Integrate the risk management program into daily business decision-making.
CONTROL ID
13659
CONTROL TYPE
Business Processes
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a risk management program., CC ID: 12051

There are no implementation support Controls.
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • In APRA's view, the IT security risk management framework would encapsulate the expectations of the Board and senior management, have a designated owner(s), and outline the roles and responsibilities of staff to ensure the achievement of effective IT security risk management outcomes. The framework … (¶ 25, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Top management and oversight bodies, where applicable, should demonstrate and articulate their continual commitment to risk management through a policy, a statement or other forms that clearly convey an organization's objectives and commitment to risk management. The commitment should include, but i… (§ 5.4.2 ¶ 1, ISO 31000 Risk management - Guidelines, 2018)
  • decision-making behaviours are informed by risk assessment outcomes and are consistent with governance policies; (§ 6.9.3.4 ¶ 1 g), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • guides decision-making behaviours and the impact of leadership actions, inactions or omissions on those behaviours; (§ 6.9.3.2 ¶ 2 b), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: (§ 8.5.1.3 ¶ 1, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • definition of decision escalation paths; (§ 7.4 ¶ 1 Bullet 5, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • A review of current risk management processes should particularly examine whether the risks involved in decision-making, data use, culture and values, and compliance are well understood and managed. In this way, the context of the additional risks that AI systems bring to the organization can be cla… (§ 6.7.1 ¶ 4, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • Organizations prioritize risks in order to inform decision-making on risk responses and optimize the allocation of resources. Given the resources available to an entity, management must evaluate the trade-offs between allocating resources to mitigate one risk compared to another. The prioritization … (Establishing the Criteria ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. (Risk Management (GV.RM), CRI Profile, v1.2)
  • The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions. (Business Environment (DM.BE), CRI Profile, v1.2)
  • Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; (RA-3b., FedRAMP Security Controls High Baseline, Version 5)
  • Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; (RA-3b., FedRAMP Security Controls Low Baseline, Version 5)
  • Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; (RA-3b., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; (RA-3b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; (RA-3b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; (RA-3b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; (RA-3b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Tailor the enterprise risk framework to the mission and business process (e.g., set risk tolerances). (Level 2 Mission and Business Process Activities Bullet 6, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Many threats to and through the supply chain are addressed at Level 2 in the management of third-party relationships with suppliers, developers, system integrators, external system service providers, and other ICT/OT-related service providers. Because C-SCRM can both directly and indirectly impact m… (2.3.3. ¶ 3, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Level of Implementation: Develop and map measures to the identified C-SCRM standards, policies, and procedures to demonstrate the program's implementation progress. These measures should be considered when rendering decisions to prioritize and invest in C-SCRM capabilities. (3.5.1. ¶ 1 Bullet 5, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; (RA-3b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; (RA-3b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; (RA-3b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; (RA-3b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Evaluate cost/benefit, economic, and risk analysis in decision-making process. (T0099, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Evaluate cost/benefit, economic, and risk analysis in decision-making process. (T0099, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; (RA-3b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; (RA-3b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions (Risk Management Strategy (GV.RM), The NIST Cybersecurity Framework, v2.0)
  • Risk responses take many forms, including: avoidance of risk by development of a legislative proposal; reduction of risk by proposing to increase funding for the activity; acceptance of the risk of adopting a new technology in order to provide better services to customers. Formulation of risk respon… (Section II (B4) ¶ 2, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • Integrate security risk mitigation measures during the design, construction, or renovation of a facility. (Table 1: Design and Construction Baseline Security Measures Cell 1, Pipeline Security Guidelines)