Document residual risk in a residual risk report.


CONTROL ID
13664
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Corrective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a risk management program., CC ID: 12051

This Control has the following implementation support Control(s):
  • Review and approve material risks documented in the residual risk report, as necessary., CC ID: 13672


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Quantitative methods involve assigning numerical measurements that can be entered into the analysis to determine total and residual risks. The various aspects that are considered a part of measurements include costs to safeguard the information and information systems, value of that information and … (Critical components of information security 2) 5), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • When developing the strategy, the residual risk is an important decision criterion, in addition to the costs, that must be considered by the management level. (§ 8.1 Subsection 4 ¶ 3, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • If it proves to be impossible to provide a sufficient budget for implementing all the missing security safeguards, then the residual risk resulting from failure to implement or delay in implementing certain measures should be pointed out. To assist in this, the cross-reference tables from the IT-Gru… (§ 9.2 ¶ 4, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The decision on which security safeguards to undertake or initially delay and where residual risks can be accepted should be documented carefully for legal reasons. In case of doubt, additional opinions should be surveyed and these opinions should be documented as well to prove the duty to take good… (§ 9.3 ¶ 5, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • In this regard it is necessary to ascertain whether all the safeguards initially derived from the requirements can be afforded. If there are safeguards that are not economical, alternative safeguards for fulfilling such requirements should be considered. There are many possible solutions also regard… (§ 9.2 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The residual risk must then be submitted to the management level for approval ("risk acceptance"). This documents in a traceable manner that the organisation is aware of the residual risk. Ideally, an organisation only accepts "Low" risks. In practice, however, this is not always appropriate. Reason… (§ 6.1 ¶ 14, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • risks or issues not adequately addressed in any previous risk assessment; (§ 9.3.2 ¶ 1 i), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Decision makers and other stakeholders should be aware of the nature and extent of the remaining risk after risk treatment. The remaining risk should be documented and subjected to monitoring, review and, where appropriate, further treatment. (§ 6.5.2 ¶ 8, ISO 31000 Risk management - Guidelines, 2018)
  • The organization determines ways to aggregate cyber risk to assess the organization's residual cyber risk. (ID.RA-5.6, CRI Profile, v1.2)
  • The organization determines ways to aggregate cyber risk to assess the organization's residual cyber risk. (ID.RA-5.6, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Negative residual risks (defined as the sum of all unmitigated risks) to both downstream acquirers of AI systems and end users are documented. (MANAGE 1.4, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
  • Draft statements of preliminary or residual security risks for system operation. (T0083, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Draft statements of preliminary or residual security risks for system operation. (T0083, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • After initial implementation, the agency's risk profile must be discussed each year with OMB as a component of the summary of findings from the Agency strategic review and FedSTAT (See OMB Circular No. A-11, Section 270). For those objectives for which formal internal control activities have been id… (Section II (C) ¶ 3, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • Residual Risk Assessment (Section II (B) ¶ 3 Bullet 5, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • the extent to which the remaining risk impacts on the Agency's ability to achieve its objectives and meet its mission and goals. (Section IV (D) ¶ 1 (3)(e), OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)