Disseminate and communicate the approved risk assessment report to interested personnel and affected parties.


CONTROL ID: 10633
CONTROL TYPE: Communicate
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Perform risk assessments for all target environments, as necessary. (CC ID: 06452)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Member States shall ensure that payment service providers provide to the competent authority on an annual basis, or at shorter intervals as determined by the competent authority, an updated and comprehensive assessment of the operational and security risks relating to the payment services they provi… (Art 95(2), DIRECTIVE (EU) 2015/2366 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC)
  • The ICT risk management framework shall be documented and reviewed at least once a year, or periodically in the case of microenterprises, as well as upon the occurrence of major ICT-related incidents, and following supervisory instructions or conclusions derived from relevant digital operational res… (Art. 6.5., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Upon request of the cloud customer, the cloud provider provides information of the results, impacts and risks of these audits and assessments in an appropriate form. If necessary, unscheduled audits can be carried out by independent third parties. (Section 5.16 COM-03 Description of additional requirements (confidentiality and availability) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The management board shall be informed regularly, but at least once a quarter, in particular about the results of the risk analysis as well as any changes in the risk situation. (II.3.14, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • The outcome of risk evaluation should be recorded, communicated and then validated at appropriate levels of the organization. (§ 6.4.4 ¶ 3, ISO 31000 Risk management - Guidelines, 2018)
  • direct reports by, and private sessions with, risk management and compliance management as independent control functions; (§ 6.4.3.3 ¶ 2 Bullet 2, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The organization reports on risk, culture, and performance at multiple levels and across the entity. (Principle 20: Reports on Risk, Culture, and Performance, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Identifying affected stakeholders or customers; and (RS.AN-5.2(4), Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles]. (CA-2d., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and (RA-3d., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles]. (CA-2d., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and (RA-3d., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles]. (CA-2d., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and (RA-3d., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles]. (CA-2d., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and (RA-3d., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • For a primary control center(s) identified by the Transmission Owner according to Requirement R1, Part 1.2 that a) operationally controls an identified Transmission station or Transmission substation verified according to Requirement R2, and b) is not under the operational control of the Transmissio… (B. R3., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-2, Version 2)
  • If a Transmission station or Transmission substation previously identified under Requirement R1 and verified according to Requirement R2 is removed from the identification during a subsequent risk assessment performed according to Requirement R1 or a verification according to Requirement R2, then th… (B. R3. 3.1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-2, Version 2)
  • If a Transmission station or Transmission substation previously identified under Requirement R1 and verified according to Requirement R2 is removed from the identification during a subsequent risk assessment performed according to Requirement R1 or a verification according to Requirement R2, then th… (B. R3. 3.1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-3, Version 3)
  • For a primary control center(s) identified by the Transmission Owner according to Requirement R1, Part 1.2 that a) operationally controls an identified Transmission station or Transmission substation verified according to Requirement R2, and b) is not under the operational control of the Transmissio… (B. R3., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-3, Version 3)
  • Determine whether reports include a written BCM presentation, including the BIA, risk assessment, BCP, exercise and test results, and identified issues. (App A Objective 12:1a, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Financial institution management should develop an effective ITRM process that supports the broader risk management process. As part of the ITRM process, management should perform the following: - Identify risks to information and technology assets within the financial institution or controlled by t… (III IT Risk Management, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Whether risk assessment and compliance status are communicated to senior management and the board of directors. (App A Tier 1 Objectives and Procedures Objective 11:1 Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Identify and describe the RDC customer risk management reports recommended by financial institution management. Discuss how financial institution management validates that RDC customers review the reports. Examples include: (App A Tier 2 Objectives and Procedures N.9 Bullet 4 Sub-Bullet 6, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Identify and describe the monitoring reports used by the financial institution to manage risk. Obtain copies of reports used and review the monitoring process with appropriate financial institution staff. Discuss with appropriate financial institution staff the internal processes for responding to e… (App A Tier 2 Objectives and Procedures N.9 Bullet 4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Provides the results of the security control assessment to [FedRAMP Assignment: individuals or roles to include FedRAMP PMO]. (CA-2d. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and (RA-3d. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Provides the results of the security control assessment to [FedRAMP Assignment: individuals or roles to include FedRAMP PMO]. (CA-2d. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Provides the results of the security control assessment to [FedRAMP Assignment: individuals or roles to include FedRAMP PMO]. (CA-2d. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and (RA-3d. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and (RA-3d. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Provide the results of the control assessment to [FedRAMP Assignment: individuals or roles to include FedRAMP PMO]. (CA-2f., FedRAMP Security Controls High Baseline, Version 5)
  • Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and (RA-3e., FedRAMP Security Controls High Baseline, Version 5)
  • Provide the results of the control assessment to [FedRAMP Assignment: individuals or roles to include FedRAMP PMO]. (CA-2f., FedRAMP Security Controls Low Baseline, Version 5)
  • Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and (RA-3e., FedRAMP Security Controls Low Baseline, Version 5)
  • Provide the results of the control assessment to [FedRAMP Assignment: individuals or roles to include FedRAMP PMO]. (CA-2f., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and (RA-3e., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Provide the results of the control assessment to [Assignment: organization-defined individuals or roles]. (CA-2f., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and (RA-3e., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Provide the results of the control assessment to [Assignment: organization-defined individuals or roles]. (CA-2f., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and (RA-3e., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Provide the results of the control assessment to [Assignment: organization-defined individuals or roles]. (CA-2f., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and (RA-3e., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Provide the results of the control assessment to [Assignment: organization-defined individuals or roles]. (CA-2f., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and (RA-3e., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Provide the results of the control assessment to [Assignment: organization-defined individuals or roles]. (CA-2f., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and (RA-3e., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and (RA-3e., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and (RA-3e., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Provide the results of the control assessment to [Assignment: organization-defined individuals or roles]. (CA-2f., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and (RA-3e., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Provide the results of the control assessment to [Assignment: organization-defined individuals or roles]. (CA-2f., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles]. (CA-2d. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles]. (CA-2d. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles]. (CA-2d. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and (RA-3d. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and (RA-3d. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and (RA-3d. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization disseminates risk assessment results to {organizationally documented personnel}. (RA-3d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization disseminates risk assessment results to {organizationally documented roles}. (RA-3d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization disseminates risk assessment results to {organizationally documented personnel}. (RA-3d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization disseminates risk assessment results to {organizationally documented roles}. (RA-3d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization disseminates risk assessment results to {organizationally documented personnel}. (RA-3d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization disseminates risk assessment results to {organizationally documented roles}. (RA-3d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization disseminates risk assessment results to {organizationally documented personnel}. (RA-3d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization disseminates risk assessment results to {organizationally documented roles}. (RA-3d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles]. (CA-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and (RA-3d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles]. (CA-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and (RA-3d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles]. (CA-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and (RA-3d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and (RA-3d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles]. (CA-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and (RA-3e., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provide the results of the control assessment to [Assignment: organization-defined individuals or roles]. (CA-2f., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and (RA-3e., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Provide the results of the control assessment to [Assignment: organization-defined individuals or roles]. (CA-2f., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles]. (CA-2d., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and (RA-3d., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Report to the Board. Each national bank or Federal savings association shall report to its board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and the national bank's or Federal savings association's com… (§ III. F., Appendix B of OCC 12 CFR Part 30, Safety and Soundness Standards)
  • Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles]. (CA-2d., TX-RAMP Security Controls Baseline Level 1)
  • Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and (RA-3d., TX-RAMP Security Controls Baseline Level 1)
  • Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles]. (CA-2d., TX-RAMP Security Controls Baseline Level 2)
  • Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and (RA-3d., TX-RAMP Security Controls Baseline Level 2)