Approve the risk assessment program and associated risk assessment procedures at the senior management level.
CONTROL ID
06458
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain risk assessment procedures. (CC ID: 06446)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • formal risk assessment is conducted periodically by, for instance, the function(s) designated by the senior management under subsection 3.3.1(i) above or an independent party (such as the assessor), to determine whether any independent assessment should be performed during the year, and if so, the s… (§ 3.3.1(iv), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • Apart from independent assessment and penetration tests mentioned in subsections 3.3.1 and 3.3.2, formal risk assessment should be conducted periodically, at least on an annual basis, to ensure that adequate risk management controls have been implemented for Internet banking and financial services d… (§ 3.3.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • The FI should ensure risks associated with deviations are thoroughly reviewed and assessed. The risk assessment should be approved by senior management. Approved deviations should be reviewed periodically to ensure the residual risks remain at an acceptable level. (§ 3.2.2, Technology Risk Management Guidelines, January 2021)
  • In APRA's view, the IT security risk management framework would encapsulate the expectations of the Board and senior management, have a designated owner(s), and outline the roles and responsibilities of staff to ensure the achievement of effective IT security risk management outcomes. The framework … (¶ 25, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Financial institutions should ensure that the ICT and security risk management framework is documented, and continuously improved, based on 'lessons learned' during its implementation and monitoring. The ICT and security risk management framework should be approved and reviewed, at least once a year… (3.3.1 14, Final Report EBA Guidelines on ICT and security risk management)
  • that the management body knows and addresses the risks associated with the ICT; (Title 2 2.3 28.b, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • the risk management policy is formalised and approved by the management body and contains sufficient guidance on the institution's ICT risk appetite, and on the main pursued ICT risk management objectives and/or applied ICT risk tolerance thresholds. The relevant ICT risk management policy should al… (Title 3 3.3.1 49.a, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities in order to comply with Article 21, oversee its implementation and can be held liable for infringements by the entities of that Article… (Article 20 1 ¶ 1, DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • The management body of the financial entity shall define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework referred to in Article 6(1). (Art. 5.2. ¶ 1, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • The manner in which risks should be dealt with must be documented, assigned to a risk owner, and approved by the topmost management level. The resources necessary for implementing the strategy must be planned and made available. (§ 8.1 Subsection 4 ¶ 2, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Submit the security analysis management report to management for approval. (4.6 Bullet 4, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Then, an organisation must define risk acceptance criteria and map the handling of the risk on such criteria. In all cases, the management must be involved in the decision how the risks identified are dealt with, because there may be substantial damage or additional costs. (§ 8.5 Subsection 1 ¶ 7, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Document basic procedure of the organisation for performance of risk analyses in a policy and present this to the management level for passing (§ 8.5 Subsection 2 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • If it proves to be impossible to provide a sufficient budget for implementing all the missing security safeguards, then the residual risk resulting from failure to implement or delay in implementing certain measures should be pointed out. To assist in this, the cross-reference tables from the IT-Gru… (§ 9.2 ¶ 4, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Likewise, it must also be specified who is responsible for monitoring the implementation and who is to be reported of the completion of the implementation of each safeguard. The ISO is usually informed of the completion. The ISO must be notified continuously on advancement of implementation as well … (§ 9.4 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Establishment of a risk management process: The risk analysis is an important component of the information security management system (ISMS). The basic prerequisites for this should therefore be specified by the organisation's management. The basic approach of the organisation for performance of ris… (§ 8.5 Subsection 1 ¶ 6 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Approval of documented evidence by senior management. (12.3.2 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Information risk assessment methodologies should be documented, and approved by executive management. (SR.01.02.02a, The Standard of Good Practice for Information Security)
  • Information risk assessment methodologies should be documented, and approved by executive management. (SR.01.02.02a, The Standard of Good Practice for Information Security, 2013)
  • Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for managing the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally… (CCC-01, Cloud Controls Matrix, v4.0)
  • The organization shall document the evaluation, reporting, and approval of the Risk Analysis, risk evaluation, risk control, and residual risks. (§ 4.4.1 ¶ 2, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • results of information security risk assessment(s) and status of information security risk treatment plan; and (§ 9.3 Guidance ¶ 4(e), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The organization has a cyber risk management strategy and framework that is approved by the appropriate governing authority (e.g., the Board or one of its committees) and incorporated into the overall business strategy and enterprise risk management framework. (GV.SF-1.1, CRI Profile, v1.2)
  • An appropriate governing authority (e.g., the Board or one of its committees) oversees and holds senior management accountable for implementing the organization's cyber risk management strategy and framework. (GV.SF-1.2, CRI Profile, v1.2)
  • Cyber risk management processes are established, managed, and agreed to by organizational stakeholders. (GV.RM-1, CRI Profile, v1.2)
  • The organization has a cyber risk management framework that is reviewed and approved by the Board and is informed by the organization's risk tolerances and its role in critical infrastructure. (Strategy and Framework (GV.SF), CRI Profile, v1.2)
  • The organization has a cyber risk management strategy and framework that is approved by the appropriate governing authority (e.g., the Board or one of its committees) and incorporated into the overall business strategy and enterprise risk management framework. (GV.SF-1.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • An appropriate governing authority (e.g., the Board or one of its committees) oversees and holds senior management accountable for implementing the organization's cyber risk management strategy and framework. (GV.SF-1.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning] (B. R3., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Supply Chain Risk Management CIP-013-1)
  • Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning] (B. R3., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Supply Chain Risk Management CIP-013-2, Version 2)
  • Determine whether the board and senior management review and approve the BIA, risk assessment, written BCP, testing program, and testing results at least annually and document these reviews in the board minutes. (TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Reviews, understands, approves, and provides for at least annual reviews of ITRM processes. (App A Objective 2:8 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Audit risk assessment and audit plan. (App A Objective 6:3 a., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Data processing ecosystem risk management policies, processes, and procedures are identified, established, assessed, managed, and agreed to by organizational stakeholders. (ID.DE-P1, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Risk management processes are established, managed, and agreed to by organizational stakeholders. (GV.RM-P1, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Management must review and approve the Risk Management plan. (SG.PS-2 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative. (RA-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative. (RA-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative. (RA-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative. (RA-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders (GV.SC-01, Framework for Improving Critical Infrastructure Cybersecurity, v2.0)
  • The board of directors must approve risk-based policies governing the third party Risk Management process. ("Board of Directors" Bullet 2, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)