Back

Disseminate and communicate the risk assessment policy to interested personnel and affected parties.


CONTROL ID
14115
CONTROL TYPE
Communicate
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a risk assessment policy., CC ID: 14026

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • In accordance with their ICT risk management framework, financial entities shall minimise the impact of ICT risk by deploying appropriate strategies, policies, procedures, ICT protocols and tools. They shall provide complete and updated information on ICT risk and on their ICT risk management framew… (Art. 6.3., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for managing the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally… (CCC-01, Cloud Controls Matrix, v4.0)
  • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (RA-1a.1., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (RA-1a.1., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (RA-1a.1., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (RA-1a.1., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (RA-1a.1. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (RA-1a.1. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (RA-1a.1. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: (RA-1a.1., FedRAMP Security Controls High Baseline, Version 5)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: (RA-1a.1., FedRAMP Security Controls Low Baseline, Version 5)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: (RA-1a.1., FedRAMP Security Controls Moderate Baseline, Version 5)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: (RA-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: (RA-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: (RA-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: (RA-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: (RA-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: (RA-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: (RA-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: (RA-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (RA-1a.1. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (RA-1a.1. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (RA-1a.1. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (RA-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (RA-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (RA-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (RA-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: (RA-1a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: (RA-1a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (RA-1a.1., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (RA-1a.1., TX-RAMP Security Controls Baseline Level 1)
  • A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (RA-1a.1., TX-RAMP Security Controls Baseline Level 2)