Employ risk assessment procedures that take into account both electronic records and printed records.


CONTROL ID
06476
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain risk assessment procedures., CC ID: 06446

This Control has the following implementation support Control(s):
  • Employ risk assessment procedures that take into account information classification., CC ID: 06477


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The information and business processes that are to be protected must be identified. (§ 8.1 Subsection 3 ¶ 1 Bullet 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Information risk assessments should take into account the different formats of information (including paper documents, electronic files, verbal communications, and physical objects). (SR.01.02.06d, The Standard of Good Practice for Information Security)
  • Standards / procedures should cover collecting and analyzing information risk data. (SI.02.02.02b, The Standard of Good Practice for Information Security)
  • Standards / procedures should cover collecting and analyzing information risk data. (SI.02.02.02b, The Standard of Good Practice for Information Security, 2013)
  • Information risk assessments should take into account the different formats of information (including paper documents, electronic files, verbal communications, and physical objects). (SR.01.02.08b, The Standard of Good Practice for Information Security, 2013)
  • Risk assessments associated with data governance requirements shall be conducted at planned intervals and shall consider the following: - Awareness of where sensitive data is stored and transmitted across applications, databases, servers, and network infrastructure - Compliance with defined retent… (GRM-02, Cloud Controls Matrix, v3.0)
  • Type of cash letter instrument and the geographic location of the originator. (App A Tier 2 Objectives and Procedures N.2 Bullet 3 Sub-Bullet 6, Sub-Sub Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Assess the quality of risk management and support for checks. (App A Tier 1 Objectives and Procedures Objective 10, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The amount of sensitive personally identifying information and the type of activities for which the sensitive personally identifying information is accessed, acquired, maintained, stored, utilized, or communicated by, or on behalf of, the covered entity. (§ 8-38-3 (c)(2), Code of Alabama Title 8 Chapter 38 Section 8-38-1 thru 8-38-12, Alabama Data Breach Notification Act of 2018)