Update the risk assessment upon changes to the risk profile.


CONTROL ID
11627
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Perform risk assessments for all target environments, as necessary., CC ID: 06452

This Control has the following implementation support Control(s):
  • Review the risk to the audit function when the audit personnel status changes., CC ID: 01153
  • Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed., CC ID: 13312


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • After AIs implement an outsourcing plan, they should regularly re-perform this assessment. (2.2.2, Hong Kong Monetary Authority Supervisory Policy Manual SA-2 Outsourcing, V.1-28.12.01)
  • formal risk assessment is conducted periodically by, for instance, the function(s) designated by the senior management under subsection 3.3.1(i) above or an independent party (such as the assessor), to determine whether any independent assessment should be performed during the year, and if so, the s… (§ 3.3.1(iv), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • the risks associated with e-banking are fully understood and that adequate risk management measures are taken when introducing or enhancing e-banking and thereafter, as there might be changes in risk over time especially as technologies evolve. In this connection, the AI's Board and senior managemen… (§ 3.1.1 (i), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • Apart from independent assessment and penetration tests mentioned in subsections 3.3.1 and 3.3.2, formal risk assessment should be conducted periodically, at least on an annual basis, to ensure that adequate risk management controls have been implemented for Internet banking and financial services d… (§ 3.3.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • Conducting post-mortem analysis and reviews to identify causes of information security incidents, developing corrective actions and reassessing risk, and adjusting controls suitably to reduce the related risks in the future (Critical components of information security 10) (ii) i., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • In view of the constant changes occurring in the internet environment and online delivery channels, management should institute a risk monitoring and compliance regime on an ongoing basis to ascertain the performance and effectiveness of the risk management process. When risk parameters change, the … (Critical components of information security 31) (v), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • A bank needs to regularly assess information security vulnerabilities and evaluate the effectiveness of the existing IT security risk management framework, making any necessary adjustments to ensure emerging vulnerabilities are addressed in a timely manner. This assessment should also be conducted a… (Critical components of information security 30) c) ¶ 3, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • When selecting a DC provider, the FI should obtain and assess the TVRA report on the DC facility. The FI should verify that TVRA reports are current and that the DC provider is committed to address all material vulnerabilities identified. For the FI that chooses to build its own DC, an assessment of… (§ 10.1.4, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should conduct a Threat and Vulnerability Risk Assessment (TVRA) for its data centres (DCs) to identify potential vulnerabilities and weaknesses, and the protection that should be established to safeguard the DCs against physical and environmental threats. In addition, the TVRA should conside… (§ 8.5.1, Technology Risk Management Guidelines, January 2021)
  • The organization should review the gateway security architecture and the security risks of all connected security domains at least annually. (Control: 1041, Australian Government Information Security Manual: Controls)
  • Vulnerability assessments should be performed before the system is used, after any major changes to the system, and as required by the Security Officer. (§ 3.7.31, Australian Government ICT Security Manual (ACSI 33))
  • Financial institutions should identify the ICT and security risks that impact the identified and classified business functions, supporting processes and information assets, according to their criticality. This risk assessment should be carried out and documented annually or at shorter intervals if r… (3.3.3 20, Final Report EBA Guidelines on ICT and security risk management)
  • In particular, the assessment of governance and ICT strategy performed in accordance with Title 2 of these Guidelines should result in findings that inform the summary of findings of the assessment of internal governance and institution-wide controls element of SREP as specified in Title 5 of the EB… (Title 1 14., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Financial entities, other than microenterprises, shall perform a risk assessment upon each major change in the network and information system infrastructure, in the processes or procedures affecting their ICT supported business functions, information assets or ICT assets. (Art. 8.3., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • In case of changes to the environment (e.g. organizational structure, location, changes to regulations), reassessment is carried out in a timely manner. (1.4.1 Requirements (should) Bullet 4, Information Security Assessment, Version 5.1)
  • The organization must perform an annual technical risk assessment and when there is a significant change to an existing operational system. (Mandatory Requirement 32, HMG Security Policy Framework, Version 6.0 May 2011)
  • The organization should periodically review control strategies and risk limitations and adjust the risk profile accordingly. (Principle 6, BIS Sound Practices for the Management and Supervision of Operational Risk)
  • The organization should conduct additional risk assessments after risks are mitigated or after a change to the system. (Annex I ¶ 3(D), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The organization should conduct additional risk assessments for risks that require mitigation and after a change in the supply chain. (Supplement on Tin, Tantalum, and Tungsten Step 3: D, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Upstream companies should conduct additional risk assessments for risks that require mitigation and after a change in the supply chain. (Supplement on Gold Step 3: § I.E, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Downstream companies should conduct additional risk assessments for risks that require mitigation and after a change in the supply chain. (Supplement on Gold Step 3: § II.E, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Review the risk assessment documentation to verify a risk assessment is performed at least annually and after significant changes to the environment. (Testing Procedures § 12.2.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • A risk assessment must be conducted at least annually and after significant changes to the environment. (PCI DSS Requirements § 12.2 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Is the risk assessment process performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.)? (PCI DSS Question 12.2(c), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Is the risk assessment process performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.)? (PCI DSS Question 12.2(c), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • The organization considers changes in management and respective attitudes and philosophies on the system of internal control. (§ 3 Principle 9 Points of Focus: Assesses Changes in Leadership, COSO Internal Control - Integrated Framework (2013))
  • Ongoing monitoring activities need to be performed to periodically reassess risk and the effectiveness of controls to manage risk. (§ 5.1.1 ¶ 2, IIA Global Technology Audit Guide (GTAG) 11: Developing the IT Audit Plan)
  • Internal auditors should ensure that risk management processes have been implemented throughout the organization and should review change management processes regularly. (§ 7 ¶ 5, IIA Global Technology Audit Guide (GTAG) 2:Change and Patch Management Controls: Critical for Organizational Success)
  • The Chief Audit Executive (CAE) should ensure the IT risk assessment process is completed each year and not just an update. (§ 4.5 (Robust IT Risk Assessment), IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • The organization must ensure the risk assessment information is kept up to date and confidential, as necessary, and re-evaluate risks and impacts whenever changes are made to the operating environment, functions, procedures, services, supply chains, and partnerships. The output of the management rev… (§ 4.3.1 ¶ 2(a), § 4.3.1 ¶ 2(b), § 4.6.3 ¶ 1(b), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • Standards / procedures should cover monitoring business changes that affect risk ratings. (SI.02.02.02d, The Standard of Good Practice for Information Security)
  • Standards / procedures should cover monitoring business changes that affect risk ratings. (SI.02.02.02d, The Standard of Good Practice for Information Security, 2013)
  • Risk assessment results shall include updates to security policies, procedures, standards, and controls to ensure that they remain relevant and effective. (GRM-08, Cloud Controls Matrix, v3.0)
  • new or changed activities, products or services; (§ 4.6 ¶ 5 Bullet 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • changes to the structure or strategy of the organization; (§ 4.6 ¶ 5 Bullet 2, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • significant external changes, such as financial-economic circumstances, market conditions, liabilities and client relationships; (§ 4.6 ¶ 5 Bullet 3, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • changes to compliance obligations (see 4.5); (§ 4.6 ¶ 5 Bullet 4, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • update of the risk assessment, business impact analysis, business continuity plans and related procedures; (§ 9.3 ¶ 4 c), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • update of the business impact analysis, risk assessment, business continuity strategies and solutions, and business continuity plans; (§ 9.3.3.1 b), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a). (§ 8.2 ¶ 1, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The compliance risks shall be assessed periodically and whenever there are material changes in circumstances or organizational context. (§ 4.6 ¶ 4, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • The compliance risks shall be assessed periodically and whenever there are material changes in circumstances or organizational context. (§ 6.4 ¶ 3, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The processes that have been defined as a result of the planning described in Clause 6 should be implemented, operated and verified throughout the organization. The following should be considered and implemented: (§ 8.1 Guidance ¶ 1, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • which of these changes or incidents require an additional information security risk assessment; and (§ 8.2 Guidance ¶ 2(a), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • changes to the organization's risk appetite arising from the use of AI; (§ 6.6.1 ¶ 4 Bullet 5, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • Assess and address the impact on stakeholders. While some decisions will negatively impact stakeholders (e.g. refusing a bank loan to a customer), the organization should ensure that such impacts are not exacerbated by the use of AI. Existing risk and impact assessments, together with mitigation pro… (§ 5.5 ¶ 1 Bullet 3, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • Assess organization-wide security and privacy risk and update the risk assessment results on an ongoing basis. (TASK P-3, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • Conduct a system-level risk assessment and update the risk assessment results on an ongoing basis. (TASK P-14, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • The entity considers changes in management and respective attitudes and philosophies on the system of internal control. (CC3.4 ¶ 3 Bullet 3 Assesses Changes in Leadership, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The risk identification process assesses changes in (1) internal and external threats to and vulnerabilities of the components of the entity's systems and (2) the likelihood and magnitude of the resultant risks to the achievement of the entity's objectives. (CC3.4 ¶ 4 Bullet 3 Assesses Changes in Threats and Vulnerabilities, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • If an organization finds that it cannot establish business objectives that support the achievement of strategy while remaining within its risk appetite or capabilities, a review of either the strategy or the risk profile is required. (Aligning Business Objectives ¶ 4, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • An appropriate governing authority (e.g., the Board or one of its committees) endorses and periodically reviews the cyber risk appetite and is regularly informed about the status of and material changes in the organization's inherent cyber risk profile. (GV.SF-3.1, CRI Profile, v1.2)
  • As a part of the cyber risk management program, the organization has documented its cyber risk assessment process and methodology, which are periodically updated to address changes to the risk profile and risk appetite (e.g., new technologies, products, services, interdependencies, and the evolving … (GV.RM-1.3, CRI Profile, v1.2)
  • An appropriate governing authority (e.g., the Board or one of its committees) endorses and periodically reviews the cyber risk appetite and is regularly informed about the status of and material changes in the organization's inherent cyber risk profile. (GV.SF-3.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • As a part of the cyber risk management program, the organization has documented its cyber risk assessment process and methodology, which are periodically updated to address changes to the risk profile and risk appetite (e.g., new technologies, products, services, interdependencies, and the evolving … (GV.RM-1.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the sy… (RA-3e., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the sy… (RA-3e., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the sy… (RA-3e., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the sy… (RA-3e., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • In certain situations, the service auditor may become aware of information that causes the service auditor to reconsider some of the conclusions reached to that point. For example, when obtaining the written representations from management, the service auditor may learn about a previously unknown se… (¶ 3.208, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Paragraph .34 of AT-C section 205 states that the service auditor's assessment of the risks of material misstatement may change during the course of the examination as additional evidence is obtained. If the service auditor obtains evidence from performing further procedures, or if new information i… (¶ 3.181, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The frequency with which service organization management updates the risk assessment and supporting risk management processes and controls (¶ 3.82 Bullet 3, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Evaluating the frequency with which service organization management updates the risk assessment and supporting processes and controls (¶ 3.93 Bullet 3, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In certain situations, the service auditor may become aware of information that causes the service auditor to reconsider some of the conclusions reached to that point. For example, when obtaining the written representations from management, the service auditor may learn about a previously unknown se… (¶ 3.238, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Paragraph .35 of AT-C section 205 states that the service auditor's assessment of the risks of material misstatement may change during the course of the examination as additional evidence is obtained. If the service auditor obtains evidence from performing further procedures, or if new information i… (¶ 3.212, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The practitioner's assessment of the risks of material misstatement may change during the course of the engagement as additional evidence is obtained. In circumstances in which the practitioner obtains evidence from performing further procedures, or if new information is obtained, either of which is… (AT-C Section 205.34, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The entity considers changes in management and respective attitudes and philosophies on the system of internal control. (CC3.4 Assesses Changes in Leadership, Trust Services Criteria)
  • The entity considers changes in management and respective attitudes and philosophies on the system of internal control. (CC3.4 ¶ 3 Bullet 3 Assesses Changes in Leadership, Trust Services Criteria, (includes March 2020 updates))
  • identifies and assesses changes (for example, environmental, regulatory, and technological changes and results of the assessment and monitoring of controls) that could significantly affect the system of internal control, and (CC3.1(4), TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • reassesses, and revises, as necessary, risk assessments and mitigation strategies based on the identified changes. (CC3.1(5), TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • If the unaffiliated third party reviewer recommends changes to the evaluation performed under Requirement R4 or security plan(s) developed under Requirement R5, the Transmission Owner or Transmission Operator shall, within 60 calendar days of the completion of the unaffiliated third party review, fo… (B. R6. 6.3., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-2, Version 2)
  • If the unaffiliated verifying entity recommends that the Transmission Owner add a Transmission station(s) or Transmission substation(s) to, or remove a Transmission station(s) or Transmission substation(s) from, its identification under Requirement R1, the Transmission Owner shall either, within 60 … (B. R2. 2.3., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-2, Version 2)
  • Modify its identification under Requirement R1 consistent with the recommendation; or (B. R2. 2.3. Bullet 1, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-3, Version 3)
  • Modify its evaluation or security plan(s) consistent with the recommendation; or (B. R6. 6.3. Bullet 1, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-3, Version 3)
  • The organization must review and update the risk assessment annually or when significant changes are made to the network, system, or facility. (CSR 1.8.2, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The financial institution's overall risk assessment and profile. (TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:1 Bullet 6, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • The risk assessment is updated to address new technologies, products, services, and connections before deployment. (Domain 1: Assessment Factor: Risk Management, RISK ASSESSMENT Baseline 2 ¶ 3, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Interview management and review responses to pre-examination information requests to identify changes to the technology infrastructure or new products and services that might increase the institution's risk. Consider the following: (App A Objective 1:3, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Financial institution management should develop an effective ITRM process that supports the broader risk management process. As part of the ITRM process, management should perform the following: - Identify risks to information and technology assets within the financial institution or controlled by t… (III IT Risk Management, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Develop or update policies within the risk management function to guide risk measurement activities. (App A Objective 7:4 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Risk assessments should be updated by the auditors on an annual basis or more frequently, if necessary. (Pg 11, Pg 16, FFIEC IT Examination Handbook - Audit, August 2003)
  • Determine whether the RDC risk assessment is updated on a periodic basis as technology, market, customer base, industry, or processes change. Identify the date of the last risk assessment or update. (App A Tier 2 Objectives and Procedures N.2 Bullet 3 Sub-Bullet 6, Sub-Sub Bullet 10, Sub-Sub-Sub Bullet 5, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The organization should monitor the service provider for changes in products, services, and/or risk management practices that could adversely affect the organization. (Pg 3, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, March 2003)
  • Updates the risk assessment [FedRAMP Assignment: annually] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system. (RA-3e. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Updates the risk assessment [FedRAMP Assignment: at least every three (3) years or when a significant change occurs] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions … (RA-3e. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Updates the risk assessment [FedRAMP Assignment: at least every three (3) years or when a significant change occurs] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions … (RA-3e. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Update the supply chain risk assessment [Assignment: organization-defined frequency], when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain. (RA-3(1)(b), FedRAMP Security Controls High Baseline, Version 5)
  • Update the risk assessment [FedRAMP Assignment: annually] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system. (RA-3f., FedRAMP Security Controls High Baseline, Version 5)
  • Update the supply chain risk assessment [Assignment: organization-defined frequency], when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain. (RA-3(1)(b), FedRAMP Security Controls Low Baseline, Version 5)
  • Update the risk assessment [FedRAMP Assignment: at least every three (3) years] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system. (RA-3f., FedRAMP Security Controls Low Baseline, Version 5)
  • Update the supply chain risk assessment [Assignment: organization-defined frequency], when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain. (RA-3(1)(b), FedRAMP Security Controls Moderate Baseline, Version 5)
  • Update the risk assessment [FedRAMP Assignment: at least every three (3) years] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system. (RA-3f., FedRAMP Security Controls Moderate Baseline, Version 5)
  • The organization must conduct an assessment of the security controls at least annually. The assessment must ensure the controls are operating correctly and producing the desired outcome. The risk assessment must be updated whenever there are significant changes to the system or any of the facilities… (§ 5.6.4, § 5.6.13, Exhibit 4 CA-2, Exhibit 4 CA-7, Exhibit 4 RA-4, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Update the risk assessment [Assignment: organization-defined frequency] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system. (RA-3f., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Update the supply chain risk assessment [Assignment: organization-defined frequency], when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain. (RA-3(1)(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Update the risk assessment [Assignment: organization-defined frequency] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system. (RA-3f., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Update the supply chain risk assessment [Assignment: organization-defined frequency], when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain. (RA-3(1)(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Update the risk assessment [Assignment: organization-defined frequency] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system. (RA-3f., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Update the supply chain risk assessment [Assignment: organization-defined frequency], when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain. (RA-3(1)(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Update the risk assessment [Assignment: organization-defined frequency] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system. (RA-3f., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Level 1 activities ultimately provide the overarching context and boundaries within which the enterprise's mission and business processes manage cybersecurity risks throughout the supply chain. Outputs from Level 1 (e.g., C-SCRM Strategy, C-SCRM Policy, Governance, and Operating Model) are further t… (2.3.2. ¶ 12, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Update the risk assessment [Assignment: organization-defined frequency] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system. (RA-3f., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Update the risk assessment [Assignment: organization-defined frequency] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system. (RA-3f., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Update the risk assessment [Assignment: organization-defined frequency] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system. (RA-3f., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Update the risk assessment [Assignment: organization-defined frequency] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system. (RA-3f., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the sy… (RA-3e. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the sy… (RA-3e. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the sy… (RA-3e. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Privacy risk is re-evaluated on an ongoing basis and as key factors, including the organization's business environment (e.g., introduction of new technologies), governance (e.g., legal obligations, risk tolerance), data processing, and systems/products/services change. (GV.MT-P1, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The organization must update the risk assessment whenever there is a significant change to the environment or the system, there are other conditions that impact the system security, or on a defined frequency. (SG.RA-4 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must update the risk assessment whenever there is a significant change to the facilities or the system, there are other conditions that impact the system security or authorization to operate, or on a defined frequency. (SG.RA-5 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must update the risk assessment on a predefined frequency or whenever significant changes occur in the Information System or environment. (App F § RA-3.d, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop, document, and implement a Risk Management strategy for operations, assets, individuals, or other organizations associated with the operation and use of Information Systems; and consistently implement across the organization. (App G § PM-9, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization updates the risk assessment {organizationally documented frequency} or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security sta… (RA-3e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization updates the risk assessment {organizationally documented frequency} or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security sta… (RA-3e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization updates the risk assessment {organizationally documented frequency} or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security sta… (RA-3e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization updates the risk assessment {organizationally documented frequency} or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security sta… (RA-3e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the sy… (RA-3e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the sy… (RA-3e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the sy… (RA-3e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the sy… (RA-3e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Update the supply chain risk assessment [Assignment: organization-defined frequency], when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain. (RA-3(1)(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Update the risk assessment [Assignment: organization-defined frequency] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system. (RA-3f., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Update the supply chain risk assessment [Assignment: organization-defined frequency], when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain. (RA-3(1)(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Update the risk assessment [Assignment: organization-defined frequency] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system. (RA-3f., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the sy… (RA-3e., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The management of risk must be regularly reviewed to monitor whether or not the risk profile has changed and to gain assurance that risk management is effective or if further action is necessary. In addition, processes must be put in place to review whether risks still exist, whether new risks have … (Section II (C) ¶ 1, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • Update the facility SVA within 12 months following significant modifications. (Table 1: Design and Construction Enhanced Security Measures Cell 2, Pipeline Security Guidelines)
  • The Under Secretary must periodically review the threats to aviation and focus on a systems analysis (vulnerability analysis, threat definitions) and future technologies that might be used to threaten aircraft. (§ 44912(b)(1), TITLE 49, Subtitle VII - Aviation Programs, December 5, 2001)
  • Security controls shall be reviewed whenever significant modifications are made to general support systems or at least every 3 years. The scope and frequency of these reviews should be commensurate with the acceptable risk level. (§ A.3.a.3, Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources)
  • Each Covered Entity shall conduct a periodic Risk Assessment of the Covered Entity's Information Systems sufficient to inform the design of the cybersecurity program as required by this Part. Such Risk Assessment shall be updated as reasonably necessary to address changes to the Covered Entity's Inf… (§ 500.09 Risk Assessment (a), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • Each covered entity shall conduct a periodic risk assessment of the covered entity's information systems sufficient to inform the design of the cybersecurity program as required by this Part. Such risk assessment shall be reviewed and updated as reasonably necessary, but at a minimum annually, and w… (§ 500.9 Risk Assessment (a), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • Updates the risk assessment [TX-RAMP Assignment: at least every three (3) years or when a significant change occurs] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions … (RA-3e., TX-RAMP Security Controls Baseline Level 1)
  • Updates the risk assessment [TX-RAMP Assignment: at least every three (3) years or when a significant change occurs] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions … (RA-3e., TX-RAMP Security Controls Baseline Level 2)