Document cybersecurity risks.


CONTROL ID
12281
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain risk assessment procedures., CC ID: 06446

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The cyber risk management program incorporates cyber risk identification, measurement, monitoring, and reporting. (GV.RM-1.1, CRI Profile, v1.2)
  • The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. (Risk Assessment (ID.RA), CRI Profile, v1.2)
  • The organization's business units identify, assess and document applicable cyber risks and potential vulnerabilities associated with business assets to include workforce, data, technology, facilities, service, and IT connection points for the respective unit. (ID.RA-1.1, CRI Profile, v1.2)
  • The organization timely involves and communicates the recovery activities, procedures, cyber risk management issues to the appropriate governing body (e.g., the Board or one of its committees), senior management and relevant internal stakeholders. (RC.CO-3.1, CRI Profile, v1.2)
  • The cyber risk management program incorporates cyber risk identification, measurement, monitoring, and reporting. (GV.RM-1.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization's business units identify, assess and document applicable cyber risks and potential vulnerabilities associated with business assets to include workforce, data, technology, facilities, service, and IT connection points for the respective unit. (ID.RA-1.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Principle: Firms should manage cybersecurity risk that can arise across the lifecycle of vendor relationships using a risk-based approach to vendor management. Effective practices to manage vendor risk include: - performing pre-contract due diligence on prospective service providers; - establishing … (Vendor Management, Report on Cybersecurity Practices)
  • Verify that the risk assessment includes the identification of cybersecurity risks and results of information security risk assessments. (App A Objective 5:2b, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. (ID.RA Risk Assessment, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. (ID.RA Risk Assessment, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated (GV.RM-06, Framework for Improving Critical Infrastructure Cybersecurity, v2.0)