Employ risk assessment procedures that follow standards and best practices, as necessary.
CONTROL ID
06473
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain risk assessment procedures., CC ID: 06446

There are no implementation support Controls.

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • To determine the inherent riskiness of an institution (II. Step 1: Bullet 1, Hong Kong Monetary Authority The Cyber Resilience Assessment Framework, Cybersecurity Summit 2016)
  • assessing the service provider's ability to employ a high standard of care in performing the outsourced service and meet regulatory standards as expected of the institution, as if the outsourcing arrangement is performed by the institution; (5.3.1 (c), Guidelines on Outsourcing)
  • The organization must implement the controls stated in the Australian Government Information Security Manual into the Risk Management processes. (Control: 1205, Australian Government Information Security Manual: Controls)
  • The organization should develop the Security Risk Management Plan in accordance with the Australian standards or international standards for Risk Management. (Control: 0894, Australian Government Information Security Manual: Controls)
  • When performing the assessment under this Title, competent authorities should use all available information sources as set out in paragraph 127 of Title 6 of the EBA SREP Guidelines e.g. institution's risk management activities, reporting and outcomes, as a basis for the identification of their supe… (Title 3 3.1 37., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • When developing their own risk assessment methodology, organizations may consider adapting an industry-standard methodology that is most appropriate for their particular culture and business climate, to ensure their particular risk objectives are met. Figure 2.0 illustrates typical risk assessment c… (§ 4.2 ¶ 1, Information Supplement: PCI DSS Risk Assessment Guidelines, Version 2.0)
  • Information risk assessments should take into account compliance requirements with industry standards. (SR.01.02.06a-4, The Standard of Good Practice for Information Security)
  • Information risk assessments should take into account compliance requirements with internal policies. (SR.01.02.06a-5, The Standard of Good Practice for Information Security)
  • Information risk reports should be aligned with other established corporate risk reporting methods (e.g., enterprise risk, operational risk, or market risk). (SI.02.02.07a, The Standard of Good Practice for Information Security)
  • Information risk reports should be aligned with other established corporate risk reporting methods (e.g., enterprise risk, operational risk, or market risk). (SI.02.02.07a, The Standard of Good Practice for Information Security, 2013)
  • The analysis approach should be consistent with the risk criteria developed as part of establishing the context (see 6.3). (§ 6.4.3.1 ¶ 2, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • Where applicable, the organization should assess the likelihood of occurrence of events and outcomes causing risks. Likelihood can be determined on a qualitative or quantitative scale and should align to the criteria established as part of 6.3.4. Likelihood can be informed and affected by (not limit… (§ 6.4.3.3 ¶ 1, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • legal and regulatory compliance risks; (Section 6.1.2 ¶ 1(c)(1)(c), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The purpose of risk identification is to determine what can happen to cause a potential loss, and to gain insight into how, where and why the loss can happen. The steps described in the following subclauses should collect input data for the risk analysis activity. (§ 8.2.1 ¶ 1, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • The cyber risk assessment process is consistent with the organization's policies and procedures and includes criteria for the evaluation and categorization of enterprise-specific cyber risks and threats. (GV.RM-1.4, CRI Profile, v1.2)
  • The cyber risk assessment process is consistent with the organization's policies and procedures and includes criteria for the evaluation and categorization of enterprise-specific cyber risks and threats. (GV.RM-1.4, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Each Transmission Owner shall perform an initial risk assessment and subsequent risk assessments of its Transmission stations and Transmission substations (existing and planned to be in service within 24 months) that meet the criteria specified in Applicability Section 4.1.1. The initial and subsequ… (B. R1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-2, Version 2)
  • Each Transmission Owner shall perform an initial risk assessment and subsequent risk assessments of its Transmission stations and Transmission substations (existing and planned to be in service within 24 months) that meet the criteria specified in Applicability Section 4.1.1. The initial and subsequ… (B. R1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-3, Version 3)
  • Improve consistency in risk measurement. (App A Objective 5.1.c, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should develop risk measurement processes that evaluate the inherent risk to the institution. (II.B Risk Measurement, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • IT risks are adequately identified, measured, and mitigated. (App A Objective 2:1 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Financial institution management should develop risk measurement processes that include the following elements: - Measuring risk using qualitative, quantitative, or a hybrid of methods. - Recognizing that risks do not exist in isolation. - Prioritizing the risks based on the results of risk measurem… (III.B Risk Measurement, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Has formality appropriate to the complexity of the institution. (App A Objective 9:3 c., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Has a risk identification process that is formal yet flexible enough to adapt to changes in the IT environment. (App A Objective 10:1 e., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Measures risk through qualitative, quantitative, or hybrid measurement approaches. (App A Objective 11:1 f., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether management effectively measures risks and determines the likelihood and impact of those risks. (AppE.7 Objective 4:1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Financial institutions engaged in retail payment systems should establish an appropriate risk management process that identifies, measures, monitors, and limits risks. Management and the board should manage and mitigate the identified risks through effective internal and external audit, physical and… (Retail Payment Systems Risk Management, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)