Include risk responses in the risk management program.
CONTROL ID
13195
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a risk management program., CC ID: 12051

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The risk management measures referred to in paragraph 2, point (d) shall give due consideration to the effects and possible interactions resulting from the combined application of the requirements set out in this Chapter 2. They shall take into account the generally acknowledged state of the art, in… (Article 9 3., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • Prioritise and plan the control activities at all levels to implement the risk responses identified as necessary, including identification of costs, benefits and responsibility for execution. Obtain approval for recommended actions and acceptance of any residual risks, and ensure that committed acti… (PO9.6 Maintenance and Monitoring of a Risk Action Plan, CobiT, Version 4.1)
  • Wrongdoing occurs for three reasons: people make mistakes (out of confusion or ignorance), people have a moment of weakness of will, or people choose to do harm. Knowing that any one of these three things can take place, an organization must align core values and behaviors to help people avoid mista… (Responding to Deviations in Core Values and Behaviors ¶ 2, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Risk responses are identified and prioritized. (ID.RA-6, CRI Profile, v1.2)
  • Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. (RA-7 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. (RA-7 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. (RA-7 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. (RA-7 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Reporting at Level 3 should focus on the C-SCRM's implementation, efficiency, effectiveness, and the overall level of exposure to cybersecurity risks in the supply chain for the particular system. System-level reporting should provide system owners with tactical-level insights that enable them to ma… (2.3.4. ¶ 4, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Decide on the appropriate course of action for responding to risk. (Task 3-3, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. (RA-7 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. (RA-7 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. (RA-7 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Risk responses are identified and prioritized (ID.RA-6, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Identify and implement a preferred course of action in response to the risk determined. (T0958, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Risk responses are identified, prioritized, and implemented. (ID.RA-P5, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Identify and implement a preferred course of action in response to the risk determined. (T0958, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. (RA-7 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)