
Include physical assets in the scope of the risk assessment.


CONTROL ID: 13075
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Perform risk assessments for all target environments, as necessary. (CC ID: 06452)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The FI should include in the scope of the TVRA a review of the DC’s perimeter and surrounding environment, as well as the building and DC facility. The FI should also review daily security procedures, critical mechanical and engineering systems, building and structural elements as well as physical… (§ 10.1.3, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • information assets; (§ 7.3 ¶ 4 Bullet 6, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • The scope of the information security risk management process needs to be defined to ensure that all relevant assets are taken into account in the risk assessment. In addition, the boundaries need to be identified to address those risks that can arise through these boundaries. (§ 7.3 ¶ 2, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • The entity's risk identification and assessment process includes (1) identifying information assets, including physical devices and systems, virtual devices, software, data and data flows, external information systems, and organizational roles; (2) assessing the criticality of those information asse… (CC3.2 Identifies and Assesses Criticality of Information Assets and Identifies Threats and Vulnerabilities, Trust Services Criteria)
  • The entity's risk identification and assessment process includes (1) identifying information assets, including physical devices and systems, virtual devices, software, data and data flows, external information systems, and organizational roles; (2) assessing the criticality of those information asse… (CC3.2 ¶ 4 Bullet 1 Identifies and Assesses Criticality of Information Assets and Identifies Threats and Vulnerabilities, Trust Services Criteria, (includes March 2020 updates))
  • Each Transmission Owner shall perform an initial risk assessment and subsequent risk assessments of its Transmission stations and Transmission substations (existing and planned to be in service within 24 months) that meet the criteria specified in Applicability Section 4.1.1. The initial and subsequ… (B. R1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-2, Version 2)
  • Each Transmission Owner shall perform an initial risk assessment and subsequent risk assessments of its Transmission stations and Transmission substations (existing and planned to be in service within 24 months) that meet the criteria specified in Applicability Section 4.1.1. The initial and subsequ… (B. R1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-3, Version 3)
  • Financial institution's approved technology service providers and equipment. (App A Tier 2 Objectives and Procedures N.2 Bullet 3 Sub-Bullet 6, Sub-Sub Bullet 8, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)