Include the process for defining the scope of each risk assessment in the risk assessment program.


CONTROL ID: 06462
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain risk assessment procedures. (CC ID: 06446)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • the scope of independent assessment covers, at a minimum, an objective evaluation (which may be risk-based) of whether adequate risk management controls have been implemented for the e-banking service in question, including those applicable controls set out in this module (focusing on relevant contr… (§ 3.3.1(ii), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • the ICT risks are within the scope of institution-wide risk management and internal control frameworks. (Title 2 2.4 30.b, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • the risk management policy is formalised and approved by the management body and contains sufficient guidance on the institution's ICT risk appetite, and on the main pursued ICT risk management objectives and/or applied ICT risk tolerance thresholds. The relevant ICT risk management policy should al… (Title 3 3.3.1 49.a, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • The processing and sharing of information in business and service processes is supported by data-processing IT systems and related IT processes. The scope and quality thereof shall be based, in particular, on the institution's internal operating needs, business activities and risk situation (see AT … (II.3.8, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • The organization should identify the risk assessment scope of the mineral supply chain. (Supplement on Tin, Tantalum, and Tungsten Step 2: I.A, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The downstream company should identify the scope of the risk assessment. (Supplement on Tin, Tantalum, and Tungsten Step 2: II.B, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Before an organization can assess its risks, it should understand its business processes, assets, threats, and vulnerabilities. - Context Establishment – The risk assessment team needs to understand the internal and external parameters when defining the scope of the risk assessment and/or have acc… (§ 4.2.1 ¶ 1, Information Supplement: PCI DSS Risk Assessment Guidelines, Version 2.0)
  • The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. (§ 3 Principle 6 ¶ 1, COSO Internal Control - Integrated Framework (2013))
  • Information risk assessment methodologies should require all risk assessments to have a clearly defined scope. (SR.01.02.03, The Standard of Good Practice for Information Security)
  • Information risk assessment methodologies should require all risk assessments to have a clearly defined scope and address all types of critical and sensitive information, including commercial information (e.g., order quantities, orders and invoices, prices and quotes). (SR.01.02.03a, The Standard of Good Practice for Information Security, 2013)
  • Information risk assessment methodologies should require all risk assessments to have a clearly defined scope and address all types of critical and sensitive information, including intellectual property (e.g., advice, drawings, product formulae, and specifications). (SR.01.02.03b, The Standard of Good Practice for Information Security, 2013)
  • Information risk assessment methodologies should require all risk assessments to have a clearly defined scope and address all types of critical and sensitive information, including legal, regulatory, and privileged information (e.g., contracts, legal advice, and negotiations). (SR.01.02.03c, The Standard of Good Practice for Information Security, 2013)
  • Information risk assessment methodologies should require all risk assessments to have a clearly defined scope and address all types of critical and sensitive information, including logistical information (e.g., delivery schedules, shipping requirements, and stock reports). (SR.01.02.03d, The Standard of Good Practice for Information Security, 2013)
  • Information risk assessment methodologies should require all risk assessments to have a clearly defined scope and address all types of critical and sensitive information, including management information (e.g., financial reports, process performance, and warehousing and stock turnover). (SR.01.02.03e, The Standard of Good Practice for Information Security, 2013)
  • Information risk assessment methodologies should require all risk assessments to have a clearly defined scope and address all types of critical and sensitive information, including personally identifiable information, such as consumer details, employee data, and payroll data. (SR.01.02.03f, The Standard of Good Practice for Information Security, 2013)
  • establishes the context of the assessment, defines criteria and evaluates the potential impact of a disruptive incident, (§ 8.2.1 ¶ 1 a), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. (CC3.1 ¶ 1 COSO Principle 6:, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. (CC3.1 COSO Principle 6, Trust Services Criteria)
  • The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. (CC3.1 ¶ 1 COSO Principle 6:, Trust Services Criteria, (includes March 2020 updates))
  • Describe the process for assessing and documenting risk and control factors and its application in the formulation of audit plans, resource allocations, audit scopes, and audit cycle frequency (TIER I OBJECTIVES AND PROCEDURES Objective 8:2. Bullet 2, FFIEC IT Examination Handbook - Audit, April 2012)
  • Assumptions affecting risk assessments, risk responses, and risk monitoring; (PM-28a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Assumptions affecting risk assessments, risk responses, and risk monitoring; (PM-28a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Use all-source intelligence to assist in the analysis of risk. (RA-3(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Assumptions affecting risk assessments, risk responses, and risk monitoring; (PM-28a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Use all-source intelligence to assist in the analysis of risk. (RA-3(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Assumptions affecting risk assessments, risk responses, and risk monitoring; (PM-28a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • criteria for the assessment of the confidentiality, integrity, security and availability of the Covered Entity's Information Systems and Nonpublic Information, including the adequacy of existing controls in the context of identified risks; and (§ 500.09 Risk Assessment (b)(2), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • criteria for the assessment of the confidentiality, integrity, security and availability of the covered entity's information systems and nonpublic information, including the adequacy of existing controls in the context of identified risks; and (§ 500.9 Risk Assessment (b)(2), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)