log reviews for all other system components (not defined in Requirement 10.4.1) is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1 (10.4.2.1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Performance of updated risk analyses when needed, as determined by the annual review. (12.3.1 Bullet 6, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The frequency of periodic evaluations of system components identified as not at risk for malware is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. (5.2.3.1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • If periodic malware scans are performed to meet Requirement 5.3.2, the frequency of scans is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. (5.3.2.1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The frequency of periodic log reviews for all other system components (not defined in Requirement 10.4.1) is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. (10.4.2.1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Performance of updated risk analyses when needed, as determined by the annual review. (12.3.1 Bullet 6, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • If periodic malware scans are performed to meet Requirement 5.3.2, the frequency of scans is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. (5.3.2.1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The frequency of periodic evaluations of system components identified as not at risk for malware is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. (5.2.3.1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The frequency of periodic POI device inspections and the type of inspections performed is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. (9.5.1.2.1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The frequency of periodic log reviews for all other system components (not defined in Requirement 10.4.1) is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. (10.4.2.1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Performance of updated risk analyses when needed, as determined by the annual review. (12.3.1 Bullet 6, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The frequency of periodic evaluations of system components identified as not at risk for malware is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. (5.2.3.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • If periodic malware scans are performed to meet Requirement 5.3.2, the frequency of scans is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. (5.3.2.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Periodically (at the frequency defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1). (7.2.5.1 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The frequency of periodic POI device inspections and the type of inspections performed is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. (9.5.1.2.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The frequency of periodic log reviews for all other system components (not defined in Requirement 10.4.1) is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. (10.4.2.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Performance of updated risk analyses when needed, as determined by the annual review. (12.3.1 Bullet 6, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The frequency of periodic training for incident response personnel is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. (12.10.4.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Information risk assessments shall be performed for target environments, including business environments (e.g., business administration offices, trading floors, call centers, warehouses, and retail environments). (SR.01.01.02a, The Standard of Good Practice for Information Security)
  • Information risk assessments shall be performed for target environments, including business processes (e.g., processing high value transactions, manufacturing goods, handling medical records). (SR.01.01.02b, The Standard of Good Practice for Information Security)
  • Information risk assessments shall be performed for target environments, including computer systems and networks that support critical business processes. (SR.01.01.02d, The Standard of Good Practice for Information Security)
  • Information risk assessments shall be performed for target environments, including specialist systems that are important to the organization (e.g., systems that support or enable critical infrastructure, such as Supervisory Control and Data Acquisition systems, Process Control systems, and embedded … (SR.01.01.02e, The Standard of Good Practice for Information Security)
  • Information risk assessments shall be performed for target environments, including business applications (including those under development). (SR.01.01.02c, The Standard of Good Practice for Information Security)
  • Information risk assessments shall be performed regularly. (SR.01.01.05, The Standard of Good Practice for Information Security)
  • Information risk assessments shall be performed prior to granting remote access (e.g., from employees' homes, third party premises, or public places). (SR.01.01.05d, The Standard of Good Practice for Information Security)
  • Information risk assessment methodologies should be performed consistently across the organization. (SR.01.02.02b, The Standard of Good Practice for Information Security)
  • The information security policy should require that important information be subject to an information risk assessment on a regular basis. (CF.01.01.03c-1, The Standard of Good Practice for Information Security)
  • Information Systems that support or enable critical infrastructure should be subject to a rigorous information risk assessment (e.g., using the ISF's information risk analysis methodology) to determine the security requirements for the supporting Information Systems. (CF.08.03.06, The Standard of Good Practice for Information Security)
  • Wireless access to the network should be subject to an information risk assessment and signed off by an appropriate business representative (e.g., the network owner), prior to its implementation. (CF.09.06.01, The Standard of Good Practice for Information Security)
  • Security audits should assess the business risks associated with target environments. (SI.01.01.02a, The Standard of Good Practice for Information Security)
  • Security audits should be planned, and involve identifying the information risks associated with target environments (i.e., criticality of information, potential business impacts, level of threats, and identified vulnerabilities (e.g., security control weaknesses)). (SI.01.02.01a, The Standard of Good Practice for Information Security)
  • Information risk assessments shall be performed for target environments, including business environments (e.g., business administration offices, trading floors, call centers, warehouses, and retail environments). (SR.01.01.02a, The Standard of Good Practice for Information Security, 2013)
  • Information risk assessments shall be performed for target environments, including business processes (e.g., processing high value transactions, manufacturing goods, handling medical records). (SR.01.01.02b, The Standard of Good Practice for Information Security, 2013)
  • Information risk assessments shall be performed for target environments, including computer systems and networks that support critical business processes. (SR.01.01.02d, The Standard of Good Practice for Information Security, 2013)
  • Information risk assessments shall be performed for target environments, including specialist systems that are important to the organization (e.g., systems that support or enable critical infrastructure, such as Supervisory Control and Data Acquisition systems, Process Control systems, and embedded … (SR.01.01.02e, The Standard of Good Practice for Information Security, 2013)
  • Information risk assessments shall be performed for target environments, including business applications (including those under development). (SR.01.01.02c, The Standard of Good Practice for Information Security, 2013)
  • Information risk assessments shall be performed regularly. (SR.01.01.05, The Standard of Good Practice for Information Security, 2013)
  • Information risk assessments shall be performed prior to granting remote access (e.g., from employees' homes, third party premises, or public places). (SR.01.01.05d, The Standard of Good Practice for Information Security, 2013)
  • The information security policy should require that important information be subject to an information risk assessment on a regular basis. (CF.01.01.03c-1, The Standard of Good Practice for Information Security, 2013)
  • Information Systems that support or enable critical infrastructure should be subject to a rigorous information risk assessment (e.g., using the ISF's information risk analysis methodology) to determine the security requirements for the supporting Information Systems. (CF.08.03.06, The Standard of Good Practice for Information Security, 2013)
  • Wireless access to the network should be subject to an information risk assessment and signed off by an appropriate business representative (e.g., the network owner), prior to its implementation. (CF.09.06.01, The Standard of Good Practice for Information Security, 2013)
  • Security audits should assess the business risks associated with target environments. (SI.01.01.02a, The Standard of Good Practice for Information Security, 2013)
  • Security audits should be planned, and involve identifying the information risks associated with target environments (i.e., criticality of information, potential business impacts, level of threats, and identified vulnerabilities (e.g., security control weaknesses)). (SI.01.02.01a, The Standard of Good Practice for Information Security, 2013)
  • Information risk assessment methodologies should be performed consistently across the organization. (SR.01.02.02c, The Standard of Good Practice for Information Security, 2013)
  • Risk assessments associated with data governance requirements shall be conducted at planned intervals and shall consider the following: - Awareness of where sensitive data is stored and transmitted across applications, databases, servers, and network infrastructure - Compliance with defined retent… (GRM-02, Cloud Controls Matrix, v3.0)
  • Aligned with the enterprise-wide framework, formal risk assessments shall be performed at least annually or at planned intervals, to determine the likelihood and impact of all identified risks using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual… (GRM-10, Cloud Controls Matrix, v3.0)
  • Perform independent audit and assurance assessments according to risk-based plans and policies. (A&A-03, Cloud Controls Matrix, v4.0)
  • Evaluate the risk and readiness of the organisation based on plausible cyber attack scenarios. (7.4A Control Objective, Swift Customer Security Controls Framework (CSCF), v2019)
  • A risk analysis should be performed to determine the counterfeiting threat and if there are legal, safety, health, financial, regulatory, or social issues that need to be considered. (§ 5.1.1(b) ¶ 4, ISO 12931:2012, Performance Criteria for Authentication Solutions Used to Combat Counterfeiting of Material Goods, First Edition)
  • A risk analysis should be performed before introducing a product to the market to determine the counterfeiting threat and if there are legal, safety, health, financial, regulatory, or social issues that need to be considered. (§ 5.1.1(c) ¶ 5, ISO 12931:2012, Performance Criteria for Authentication Solutions Used to Combat Counterfeiting of Material Goods, First Edition)
  • The organization should identify and evaluate its compliance risks. This evaluation can be based on a formal compliance risk assessment or conducted via alternative approaches. Compliance risk assessment constitutes the basis for the implementation of the compliance management system and the planned… (§ 4.6 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Management shall ensure risk assessments are conducted at predetermined time periods. (§ 6.6.1 ¶ 1(d), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • includes systematic analysis, prioritization of risk treatments, and their related costs, (§ 8.2.1 ¶ 1 c), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a). (§ 8.2 ¶ 1, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Risk assessment should be conducted systematically, iteratively and collaboratively, drawing on the knowledge and views of stakeholders. It should use the best available information, supplemented by further enquiry as necessary. (§ 6.4.1 ¶ 2, ISO 31000 Risk management - Guidelines, 2018)
  • § 5.3.2: The organization should understand the external context to ensure external stakeholders' objectives and concerns are considered when developing the risk criteria. The external context can include, but is not limited to, the international, national, regional, and/or local cultural, social, … (§ 5.3.2, § 5.3.3 ¶ 3, § 5.3.4, ISO 31000 Risk management -- Principles and guidelines, 2009)
  • ensure that when the governing body makes decisions, it assesses, treats, monitors, and communicates the nature and extent of the risks faced; (§ 6.9.3.1 ¶ 2 b), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • the organization assesses, treats, monitors and reviews risk in accordance with the established organizational risk framework; (§ 6.9.3.4 ¶ 1 d), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9)… (§ 6.11.3.4 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The organization shall identify, analyse and evaluate its compliance risks based upon a compliance risk assessment. (§ 4.6 ¶ 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • The compliance risks shall be assessed periodically and whenever there are material changes in circumstances or organizational context. (§ 4.6 ¶ 4, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • The compliance risks shall be assessed periodically and whenever there are material changes in circumstances or organizational context. (§ 6.4 ¶ 3, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The organization shall identify, analyse and evaluate its compliance risks based upon a compliance risk assessment. (§ 6.4 ¶ 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • Organizations should implement a risk-based approach to identifying, assessing, and understanding the AI risks to which they are exposed and take appropriate treatment measures according to the level of risk. The success of the overall AI risk management process of an organization relies on the iden… (§ 6.1 ¶ 2, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • At planned intervals, the information security risks to the SMS and the services shall be assessed and documented. Information security controls shall be determined, implemented and operated to support the information security policy and address identified information security risks. Decisions about… (§ 8.7.3.2 ¶ 1, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a). (§ 8.2 ¶ 1, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • The organization performs information security risk assessments and retains documented information on their results. (§ 8.2 Required activity, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Organizations should have a plan for conducting scheduled information security risk assessments. (§ 8.2 Guidance ¶ 1, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The level of detail of the risk identification should be refined step by step in further iterations of the information security risk assessment in the context of the continual improvement of the ISMS. A broad information security risk assessment should be performed at least once a year. (§ 8.2 Guidance ¶ 3, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • perform risk assessment and establish a risk treatment plan; (§ 7.2.1 ¶ 3 Bullet 1, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • The cloud service customer should request information from the cloud service provider about the management of technical vulnerabilities that can affect the cloud services provided. The cloud service customer should identify the technical vulnerabilities it will be responsible to manage, and clearly … (§ 12.6.1 Table: Cloud service customer, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • The organization shall assess the potential consequences for both the organization and PII principals that would result if the risks identified in ISO/IEC 27001:2013, 6.1.2 c) as refined above, were to materialize. (§ 5.4.1.2 ¶ 7, ISO/IEC 27701:2019, Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines)
  • Conduct a system-level risk assessment and update the risk assessment results on an ongoing basis. (TASK P-14, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • Identify hazards and perform a biosafety risk assessment at participating laboratories; use appropriate biosafety measures to mitigate risks (Pillar 5 Step 1 Action 3, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Wrongdoing occurs for three reasons: people make mistakes (out of confusion or ignorance), people have a moment of weakness of will, or people choose to do harm. Knowing that any one of these three things can take place, an organization must align core values and behaviors to help people avoid mista… (Responding to Deviations in Core Values and Behaviors ¶ 2, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • To demonstrate that a comprehensive risk identification has been carried out, management will identify risks and opportunities across all functions and levels - those risks that are common across more than one function, as well as those that are unique to a particular product, service offering, juri… (Using a Risk Inventory ¶ 4, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The organization performs a risk assessment for prospective users, devices and other assets which authenticate into its ecosystem with a specific focus on: (PR.AC-7.1, CRI Profile, v1.2)
  • The organization performs a risk assessment for prospective users, devices and other assets which authenticate into its ecosystem with a specific focus on: (PR.AC-7.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; (RA-3a., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; (RA-3a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; (RA-3a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; (RA-3a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The entity's security policies include assessing risks on a periodic basis. (Security Prin. and Criteria Table § 1.2 c, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity's system availability and related security policies include assessing risks on a periodic basis. (Availability Prin. and Criteria Table § 1.2 c, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity's system processing integrity and related security policies include assessing risks on a periodic basis. (Processing Integrity Prin. and Criteria Table § 1.2 c, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity's policies related to the system's protection of confidential information and security include assessing risks on a periodic basis. (Confidentiality Prin. and Criteria Table § 1.2 c, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Service organization management is responsible for having a reasonable basis for its assertion about the description, suitability of design of controls and, in a type 2 engagement, operating effectiveness of controls stated therein. Furthermore, because management's assertion generally addresses the… (¶ 2.58, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When there is extensive documentation of the service organization's risk assessment process, inspecting such documentation may assist the service auditor in identifying deficiencies in the design of controls. However, as discussed beginning at paragraph 2.108, the service auditor is responsible for … (¶ 2.118, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Performing risk assessment procedures (¶ 2.195 Bullet 5, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Principle: Firms should conduct regular assessments to identify cybersecurity risks associated with firm assets and vendors and prioritize their remediation. Effective practices include establishing and implementing governance frameworks to: - identify and maintain an inventory of assets authorized… (Cybersecurity Risk Assessment, Report on Cybersecurity Practices)
  • Principle: Firms should establish and implement a cybersecurity governance framework that supports informed decision making and escalation within the organization to identify and manage cybersecurity risks. The framework should include defined risk management policies, processes and structures coupl… (Governance and Risk Management for Cybersecurity, Report on Cybersecurity Practices)
  • Subsequent risk assessments shall be performed: - At least once every 30 calendar months for a Transmission Owner that has identified in its previous risk assessment (as verified according to Requirement R2) one or more Transmission stations or Transmission substations that if rendered inoperable or… (B. R1. 1.1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-2, Version 2)
  • Each Transmission Owner shall perform an initial risk assessment and subsequent risk assessments of its Transmission stations and Transmission substations (existing and planned to be in service within 24 months) that meet the criteria specified in Applicability Section 4.1.1. The initial and subsequ… (B. R1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-2, Version 2)
  • Each Transmission Owner shall perform an initial risk assessment and subsequent risk assessments of its Transmission stations and Transmission substations (existing and planned to be in service within 24 months) that meet the criteria specified in Applicability Section 4.1.1. The initial and subsequ… (B. R1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-3, Version 3)
  • At least once every 30 calendar months for a Transmission Owner that has identified in its previous risk assessment (as verified according to Requirement R2) one or more Transmission stations or Transmission substations that if rendered inoperable or damaged could result in instability, uncontrolled… (B. R1. 1.1. Bullet 1, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-3, Version 3)
  • At least once every 60 calendar months for a Transmission Owner that has not identified in its previous risk assessment (as verified according to Requirement R2) any Transmission stations or Transmission substations that if rendered inoperable or damaged could result in instability, uncontrolled sep… (B. R1. 1.1. Bullet 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-3, Version 3)
  • Does the risk assessment program include a risk assessment that has been conducted inside the last 12 months? (§ A.1.1, Shared Assessments Standardized Information Gathering Questionnaire - A. Risk Management, 7.0)
  • The security manager must ensure that the organization performs a Risk Analysis for the systems and the facilities that are to be protected. (§ 5.2 ¶ AC42.010, DISA Access Control STIG, Version 2, Release 3)
  • Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. (RM.2.141, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources, and risk measurement criteria. (RM.3.144, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. (RM.2.141, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources, and risk measurement criteria. (RM.3.144, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. (RM.2.141, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. (RM.2.141, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources, and risk measurement criteria. (RM.3.144, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Identify and mitigate risk associated with unidentified wireless access points connected to the network. (AC.5.024, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. (RA.L2-3.11.1 Risk Assessments, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • Section 5.10.4.1 Level 4/5 Commercial IP Addressing and Routing: ¶ 2 Waiver: Alternate solutions that require a CSO's commercial IP addresses to be routed on the NIPRNet must be assessed and approved through a Non-DoD addressing risk assessment and waiver process which may affect the ability of the… (Section 5.10.4.1 ¶ 7, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. (§ 164.308(a)(1)(ii)(A), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Risk analysis. The Predictive Decision Support Intervention(s) must be subject to analysis of potential risks and adverse impacts associated with the following characteristics: validity, reliability, robustness, fairness, intelligibility, safety, security, and privacy. (§ 170.315 (b) (11) (vi) (A), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • The approach for validation should be based on a justified and documented risk assessment and a determination of the system potential to affect product quality, product safety, and record integrity. (§ III.C.1 ¶ 2, Guidance for Industry Part 11, Electronic Records; Electronic Signatures - Scope and Application, August 2003)
  • A comprehensive risk management program includes an assessment of risks and effective mitigating controls for credential and API-based authentication when CPEs access a financial institution's information systems and customer information. For example, a financial institution may assess how the contr… (Section 9 ¶ 2, Authentication and Access to Financial Institution Services and Systems)
  • Determine whether an adequate BIA and risk assessment have been completed. (TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the work flow analysis was performed to ensure that all departments and business processes, as well as their related interdependencies, were included in the BIA and risk assessment. (TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitorin… (TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Verify that reputation, operational, compliance, and other risks that are relevant to the institution are considered in the BIA and risk assessment. (TIER I OBJECTIVES AND PROCEDURES Business Impact Analysis (BIA) and Risk Assessment Objective 3:5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Low likelihood and high impact events (e.g., terrorist attacks or pandemic events). (III.B Action Summary ¶ 2 Bullet 5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • A risk assessment focused on safeguarding customer information identifies reasonable and foreseeable internal and external threats, the likelihood and potential damage of threats, and the sufficiency of policies, procedures, and customer information systems. (Domain 1: Assessment Factor: Risk Management, RISK ASSESSMENT Baseline 2 ¶ 1, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Conducts risk assessments to determine assets' EOLs. (App A Objective 4:4c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Addresses voice communications risks through development and acquisition processes, and in written policies, standards, and procedures. If the entity uses VoIP for voice communications, determine whether management performs a comprehensive risk assessment to ensure confidentiality, integrity, and av… (App A Objective 13:3n, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Performs ongoing risk assessments to consider the adequacy of application-level controls in light of changing threat, network, and host environments. (App A Objective 6.28.c, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Verification that information and cybersecurity risks are appropriately identified, measured, mitigated, monitored, and reported. (App A Objective 6.31.g, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should oversee outsourced operations through the following: - Appropriate due diligence in third-party research, selection, and relationship management. - Contractual assurances for security responsibilities, controls, and reporting. - Nondisclosure agreements regarding the institution'… (II.C.20 Oversight of Third-Party Service Providers, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Financial institution boards should oversee, while senior management should implement, an IT planning process with the following elements: - Long-term goals and the allocation of IT resources to achieve them, usually within a three- to five-year horizon. - Alignment of the IT strategic plan with the… (I.B.6 Planning IT Operations and Investment, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Financial institution management should develop an effective ITRM process that supports the broader risk management process. As part of the ITRM process, management should perform the following: - Identify risks to information and technology assets within the financial institution or controlled by t… (III IT Risk Management, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Review the institution's management of operational risk, and verify that the risk management process includes aspects of operational risk across the institution, including the following: (App A Objective 8:1, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether the institution's management of operational risk incorporates an enterprise-wide view of IT and business processes that are supported by technology. (App A Objective 8:2, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Considers the overall IT environment, regardless of the design and management of the IT environment. (App A Objective 9:3 d., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Considers the information security risk assessments completed in accordance with the Information Security Standards in management oversight of IT operations. (App A Objective 11:1 h., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Information security; (App A Tier 1 Objectives and Procedures Objective 2:3 Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Current and anticipated volume of RDC transactions (number and dollar amounts of transactions). (App A Tier 2 Objectives and Procedures N.2 Bullet 3 Sub-Bullet 6, Sub-Sub Bullet 5, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • After the MFS strategy is complete, determine whether the institution developed an effective risk assessment process for the MFS offerings. Verify whether management incorporates the results of the risk assessment into a process to periodically review and update the strategy. (AppE.7 Objective 3:1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • In cloud computing environments, financial institutions may outsource the management of different controls over information assets and operations to the cloud service provider. Careful review of the contract between the financial institution and the cloud service provider along with an understanding… (Risks ¶ 1, FFIEC Security in a Cloud Computing Environment)
  • changes in the customer base adopting electronic banking; (Risk Assessments ¶ 1 Bullet 2, Supplement to Authentication in an Internet Banking Environment)
  • changes in the customer functionality offered through electronic banking; and (Risk Assessments ¶ 1 Bullet 3, Supplement to Authentication in an Internet Banking Environment)
  • You shall periodically perform additional risk assessments that reexamine the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other comprom… (§ 314.4 ¶ 1(b)(2), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule, Amended February 15, 2022)
  • Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; (RA-3a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; (RA-3a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; (RA-3a. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Conduct a risk assessment, including: (RA-3a., FedRAMP Security Controls High Baseline, Version 5)
  • Conduct a risk assessment, including: (RA-3a., FedRAMP Security Controls Low Baseline, Version 5)
  • Conduct a risk assessment, including: (RA-3a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Has a risk assessment or a cost/benefit analysis been conducted with regards to implementing biometrics? (IT - Authentication Q 10, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Has the Credit Union conducted a risk assessment to determine if a firewall is needed? (IT - Firewalls Q 1, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • The AI system is evaluated regularly for safety risks – as identified in the MAP function. The AI system to be deployed is demonstrated to be safe, its residual negative risk does not exceed the risk tolerance, and it can fail safely, particularly if made to operate beyond its knowledge limits. Sa… (MEASURE 2.6, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
  • Conduct a risk assessment, including: (RA-3a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Conduct a risk assessment, including: (RA-3a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Conduct a risk assessment, including: (RA-3a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Conduct a risk assessment, including: (RA-3a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Determine the risk to enterprise operations and assets, individuals, other enterprises, and the Nation if identified threats exploit identified vulnerabilities. (Task 2-2, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Conduct a risk assessment, including: (RA-3a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Conduct a risk assessment, including: (RA-3a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Conduct a risk assessment, including: (RA-3a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Conduct a risk assessment, including: (RA-3a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Hardware-based authenticators and verifiers at AAL3 SHOULD resist relevant side-channel (e.g., timing and power-consumption analysis) attacks. Relevant side-channel attacks SHALL be determined by a risk assessment performed by the CSP. (4.3.2 ¶ 5, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • Address any additional risk to subscribers in its risk assessment. (5.2.10 ¶ 4 3., Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • The CSP SHOULD obtain additional confidence in identity proofing using fraud mitigation measures (e.g., inspecting geolocation, examining the device characteristics of the applicant, evaluating behavioral characteristics, checking vital statistic repositories such as the Death Master File [DMF], so … (4.2 ¶ 1.10, Digital Identity Guidelines: Enrollment and Identity Proofing, NIST SP 800-63A)
  • Assess the effectiveness of security solutions [Assignment: organization-defined frequency] to address anticipated risk to organizational systems and the organization based on current and accumulated threat intelligence. (3.11.5e, Enhanced Security Requirements for Protecting Controlled Unclassified Information, NIST SP 800-172)
  • Potential business impacts and likelihoods are identified. (ID.RA-4, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • Organizations should plan on periodically reevaluating their alternatives to patching. There are two main aspects to this. One is conducting a risk assessment to see if the alternatives to patching are still sufficiently effective at mitigating risk. The other is conducting a cost-benefit analysis t… (3.5.4 ¶ 3, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology, NIST SP 800-40, Revision 4)
  • Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; (RA-3a. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; (RA-3a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; (RA-3a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change. (T0181, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Conduct risk analysis, feasibility study, and/or trade-off analysis to develop, document, and refine functional requirements and specifications. (T0033, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Participate in an information security risk assessment during the Security Assessment and Authorization process. (T0158, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Perform an information security risk assessment. (T0509, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Review authorization and assurance documents to confirm that the level of risk is within acceptable limits for each software application, system, and network. (T0221, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Coordinate with intelligence analysts to correlate threat assessment data. (T0312, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Perform technical (evaluation of technology) and nontechnical (evaluation of people and operations) risk and vulnerability assessments of relevant technology focus areas (e.g., local computing environment, network and infrastructure, enclave boundary, supporting infrastructure, and applications). (T0549, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Maintain awareness of advancements in hardware and software technologies (e.g., attend training or conferences, reading) and their potential implications. (T0738, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Collaborate with cybersecurity personnel on the security risk assessment process to address privacy compliance and risk mitigation (T0872, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization must perform risk assessments that look at the risk of unauthorized use, unauthorized disruption, unauthorized access, unauthorized disclosure, unauthorized modification, and unauthorized destruction of information and the Information System. (SG.RA-4 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of CUI. (3.11.1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. (3.11.1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. (3.11.1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization must conduct a risk assessment that includes the likelihood and magnitude of harm. (App F § RA-3.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Review authorization and assurance documents to confirm that the level of risk is within acceptable limits for each software application, system, and network. (T0221, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Conduct risk analysis, feasibility study, and/or trade-off analysis to develop, document, and refine functional requirements and specifications. (T0033, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change. (T0181, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Perform an information security risk assessment. (T0509, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Participate in an information security risk assessment during the Security Assessment and Authorization process. (T0158, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Collaborate with cybersecurity personnel on the security risk assessment process to address privacy compliance and risk mitigation. (T0872, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Perform technical (evaluation of technology) and nontechnical (evaluation of people and operations) risk and vulnerability assessments of relevant technology focus areas (e.g., local computing environment, network and infrastructure, enclave boundary, supporting infrastructure, and applications). (T0549, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits. (RA-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits. (RA-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits. (RA-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits. (RA-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; (RA-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; (RA-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; (RA-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; (RA-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Conduct a risk assessment, including: (RA-3a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Conduct a risk assessment, including: (RA-3a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; (RA-3a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Examiners may assess whether registrants have cybersecurity governance and risk assessment processes relative to the key areas of focus discussed below. Examiners also may assess whether firms are periodically evaluating cybersecurity risks and whether their controls and risk assessment processes ar… (Bullet 1: Governance and Risk Assessment, OCIE’s 2015 Cybersecurity Examination Initiative, Volume IV, Issue 8)
  • There are several Enterprise Risk Management (ERM) models available to help organizations integrate risk management and internal control activities into a common framework. Section 270.24 of the Office of Management and Budget (OMB) Circular No. A-11 defines "risk" as the effect of uncertainty on ob… (Section II ¶ 1, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • The identification of risk is a continuous and ongoing process. Once initial risks are identified, it is important to re-examine risks on a regular basis to identify new risks or changes to existing risks. (Section II (B2) ¶ 2, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • Conduct an SVA or the equivalent on a periodic basis, not to exceed 36 months, and within 12 months after completion of a significant enhancement or modification to the facility; (4.3 ¶ 2 Bullet 1, Pipeline Security Guidelines)
  • Identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality or integrity of any electronic, paper or other records that contain personal information, (§ 38a-999b(b)(2)(D)(i), Connecticut General Statutes Title 38a, Chapter 705, Section 38a - 999b, Comprehensive information security program to safeguard personal information. Certification. Notice requirements for actual or suspected breach. Penalty.)
  • A licensee shall conduct a risk assessment of its information systems and treatment of nonpublic information by doing the following: (Sec. 17., Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • Each Covered Entity shall conduct a periodic Risk Assessment of the Covered Entity's Information Systems sufficient to inform the design of the cybersecurity program as required by this Part. Such Risk Assessment shall be updated as reasonably necessary to address changes to the Covered Entity's Inf… (§ 500.09 Risk Assessment (a), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • Each covered entity shall conduct a periodic risk assessment of the covered entity's information systems sufficient to inform the design of the cybersecurity program as required by this Part. Such risk assessment shall be reviewed and updated as reasonably necessary, but at a minimum annually, and w… (§ 500.9 Risk Assessment (a), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • assesses risks of information storage and disposal; (§ 899-bb. 2(b)(ii)(C)(1), New York General Business Law Chapter 20, Article 39-F, Section 899-BB)
  • assesses risks in information processing, transmission and storage; (§ 899-bb. 2(b)(ii)(B)(2), New York General Business Law Chapter 20, Article 39-F, Section 899-BB)
  • A licensee shall conduct a risk assessment as follows: (§ 56-2-1004 (3), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; (RA-3a., TX-RAMP Security Controls Baseline Level 1)
  • Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; (RA-3a., TX-RAMP Security Controls Baseline Level 2)
  • Risk assessment. The licensee shall conduct a risk assessment under which the licensee shall do all of the following: (§ 601.952(2), Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)