Include risk responses in the risk management program.


CONTROL ID
13195
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a risk management program., CC ID: 12051

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Security risk management processes are embedded into organisational risk management frameworks. (G4:, Australian Government Information Security Manual, June 2023)
  • Security risk management processes are embedded into organisational risk management frameworks. (G4:, Australian Government Information Security Manual, September 2023)
  • The risk management measures referred to in paragraph 2, point (d) shall give due consideration to the effects and possible interactions resulting from the combined application of the requirements set out in this Chapter 2. They shall take into account the generally acknowledged state of the art, in… (Article 9 3., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • Prioritise and plan the control activities at all levels to implement the risk responses identified as necessary, including identification of costs, benefits and responsibility for execution. Obtain approval for recommended actions and acceptance of any residual risks, and ensure that committed acti… (PO9.6 Maintenance and Monitoring of a Risk Action Plan, CobiT, Version 4.1)
  • Wrongdoing occurs for three reasons: people make mistakes (out of confusion or ignorance), people have a moment of weakness of will, or people choose to do harm. Knowing that any one of these three things can take place, an organization must align core values and behaviors to help people avoid mista… (Responding to Deviations in Core Values and Behaviors ¶ 2, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Risk responses are identified and prioritized. (ID.RA-6, CRI Profile, v1.2)
  • Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. (RA-7 Control, FedRAMP Security Controls High Baseline, Version 5)
  • Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. (RA-7 Control, FedRAMP Security Controls Low Baseline, Version 5)
  • Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. (RA-7 Control, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Management should identify, analyze, and respond to risks related to achieving the defined objectives. (7.01, Standards for Internal Control in the Federal Government)
  • Management should design control activities to achieve objectives and respond to risks. (10.01, Standards for Internal Control in the Federal Government)
  • AI risks based on assessments and other analytical output from the MAP and MEASURE functions are prioritized, responded to, and managed. (MANAGE 1, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
  • Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. (RA-7 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. (RA-7 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. (RA-7 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. (RA-7 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Reporting at Level 3 should focus on the C-SCRM's implementation, efficiency, effectiveness, and the overall level of exposure to cybersecurity risks in the supply chain for the particular system. System-level reporting should provide system owners with tactical-level insights that enable them to ma… (2.3.4. ¶ 4, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Decide on the appropriate course of action for responding to risk. (Task 3-3, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. (RA-7 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. (RA-7 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. (RA-7 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. (RA-7 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Risk responses are identified and prioritized (ID.RA-6, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Risk responses are identified and prioritized (ID.RA-6, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Identify and implement a preferred course of action in response to the risk determined. (T0958, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Risk responses are identified, prioritized, and implemented. (ID.RA-P5, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Identify and implement a preferred course of action in response to the risk determined. (T0958, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. (RA-7 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. (RA-7 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship (GV.SC-07, The NIST Cybersecurity Framework, v2.0)
  • Risk responses are chosen, prioritized, planned, tracked, and communicated (ID.RA-06, The NIST Cybersecurity Framework, v2.0)