Integrate the risk management program into daily business decision-making.
CONTROL ID
13659
CONTROL TYPE
Business Processes
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a risk management program., CC ID: 12051

There are no implementation support Controls.
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • In APRA's view, the IT security risk management framework would encapsulate the expectations of the Board and senior management, have a designated owner(s), and outline the roles and responsibilities of staff to ensure the achievement of effective IT security risk management outcomes. The framework … (¶ 25, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Top management and oversight bodies, where applicable, should demonstrate and articulate their continual commitment to risk management through a policy, a statement or other forms that clearly convey an organization's objectives and commitment to risk management. The commitment should include, but i… (§ 5.4.2 ¶ 1, ISO 31000 Risk management - Guidelines, 2018)
  • decision-making behaviours are informed by risk assessment outcomes and are consistent with governance policies; (§ 6.9.3.4 ¶ 1 g), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • guides decision-making behaviours and the impact of leadership actions, inactions or omissions on those behaviours; (§ 6.9.3.2 ¶ 2 b), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: (§ 8.5.1.3 ¶ 1, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • definition of decision escalation paths; (§ 7.4 ¶ 1 Bullet 5, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • Organizations prioritize risks in order to inform decision-making on risk responses and optimize the allocation of resources. Given the resources available to an entity, management must evaluate the trade-offs between allocating resources to mitigate one risk compared to another. The prioritization … (Establishing the Criteria ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. (Risk Management (GV.RM), CRI Profile, v1.2)
  • The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions. (Business Environment (DM.BE), CRI Profile, v1.2)
  • Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; (RA-3b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; (RA-3b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; (RA-3b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; (RA-3b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Tailor the enterprise risk framework to the mission and business process (e.g., set risk tolerances). (Level 2 Mission and Business Process Activities Bullet 6, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Many threats to and through the supply chain are addressed at Level 2 in the management of third-party relationships with suppliers, developers, system integrators, external system service providers, and other ICT/OT-related service providers. Because C-SCRM can both directly and indirectly impact m… (2.3.3. ¶ 3, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Level of Implementation: Develop and map measures to the identified C-SCRM standards, policies, and procedures to demonstrate the program's implementation progress. These measures should be considered when rendering decisions to prioritize and invest in C-SCRM capabilities. (3.5.1. ¶ 1 Bullet 5, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; (RA-3b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; (RA-3b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; (RA-3b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Evaluate cost/benefit, economic, and risk analysis in decision-making process. (T0099, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Evaluate cost/benefit, economic, and risk analysis in decision-making process. (T0099, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; (RA-3b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Integrate security risk mitigation measures during the design, construction, or renovation of a facility. (Table 1: Design and Construction Baseline Security Measures Cell 1, Pipeline Security Guidelines)