Establish, implement, and maintain risk management strategies.


CONTROL ID
13209
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a risk management program., CC ID: 12051

This Control has the following implementation support Control(s):
  • Include off-site storage of supplies in the risk management strategies., CC ID: 13221
  • Include data quality in the risk management strategies., CC ID: 15308
  • Include the use of alternate service providers in the risk management strategies., CC ID: 13217
  • Include minimizing service interruptions in the risk management strategies., CC ID: 13215
  • Include off-site storage in the risk mitigation strategies., CC ID: 13213


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • It is the primary responsibility of AIs to ensure that the risks posed by e-banking are properly managed and to educate and protect their customers. In the light of the inherent operational, reputation and legal risk as well as potential liquidity risk associated with e-banking, an AI's Board, or i… (§ 3.1.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • the change in risks associated with e-banking are fully understood and that adequate risk management measures are taken when introducing or enhancing e-banking and thereafter, as there might be changes in risk over time especially as technologies evolve. In this connection, the AI's Board and senior… (§ 3.1.1 (i), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • the risks associated with e-banking are fully understood and that adequate risk management measures are taken when introducing or enhancing e-banking and thereafter, as there might be changes in risk over time especially as technologies evolve. In this connection, the AI's Board and senior managemen… (§ 3.1.1 (i), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • AIs should conduct regular assessment to identify and evaluate the relevant risks associated with self-service terminals. Proper risk management measures should be implemented to address the relevant risks. Furthermore, AIs should also closely monitor the emerging cyber attacks and vulnerabilities r… (§ 7.3.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • It is the primary responsibility of AIs to ensure that the risks posed by e-banking are properly managed and to educate and protect their customers. In the light of the inherent operational, reputation and legal risk as well as potential liquidity risk associated with e-banking, an AI's Board, or i… (§ 3.1.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • With the assistance of its service manager, the financial institution should prepare thorough risk management and project management strategies, especially if the institution is the main decision maker for service operation and renewals. (C26.1. ¶ 4(3) ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Given that today's banking is largely dependent on IT systems and since most of the internal processing requirements of banks are electronic, it is essential that adequate security systems are fully integrated into the IT systems of banks. It would be optimal to classify these based on the risk anal… (Boards of Directors/Senior Management ¶ 4, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The board of directors and senior management should ensure a technology risk management strategy is established and implemented. (§ 3.1.4, Technology Risk Management Guidelines, January 2021)
  • undertaking regular reviews of the technology risk management strategy for continued relevance; (§ 3.1.7(e), Technology Risk Management Guidelines, January 2021)
  • IT assets that have been implemented prior to an institution's current IT security management framework may not comply with the framework's requirements. In such instances, the institution would typically, as part of its risk management processes, formulate a strategy for either the replacement of t… (¶ 61, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Competent authorities may rely on and take into consideration work already undertaken by the institution or by the competent authority in the context of the assessments of other risks or SREP elements in order to have an update of the assessment. Specifically, in conducting the assessments specified… (Title 1 12., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment ins… (4.5 32, Final Report on EBA Guidelines on outsourcing arrangements)
  • The ICT risk management framework shall include at least strategies, policies, procedures, ICT protocols and tools that are necessary to duly and adequately protect all information assets and ICT assets, including computer software, hardware, servers, as well as to protect all relevant physical comp… (Art. 6.2., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • In accordance with their ICT risk management framework, financial entities shall minimise the impact of ICT risk by deploying appropriate strategies, policies, procedures, ICT protocols and tools. They shall provide complete and updated information on ICT risk and on their ICT risk management framew… (Art. 6.3., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • minimise the impact of ICT risk through the use of sound, resilient and updated ICT systems, protocols and tools which are appropriate to support the performance of their activities and the provision of services and adequately protect availability, authenticity, integrity and confidentiality of data… (Art. 16.1. ¶ 2(c), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • The information risk management and information security management under sections 3 and 4 of the BAIT shall take the CIP objective into account and adopt measures to ensure that it is achieved. In particular, risks that have the potential to impair critical services to a significant degree shall be… (II.9.59, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • Develop and maintain a risk response process designed to ensure that cost-effective controls mitigate exposure to risks on a continuing basis. The risk response process should identify risk strategies such as avoidance, reduction, sharing or acceptance; determine associated responsibilities; and con… (PO9.5 Risk Response, CobiT, Version 4.1)
  • Risk treatment can also introduce new risks that need to be managed. (§ 6.5.2 ¶ 6, ISO 31000 Risk management - Guidelines, 2018)
  • This will help the organization to: - align risk management with its objectives, strategy and culture; - recognize and address all obligations, as well as its voluntary commitments; - establish the amount and type of risk that may or may not be taken to guide the development of risk criteria, ensu… (§ 5.2 ¶ 2, ISO 31000 Risk management - Guidelines, 2018)
  • To set risk criteria, the following should be considered: - the nature and type of uncertainties that can affect outcomes and objectives (both tangible and intangible); - how consequences (both positive and negative) and likelihood will be defined and measured; - time-related factors; - consiste… (§ 6.3.4 ¶ 3, ISO 31000 Risk management - Guidelines, 2018)
  • strategies to manage risk are deployed within agreed risk limits and associated risk tolerance; (§ 6.9.3.4 ¶ 1 b), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • treating and monitoring risks using the approach described in 6.1.3. (Section 8.1 ¶ 1 bullet 4, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • actions to address these risks and opportunities, taking into account how these risks and opportunities can change with time; (Section 6.1.1 ¶ 2(a), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • An appropriate risk management approach should be selected or developed that addresses basic criteria such as: risk evaluation criteria, impact criteria, risk acceptance criteria. (§ 7.2.1 ¶ 2, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • Establish a risk management strategy for the organization that includes a determination of risk tolerance. (TASK P-2, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • Management should identify and mitigate the effect of bias in carrying out risk assessment practices. For example, confidence bias may support a pre-existing perception of a known risk. Additionally, how a risk is framed can also affect how risks are interpreted and assessed. For example, for a give… (Bias in Assessment ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Strategic planning. (App A Objective 2:1b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Financial institutions engaged in retail payment systems should establish an appropriate risk management process that identifies, measures, monitors, and limits risks. Management and the board should manage and mitigate the identified risks through effective internal and external audit, physical and… (Retail Payment Systems Risk Management, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Assess the quality of risk management and support for bankcard issuance and acquiring (merchant processing) activity. (App A Tier 1 Objectives and Procedures Objective 6, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Assess the RDC strategic planning and the risk assessment process. (App A Tier 2 Objectives and Procedures N.2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Operational risk mitigation: Review whether management controls include the following: risk management; transaction monitoring and geolocation tools; fraud prevention, detection, and response programs; additional controls (e.g., stronger authentication and encryption); authentication and authorizati… (AppE.7 Objective 5:4 b., FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The Agencies use the Uniform Rating System for Information Technology (URSIT) to uniformly assess and rate IT-related risks of financial institutions and their TSPs. The primary purpose of this rating system is to evaluate the examined institution's overall risk exposure and risk management performa… (Uniform Rating System for Information Technology ¶ 1, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
  • The risk management process and its outcomes are established through transparent policies, procedures, and other controls based on organizational risk priorities. (GOVERN 1.4, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
  • Privacy risk to individuals resulting from the authorized processing of personally identifiable information; (PM-9a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and (PM-9a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • In addition to defining C-SCRM governance structures and operating models, Level 1 carries out the activities necessary to frame C-SCRM for the enterprise. C-SCRM framing is the process by which the enterprise makes explicit the assumptions about cybersecurity risks throughout the supply chain (e.g.… (2.3.2. ¶ 8, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Many threats to and through the supply chain are addressed at Level 2 in the management of third-party relationships with suppliers, developers, system integrators, external system service providers, and other ICT/OT-related service providers. Because C-SCRM can both directly and indirectly impact m… (2.3.3. ¶ 3, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • A critical Level 3 activity is the development of the C-SCRM plan. Along with applicable security control information, the C-SCRM plan includes information on the system, its categorization, operational status, related agreements, architecture, critical system personnel, related laws, regulations, p… (2.3.4. ¶ 5, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Level 2 roles include representatives of each mission and business process, such as program managers, research and development, and acquisitions/procurement. Level 2 C-SCRM activities address C-SCRM within the context of the enterprise's mission and business process. Specific strategies, policies, a… (2.3.3. ¶ 2, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Apply insights gained from leading C-SCRM metrics (i.e., forward-looking indicators) to shift from reactive to predictive C-SCRM strategies and plans that adapt to risk profile changes before they occur. (3.4.3. ¶ 1 Bullet 3, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Business and Mission Impact: Develop and map measures to the identified enterprise strategic and C-SCRM-specific objectives to offer insight into the impact of C-SCRM (e.g., contribution to business process cost savings; reduction in national security risk). These measures should be considered a com… (3.5.1. ¶ 1 Bullet 7, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and (PM-9a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Privacy risk to individuals resulting from the authorized processing of personally identifiable information; (PM-9a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • The CSP SHOULD obtain additional confidence in identity proofing using fraud mitigation measures (e.g., inspecting geolocation, examining the device characteristics of the applicant, evaluating behavioral characteristics, checking vital statistic repositories such as the Death Master File [DMF], so … (4.2 ¶ 1.10, Digital Identity Guidelines: Enrollment and Identity Proofing, NIST SP 800-63A)
  • Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems; (PM-9a., Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Collaborate with cybersecurity personnel on the security risk assessment process to address privacy compliance and risk mitigation (T0872, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization's priorities, constraints, risk tolerance, and assumptions are established and used to support risk decisions associated with managing privacy risk and third parties within the data processing ecosystem. The organization has established and implemented the processes to identify, ass… (Data Processing Ecosystem Risk Management (ID.DE-P), NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform privacy roles, responsibilities, and risk management decisions. (Business Environment (ID.BE-P), NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Collaborate with cybersecurity personnel on the security risk assessment process to address privacy compliance and risk mitigation (T0872, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Establish a risk management strategy for the organization that includes a determination of risk tolerance. (T0930, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems; (PM-9a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and (PM-9a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Privacy risk to individuals resulting from the authorized processing of personally identifiable information; (PM-9a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and (PM-9a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Privacy risk to individuals resulting from the authorized processing of personally identifiable information; (PM-9a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)