Evaluate the effectiveness of threat and vulnerability management procedures.

CONTROL ID: 13491
CONTROL TYPE: Investigate
CLASSIFICATION: Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a risk assessment program., CC ID: 00687

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Further, a bank should also regularly assess the comprehensiveness of its information security risk management framework by comparison to peers and other established control frameworks and standards including any security related frameworks issued by reputed institutions like IDRBT or DSCI. (Critical components of information security 27) (d), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • APRA envisages that a regulated institution would regularly assess IT security vulnerabilities and evaluate the effectiveness of the existing IT security risk management framework, making any necessary adjustments to ensure emerging vulnerabilities are treated in a timely manner. This assessment wou… (¶ 30, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Financial institutions should perform a variety of information security reviews, assessments and testing to ensure the effective identification of vulnerabilities in their ICT systems and ICT services. For instance, financial institutions may perform gap analysis against information security standar… (3.4.6 41, Final Report EBA Guidelines on ICT and security risk management)
  • measures to protect the ICT systems from attacks from the Internet (i.e. cyber-attacks) or other external networks (e.g. traditional telecom connections or connections with trusted partners). Competent authorities should review whether the institution's framework considers: (Title 3 3.3.4(b) 55.h, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Have all the aspects of the relevant threats been covered in full? (§ 7 ¶ 2 Bullet 1, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • effectiveness of the actions to address the risks and opportunities, and internal and external issues associated with the audit programme; (§ 5.7 ¶ 3(g), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • evaluate the effectiveness of these actions. (§ 6.1 ¶ 2 b) Bullet 2, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • evaluate the effectiveness of these actions. (§ 6.1 ¶ 3 b) 2), ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • evaluate the effectiveness of these actions. (§ 6.1 ¶ 3 b) bullet 2, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • Procedures are in place for responding to environmental threat events and for evaluating the effectiveness of those policies and procedures on a periodic basis. This includes automatic mitigation systems (for example, uninterruptable power system and generator backup subsystem). (A1.2 ¶ 2 Bullet 5 Responds to Environmental Threat Events, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • the types of threat and vulnerability assessments the service organization performs (both internal and external), and (¶ 3.59 Bullet 7 Sub-Bullet 3, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Degree to which controls are designed to identify and address threats and vulnerabilities that are currently unknown. Certain controls may have the ability to detect and address unknown threats. An example of this is a data loss prevention (DLP) control that monitors and restricts outbound informati… (¶ 3.163 Bullet 7, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Determining whether attacks and vulnerability exploitations, including those identified publicly by organizations such as the United States Computer Emergency Readiness Team, and emerging risks and threats have been adequately addressed (¶ 3.96 Bullet 5, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • the threat and vulnerability assessments the service organization performs (both internal and external), and (¶ 3.20 Bullet 4 Sub-Bullet 3, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Determining whether attacks and vulnerability exploitations, including those identified publicly by organizations such as the United States Computer Emergency Readiness Team, and emerging risks and threats have been adequately addressed (¶ 3.111 Bullet 5, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • identifies the threats to the achievement of the service organization's service commitments and system requirements and the vulnerabilities of the system components; (¶ 3.93 Bullet 1 Sub-Bullet 3, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • assesses the intersection of threats and vulnerabilities (that is, realization of the risks) and evaluates the likelihood and potential magnitude of the realization of the risks and the entity's tolerance for the identified risks; (¶ 3.93 Bullet 1 Sub-Bullet 4, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Effective risk assessment is critical to the design of controls. Failure to identify a significant threat or a vulnerability to a system component can cause the service organization to overlook a control that is necessary to achieve one or more service commitments and system requirements. In evaluat… (¶ 3.94, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Degree to which controls are designed to identify and address threats and vulnerabilities that are currently unknown. Certain controls may have the ability to detect and address unknown threats and vulnerabilities. An example of such a control is a data loss prevention (DLP) control that monitors an… (¶ 3.190 Bullet 7, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Procedures are in place for responding to environmental threat events and for evaluating the effectiveness of those policies and procedures on a periodic basis. This includes automatic mitigation systems (for example, uninterruptable power system and generator back-up subsystem). (A1.2 Responds to Environmental Threat Events, Trust Services Criteria)
  • Procedures are in place for responding to environmental threat events and for evaluating the effectiveness of those policies and procedures on a periodic basis. This includes automatic mitigation systems (for example, uninterruptable power system and generator backup subsystem). (A1.2 ¶ 2 Bullet 5 Responds to Environmental Threat Events, Trust Services Criteria, (includes March 2020 updates))
  • Review of other vulnerability mitigation performed by the party; or (Attachment 1 Section 2. 2.1 Bullet 3, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability Assessments CIP-010-4, Version 4)
  • Review of other vulnerability mitigation performed by the party; or (Attachment 1 Section 2. 2.1 Bullet 3, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
  • Analyze the effectiveness of security solutions at least annually to address anticipated risk to the system and the organization based on current and accumulated threat intelligence. (RM.5.155, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Evaluation of the entity's susceptibility to multiple threat scenarios in resilience planning, testing, and recovery strategies. (IV.A Action Summary ¶ 3 Bullet 4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)