Address cybersecurity risks in the risk assessment program.

CONTROL ID
13193
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a risk assessment program., CC ID: 00687

There are no implementation support Controls.

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • a mechanism to identify relevant assets and an assessment of the risks in that Member State; (Article 7 1(d), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • Financial entities shall, on a continuous basis, identify all sources of ICT risk, in particular the risk exposure to and from other financial entities, and assess cyber threats and ICT vulnerabilities relevant to their ICT supported business functions, information assets and ICT assets. Financial e… (Art. 8.2., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Financial entities, other than microenterprises, shall monitor relevant technological developments on a continuous basis, also with a view to understanding the possible impact of the deployment of such new technologies on ICT security requirements and digital operational resilience. They shall keep … (Art. 13.7., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Establish and maintain an encryption and key management risk program that includes provisions for risk assessment, risk treatment, risk context, monitoring, and feedback. (CEK-07, Cloud Controls Matrix, v4.0)
  • The organization has a cyber risk management strategy and framework that is approved by the appropriate governing authority (e.g., the Board or one of its committees) and incorporated into the overall business strategy and enterprise risk management framework. (GV.SF-1.1, CRI Profile, v1.2)
  • The cyber risk management program addresses identified cyber risks in one of the following ways: risk acceptance, risk mitigation, risk avoidance, or risk transfer, which includes cyber insurance. (GV.RM-1.6, CRI Profile, v1.2)
  • The cyber risk management framework is integrated into the enterprise risk management framework. (GV.RM-3.1, CRI Profile, v1.2)
  • The cyber risk assessment process is consistent with the organization's policies and procedures and includes criteria for the evaluation and categorization of enterprise-specific cyber risks and threats. (GV.RM-1.4, CRI Profile, v1.2)
  • The organization includes in its threat analysis those cyber threats which could trigger extreme but plausible cyber events, even if they are considered unlikely to occur or have never occurred in the past. (ID.RA-3.2, CRI Profile, v1.2)
  • Independent risk management is required to analyze cyber risk at the enterprise level to identify and ensure effective response to events with the potential to impact one or multiple operating units. (ID.RA-6.2, CRI Profile, v1.2)
  • The organization's business units identify, assess and document applicable cyber risks and potential vulnerabilities associated with business assets to include workforce, data, technology, facilities, service, and IT connection points for the respective unit. (ID.RA-1.1, CRI Profile, v1.2)
  • Cyber threats, vulnerabilities, likelihoods, and impacts are used to determine overall cyber risk to the organization. (ID.RA-5.1, CRI Profile, v1.2)
  • Cyber risk management framework is integrated into the enterprise risk management framework. (GV.RM-3, CRI Profile, v1.2)
  • Organizational cybersecurity policy addresses appropriate controls, identified through risk assessment. (GV.PL-2, CRI Profile, v1.2)
  • The cyber risk assessment process is consistent with the organization's policies and procedures and includes criteria for the evaluation and categorization of enterprise-specific cyber risks and threats. (GV.RM-1.4, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The cyber risk management program addresses identified cyber risks in one of the following ways: risk acceptance, risk mitigation, risk avoidance, or risk transfer, which includes cyber insurance. (GV.RM-1.6, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The cyber risk management framework is integrated into the enterprise risk management framework. (GV.RM-3.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization has a cyber risk management strategy and framework that is approved by the appropriate governing authority (e.g., the Board or one of its committees) and incorporated into the overall business strategy and enterprise risk management framework. (GV.SF-1.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Cyber threats, vulnerabilities, likelihoods, and impacts are used to determine overall cyber risk to the organization. (ID.RA-5.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Independent risk management is required to analyze cyber risk at the enterprise level to identify and ensure effective response to events with the potential to impact one or multiple operating units. (ID.RA-6.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization's business units identify, assess and document applicable cyber risks and potential vulnerabilities associated with business assets to include workforce, data, technology, facilities, service, and IT connection points for the respective unit. (ID.RA-1.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization includes in its threat analysis those cyber threats which could trigger extreme but plausible cyber events, even if they are considered unlikely to occur or have never occurred in the past. (ID.RA-3.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Include cybersecurity risks in the Licensee's enterprise risk management process. (Section 4.D ¶ 1(3), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendo… (B. R1. 1.1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Supply Chain Risk Management CIP-013-1)
  • One or more process(es) used in planning for the procurement of BES Cyber Systems and their associated EACMS and PACS to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software;… (B. R1. 1.1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Supply Chain Risk Management CIP-013-2, Version 2)
  • Verify that the risk assessment includes the identification of cybersecurity risks and results of information security risk assessments. (App A Objective 5:2b, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Financial institutions should implement the appropriate physical and logical security controls to ensure retail payment system transactions are processed, cleared, and settled in an accurate, timely, and reliable manner. Security risk assessments should consider physical and logical security control… (Information Security, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The Agencies reiterate and stress the expectation described in the 2005 Guidance that financial institutions should perform periodic risk assessments and adjust their customer authentication controls as appropriate in response to new threats to customers' online accounts. Financial institutions shou… (Risk Assessments ¶ 1, Supplement to Authentication in an Internet Banking Environment)
  • Review and assess system, human, or organizational flaws that expose business, technical, and acquisition environments to cyber threats and attacks. (Level 2 Mission and Business Process Activities Bullet 4, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • An enterprise's C-SCRM Strategy and Implementation Plan guides the enterprise toward the achievement of long-term, sustainable reductions in exposure to cybersecurity risks throughout the supply chain. As a core part of the C-SCRM Strategy and Implementation Plan, enterprises should address how this… (3.1.1. ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • In addition to addressing cybersecurity risks throughout the supply chain and performing C-SCRM activities during each phase of the acquisition process, enterprises should develop and execute an acquisition strategy that drives reductions in their overall risk exposure. By applying such strategies, … (3.1. ¶ 3, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Acquisition policies and processes need to incorporate C-SCRM considerations into each step of the procurement and contract management life cycle management process (i.e., plan procurement, define and develop requirements, perform market analysis, complete procurement, ensure compliance, and monitor… (3.1.2. ¶ 3, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Governance and risk management processes address cybersecurity risks (ID.GV-4, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Governance and risk management processes address cybersecurity risks (ID.GV-4, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Analyze computer-generated threats for counter intelligence or criminal activity. (T0423, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The level of cyber risk in terms of risk to missions, business functions, or other forms of risk (e.g., security, safety, reputation). An assessment of this form is possible if the organization has established a risk model, or at least a consequence model, for such forms of risk. An initial assessme… (3.2.2.3 ¶ 1 Bullet 3, NIST SP 800-160, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Volume 2, Revision 1)
  • Analyze computer-generated threats for counter intelligence or criminal activity. (T0423, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization's current cybersecurity risks are understood (IDENTIFY (ID), The NIST Cybersecurity Framework, v2.0)
  • The cybersecurity risk to the organization, assets, and individuals is understood by the organization (Risk Assessment (ID.RA), The NIST Cybersecurity Framework, v2.0)
  • Include cybersecurity risks in the enterprise risk management process of the licensee. (Section 27-62-4(d)(3), Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • Include cybersecurity risks in such licensee's enterprise risk management process. (Part VI(c)(4)(C), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • Include cybersecurity risks in the licensee's enterprise risk management process. (§ 8604.(d)(3), Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • Include cybersecurity risks in the licensee's enterprise risk management process; (§431:3B-203(3), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • Include cybersecurity risks in the licensee's enterprise risk management process. (Sec. 18.(3), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • Include cybersecurity risks in the licensee’s enterprise-wide risk management process. (507F.4 4.c., Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • Include cybersecurity risks in the licensee's enterprise risk management process. (§2504.D.(3), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Include cybersecurity risks in the licensee's enterprise risk management process; (§2264 4.C., Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • Include cybersecurity risks in the licensee's enterprise risk management process. (Sec. 555.(4)(c), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • include cybersecurity risks in the licensee's enterprise risk management process; (§ 60A.9851 Subdivision 4(3), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • Include cybersecurity risks in the licensee’s enterprise risk management process. (§ 83-5-807 (4)(c), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • Include cybersecurity risks in the licensee's enterprise risk management process. (§ 420-P:4 IV.(c), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • Each covered entity shall conduct a periodic risk assessment of the covered entity's information systems sufficient to inform the design of the cybersecurity program as required by this Part. Such risk assessment shall be reviewed and updated as reasonably necessary, but at a minimum annually, and w… (§ 500.9 Risk Assessment (a), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • Include cybersecurity risks in the licensee's enterprise risk management process. (26.1-02.2-03. 4.c., North Dakota Century Code, Title 26.1, Chapter 26.1-02.2, Sections 1-11, Insurance Data Security)
  • Include cybersecurity risks in the licensee's enterprise risk management process; (Section 3965.02 (D)(3), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • include cybersecurity risks in the licensee's enterprise risk management process; (SECTION 38-99-20. (D)(3), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • Include cybersecurity risks in the licensee's enterprise risk management process; (§ 56-2-1004 (4)(C), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • Include cybersecurity risks in the licensee's enterprise risk management process. (§ 601.952(3)(f), Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)