Include cost benefit analysis in the decision management strategy.

CONTROL ID
14014
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a decision management strategy. (CC ID: 06913)

There are no implementation support Controls.

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Specific security safeguards can be derived from the general security objectives and security requirements specified by the management level. When selecting security safeguards, the cost-benefit aspects and practical feasibility must also be considered besides the effects on the level of security. (§ 8.1 Subsection 5 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Maintaining a particular level of security always requires financial, personnel, and time-related resources that must be made available in sufficient quantities by the management level. If set objectives cannot be achieved due to a lack of resources, it is not the fault of the persons responsible fo… (§ 5 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • The hypothetical effort and possible costs of any security safeguards required and information on existing security mechanisms are important decision-making aids. (§ 6.1 ¶ 8, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • consider associated costs and benefits. (§ 8.3.3 ¶ 1 c), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Assets of and their value to communities and societies: (§ 6.4.2.2 ¶ 1 Bullet 3, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • Assets of and their value to individuals: (§ 6.4.2.2 ¶ 1 Bullet 2, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • Potential costs, including non-monetary costs, which result from expected or realized AI errors or system functionality and trustworthiness – as connected to organizational risk tolerance – are examined and documented. (MAP 3.2, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
  • Organizations should plan on periodically reevaluating their alternatives to patching. There are two main aspects to this. One is conducting a risk assessment to see if the alternatives to patching are still sufficiently effective at mitigating risk. The other is conducting a cost-benefit analysis t… (3.5.4 ¶ 3, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology, NIST SP 800-40, Revision 4)
  • Evaluate cost/benefit, economic, and risk analysis in decision-making process. (T0099, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The ISCP Coordinator should ensure that the strategy chosen can be implemented effectively with available personnel and financial resources. The cost of each type of alternate site, equipment replacement, and storage option under consideration should be weighed against budget limitations. The coordi… (§ 3.4.5 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Evaluate cost/benefit, economic, and risk analysis in decision-making process. (T0099, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Federal managers must carefully consider the appropriate balance between controls and risk in their programs and operations. To emphasize, too many controls can result in inefficient and ineffective government; agency managers must ensure an appropriate balance between the strength of controls and t… (Section III ¶ 9, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)