Include the results of the risk assessment in the risk assessment report.


CONTROL ID
06481
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Perform risk assessments for all target environments, as necessary. (CC ID: 06452)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and object… (3.3.1 11 ¶ 1, Final Report EBA Guidelines on ICT and security risk management)
  • Financial institutions should identify the ICT and security risks that impact the identified and classified business functions, supporting processes and information assets, according to their criticality. This risk assessment should be carried out and documented annually or at shorter intervals if r… (3.3.3 20, Final Report EBA Guidelines on ICT and security risk management)
  • Competent authorities should summarise the findings of their assessments of the criteria specified in these Guidelines and use them for the purposes of reaching conclusions on the assessment of the SREP elements as specified in the EBA SREP Guidelines. (Title 1 13., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • The outcome of the assessment of ICT risk as specified in Title 3 of these Guidelines should inform the findings of the assessment of operational risk and should be considered as informing the relevant score as specified in Title 6.4 of the EBA SREP Guidelines. (Title 1 15., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • The outcome of this assessment should inform, where relevant, the assessment of risk management and controls in Title 3 of these Guidelines. (Title 2 2.1 24., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Competent authorities should first identify the material inherent ICT risks to which the institution is or might be exposed, followed by an assessment of the effectiveness of the institution's ICT risks' management framework, procedures and controls to mitigate these risks. The outcome of the assess… (Title 3 3.1 36., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Following the above assessment, competent authorities should form an opinion on the institution's ICT risk. This opinion should be reflected in a summary of findings which competent authorities should consider when assigning the score of operational risk in Table 6 of the EBA SREP Guidelines. Compet… (Title 3 3.4 61., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Competent authorities may rely on and take into consideration work already undertaken by the institution or by the competent authority in the context of the assessments of other risks or SREP elements in order to have an update of the assessment. Specifically, in conducting the assessments specified… (Title 1 12., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Supplement the security analysis by integrating the results of the risk analyses into the security concept. (4.6 Bullet 6, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • the security risks for the organisation and its information as well as the related effects and costs, (§ 3.1 ¶ 4 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The results of the IT-Grundschutz Check should be documented such that all those involved can understand them, and they can be used as the basis for implementation planning for those requirements and measures where deficits still exist. Suitable aids providing support for drawing up and updating any… (§ 6.3 Subsection 3 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • In order to determine the protection needs of the device, the potential damage to the relevant business processes must be considered in its entirety. The results of defining the protection needs of devices should be documented in a table if such results have an impact on information security. Only d… (§ 8.2.6 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Deficits / estimation of costs: Regarding requirements not fulfilled or only partially fulfilled, the respectively connected risks should be determined and documented in a suitable manner. For example, this is important for audits and certifications. In case of such safeguards, the financial and per… (§ 8.4.3 ¶ 5 Bullet 5, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The results of the IT-Grundschutz Check should be documented such that all those involved can understand them, and they can be used as the basis for implementation planning for those requirements and measures where deficits still exist. The documentation efforts should not be underestimated. Thus, s… (§ 8.4.3 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • An overall review should be used to assess the requirements of the IT-Grundschutz modules that have not been implemented or only have been implemented partially. Here, it is recommended to extract them from the results of the IT-Grundschutz Check and to summarise them in a table. (§ 9.1 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The procedures for the identification, analysis, assessment and handling of risks, including the IT risks relevant to the cloud service are done at least once a year in order to take internal and external changes and influencing factors into account. The identified risks are comprehensibly documente… (Section 5.1 OIS-07 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The contractual arrangements shall take appropriate account of the measures derived from the risk assessment relating to other external procurement of IT services. Appropriate account shall be taken of the results of the risk assessment in the operational risk management process, primarily in the ov… (II.8.55, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • Upstream companies should publish the supply chain risk assessment and Supply Chain Management plan and make them available to upstream companies, local authorities, local civil society, central authorities, and affected third parties. (Supplement on Tin, Tantalum, and Tungsten Step 3: B.2(b)(i), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Risk assessment conclusions should be corroborated by reliable, verifiable, and up-to-date evidence. (Supplement on Tin, Tantalum, and Tungsten App: A.1, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The results of the risk assessment should be documented and should include the reasons for ranking the system as critical or not critical. (¶ 9.4, Good Practices For Computerized systems In Regulated GXP Environments)
  • The organization should document the risk analysis and the results, including the reasoning for the critical or non-critical classifications and identifying the risks that could potentially impact GxP compliance. (¶ 14.3, Good Practices For Computerized systems In Regulated GXP Environments)
  • Verify the annual risk assessment is documented and identifies the assets, vulnerabilities, threats, and results in a formal risk assessment. (Testing Procedures § 12.2.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • A risk assessment process must be implemented that results in a formal risk assessment. (PCI DSS Requirements § 12.2 Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Implement a risk-assessment process that: - Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), - Identifies critical assets, threats, and vulnerabilities, and - Results in a formal, documented analysis of risk. (12.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Implement a risk-assessment process that: - Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), - Identifies critical assets, threats, and vulnerabilities, and - Results in a formal, documented analysis of risk. (12.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Implement a risk-assessment process that: - Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), - Identifies critical assets, threats, and vulnerabilities, and - Results in a formal, documented analysis of risk. (12.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Is an annual risk assessment process implemented that - Identifies critical assets, threats, and vulnerabilities, and - Results in a formal, documented analysis of risk? (12.2 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Is an annual risk assessment process implemented that - Identifies critical assets, threats, and vulnerabilities, and - Results in a formal, documented analysis of risk? (12.2(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Is an annual risk assessment process implemented that: - Identifies critical assets, threats, and vulnerabilities, and - Results in a formal, documented analysis of risk? (12.2 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is an annual risk assessment process implemented that: - Identifies critical assets, threats, and vulnerabilities, and - Results in a formal, documented analysis of risk? (12.2(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Verify that an annual risk-assessment process is documented that: - Identifies critical assets, threats, and vulnerabilities - Results in a formal, documented analysis of risk (12.2.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Each PCI DSS requirement that provides flexibility for how frequently it is performed (for example, requirements to be performed periodically) is supported by a targeted risk analysis that is documented and includes: (12.3.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine the documented targeted risk-analysis for each PCI DSS requirement that the entity meets with the customized approach to verify that documentation for each requirement exists and is in accordance with all elements specified in this requirement. (12.3.2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Does the risk assessment process result in a formal risk assessment? (PCI DSS Question 12.2(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Does the risk assessment process result in a formal risk assessment? (PCI DSS Question 12.2(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Each PCI DSS requirement that provides flexibility for how frequently it is performed (for example, requirements to be performed periodically) is supported by a targeted risk analysis that is documented and includes: (12.3.1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Each PCI DSS requirement that provides flexibility for how frequently it is performed (for example, requirements to be performed periodically) is supported by a targeted risk analysis that is documented and includes: (12.3.1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Each PCI DSS requirement that provides flexibility for how frequently it is performed (for example, requirements to be performed periodically) is supported by a targeted risk analysis that is documented and includes: (12.3.1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Each PCI DSS requirement that provides flexibility for how frequently it is performed (for example, requirements to be performed periodically) is supported by a targeted risk analysis that is documented and includes: (12.3.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Information risk assessments should ensure that the results of assessments are documented. (SR.01.02.07, The Standard of Good Practice for Information Security)
  • Information risk assessments should ensure that their results (including risk treatment options and any identified residual risk) are communicated to the relevant risk owner. (SR.01.02.08a, The Standard of Good Practice for Information Security)
  • Details of security audit fieldwork performed should be recorded, including the results of audit tests, issues identified, and recommended actions made (e.g., by using test templates designed for specific target environments). (SI.01.03.05, The Standard of Good Practice for Information Security)
  • The results of security audits should include important information and ratings about conformance classification (e.g., fully / partially / non-compliant). (SI.01.04.02b, The Standard of Good Practice for Information Security)
  • The results of security audits should include important information and ratings about risks (e.g., red / amber / green or insignificant to critical). (SI.01.04.02c, The Standard of Good Practice for Information Security)
  • The Business Continuity Management team should maintain a central inventory for each individual business environment, which includes the results of Business Continuity risk assessments (including details of the key threats, availability requirements, and risk treatment options chosen). (CF.20.02.06a, The Standard of Good Practice for Information Security)
  • Information risk assessments should ensure that the results of assessments are documented. (SR.01.02.07, The Standard of Good Practice for Information Security, 2013)
  • Details of security audit fieldwork performed should be recorded, including the results of audit tests, issues identified, and recommended actions made (e.g., by using test templates designed for specific target environments). (SI.01.03.05, The Standard of Good Practice for Information Security, 2013)
  • The results of security audits should include important information and ratings about conformance classification (e.g., fully / partially / non-compliant). (SI.01.04.02b, The Standard of Good Practice for Information Security, 2013)
  • The results of security audits should include important information and ratings about risks (e.g., red / amber / green or insignificant to critical). (SI.01.04.02c, The Standard of Good Practice for Information Security, 2013)
  • The Business Continuity Management team should maintain a central inventory for each individual business environment, which includes the results of Business Continuity risk assessments (including details of the key threats, availability requirements, and risk treatment options chosen). (CF.20.02.06a, The Standard of Good Practice for Information Security, 2013)
  • Information risk assessments should ensure that their results (including risk treatment options and any identified residual risk) are communicated to the relevant risk owner. (SR.01.02.11a, The Standard of Good Practice for Information Security, 2013)
  • The organization shall document the evaluation, reporting, and approval of the Risk Analysis, risk evaluation, risk control, and residual risks. (§ 4.4.1 ¶ 2, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • § 3.5: The medical device manufacturer shall establish and maintain a risk management file, in any form or type of medium, for each medical device. For each identified hazard, the risk management file shall provide traceability to the risk evaluation, the risk analysis, the risk control measures im… (§ 3.5, § 4.1, § 6.5 ¶ 3, § 7 ¶ 4, ISO 14971:2007 Medical devices -- Application of risk management to medical devices, 2007)
  • defines the required output from the business impact analysis and risk assessment, and (§ 8.2.1 ¶ 1 d), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • results of risk assessment and status of risk treatment plan; and (§ 9.3 ¶ 2 e), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The outcome of risk evaluation should be recorded, communicated and then validated at appropriate levels of the organization. (§ 6.4.4 ¶ 3, ISO 31000 Risk management - Guidelines, 2018)
  • The organization's methodology(ies) and criteria for the assessment of OH&S risks shall be defined with respect to their scope, nature and timing to ensure they are proactive rather than reactive and are used in a systematic way. Documented information shall be maintained and retained on the methodo… (§ 6.1.2.2 ¶ 2, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • The results of this assessment should be recorded. The risk management record should allow the traceability of each identified risk through all risk management processes. The records can leverage a common template that is agreed upon by the organization. (§ 6.7 ¶ 5, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • Prepare the assessment reports documenting the findings and recommendations from the control assessments. (TASK A-4, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • Produces a security assessment report that documents the results of the assessment; and (CA-2c., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; (RA-3b., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Produces a security assessment report that documents the results of the assessment; and (CA-2c., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; (RA-3b., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Produces a security assessment report that documents the results of the assessment; and (CA-2c., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; (RA-3b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Produces a security assessment report that documents the results of the assessment; and (CA-2c., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; (RA-3b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The approach for validation should be based on a justified and documented risk assessment and a determination of the system potential to affect product quality, product safety, and record integrity. (§ III.C.1 ¶ 2, Guidance for Industry Part 11, Electronic Records; Electronic Signatures - Scope and Application, August 2003)
  • Identify and describe the RDC customer risk management reports recommended by financial institution management. Discuss how financial institution management validates that RDC customers review the reports. Examples include: (App A Tier 2 Objectives and Procedures N.9 Bullet 4 Sub-Bullet 6, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Identify and describe the monitoring reports used by the financial institution to manage risk. Obtain copies of reports used and review the monitoring process with appropriate financial institution staff. Discuss with appropriate financial institution staff the internal processes for responding to e… (App A Tier 2 Objectives and Procedures N.9 Bullet 4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Produces a security assessment report that documents the results of the assessment; and (CA-2c. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Documents risk assessment results in [FedRAMP Assignment: security assessment report]; (RA-3b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Produces a security assessment report that documents the results of the assessment; and (CA-2c. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Produces a security assessment report that documents the results of the assessment; and (CA-2c. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Documents risk assessment results in [FedRAMP Assignment: security assessment report]; (RA-3b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Documents risk assessment results in [FedRAMP Assignment: security assessment report]; (RA-3b. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Produce a control assessment report that documents the results of the assessment; and (CA-2e., FedRAMP Security Controls High Baseline, Version 5)
  • Produce a control assessment report that documents the results of the assessment; and (CA-2e., FedRAMP Security Controls Low Baseline, Version 5)
  • Produce a control assessment report that documents the results of the assessment; and (CA-2e., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Produce a control assessment report that documents the results of the assessment; and (CA-2e., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Document risk assessment results in [Selection: security and privacy plans; risk assessment report; [Assignment: organization-defined document]]; (RA-3c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Produce a control assessment report that documents the results of the assessment; and (CA-2e., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Document risk assessment results in [Selection: security and privacy plans; risk assessment report; [Assignment: organization-defined document]]; (RA-3c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Produce a control assessment report that documents the results of the assessment; and (CA-2e., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Document risk assessment results in [Selection: security and privacy plans; risk assessment report; [Assignment: organization-defined document]]; (RA-3c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Produce a control assessment report that documents the results of the assessment; and (CA-2e., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Document risk assessment results in [Selection: security and privacy plans; risk assessment report; [Assignment: organization-defined document]]; (RA-3c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Reporting at Level 3 should focus on the C-SCRM's implementation, efficiency, effectiveness, and the overall level of exposure to cybersecurity risks in the supply chain for the particular system. System-level reporting should provide system owners with tactical-level insights that enable them to ma… (2.3.4. ¶ 4, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Produce a control assessment report that documents the results of the assessment; and (CA-2e., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Document risk assessment results in [Selection: security and privacy plans; risk assessment report; [Assignment: organization-defined document]]; (RA-3c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Document risk assessment results in [Selection: security and privacy plans; risk assessment report; [Assignment: organization-defined document]]; (RA-3c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Document risk assessment results in [Selection: security and privacy plans; risk assessment report; [Assignment: organization-defined document]]; (RA-3c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Produce a control assessment report that documents the results of the assessment; and (CA-2e., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Document risk assessment results in [Selection: security and privacy plans; risk assessment report; [Assignment: organization-defined document]]; (RA-3c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Produce a control assessment report that documents the results of the assessment; and (CA-2e., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Produces a security assessment report that documents the results of the assessment; and (CA-2c. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Produces a security assessment report that documents the results of the assessment; and (CA-2c. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Produces a security assessment report that documents the results of the assessment; and (CA-2c. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; (RA-3b. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; (RA-3b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; (RA-3b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Prepare a security assessment report documenting the issues, findings, and recommendations from the security control assessment. (T0953, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Update a security plan, security assessment report, and plan of action and milestones based on the results of a continuous monitoring process. (T0963, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization must document the assessment results in a security assessment report. (SG.CA-2 Requirement 3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must document the assessment results in a security assessment report. (App F § CA-2.c, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must document the risk assessment results in the security plan, the risk assessment report, or other organization-defined report. (App F § RA-3.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Update a security plan, security assessment report, and plan of action and milestones based on the results of a continuous monitoring process. (T0963, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Prepare a security assessment report documenting the issues, findings, and recommendations from the security control assessment. (T0953, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization produces a security assessment report that documents the results of the assessment. (CA-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization documents risk assessment results in {security plan}. (RA-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization documents risk assessment results in {risk assessment report}. (RA-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization documents risk assessment results in {organizationally approved document}. (RA-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization produces a security assessment report that documents the results of the assessment. (CA-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization documents risk assessment results in {security plan}. (RA-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization documents risk assessment results in {risk assessment report}. (RA-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization documents risk assessment results in {organizationally approved document}. (RA-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization produces a security assessment report that documents the results of the assessment. (CA-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization documents risk assessment results in {security plan}. (RA-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization documents risk assessment results in {risk assessment report}. (RA-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization documents risk assessment results in {organizationally approved document}. (RA-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization produces a security assessment report that documents the results of the assessment. (CA-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization documents risk assessment results in {security plan}. (RA-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization documents risk assessment results in {risk assessment report}. (RA-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization documents risk assessment results in {organizationally approved document}. (RA-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Produces a security assessment report that documents the results of the assessment; and (CA-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; (RA-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Produces a security assessment report that documents the results of the assessment; and (CA-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; (RA-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Produces a security assessment report that documents the results of the assessment; and (CA-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; (RA-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Produces a security assessment report that documents the results of the assessment; and (CA-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; (RA-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Document risk assessment results in [Selection: security and privacy plans; risk assessment report; [Assignment: organization-defined document]]; (RA-3c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Produce a control assessment report that documents the results of the assessment; and (CA-2e., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Document risk assessment results in [Selection: security and privacy plans; risk assessment report; [Assignment: organization-defined document]]; (RA-3c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Produce a control assessment report that documents the results of the assessment; and (CA-2e., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Produces a security assessment report that documents the results of the assessment; and (CA-2c., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; (RA-3b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Proper documentation and reporting of the third party Risk Management process typically includes regular reports of the independent review results of the risk management process to the Board of Directors and senior management. ("Documentation and Reporting" Bullet 8, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • The Risk Assessment shall be carried out in accordance with written policies and procedures and shall be documented. Such policies and procedures shall include: (§ 500.09 Risk Assessment (b), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • The risk assessment shall be carried out in accordance with written policies and procedures and shall be documented. Such policies and procedures shall include: (§ 500.9 Risk Assessment (b), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • Produces a security assessment report that documents the results of the assessment; and (CA-2c., TX-RAMP Security Controls Baseline Level 1)
  • Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; (RA-3b., TX-RAMP Security Controls Baseline Level 1)
  • Produces a security assessment report that documents the results of the assessment; and (CA-2c., TX-RAMP Security Controls Baseline Level 2)
  • Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; (RA-3b., TX-RAMP Security Controls Baseline Level 2)