
Employ risk assessment procedures that take into account incidents associated with the target environment.


CONTROL ID
06480
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain risk assessment procedures. (CC ID: 06446)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The requirements for each zone should be determined through the risk assessment. The risk assessment should include, but is not limited to, threats like aircraft crashes, chemical effects, dust, electrical supply interference, electromagnetic radiation, explosives, fire, smoke, theft/destruction, vi… (Critical components of information security 8) (ii), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The organization should use the register as a reference for future risk assessments. (Control: 0916, Australian Government Information Security Manual: Controls)
  • the potential impact of a significant disruption on the institution's ICT systems on the financial system either at domestic or international level; (Title 3 3.2.1 39.a, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • The assumable repercussions on the business activities or fulfilment of tasks through security incidents must be analysed. (§ 8.1 Subsection 3 ¶ 1 Bullet 5, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • The risk of suffering damages due to security incidents must be assessed. (§ 8.1 Subsection 3 ¶ 1 Bullet 6, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions. (§ 3 Principle 8 Points of Focus: Assesses Attitudes and Rationalizations, COSO Internal Control - Integrated Framework (2013))
  • Information risk assessments should take into account incidents previously experienced (including frequency and magnitude). (SR.01.02.06i, The Standard of Good Practice for Information Security)
  • Information risk reports should cover a broad range of information risk-based activities, which include details about information security incidents, including assessment of business impact, root cause analysis (to identify control weaknesses), and forensic investigation (where applicable). (SI.02.02.05f, The Standard of Good Practice for Information Security)
  • Information risk reports should cover a broad range of information risk-based activities, which include details about information security incidents, including assessment of business impact, root cause analysis (to identify control weaknesses), and forensic investigation (where applicable). (SI.02.02.05f, The Standard of Good Practice for Information Security, 2013)
  • Information risk assessments should take into account incidents previously experienced (including frequency and magnitude). (SR.01.02.08e, The Standard of Good Practice for Information Security, 2013)
  • Information risk assessments should be supported by reviewing intelligence information about information security incidents affecting major organizations (including type of incidents, frequency of occurrence, and preceding events). (SR.01.01.07c, The Standard of Good Practice for Information Security, 2013)
  • The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions. (CC3.3 ¶ 3 Bullet 4 Assesses Attitudes and Rationalizations, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • In performing his or her procedures, the service auditor may become aware of a system incident that has affected a system of the service organization that is not the system under examination. For example, the service organization may experience a breach in an IT system that is not a component of the… (¶ 3.159, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • In performing procedures, the service auditor may become aware of a system incident that has affected a system of the service organization that is not the system under examination. For example, the service organization may experience a breach in an IT system that is not a component of the system und… (¶ 3.185, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions. (CC3.3 Assesses Attitudes and Rationalizations, Trust Services Criteria)
  • The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions. (CC3.3 ¶ 3 Bullet 4 Assesses Attitudes and Rationalizations, Trust Services Criteria, (includes March 2020 updates))
  • Prior history of attack on similar facilities taking into account the frequency, geographic proximity, and severity of past physical security related events; and (B. R4. 4.2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-2, Version 2)
  • Prior history of attack on similar facilities taking into account the frequency, geographic proximity, and severity of past physical security related events; and (B. R4. 4.2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-3, Version 3)
  • Malicious activity, including fraud, theft, blackmail, sabotage, cyber attacks, and terrorism. (III.B Action Summary ¶ 2 Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Analyze the event associated with the indicators. (App A Objective 8.5.b, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should have a process to enable the following: - Identify indicators of compromise. - Analyze the event associated with the indicators. - Classify the event. - Escalate the event consistent with the classification. - Report internally and externally as appropriate. (III.C Incident Identification and Assessment, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • actual incidents of security breaches, identity theft, or fraud experienced by the institution or industry. (Risk Assessments ¶ 1 Bullet 4, Supplement to Authentication in an Internet Banking Environment)
  • An assessment of a covered entity's security shall be based upon the entity's reasonable security measures as a whole and shall place an emphasis on data security failures that are multiple or systemic, including consideration of all the following: (§ 8-38-3 (c), Code of Alabama Title 8 Chapter 38 Section 8-38-1 thru 8-38-12, Alabama Data Breach Notification Act of 2018)