Employ risk assessment procedures that take into account the target environment.
CONTROL ID
06479
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain risk assessment procedures., CC ID: 06446

There are no implementation support Controls.
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Apart from independent assessment and penetration tests mentioned in subsections 3.3.1 and 3.3.2, formal risk assessment should be conducted periodically, at least on an annual basis, to ensure that adequate risk management controls have been implemented for Internet banking and financial services d… (§ 3.3.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • whether the institution may be more exposed to ICT security risks, ICT availability and continuity risks, ICT data integrity risks or ICT change risks due to the complexity (e.g. as a result of mergers or acquisitions) or outdated nature of its ICT systems; (Title 3 3.2.1 39.c, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • The information and business processes that are to be protected must be identified. (§ 8.1 Subsection 3 ¶ 1 Bullet 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Systematically work through BSI-Standard 200-3 Risk analysis based on IT-Grundschutz (§ 8.5 Subsection 2 Bullet 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • operational risks based on an analysis of severe but plausible scenarios, for instance a breach or outage affecting the confidentiality and integrity of sensitive data and/or availability of service provision (see Chapter 10); and (§ 5.21 Bullet 1, SS2/21 Outsourcing and third party risk management, March 2021)
  • Direct connection to the performance of a regulated activity. (Table 5 Row 1 ¶ 1, SS2/21 Outsourcing and third party risk management, March 2021)
  • Upstream companies should identify the factual circumstances of the supply chain by assessing the context of conflict-affected and high-risk areas. (Supplement on Tin, Tantalum, and Tungsten Step 2: I.B, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Upstream companies should identify the factual circumstances of the supply chain by clarifying the chain of custody, the relationships, and activities of all upstream suppliers. (Supplement on Tin, Tantalum, and Tungsten Step 2: I.B, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Upstream companies should identify the factual circumstances of the supply chain by identifying the locations and qualitative conditions of the handling, extraction, trade, and export of the mineral. (Supplement on Tin, Tantalum, and Tungsten Step 2: I.B, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The risk identification process considers changes to the regulatory, economic, and physical environment in which the entity operates. (§ 3 Principle 9 Points of Focus: Assesses Changes in the External Environment, COSO Internal Control - Integrated Framework (2013))
  • Information risk assessments should take into account characteristics of the operating environment of information and systems being assessed (e.g., number and diversity of users, their level of access to information, their attitude to handling business information, resistance to control, and influen… (SR.01.02.06g, The Standard of Good Practice for Information Security)
  • Information risk assessments should take into account the physical locations associated with the target of the risk assessment (e.g., conventional offices inside the organization, remote parts of the organization such as satellite offices, industrial environments, and customer facing locations such … (SR.01.02.06h, The Standard of Good Practice for Information Security)
  • Information risk assessments should take into account characteristics of the operating environment of information and systems being assessed (e.g., number and diversity of users, their level of access to information, their attitude to handling business information, resistance to control, and influen… (SR.01.02.09c, The Standard of Good Practice for Information Security, 2013)
  • Information risk assessments should take into account the physical locations associated with the target of the risk assessment (e.g., conventional offices inside the organization, remote parts of the organization such as satellite offices, industrial environments, and customer facing locations such … (SR.01.02.09d, The Standard of Good Practice for Information Security, 2013)
  • Information risk assessments should take into account factors that may influence the likelihood of threats materializing, including supporting technology that uses makes / models of hardware and software that are proprietary, obsolete or unsupported. (SR.01.02.08f, The Standard of Good Practice for Information Security, 2013)
  • Vulnerabilities that increase the likelihood of business information being compromised should be assessed by performing a system analysis (i.e., an analysis of the key characteristics of an information system (e.g., Internet connectivity, scale and complexity of system, number of transactions)). (SR.01.02.06c, The Standard of Good Practice for Information Security, 2013)
  • Vulnerabilities that increase the likelihood of business information being compromised should be assessed by performing technical analysis (i.e., an analysis of the technical weaknesses inherent in an information system, such as configuration errors, operating system weaknesses, and known software b… (SR.01.02.06d, The Standard of Good Practice for Information Security, 2013)
  • The governing body should consider and manage risk associated with its own activities in accordance with the organizational risk framework. For example, the governing body should: (§ 6.9.3.3 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • hazards (see 6.1.2.1); (§ 6.1.1 ¶ 2 Bullet 1, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • OH&S risks and other risks (see 6.1.2.2); (§ 6.1.1 ¶ 2 Bullet 2, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • Because of the magnitude of potential effects of AI systems, the organization should pay special attention to the environment of its stakeholders when forming and establishing the context of the risk management process. (§ 6.3.3 ¶ 2, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • Organizations should establish a consistent approach to determine the risk level. The approach should reflect the potential impact of AI systems regarding different AI-related objectives (see Annex A). (§ 6.3.4 Table 4 Column 2 Row 5 Bullet 1, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • As part of AI risk assessment, the organization should identify risk sources, events or outcomes that can lead to risks. It should also identify any consequences to the organization itself, to individuals, communities, groups and societies. Organizations should take particular care to identify any d… (§ 6.4.2.6 ¶ 1, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • apply the IT asset risk assessment process to identify all relevant risks, including: (Section 6.1.2 ¶ 1(c)(1), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The risk identification process considers changes to the regulatory, economic, and physical environment in which the entity operates. (CC3.4 ¶ 3 Bullet 1 Assesses Changes in the External Environment, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Sufficient appropriate evidence is primarily obtained from procedures performed during the engagement. It may, however, also include information obtained from other sources, such as previous engagements (provided the service auditor has determined whether changes have occurred since the previous eng… (¶ 4.05, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Assessment of the risks of material misstatement is affected by many factors, including materiality considerations (see paragraph 3.05) and the service auditor's understanding of the effectiveness of the control environment or other components of internal control related to the service provided to u… (¶ 3.01, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Because the description of the system is a narrative presentation, considering materiality during planning involves some unique considerations. Certain aspects of the description of the system may be quantitatively measured but others may not be. When considering aspects of the description that cann… (¶ 2.139, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Sufficient appropriate evidence is primarily obtained from procedures performed during the engagement. It may, however, also include information obtained from other sources, such as previous engagements (provided the service auditor has determined whether changes have occurred since the previous eng… (¶ 4.08, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The risk identification process considers changes to the regulatory, economic, and physical environment in which the entity operates. (CC3.4 Assesses Changes in the External Environment, Trust Services Criteria)
  • The risk identification process considers changes to the regulatory, economic, and physical environment in which the entity operates. (CC3.4 ¶ 3 Bullet 1 Assesses Changes in the External Environment, Trust Services Criteria, (includes March 2020 updates))
  • Each Transmission Owner that identified a Transmission station, Transmission substation, or a primary control center in Requirement R1 and verified according to Requirement R2, and each Transmission Operator notified by a Transmission Owner according to Requirement R3, shall conduct an evaluation of… (B. R4., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-2, Version 2)
  • Unique characteristics of the identified and verified Transmission station(s), Transmission substation(s), and primary control center(s); (B. R4. 4.1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-2, Version 2)
  • Each Transmission Owner that identified a Transmission station, Transmission substation, or a primary control center in Requirement R1 and verified according to Requirement R2, and each Transmission Operator notified by a Transmission Owner according to Requirement R3, shall conduct an evaluation of… (B. R4., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-3, Version 3)
  • Unique characteristics of the identified and verified Transmission station(s), Transmission substation(s), and primary control center(s); (B. R4. 4.1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-3, Version 3)
  • Determine whether management identifies BCM risks and coordinates risk identification efforts throughout the entity to identify systemic threats. (App A Objective 5:2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Initial assessment of the AIO-related risk. (App A Objective 2:8b Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Addresses the program in its current environment. (App A Objective 9.1.a, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Organizations should approach patching from a per-asset perspective. Software inventories should include information on each computing asset's technical characteristics and mission/business characteristics. Making decisions for risk responses and their prioritization should not be based solely on wh… (3.2 ¶ 4, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology, NIST SP 800-40, Revision 4)
  • The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards and for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy. (PE-18(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The size of the covered entity. (§ 8-38-3 (c)(1), Code of Alabama Title 8 Chapter 38 Section 8-38-1 thru 8-38-12, Alabama Data Breach Notification Act of 2018)