Employ risk assessment procedures that align with strategic objectives.


CONTROL ID
06474
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain risk assessment procedures., CC ID: 06446

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The establishment and ongoing development of the IT security risk management framework would normally be directed by an overarching IT security strategy and a supporting program of work. This strategy would typically be aligned with a regulated institution's IT and business strategies, as appropriat… (¶ 24, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Financial institutions should define and assign key roles and responsibilities, and relevant reporting lines, for the ICT and security risk management framework to be effective. This framework should be fully integrated into, and aligned with, financial institutions' overall risk management processe… (3.3.1 12, Final Report EBA Guidelines on ICT and security risk management)
  • The strategic impact on the institution, for example if strategic product or business plans are compromised or stolen. (Title 3 3.2.3 43.e, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Develop and maintain a framework that defines the enterprise's overall approach to IT risk and control and that aligns with the IT policy and control environment and the enterprise risk and control framework. (PO6.2 Enterprise IT Risk and Control Framework, CobiT, Version 4.1)
  • Establish the context in which the risk assessment framework is applied to ensure appropriate outcomes. This should include determining the internal and external context of each risk assessment, the goal of the assessment, and the criteria against which risks are evaluated. (PO9.2 Establishment of Risk Context, CobiT, Version 4.1)
  • Information risk assessments should take into account objectives of the organization (e.g., those identified in the organization's business strategy and security strategy). (SR.01.02.06c, The Standard of Good Practice for Information Security)
  • Security monitoring arrangements should provide key decision-makers with an informed view of performance against quantitative, objective targets. (SI.02.01.06d, The Standard of Good Practice for Information Security)
  • Security monitoring arrangements should enable key decision-makers to make strategic decisions affecting information security governance. (SI.02.01.08d, The Standard of Good Practice for Information Security)
  • Information generated by monitoring the Information Security condition of the organization should be used to measure the effectiveness of the information security strategy, information security policy, and security architecture. (SI.02.01.09, The Standard of Good Practice for Information Security)
  • Standards / procedures should cover defining requirements of the audience that receive the reports. (SI.02.02.02a, The Standard of Good Practice for Information Security)
  • Security monitoring arrangements should provide key decision-makers with an informed view of performance against quantitative, objective targets. (SI.02.01.06d, The Standard of Good Practice for Information Security, 2013)
  • Security monitoring arrangements should enable key decision-makers to make strategic decisions affecting information security governance. (SI.02.01.08d, The Standard of Good Practice for Information Security, 2013)
  • Information generated by monitoring the Information Security condition of the organization should be used to measure the effectiveness of the information security strategy, information security policy, and security architecture. (SI.02.01.09, The Standard of Good Practice for Information Security, 2013)
  • Standards / procedures should cover defining requirements of the audience that receive the reports. (SI.02.02.02a, The Standard of Good Practice for Information Security, 2013)
  • Information risk assessments should take into account objectives of the organization (e.g., those identified in the organization's business strategy and security strategy). (SR.01.02.09b, The Standard of Good Practice for Information Security, 2013)
  • Information risk assessment methodologies should be aligned with the organization's approach to enterprise risk management (e.g., managed as part of operational risk management and using similar terminology, techniques, and reporting). (SR.01.02.02b, The Standard of Good Practice for Information Security, 2013)
  • The Risk Management policy shall include balancing the safety, effectiveness, and data and systems security with the organization's mission. (§ 4.2.1 ¶ 1(a), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • To set risk criteria, the following should be considered: - the nature and type of uncertainties that can affect outcomes and objectives (both tangible and intangible); - how consequences (both positive and negative) and likelihood will be defined and measured; - time-related factors; - consiste… (§ 6.3.4 ¶ 3, ISO 31000 Risk management - Guidelines, 2018)
  • Organizations should implement a risk-based approach to identifying, assessing, and understanding the AI risks to which they are exposed and take appropriate treatment measures according to the level of risk. The success of the overall AI risk management process of an organization relies on the iden… (§ 6.1 ¶ 2, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • ensuring that the approach used for managing risk in IT asset management is aligned with the organization's approach for managing risk. (Section 5.1 ¶ 1 bullet 10, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • effectiveness of the ISMS, considering if the intended outcome(s) of the ISMS are achieved, the requirements of the interested parties are met, information security risks are managed to meet information security objectives, nonconformities are managed, while resources needed for the establishment, i… (§ 10.2 Guidance ¶ 1(c), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • the strategic value of the business information process; (§ 7.2.2 ¶ 1 Bullet 1, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • Management identifies sub-objectives for use in risk assessment related to security, availability, processing integrity, confidentiality, or privacy to support the achievement of the entity's objectives. (CC3.1 ¶ 9 Bullet 1 Establishes Sub-Objectives for Risk Assessment, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • An organization should expect that the strategy it selects can be carried out within the entity's risk appetite; that is, strategy must align with risk appetite. If the risk associated with a specific strategy is inconsistent with the entity's risk appetite or risk capacity, it needs to be revised, … (Aligning Strategy with Risk Appetite ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • As an entity changes, the capabilities and value it seeks from enterprise risk management may also change. Enterprise risk management should be tailored to the capabilities of the entity, considering both what the organization is seeking to attain and the way it manages risk. It is natural for the o… (Enterprise Risk Management within the Evolving Entity ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Determine whether the entity's risk management strategies are designed to achieve resilience. (IV.A, "Resilience") (App A Objective 6, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Financial institutions engaged in retail payment systems should establish an appropriate risk management process that identifies, measures, monitors, and limits risks. Management and the board should manage and mitigate the identified risks through effective internal and external audit, physical and… (Retail Payment Systems Risk Management, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • With respect to strategic risk, determine whether management identified the risks associated with the decision to offer MFS and whether that is consistent with the strategic vision, goals, and risk appetite of the institution. (AppE.7 Objective 3:3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Determine whether the ODFI conducts risk assessments of its originators and whether they reflect a reasonable exercise of business judgment. Consider whether the risk assessment includes evaluations of: (App A Tier 2 Objectives and Procedures K.4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The organization must consistently implement the risk management strategy across the organization. (App G § PM-9.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Risk must be analyzed in relation to achievement of the strategic objectives established in the Agency strategic plan (See OMB Circular No. A-11, Section 230), as well as risk in relation to appropriate operational objectives. Specific objectives must be identified and documented to facilitate ident… (Section II (B1) ¶ 1, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • relating to the strategic goals and objectives aligned with and supporting the Agency's Mission (See OMB Circular No. A11, Section 230). (Section II (B1) ¶ 1 Bullet 1 Strategic Objectives, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • Identification of Objectives (Section II (B) ¶ 3 Bullet 1, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • The objective is related to reporting, compliance, or operations, including both administrative operations and the major operational components of programs. (Section II (B4) ¶ 3 Bullet 2, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)