Establish, implement, and maintain a financial plan to support the risk management strategy.


CONTROL ID
12786
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a risk assessment program., CC ID: 00687

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain insurance requirements., CC ID: 16562
  • Purchase insurance on behalf of interested personnel and affected parties., CC ID: 16571
  • Design a portfolio of insurance options in accordance with risk decision-making criteria., CC ID: 12878
  • Design a portfolio of loans in accordance with risk decision-making criteria., CC ID: 12877
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Reviewing and approving the budget and spending on resources for cybersecurity risk management; (3.1. ¶ 1 (b), Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading)
  • The financial impact, including (but not limited to) loss of funds or assets, potential customer compensation, legal and remediation costs, contractual damages, lost revenue; (Title 3 3.2.3 43.a, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • that the ICT risk management activities are performed with sufficient and qualitatively appropriate human and technical resources. To assess the credibility of the applicable risk mitigation plans, competent authorities should also assess whether the institution has allocated sufficient financial bu… (Title 3 3.3.2 50.c, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • whether the institution is implementing aggressive ICT cost cutting measures which may lead to the reduction of needed ICT investments, resources and IT expertise and can increase the exposure to all the ICT risks types in the taxonomy; (Title 3 3.2.1 39.f, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • When developing the strategy, the residual risk is an important decision criterion, in addition to the costs, that must be considered by the management level. (§ 8.1 Subsection 4 ¶ 3, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Only if the protection requirements are significantly higher, it will be necessary to also perform a risk analysis, weighing up the cost-effectiveness of implementing additional safeguards. Usually, it will be sufficient here to add corresponding individual, higher-quality safeguards to the security… (§ 2.6 Subsection 4 ¶ 4, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Are the costs and effort required for implementation appropriate in scale for the protection requirement of the affected target objects? (§ 7 ¶ 5 Bullet 2, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • Develop and maintain a risk response process designed to ensure that cost-effective controls mitigate exposure to risks on a continuing basis. The risk response process should identify risk strategies such as avoidance, reduction, sharing or acceptance; determine associated responsibilities; and con… (PO9.5 Risk Response, CobiT, Version 4.1)
  • Prioritise and plan the control activities at all levels to implement the risk responses identified as necessary, including identification of costs, benefits and responsibility for execution. Obtain approval for recommended actions and acceptance of any residual risks, and ensure that committed acti… (PO9.6 Maintenance and Monitoring of a Risk Action Plan, CobiT, Version 4.1)
  • Management must consider the potential costs and benefits of different risk responses. Generally, anticipated costs and benefits are commensurate with the severity and prioritization of the risk. For example, a high-priority risk with a greater severity may warrant increased resource costs, given th… (Considering Costs and Benefits of Risk Responses ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Credit or operating losses primarily attributable (or thought to be attributable) to IT (e.g., system problems, inadequate controls, improperly implemented changes to systems, and fraud resulting from cybersecurity attacks, such as account takeover). (App A Objective 1:3 g., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Financial institutions engaged in retail payment systems should establish an appropriate risk management process that identifies, measures, monitors, and limits risks. Management and the board should manage and mitigate the identified risks through effective internal and external audit, physical and… (Retail Payment Systems Risk Management, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Appropriate credit and liquidity risk measures for the bankcard and acquiring business lines. (App A Tier 2 Objectives and Procedures F.7 Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • It is recommended that the C-SCRM PMO have the lead responsibility of coordinating with mission and business process and budget officials to build out and maintain a multi-year C-SCRM program budget that captures both recurring and non-recurring resource requirements and maps those requirements to a… (3.6. ¶ 8, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)