Approve the results of the risk assessment as documented in the risk assessment report.
CONTROL ID
07109
CONTROL TYPE
Audits and Risk Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Perform risk assessments for all target environments, as necessary., CC ID: 06452

There are no implementation support Controls.
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The TRM function should formulate a formal technology risk acknowledgement and acceptance process for reviewing, evaluating and approving any major incidents of non-compliance with IT control policies. Typical reasons for such non-compliance are technology limitations (e.g. certain proprietary opera… (2.3.4, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Reviewing the position of security incidents and various information security assessments and monitoring activities across the bank (Information Security Committee ¶ 3 Bullet 4, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • When selecting a DC provider, the FI should obtain and assess the TVRA report on the DC facility. The FI should verify that TVRA reports are current and that the DC provider is committed to address all material vulnerabilities identified. For the FI that chooses to build its own DC, an assessment of… (§ 10.1.4, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The risk analysis on the basis of the defined risk criteria shall be conducted by comparing the target measures and the measures that have been successfully implemented in each case. Other risk-reducing measures due to target measures that have not been implemented completely shall be effectively co… (II.3.13, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • The organization should report the supply chain risk assessment findings to senior management. (Annex I ¶ 3(A), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The organization shall document the evaluation, reporting, and approval of the Risk Analysis, risk evaluation, risk control, and residual risks. (§ 4.4.1 ¶ 2, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • its results are consistent and reproducible (i.e. the identification of risks, their analysis and their evaluation can be understood by a third party and results are the same when different persons assess the risks in the same context); and (§ 6.1.2 Guidance ¶ 9 Bullet 2, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements]. (CA-2(3) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements]. (CA-2(3) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization accepts the results of an assessment of [FedRAMP Assignment: any FedRAMP Accredited 3PAO] performed by [FedRAMP Assignment: any FedRAMP Accredited 3PAO] when the assessment meets [FedRAMP Assignment: the conditions of the JAB/AO in the FedRAMP Repository]. (CA-2(3) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization accepts the results of an assessment of [FedRAMP Assignment: any FedRAMP Accredited 3PAO] performed by [FedRAMP Assignment: any FedRAMP Accredited 3PAO] when the assessment meets [FedRAMP Assignment: the conditions of the JAB/AO in the FedRAMP Repository]. (CA-2(3) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Leverage the results of control assessments performed by [FedRAMP Assignment: any FedRAMP Accredited 3PAO] on [Assignment: organization-defined system] when the assessment meets [FedRAMP Assignment: the conditions of the JAB/AO in the FedRAMP Repository]. (CA-2(3) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Leverage the results of control assessments performed by [FedRAMP Assignment: any FedRAMP Accredited 3PAO] on [Assignment: organization-defined system] when the assessment meets [FedRAMP Assignment: the conditions of the JAB/AO in the FedRAMP Repository]. (CA-2(3) ¶ 1, FedRAMP Security Controls Low Baseline, Version 5)
  • Leverage the results of control assessments performed by [FedRAMP Assignment: any FedRAMP Accredited 3PAO] on [Assignment: organization-defined system] when the assessment meets [FedRAMP Assignment: the conditions of the JAB/AO in the FedRAMP Repository]. (CA-2(3) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Leverage the results of control assessments performed by [Assignment: organization-defined external organization] on [Assignment: organization-defined system] when the assessment meets [Assignment: organization-defined requirements]. (CA-2(3) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Management must review and approve the Privacy Impact Assessment. (SG.PL-4 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization accepts the results of an assessment of {organizationally documented information system} performed by {organizationally documented external organization} when the assessment meets {organizationally documented requirements}. (CA-2(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews risk assessment results {organizationally documented frequency}. (RA-3c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes. (PM-10a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews risk assessment results {organizationally documented frequency}. (RA-3c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews risk assessment results {organizationally documented frequency}. (RA-3c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews risk assessment results {organizationally documented frequency}. (RA-3c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements]. (CA-2(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Leverage the results of control assessments performed by [Assignment: organization-defined external organization] on [Assignment: organization-defined system] when the assessment meets [Assignment: organization-defined requirements]. (CA-2(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Leverage the results of control assessments performed by [Assignment: organization-defined external organization] on [Assignment: organization-defined system] when the assessment meets [Assignment: organization-defined requirements]. (CA-2(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements]. (CA-2(3) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements]. (CA-2(3) ¶ 1, TX-RAMP Security Controls Baseline Level 2)