Address past incidents in the risk assessment program.


CONTROL ID
12743
CONTROL TYPE
Audits and Risk Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a risk assessment program., CC ID: 00687

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Generally speaking, threats include loss, destruction or theft of critical hardware containing at-risk data; insertion of viruses, spyware and other malware; and interception and compromising of electronic transmissions (e.g., email and payment processing systems). In assessing security risks, Membe… (Information Security Program Bullet 2 Security and Risk Analysis ¶ 3, 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs)
  • Prior history of attack on similar facilities taking into account the frequency, geographic proximity, and severity of past physical security related events; and (B. R4. 4.2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-2, Version 2)
  • Prior history of attack on similar facilities taking into account the frequency, geographic proximity, and severity of past physical security related events; and (B. R4. 4.2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-3, Version 3)
  • Determine whether management uses tools to perform threat analysis and analyzes information security events to help do the following: (App A Objective 5.1, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Security breaches. (App A Objective 11:2 a., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Identify assumptions that affect how risk is assessed, responded to, and monitored within the enterprise. (Task 1-1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)