Establish, implement, and maintain a risk assessment policy.
CONTROL ID
14026
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a risk assessment program., CC ID: 00687

This Control has the following implementation support Control(s):
  • Include compliance requirements in the risk assessment policy., CC ID: 14121
  • Include coordination amongst entities in the risk assessment policy., CC ID: 14120
  • Include management commitment in the risk assessment policy., CC ID: 14119
  • Include roles and responsibilities in the risk assessment policy., CC ID: 14118
  • Include the scope in the risk assessment policy., CC ID: 14117
  • Include the purpose in the risk assessment policy., CC ID: 14116
  • Disseminate and communicate the risk assessment policy to interested personnel and affected parties., CC ID: 14115
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • policies on risk analysis and information system security; (Article 21 2(a), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • In accordance with their ICT risk management framework, financial entities shall minimise the impact of ICT risk by deploying appropriate strategies, policies, procedures, ICT protocols and tools. They shall provide complete and updated information on ICT risk and on their ICT risk management framew… (Art. 6.3., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Document basic procedure of the organisation for performance of risk analyses in a policy and present this to the management level for passing (§ 8.5 Subsection 2 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Establishment of a risk management process: The risk analysis is an important component of the information security management system (ISMS). The basic prerequisites for this should therefore be specified by the organisation's management. The basic approach of the organisation for performance of ris… (§ 8.5 Subsection 1 ¶ 6 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (RA-1a.1., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Risk assessment policy [Assignment: organization-defined frequency]; and (RA-1b.1., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (RA-1a.1., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Risk assessment policy [Assignment: organization-defined frequency]; and (RA-1b.1., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (RA-1a.1., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Risk assessment policy [Assignment: organization-defined frequency]; and (RA-1b.1., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (RA-1a.1., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Risk assessment policy [Assignment: organization-defined frequency]; and (RA-1b.1., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (RA-1a.1. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Risk assessment policy [FedRAMP Assignment: at least annually]; and (RA-1b.1. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Risk assessment policy [FedRAMP Assignment: at least every 3 years]; (RA-1b.1. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (RA-1a.1. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (RA-1a.1. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Risk assessment policy [FedRAMP Assignment: at least every 3 years]; (RA-1b.1. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: (RA-1a.1., FedRAMP Security Controls High Baseline, Version 5)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (RA-1a.1(b), FedRAMP Security Controls High Baseline, Version 5)
  • Policy [FedRAMP Assignment: at least annually] and following [Assignment: organization-defined events]; and (RA-1c.1., FedRAMP Security Controls High Baseline, Version 5)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: (RA-1a.1., FedRAMP Security Controls Low Baseline, Version 5)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (RA-1a.1(b), FedRAMP Security Controls Low Baseline, Version 5)
  • Policy [FedRAMP Assignment: at least every 3 years] and following [Assignment: organization-defined events]; and (RA-1c.1., FedRAMP Security Controls Low Baseline, Version 5)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: (RA-1a.1., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (RA-1a.1(b), FedRAMP Security Controls Moderate Baseline, Version 5)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: (RA-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (RA-1a.1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (RA-1c.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (RA-1c.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: (RA-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (RA-1a.1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (RA-1c.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (RA-1a.1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: (RA-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (RA-1a.1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: (RA-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (RA-1c.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: (RA-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (RA-1a.1(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (RA-1c.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: (RA-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (RA-1c.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (RA-1a.1(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: (RA-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (RA-1c.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (RA-1a.1(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: (RA-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (RA-1c.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (RA-1a.1(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (RA-1a.1. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (RA-1a.1. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (RA-1a.1. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Risk assessment policy [Assignment: organization-defined frequency]; and (RA-1b.1. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Risk assessment policy [Assignment: organization-defined frequency]; and (RA-1b.1. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Risk assessment policy [Assignment: organization-defined frequency]; and (RA-1b.1. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (RA-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Risk assessment policy [Assignment: organization-defined frequency]; and (RA-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (RA-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Risk assessment policy [Assignment: organization-defined frequency]; and (RA-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (RA-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Risk assessment policy [Assignment: organization-defined frequency]; and (RA-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (RA-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Risk assessment policy [Assignment: organization-defined frequency]; and (RA-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: (RA-1a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (RA-1c.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (RA-1a.1(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: (RA-1a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (RA-1c.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (RA-1a.1(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (RA-1a.1., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Risk assessment policy [Assignment: organization-defined frequency]; and (RA-1b.1., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Document the company's security-related policies and procedures, to include, but not limited to, methodologies used and timelines established for conducting criticality assessments, risk assessments, and security vulnerability assessments (SVAs), if applicable; (3.1 ¶ 1 Bullet 2, Pipeline Security Guidelines)
  • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (RA-1a.1., TX-RAMP Security Controls Baseline Level 1)
  • Risk assessment policy [TX-RAMP Assignment: at least every 3 years]; and (RA-1b.1., TX-RAMP Security Controls Baseline Level 1)
  • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (RA-1a.1., TX-RAMP Security Controls Baseline Level 2)
  • Risk assessment policy [TX-RAMP Assignment: at least every 3 years]; and (RA-1b.1., TX-RAMP Security Controls Baseline Level 2)