Employ risk assessment procedures that take into account both electronic records and printed records.
CONTROL ID 06476
CONTROL TYPE Establish/Maintain Documentation
CLASSIFICATION Preventive
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
Establish, implement, and maintain risk assessment procedures., CC ID: 06446
This Control has the following implementation support Control(s):
Employ risk assessment procedures that take into account information classification., CC ID: 06477
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
The information and business processes that are to be protected must be identified. (§ 8.1 Subsection 3 ¶ 1 Bullet 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
Information risk assessments should take into account the different formats of information (including paper documents, electronic files, verbal communications, and physical objects). (SR.01.02.06d, The Standard of Good Practice for Information Security)
Standards / procedures should cover collecting and analyzing information risk data. (SI.02.02.02b, The Standard of Good Practice for Information Security)
Standards / procedures should cover collecting and analyzing information risk data. (SI.02.02.02b, The Standard of Good Practice for Information Security, 2013)
Information risk assessments should take into account the different formats of information (including paper documents, electronic files, verbal communications, and physical objects). (SR.01.02.08b, The Standard of Good Practice for Information Security, 2013)
Risk assessments associated with data governance requirements shall be conducted at planned intervals and shall consider the following:
- Awareness of where sensitive data is stored and transmitted across applications, databases, servers, and network infrastructure
- Compliance with defined retent… (GRM-02, Cloud Controls Matrix, v3.0)
Type of cash letter instrument and the geographic location of the originator. (App A Tier 2 Objectives and Procedures N.2 Bullet 3 Sub-Bullet 6, Sub-Sub Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
Assess the quality of risk management and support for checks. (App A Tier 1 Objectives and Procedures Objective 10, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
The amount of sensitive personally identifying information and the type of activities for which the sensitive personally identifying information is accessed, acquired, maintained, stored, utilized, or communicated by, or on behalf of, the covered entity. (§ 8-38-3 (c)(2), Code of Alabama Title 8 Chapter 38 Section 8-38-1 thru 8-38-12, Alabama Data Breach Notification Act of 2018)