Analyze the organization's information security environment.

CONTROL ID: 13122
CONTROL TYPE: Technical Security
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain risk assessment procedures., CC ID: 06446

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Understanding different data environments and the impact of granting access to them (Security Administrator ¶ 1 Bullet 1, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • To draw up a security concept, and especially to apply the IT-Grundschutz Compendium it is necessary to analyse and document the interaction of the business processes, applications and existing information technology. Since IT systems today are highly networked, the network topology plan should be u… (§ 7.4 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Note target objects for a risk analysis that cannot be modelled appropriately (§ 8.3.7 Subsection 1 Bullet 4, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The cyber risk management framework provides mechanisms to determine the adequacy of resources to fulfill cybersecurity objectives. (GV.SF-3.3, CRI Profile, v1.2)
  • The cyber risk management framework provides mechanisms to determine the adequacy of resources to fulfill cybersecurity objectives. (GV.SF-3.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Accordingly, the service auditor should consider the nature of threats and the likelihood and magnitude of the risks arising from those threats to the achievement of the service organization's service commitments and system requirements based on the applicable trust services criteria. For example, t… (¶ 2.106, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The technical environment, including whether the realization of those threats or the exploitation of vulnerabilities related to aspects of the service organization's environment that appear inconsequential or are seemingly unrelated to the system could expose (either directly or indirectly) the syst… (¶ 3.162 Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Determine the complexity of the institution's information security environment. (App A Objective 1.4, FFIEC Information Technology Examination Handbook - Information Security, September 2016)