Automate as much of the risk assessment program, as necessary.


CONTROL ID: 06459
CONTROL TYPE: Audits and Risk Management
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain risk assessment procedures. (CC ID: 06446)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Information risk assessment methodologies should be automated (e.g., using specialist software tools such as the Information Security Forum Risk Analyst Workbench). (SR.01.02.02c, The Standard of Good Practice for Information Security)
  • Information risk assessment methodologies should be automated (e.g., using specialist software tools such as the Information Security Forum Risk Analyst Workbench). (SR.01.02.02d, The Standard of Good Practice for Information Security, 2013)
  • periodic assessments of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency, which may include using automated tools co… (§ 3554(b)(1), Federal Information Security Modernization Act of 2014)
  • Automate C-SCRM processes where applicable and practical to drive execution consistency, efficiency, and make available the critical resources required for other critical C-SCRM activities. (3.4.3. ¶ 1 Bullet 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)