Establish, implement, and maintain a risk management program.


CONTROL ID
12051
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Audits and risk management, CC ID: 00677

This Control has the following implementation support Control(s):
  • Include the scope of risk management activities in the risk management program., CC ID: 13658
  • Integrate the risk management program with the organization's business activities., CC ID: 13661
  • Integrate the risk management program into daily business decision-making., CC ID: 13659
  • Include managing mobile risks in the risk management program., CC ID: 13535
  • Take into account if the system will be accessed by or have an impact on children in the risk management program., CC ID: 14992
  • Include regular updating in the risk management system., CC ID: 14990
  • Establish, implement, and maintain risk management strategies., CC ID: 13209
  • Establish, implement, and maintain the risk assessment framework., CC ID: 00685
  • Include risk responses in the risk management program., CC ID: 13195
  • Document residual risk in a residual risk report., CC ID: 13664
  • Establish, implement, and maintain a cybersecurity risk management strategy., CC ID: 11991
  • Establish, implement, and maintain a supply chain risk management policy., CC ID: 14663
  • Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties., CC ID: 14662
  • Establish, implement, and maintain a supply chain risk management plan., CC ID: 14713
  • Include supply chain risk management procedures in the risk management program., CC ID: 13190
  • Disseminate and communicate the risk management policy to interested personnel and affected parties., CC ID: 13792


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • As part of the risk governance for e-banking, AIs' senior management should establish clear policies and accountability to ensure that stringent independent assessment is performed before the launch of any new electronic delivery channel of e-banking service, or a major enhancement to existing servi… (§ 3.3.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • AIs should closely monitor trends and developments in emerging fraudulent techniques related to the use of e-banking channels, and regularly enhance or adjust their fraud monitoring systems and remediation process whenever there is a need. During the process, AIs should take into account any fraud i… (§ 8.1.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • Licensed corporations are reminded of their obligations under the Management, Supervision and Internal Control Guidelines for Persons Licensed by or Registered with the Securities and Futures Commission (a) to have effective policies and procedures for the proper management of risks to which the fir… (11., Circular to Licensed Corporations - Use of external electronic data storage)
  • Identifying, selecting and implementing appropriate controls. Providing proportional response including considerations like productivity, cost effectiveness, and the value of the asset (Critical components of information security 2) 3) Bullet 5, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The following are the important Application control and risk mitigation measures that need to be implemented by banks: (Critical components of information security 11) c., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Establishing a rigorous, ongoing risk management process. (Critical components of information security 24) viii. ¶ 1 k., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • In view of the constant changes occurring in the internet environment and online delivery channels, management should institute a risk monitoring and compliance regime on an ongoing basis to ascertain the performance and effectiveness of the risk management process. When risk parameters change, the … (Critical components of information security 31) (v), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Effective risk management practices and internal controls should be instituted to achieve data confidentiality, system security, reliability, resiliency and recoverability in the organisation. (§ 4.0.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Risk parameters may shift as the IT environment and delivery channels change. Thus, the FI should review and update the risk processes accordingly, and conduct a re-evaluation of past risk-control methods with renewed testing and assessment of the adequacy and effectiveness of risk management proces… (§ 4.5.3, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Technology is a key business enabler in the financial sector and FIs rely on technology to deliver financial services. It is vital that the FI's board of directors and senior management ensure effective internal controls and risk management practices are implemented to achieve security, reliability … (§ 3.1.1, Technology Risk Management Guidelines, January 2021)
  • establishing the technology risk management framework and strategy; (§ 3.1.8(a), Technology Risk Management Guidelines, January 2021)
  • Effective risk management practices and internal controls should be instituted to achieve data confidentiality and integrity, system security and reliability, as well as stability and resilience in its IT operating environment. (§ 4.1.2, Technology Risk Management Guidelines, January 2021)
  • ensuring a sound and robust risk management framework is established and maintained to manage technology risks; (§ 3.1.7(a), Technology Risk Management Guidelines, January 2021)
  • As business and IT environments, as well as the cyber threat landscape, tend to evolve over time, the FI should review the adequacy and effectiveness of its risk management framework regularly. (§ 4.1.5, Technology Risk Management Guidelines, January 2021)
  • The FI should establish a risk management framework to manage technology risks. Appropriate governance structures and processes should be established, with well-defined roles, responsibilities, and clear reporting lines across the various organisational functions. (§ 4.1.1, Technology Risk Management Guidelines, January 2021)
  • ensuring sound and prudent policies, standards and procedures for managing technology risks are established and maintained, and that standards and procedures are implemented effectively; (§ 3.1.8(c), Technology Risk Management Guidelines, January 2021)
  • Institute a risk management framework to identify the security threats to the protection of personal data, assess the risks involved and determine the controls to remove or reduce them. (Annex A1: Risk Management 6, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • A regulated institution would normally manage the initial development and continuing updates to the IT security risk management framework as an ongoing program of work. Subject to the materiality of changes to the IT security risk management framework, the body of work would typically be managed as … (¶ 31, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • APRA envisages that a regulated institution would regularly assess IT security vulnerabilities and evaluate the effectiveness of the existing IT security risk management framework, making any necessary adjustments to ensure emerging vulnerabilities are treated in a timely manner. This assessment wou… (¶ 30, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • In APRA's view, the IT security risk management framework would encapsulate the expectations of the Board and senior management, have a designated owner(s), and outline the roles and responsibilities of staff to ensure the achievement of effective IT security risk management outcomes. The framework … (¶ 25, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Financial institutions should ensure that the ICT and security risk management framework is documented, and continuously improved, based on 'lessons learned' during its implementation and monitoring. The ICT and security risk management framework should be approved and reviewed, at least once a year… (3.3.1 14, Final Report EBA Guidelines on ICT and security risk management)
  • Financial institutions should identify and manage their ICT and security risks. The ICT function(s) in charge of ICT systems, processes and security operations should have appropriate processes and controls in place to ensure that all risks are identified, analysed, measured, monitored, managed, rep… (3.3.1 10, Final Report EBA Guidelines on ICT and security risk management)
  • ICT risk management policy, processes and risk tolerance thresholds; (Title 3 3.3 46.a, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Competent authorities should review whether the institution has appropriate risk management policies, processes and tolerance thresholds in place for the identified material ICT risks. These can be a part of the operational risk management framework or a separate document. For this assessment compet… (Title 3 3.3.1 49., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment ins… (4.5 32, Final Report on EBA Guidelines on outsourcing arrangements)
  • A risk management system shall be established, implemented, documented and maintained in relation to high-risk AI systems. (Article 9 1., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • For credit institutions regulated by Directive 2013/36/EU, the aspects described in paragraphs 1 to 8 shall be part of the risk management procedures established by those institutions pursuant to Article 74 of that Directive. (Article 9 9., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • Member States shall ensure that payment service providers establish a framework with appropriate mitigation measures and control mechanisms to manage the operational and security risks, relating to the payment services they provide. As part of that framework, payment service providers shall establis… (Art 95(1), DIRECTIVE (EU) 2015/2366 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC)
  • incident and risk-handling procedures; (ANNEX I ¶ 1(2)(c)(i), Directive (EU) 2016/1148 OF The European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
  • Policies and instructions for the general procedure applicable to the identification, analysis, assessment and handling of risks and IT risks in particular are documented, communicated and provided according to SA-01. (Section 5.1 OIS-06 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The procedures for the identification, analysis, assessment and handling of risks, including the IT risks relevant to the cloud service are done at least once a year in order to take internal and external changes and influencing factors into account. The identified risks are comprehensibly documente… (Section 5.1 OIS-07 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The components of an information risk management system shall be implemented in line with the competencies of all the key parties and functions involved and with no conflicts of interest. (II.3.9, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems. (2.1.1 Principle 3 Management and control, Principles for Businesses)
  • The purpose of the risk management practice is to ensure that the organization understands and effectively handles risks. Managing risk is essential to ensuring the ongoing sustainability of an organization and creating value for its customers. Risk management is an integral part of all organization… (5.1.10 ¶ 1, ITIL Foundation, 4 Edition)
  • Work with the board to define the enterprise's appetite for IT risk, and obtain reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board's risk appetite. Embed risk management responsibilities into the organisation, ensuring t… (ME4.5 Risk Management, CobiT, Version 4.1)
  • Establish an IT risk management framework that is aligned to the organisation's (enterprise's) risk management framework. (PO9.1 IT Risk Management Framework, CobiT, Version 4.1)
  • The board of directors retains oversight responsibility for management’s design, implementation, and conduct of internal control: – Control Environment — Establishing integrity and ethical values, oversight structures, authority and responsibility, expectations of competence, and accountabilit… (§ 3 Principle 2 Points of Focus: Provides Oversight for the System of Internal Controls, COSO Internal Control - Integrated Framework (2013))
  • Establish a formal, documented, and leadership-sponsored Enterprise Risk Management (ERM) program that includes policies and procedures for identification, evaluation, ownership, treatment, and acceptance of cloud security and privacy risks. (GRC-02, Cloud Controls Matrix, v4.0)
  • The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in 6.1, by: (§ 8.1 ¶ 1, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization should continually improve the suitability, adequacy and effectiveness of the risk management framework and the way the risk management process is integrated. (§ 5.7.2 ¶ 1, ISO 31000 Risk management - Guidelines, 2018)
  • The organization should continually monitor and adapt the risk management framework to address external and internal changes. In doing so, the organization can improve its value. (§ 5.7.1 ¶ 1, ISO 31000 Risk management - Guidelines, 2018)
  • This will help the organization to: - align risk management with its objectives, strategy and culture; - recognize and address all obligations, as well as its voluntary commitments; - establish the amount and type of risk that may or may not be taken to guide the development of risk criteria, ensu… (§ 5.2 ¶ 2, ISO 31000 Risk management - Guidelines, 2018)
  • The purpose of monitoring and review is to assure and improve the quality and effectiveness of process design, implementation and outcomes. Ongoing monitoring and periodic review of the risk management process and its outcomes should be a planned part of the risk management process, with responsibil… (§ 6.6 ¶ 1, ISO 31000 Risk management - Guidelines, 2018)
  • The organization should evaluate its existing risk management practices and processes, evaluate any gaps and address those gaps within the framework. (§ 5.1 ¶ 3, ISO 31000 Risk management - Guidelines, 2018)
  • Top management and oversight bodies, where applicable, should demonstrate and articulate their continual commitment to risk management through a policy, a statement or other forms that clearly convey an organization's objectives and commitment to risk management. The commitment should include, but i… (§ 5.4.2 ¶ 1, ISO 31000 Risk management - Guidelines, 2018)
  • address the risks and opportunities as determined in accordance with the requirements of 6.1; (4.4.1 ¶ 2(f), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • actions to address these risks and opportunities; (6.1.2 ¶ 1(a), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • evaluate the effectiveness of these actions. (Section 6.1.1 ¶ 2(b) bullet 2, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • actions to address these risks and opportunities and their priorities; (§ 6.1.3 ¶ 1(a), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • results of risk assessment and the effectiveness of actions taken to address risks and opportunities; (§ 9.3 ¶ 2(k), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • The organization and responsibilities for the information security risk management process should be set up and maintained. The following are the main roles and responsibilities of this organization: (§ 7.4 ¶ 1, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • The information security risk management process should be continually monitored, reviewed and improved as necessary and appropriate. (§ 12.2 Action:, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • obtain and maintain confidence in the risk management capability of the auditee; (§ 5.2.2 ¶ 1 Bullet 2, ISO/IEC 27007:2020, Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing, Third Edition)
  • The cloud service customer should implement cryptographic controls for its use of cloud services if justified by the risk analysis. The controls should be of sufficient strength to mitigate the identified risks, whether those controls are supplied by the cloud service customer or by the cloud servic… (§ 10.1.1 Table: Cloud service customer, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • The organization pursues improvement of enterprise risk management. (Principle 17: Pursues Improvement in Enterprise Risk Management, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The board of directors ultimately holds the chief executive officer accountable for managing the risk faced by the entity by establishing enterprise risk management practices and capabilities to support the achievement of the entity's strategy and business objectives. The chief executive officer and… (Enforcing Accountability ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Effective communication between the board of directors and management is critical for organizations to achieve the strategy and business objectives and to seize opportunities within the business environment. Communicating about risks starts by defining risk responsibilities clearly: who needs to kno… (Communicating with the Board ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Even those entities with suitable enterprise risk management can become more efficient. By embedding continual evaluations into business practices, organizations can systematically identify potential improvements to their enterprise risk management practices. Separate evaluations may also be helpful… (Pursuing Improvement ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The organization's cyber risk management framework provides for segregation of duties between policy development, implementation, and oversight to ensure rigorous review of both policy and implementation. (GV.RM-3.3, CRI Profile, v1.2)
  • The organization's cyber risk management framework provides for segregation of duties between policy development, implementation, and oversight to ensure rigorous review of both policy and implementation. (GV.RM-3.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Reading documents (such as board minutes, organization charts, and communications about the security, availability, and processing integrity of the system and the confidentiality or privacy of the information it uses) to understand the service organization's risk governance structure and processes, … (¶ 3.59 Bullet 7, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The frequency with which service organization management updates the risk assessment and supporting risk management processes and controls (¶ 3.82 Bullet 3, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Assess the sufficiency of policies, procedures, Information Systems and other safeguards in place to manage these threats, including consideration of threats in each relevant area of the Licensee's operations, including: (Section 4.C ¶ 1(4), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks. (§ II.B(3), 12 CFR Appendix F to Part 225 - Interagency Guidelines Establishing Information Security Standards)
  • The sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks. (Supplement A § I.B.1(c), 12 CFR Appendix F to Part 225 - Interagency Guidelines Establishing Information Security Standards)
  • implementing policies and procedures to cost-effectively reduce risks to an acceptable level; and (§ 3554(a)(2)(C), Federal Information Security Modernization Act of 2014)
  • Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a). (§ 164.308(a)(1)(ii)(B), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Determine whether appropriate risk management over the business continuity process is in place and if the financial institution's and TSP's risk management strategies consider wide-scale recovery scenarios designed to achieve industry-wide resilience. (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether audit reports to the board and provides an assessment of management's ability to manage and control risks related to continuity and resilience. (App A Objective 3:2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Roles, responsibilities, procedures, and reporting mechanisms for risk management in AIO activities. (App A Objective 2:8b Bullet 6, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management identification and evaluation of AIO-related risks, definition of short- and long-term objectives, and creation of policies and procedures to mitigate those risks. (App A Objective 2:2b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Policies, standards, and procedures. (App A Objective 2:1e, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • ERM. (App A Objective 2:1c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Review of the entity's AIO functions and activities and management's ability to oversee and control AIO-related risks. (App A Objective 2:11a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Threat identification and assessment. (App A Objective 8.1.i, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Maintaining procedures for obtaining, monitoring, assessing, and responding to evolving threat and vulnerability information. (App A Objective 8.3.a, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Designing policies to allow immediate and consequential threats to be dealt with expeditiously. (App A Objective 8.3.e, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should do the following: - Identify and assess threats. - Use threat knowledge to drive risk assessment and response. - Design policies to allow immediate and consequential threats to be dealt with expeditiously. (III.A Threat Identification and Assessment, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • As part of the governance structure, financial institution management should ensure development, implementation, and maintenance of the following: - An effective IT risk management structure. - A comprehensive information security program. - A formal project management process. - An enterprise-wide … (I.B IT Responsibilities and Functions, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Implements effective IT governance and IT risk management processes, including those that relate to cybersecurity. (App A Objective 2:8 a., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Reviews, understands, approves, and provides for at least annual reviews of ITRM processes. (App A Objective 2:8 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Review the institution's management of operational risk, and verify that the risk management process includes aspects of operational risk across the institution, including the following: (App A Objective 8:1, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Is regularly updated with a frequency appropriate for the pace of change. (App A Objective 9:3 a., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether IT management has developed adequate policies, standards, and procedures to manage the risk from technology and that they are current, documented, and appropriately communicated. Policies, standards, and procedures should address the following: (App A Objective 12:4, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine the effectiveness of the risk management program by reviewing whether it receives appropriate direction and support from the board and senior management. (App A Objective 7:2, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether the board of directors oversees and senior management proactively mitigates operational risk. (App A Objective 8, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether management implements an ITRM process that supports the overall enterprise-wide risk management process. (App A Objective 9, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether the institution has a risk management program and whether the program includes an integrated approach for enterprise-wide risk management, including identification, measurement, mitigation, monitoring, and reporting of risk. If applicable, determine whether the structure conforms t… (App A Objective 7:1, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Designed and implemented a program to control risks; (TIER II OBJECTIVES AND PROCEDURES D.2. Bullet 2, FFIEC IT Examination Handbook - Audit, April 2012)
  • Financial institutions engaged in retail payment systems should establish an appropriate risk management process that identifies, measures, monitors, and limits risks. Management and the board should manage and mitigate the identified risks through effective internal and external audit, physical and… (Retail Payment Systems Risk Management, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Identify and describe the monitoring reports used by the financial institution to manage risk. Obtain copies of reports used and review the monitoring process with appropriate financial institution staff. Discuss with appropriate financial institution staff the internal processes for responding to e… (App A Tier 2 Objectives and Procedures N.9 Bullet 4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Review and update the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes. (PM-9c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Review and update the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes. (PM-9c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The CSP shall comply with its respective records retention policies in accordance with applicable laws, regulations, and policies, including any NARA records retention schedules that may apply. If the CSP opts to retain records in the absence of any mandatory requirements, the CSP SHALL conduct a ri… (4.2.5 ¶ 1, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • The CSP shall comply with its respective records retention policies in accordance with applicable laws, regulations, and policies, including any NARA records retention schedules that may apply. If the CSP opts to retain records in the absence of any mandatory requirements, the CSP SHALL conduct a ri… (4.3.5 ¶ 1, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • The CSP shall comply with its respective records retention policies in accordance with applicable laws, regulations, and policies, including any National Archives and Records Administration (NARA) records retention schedules that may apply. If the CSP opts to retain records in the absence of any man… (4.1.5 ¶ 1, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • The CSP SHALL maintain a record, including audit logs, of all steps taken to verify the identity of the applicant and SHALL record the types of identity evidence presented in the proofing process. The CSP SHALL conduct a risk management process, including assessments of privacy and security risks to… (4.2 ¶ 1.7, Digital Identity Guidelines: Enrollment and Identity Proofing, NIST SP 800-63A)
  • Risk management processes are established, managed, and agreed to by organizational stakeholders (ID.RM-1, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Reviews and updates the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes. (PM-9c., Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Provide input to the Risk Management Framework process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials). (T0205, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Participate in Risk Governance process to provide security risks, mitigations, and input on other technical risk. (T0255, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop and coordinate a risk management and compliance framework for privacy (T0892, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Establish a risk management strategy for the organization that includes a determination of risk tolerance. (T0930, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization's priorities, constraints, risk tolerance, and assumptions are established and used to support risk decisions associated with managing privacy risk and third parties within the data processing ecosystem. The organization has established and implemented the processes to identify, ass… (Data Processing Ecosystem Risk Management (ID.DE-P), NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Data processing ecosystem risk management policies, processes, and procedures are identified, established, assessed, managed, and agreed to by organizational stakeholders. (ID.DE-P1, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Policies, processes, and procedures incorporate lessons learned from problematic data actions. (GV.MT-P6, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Risk management processes are established, managed, and agreed to by organizational stakeholders. (GV.RM-P1, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Identify constraints on the conduct of risk assessment, risk response, and risk monitoring activities within the organization. (Task 1-2, NIST SP 800-39, Managing Information Security Risk)
  • Provide input to the Risk Management Framework process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials). (T0205, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop and coordinate a risk management and compliance framework for privacy (T0892, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Perform security reviews, identify gaps in security architecture, and develop a security risk management plan. (T0177, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Establish a risk management strategy for the organization that includes a determination of risk tolerance. (T0930, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Reviews and updates the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes. (PM-9c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Review and update the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes. (PM-9c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Identify constraints on the conduct of risk assessment, risk response, and risk monitoring activities within the organization. (2.2.1 TASK 1-2:, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks. (§ III. B. 3., Appendix B of OCC 12 CFR Part 30, Safety and Soundness Standards)
  • Following the assessment of these risks, the Security Guidelines require a financial institution to design a program to address the identified risks. The particular security measures an institution should adopt will depend upon the risks presented by the complexity and scope of its business. At a mi… (Supp A § I. B. 2., Appendix B of OCC 12 CFR Part 30, Safety and Soundness Standards)
  • The sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks. (Supp A § I. B. 1.(c), Appendix B of OCC 12 CFR Part 30, Safety and Soundness Standards)
  • In the staff’s view, funds and advisers should identify their respective compliance obligations under the federal securities laws and take into account these obligations when assessing their ability to prevent, detect and respond to cyber attacks. Funds and advisers could also mitigate exposure to… (CYBERSECURITY GUIDANCE ¶ 4, IM Guidance Update: Cybersecurity Guidance, No. 2015-02)
  • Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage these threats, including consideration of threats in each relevant area of the operations of the licensee, including all of the following: (Section 27-62-4(c)(4), Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • Assess the sufficiency of policies, procedures, information systems and other safeguards in place to manage the threats identified pursuant to subparagraph (B) of this subdivision by considering such threats in the following areas of such licensee's operations: (Part VI(c)(3)(D), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage a threat identified under paragraph (c)(2) of this section, including consideration of threats in each relevant area of the licensee's operations, including all of the following: (§ 8604.(c)(4), Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage the reasonably foreseeable internal or external threats, including consideration of threats in each relevant area of the licensee's operations, including: (§431:3B-202(b)(4), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • Assessing the sufficiency of the policies, procedures, information systems, and other safeguards currently in place to manage the threats identified in subdivision (2), including an assessment of threats in each relevant area of the licensee's operations, including the following: (Sec. 17.(4), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • Assesses the sufficiency of policies, procedures, information systems, and other safeguards in place to manage the threats identified in paragraph “b”. This assessment must include consideration of threats identified in each relevant area of the licensee’s operations, including all of the foll… (507F.4 3.d., Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage these threats, including consideration of threats in each relevant area of the licensee's operations, including all of the following: (§2504.C.(4), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Assess the sufficiency of policies, procedures and other safeguards in place to manage the threats described in paragraph B, including consideration of threats in each relevant area of the licensee's operations, including: (§2264 3.D., Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage these threats, including consideration of threats in each relevant area of the licensee's operations, including all of the following: (Sec. 555.(3)(d), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage these threats, including consideration of threats in each relevant area of the licensee's operations, including: (§ 60A.9851 Subdivision 3(4), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • Assess the sufficiency of policies, procedures, information systems and other safeguards in place to manage these threats, including consideration of threats in each relevant area of the licensee’s operations, including: (§ 83-5-807 (3)(d), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • Assess the sufficiency of policies, procedures, information systems and other safeguards in place to manage these threats, including consideration of threats in each relevant area of the licensee's operations, including: (§ 420-P:4 III.(d), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage any threats, including consideration of threats in each relevant area of the licensee's operations, including: (26.1-02.2-03. 3.d., North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage the threats described in division (C)(2) of this section, including consideration of such threats in each relevant area of the licensee's operations, including all of the following: (Section 3965.02 (C)(4), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage these threats, taking into consideration threats in each relevant area of the licensee's operations, including: (SECTION 38-99-20. (C)(4), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage threats throughout the licensee's operations, including in: (§ 56-2-1004 (3)(D), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • Assess the sufficiency of policies, procedures, information systems, and other safeguards to manage the threats identified under par. (a) in each relevant area of the licensee's operations, including all of the following: (§ 601.952(2)(c), Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)