Include the information flow of restricted data in the risk assessment program.


CONTROL ID: 12339
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a risk assessment program. (CC ID: 00687)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Risk assessments associated with data governance requirements shall be conducted at planned intervals and shall consider the following: - Awareness of where sensitive data is stored and transmitted across applications, databases, servers, and network infrastructure - Compliance with defined retent… (GRM-02, Cloud Controls Matrix, v3.0)
  • The risk of the transaction (e.g., internal-to-internal, external-to-internal); (PR.AC-7.1(2), CRI Profile, v1.2)
  • The risk of the transaction (e.g., internal-to-internal, external-to-internal); (PR.AC-7.1(2), Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • For cloud applications where encrypting DAR with DoD key control is not possible, Mission Owners must perform a risk analysis with relevant data owners before transferring data into a CSO. This analysis must take into account that there may be no high-assurance method available to remediate data spi… (Section 5.11 ¶ 4, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Information flow diagrams. (App A Objective 10:2 d., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Assess risk. Review and interpret criticality, threat, vulnerability, likelihood, impact, and related information. (2. ¶ 1 Bullet 2, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • assesses risks in information processing, transmission and storage; (§ 899-bb. 2(b)(ii)(B)(2), New York General Business Law Chapter 20, Article 39-F, Section 899-BB)