Establish, implement, and maintain a threat and risk classification scheme.


CONTROL ID
07183
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain risk assessment procedures., CC ID: 06446

This Control has the following implementation support Control(s):
  • Document organizational risk criteria., CC ID: 12277
  • Include security threats and vulnerabilities in the threat and risk classification scheme., CC ID: 00699
  • Include an analysis of system interdependencies in the threat and risk classification scheme., CC ID: 13056
  • Categorize the systems, information, and data by risk profile in the threat and risk classification scheme., CC ID: 01443
  • Include risks to critical personnel and assets in the threat and risk classification scheme., CC ID: 00698
  • Include the traceability of malicious code in the threat and risk classification scheme., CC ID: 06600
  • Assign a probability of occurrence to all types of threats in the threat and risk classification scheme., CC ID: 01173
  • Approve the threat and risk classification scheme., CC ID: 15693


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The FI should develop a threat and vulnerability matrix to assess the impact of the threat to its IT environment. The matrix will also assist the FI in prioritising IT risks. (§ 4.3.3, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • To facilitate the classification process, the FI should clearly define criteria to categorise problems by severity level. To effectively monitor and escalate problems, the FI should establish target resolution time as well as appropriate escalation processes for each severity level. (§ 7.4.3, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • incident, risk and information classification schemes. (ANNEX I ¶ 1(2)(c)(ii), Directive (EU) 2016/1148 OF The European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
  • Financial entities shall classify cyber threats as significant based on the criticality of the services at risk, including the financial entity's transactions and operations, number and/or relevance of clients or financial counterparts targeted and the geographical spread of the areas at risk. (Art. 18.2., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Depending on the selected method for risk analysis, the information security management must define how basic threats, potentials for causing damage, probabilities of occurrence, and the risks resulting thereof should be classified and assessed. However, it is difficult, complex, and moreover prone … (§ 8.1 Subsection 2 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Define the "normal", "high", and "very high" protection requirements categories, or adapt them accordingly to the organization. (4.3.1 Bullet 2, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • If possible, at this point in time it should be assessed whether the identified objects require a higher security level than "normal". (§ 3.2.4 ¶ 5, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Regarding later considerations, it can be reasonable to assess the intended security level of the individual assets already at an earlier point in time. However, the actual determination of the required protection should be performed at a later point in time. Such assessment of the security level pr… (§ 3.2.4 Subsection 2 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Classification of risks: Risk analysis has two stages. Here, for every target object and every threat an assessment is performed assuming that security safeguards have already been implemented or planned. These are usually the security safeguards which have been derived from the basic and standard r… (§ 8.5 Subsection 1 ¶ 6 Bullet 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • In practice, the result of the classification of risks are, in most cases, several threats resulting in "Medium", "High" or "Very high" risks. (§ 6.1 ¶ 2, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • If additional security requirements are identified as part of the risk treatment, the risk classification (see examples below) must be adjusted for the target objects concerned. In this respect, it must be taken into account that new requirements might not only have effects on the respective target … (§ 6.1 ¶ 10, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • These supplemental security safeguards must be documented and earmarked. The risks are monitored, and as soon as they are no longer acceptable, the earmarked supplemental security safeguards are checked, updated if necessary and included in the security concept. The risk classification is correspond… (§ 6.2 ¶ 2, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • The aim of the following work steps is to produce, as a starting point for the risk analysis, a summary of the threats to which the information system's target objects under review are subject. The result of this preliminary work (see Section 2) is a list of (prioritised) target objects for which a … (§ 4 ¶ 1, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • The significance of an impact is assessed in relation to the other impacts the organization has identified. The organization should arrange its impacts from most to least significant and define a cut-off point or threshold to determine which of the impacts it will focus its reporting on. The organiz… (§ 1. Step 4. Setting a threshold to determine which topics are material ¶ 1, GRI 3: Material Topics 2021)
  • The organization should document the risk analysis and the results, including the reasoning for the critical or non-critical classifications and identifying the risks that could potentially impact GxP compliance. (¶ 14.3, Good Practices For Computerized systems In Regulated GXP Environments)
  • Clearly define and communicate the characteristics of potential security incidents so they can be properly classified and treated by the incident and problem management process. (DS5.6 Security Incident Definition, CobiT, Version 4.1)
  • Examine the policies and procedures to verify there are defined processes for assigning a risk ranking to the vulnerabilities, including identifying all "high risk" and "critical" vulnerabilities. (Testing Procedures § 6.1.a Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview responsible personnel and observe processes to verify that a risk ranking has been assigned to new vulnerabilities, including "high" risk and "critical" vulnerabilities. (Testing Procedures § 6.1.b Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • A process, that uses reputable outside sources for security vulnerability information, must be established to identify security vulnerabilities and assign the new vulnerabilities a risk rating. (PCI DSS Requirements § 6.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Is there a process to identify security vulnerabilities, including the following: - Using reputable outside sources for vulnerability information? - Assigning a risk ranking to vulnerabilities that includes identification of all “high” risk and “critical” vulnerabilities? (6.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures. (CIS Control 19: Sub-Control 19.8 Create Incident Scoring and Prioritization Schema, CIS Controls, 7.1)
  • Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures. (CIS Control 19: Sub-Control 19.8 Create Incident Scoring and Prioritization Schema, CIS Controls, V7)
  • the nature and level of risk associated with noncompliance; (§ 5.2.2 ¶ 1 d), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • establishes the context of the assessment, defines criteria and evaluates the potential impact of a disruptive incident, (§ 8.2.1 ¶ 1 a), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • While risk criteria should be established at the beginning of the risk assessment process, they are dynamic and should be continually reviewed and amended, if necessary. (§ 6.3.4 ¶ 2, ISO 31000 Risk management - Guidelines, 2018)
  • The organization should specify the amount and type of risk that it may or may not take, relative to objectives. It should also define criteria to evaluate the significance of risk and to support decision-making processes. Risk criteria should be aligned with the risk management framework and custo… (§ 6.3.4 ¶ 1, ISO 31000 Risk management - Guidelines, 2018)
  • determine the levels of risk; (Section 6.1.2 ¶ 1(d)(3), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • Level of risks should be compared against risk evaluation criteria and risk acceptance criteria. (§ 8.4 Action:, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • Wrongdoing occurs for three reasons: people make mistakes (out of confusion or ignorance), people have a moment of weakness of will, or people choose to do harm. Knowing that any one of these three things can take place, an organization must align core values and behaviors to help people avoid mista… (Responding to Deviations in Core Values and Behaviors ¶ 2, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Risk prioritization occurs at all levels of an entity, and different risks may be assigned different priorities at different levels. For example, high-priority risks at the operating level may be evaluated as low-priority risks at the entity level. The organization assigns a priority at the level at… (Prioritizing at All Levels ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The cyber risk assessment process is consistent with the organization's policies and procedures and includes criteria for the evaluation and categorization of enterprise-specific cyber risks and threats. (GV.RM-1.4, CRI Profile, v1.2)
  • The organization has established threat modeling capabilities to identify how and why critical assets might be compromised by a threat actor, what level of protection is needed for those critical assets, and what the impact would be if that protection failed. (ID.RA-5.3, CRI Profile, v1.2)
  • The cyber risk assessment process is consistent with the organization's policies and procedures and includes criteria for the evaluation and categorization of enterprise-specific cyber risks and threats. (GV.RM-1.4, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization has established threat modeling capabilities to identify how and why critical assets might be compromised by a threat actor, what level of protection is needed for those critical assets, and what the impact would be if that protection failed. (ID.RA-5.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Inventorying, tiering, and assessing, on a periodic basis, threats arising from relationships with vendors and business partners (and those entities' vendors and business partners) and the vulnerability of the entity's objectives to those threats. Examples of risks may include (¶ 3.164 Bullet 3, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Provisions to evaluate evolving physical threats, and their corresponding security measures, to the Transmission station(s), Transmission substation(s), or primary control center(s). (B. R5. 5.4., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-2, Version 2)
  • Provisions to evaluate evolving physical threats, and their corresponding security measures, to the Transmission station(s), Transmission substation(s), or primary control center(s). (B. R5. 5.4., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-3, Version 3)
  • Catalog and periodically update threat profiles and adversary TTPs. (RM.4.149, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Catalog and periodically update threat profiles and adversary TTPs. (RM.4.149, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Determine whether management conducts a risk assessment sufficient to evaluate the likelihood and impact of potential disruptions and events. (III.B, "Risk Assessment") (App A Objective 5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Types of threats and hazards. (App A Objective 5:2a Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Determine whether the risk assessment includes the impact and likelihood of potential disruptive events, including worst-case scenarios. (App A Objective 5:4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • A method or taxonomy for categorizing threats, sources, and vulnerabilities. (App A Objective 4.2.b, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether the risk identification process produces manageable groupings of information security threats, including cybersecurity threats. Review whether management has the following: (App A Objective 4.2, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Verification that information and cybersecurity risks are appropriately identified, measured, mitigated, monitored, and reported. (App A Objective 6.31.g, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Using threat knowledge to drive risk assessment and response. (App A Objective 8.3.d, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should oversee outsourced operations through the following: - Appropriate due diligence in third-party research, selection, and relationship management. - Contractual assurances for security responsibilities, controls, and reporting. - Nondisclosure agreements regarding the institution'… (II.C.20 Oversight of Third-Party Service Providers, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should do the following: - Identify and assess threats. - Use threat knowledge to drive risk assessment and response. - Design policies to allow immediate and consequential threats to be dealt with expeditiously. (III.A Threat Identification and Assessment, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Financial institution management should develop risk measurement processes that include the following elements: - Measuring risk using qualitative, quantitative, or a hybrid of methods. - Recognizing that risks do not exist in isolation. - Prioritizing the risks based on the results of risk measurem… (III.B Risk Measurement, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Financial institution management should develop an effective ITRM process that supports the broader risk management process. As part of the ITRM process, management should perform the following: - Identify risks to information and technology assets within the financial institution or controlled by t… (III IT Risk Management, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Establishes a formal process to obtain, analyze, and respond to information on threats and vulnerabilities by developing a repeatable threat intelligence and collaboration program. (App A Objective 2:8 f., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether IT management participates in the enterprise-wide risk management process to identify and measure risk from the use of IT, support decisions on how to mitigate the risks, implement the mitigation decisions, and monitor and report on the resulting outcomes. (App A Objective 8:4, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • A risk measurement process using an evidence-based approach to measure the level of risk and determine if it is in line with the board's risk appetite. (App A Objective 9:2 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Maintains an inventory of assets, event classes, threats, and existing controls. (App A Objective 10:1 a., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether management's risk measurement process includes the determination of risk factors (such as adverse events, threats, and controls) and the affected assets. Determine whether management develops inventories of those risk factors. Specifically, determine whether management does the fol… (App A Objective 11:1, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether the institution has a risk management program and whether the program includes an integrated approach for enterprise-wide risk management, including identification, measurement, mitigation, monitoring, and reporting of risk. If applicable, determine whether the structure conforms t… (App A Objective 7:1, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Context is established and understood. (MAP 1, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
  • Review and update risk framing considerations [Assignment: organization-defined frequency]. (PM-28c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Assess risk. Review and interpret criticality, threat, vulnerability, likelihood, impact, and related information. (2. ¶ 1 Bullet 2, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Review and update risk framing considerations [Assignment: organization-defined frequency]. (PM-28c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Determine the extent of threats and recommend courses of action or countermeasures to mitigate risks. (T0360, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Identify and evaluate threat critical capabilities, requirements, and vulnerabilities. (T0710, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Determine the risk from the operation or use of a system or the provision or use of common controls. (T0957, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Identify assumptions that affect how risk is assessed, responded to, and monitored within the organization. (Task 1-1, NIST SP 800-39, Managing Information Security Risk)
  • Identify and evaluate threat critical capabilities, requirements, and vulnerabilities. (T0710, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Determine the extent of threats and recommend courses of action or countermeasures to mitigate risks. (T0360, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Determine the risk from the operation or use of a system or the provision or use of common controls. (T0957, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Review and update risk framing considerations [Assignment: organization-defined frequency]. (PM-28c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Review and update risk framing considerations [Assignment: organization-defined frequency]. (PM-28c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Identify assumptions that affect how risk is assessed, responded to, and monitored within the organization. (2.2.1 TASK 1-1:, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • be clear about the difference between inherent and residual risk. (Section II (B2) ¶ 3 (3), OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • criteria for the evaluation and categorization of identified cybersecurity risks or threats facing the Covered Entity; (§ 500.09 Risk Assessment (b)(1), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • criteria for the evaluation and categorization of identified cybersecurity risks or threats facing the Covered Entity; (§ 500.9 Risk Assessment (b)(1), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)