compliance controls are associated with this Policy definition 'Conduct Risk Assessment' (677e1da4-00c3-287a-563d-f4a1cf9b99a0)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
RA-3 |
FedRAMP_High_R4_RA-3 |
FedRAMP High RA-3 |
Risk Assessment |
Risk Assessment |
Shared |
n/a |
The organization:
a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
c. Reviews risk assessment results [Assignment: organization-defined frequency];
d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and
e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
Supplemental Guidance: Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing
entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems.
Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information
system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the
first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation. Related controls: RA-2, PM-9.
Control Enhancements: None.
References: OMB Memorandum 04-04; NIST Special Publication 800-30, 800-39; Web:idmanagement.gov. |
link |
4 |
| FedRAMP_Moderate_R4 |
RA-3 |
FedRAMP_Moderate_R4_RA-3 |
FedRAMP Moderate RA-3 |
Risk Assessment |
Risk Assessment |
Shared |
n/a |
The organization:
a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
c. Reviews risk assessment results [Assignment: organization-defined frequency];
d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and
e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
Supplemental Guidance: Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing
entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems.
Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information
system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the
first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation. Related controls: RA-2, PM-9.
Control Enhancements: None.
References: OMB Memorandum 04-04; NIST Special Publication 800-30, 800-39; Web:idmanagement.gov. |
link |
4 |
| hipaa |
0121.05a2Organizational.12-05.a |
hipaa-0121.05a2Organizational.12-05.a |
0121.05a2Organizational.12-05.a |
01 Information Protection Program |
0121.05a2Organizational.12-05.a 05.01 Internal Organization |
Shared |
n/a |
The organization's information protection and risk management programs, including the risk assessment process, are formally approved, and are reviewed for effectiveness and updated annually. |
|
6 |
| hipaa |
0125.05a3Organizational.2-05.a |
hipaa-0125.05a3Organizational.2-05.a |
0125.05a3Organizational.2-05.a |
01 Information Protection Program |
0125.05a3Organizational.2-05.a 05.01 Internal Organization |
Shared |
n/a |
Annual risk assessments are performed by an independent organization. |
|
8 |
| hipaa |
0602.06g1Organizational.3-06.g |
hipaa-0602.06g1Organizational.3-06.g |
0602.06g1Organizational.3-06.g |
06 Configuration Management |
0602.06g1Organizational.3-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance |
Shared |
n/a |
The results and recommendations of the reviews are documented and approved by management. |
|
10 |
| hipaa |
069.06g2Organizational.56-06.g |
hipaa-069.06g2Organizational.56-06.g |
069.06g2Organizational.56-06.g |
06 Configuration Management |
069.06g2Organizational.56-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance |
Shared |
n/a |
The internal security organization reviews and maintains records of compliance results (e.g., organization-defined metrics) in order to better track security trends within the organization, respond to the results of correlation and analysis, and address longer term areas of concern as part of its formal risk assessment process. |
|
7 |
| hipaa |
0824.09m3Organizational.1-09.m |
hipaa-0824.09m3Organizational.1-09.m |
0824.09m3Organizational.1-09.m |
08 Network Protection |
0824.09m3Organizational.1-09.m 09.06 Network Security Management |
Shared |
n/a |
The impact of the loss of network service to the business is defined. |
|
10 |
| hipaa |
1637.12b2Organizational.2-12.b |
hipaa-1637.12b2Organizational.2-12.b |
1637.12b2Organizational.2-12.b |
16 Business Continuity & Disaster Recovery |
1637.12b2Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management |
Shared |
n/a |
Business impact analyses are used to evaluate the consequences of disasters, security failures, loss of service, and service availability. |
|
8 |
| hipaa |
1704.03b1Organizational.12-03.b |
hipaa-1704.03b1Organizational.12-03.b |
1704.03b1Organizational.12-03.b |
17 Risk Management |
1704.03b1Organizational.12-03.b 03.01 Risk Management Program |
Shared |
n/a |
The organization performs risk assessments in a consistent way and at planned intervals, or when there are major changes to the organization's environment, and reviews the risk assessment results annually. |
|
2 |
| hipaa |
1705.03b2Organizational.12-03.b |
hipaa-1705.03b2Organizational.12-03.b |
1705.03b2Organizational.12-03.b |
17 Risk Management |
1705.03b2Organizational.12-03.b 03.01 Risk Management Program |
Shared |
n/a |
The organization updates the results of a formal, comprehensive risk assessment every two (2) years, or whenever there is a significant change to the information system or operational environment, assesses a subset of the security controls within every three hundred sixty-five (365) days during continuous monitoring, and reviews the risk assessment results annually. |
|
2 |
| hipaa |
1733.03d1Organizational.1-03.d |
hipaa-1733.03d1Organizational.1-03.d |
1733.03d1Organizational.1-03.d |
17 Risk Management |
1733.03d1Organizational.1-03.d 03.01 Risk Management Program |
Shared |
n/a |
The risk management program includes the requirement that risk assessments be re-evaluated at least annually, or when there are significant changes in the environment. |
|
3 |
| hipaa |
1737.03d2Organizational.5-03.d |
hipaa-1737.03d2Organizational.5-03.d |
1737.03d2Organizational.5-03.d |
17 Risk Management |
1737.03d2Organizational.5-03.d 03.01 Risk Management Program |
Shared |
n/a |
The privacy, security and risk management program(s) is/are updated to reflect changes in risks. |
|
4 |
| ISO27001-2013 |
A.12.6.1 |
ISO27001-2013_A.12.6.1 |
ISO 27001:2013 A.12.6.1 |
Operations Security |
Management of technical vulnerabilities |
Shared |
n/a |
Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. |
link |
13 |
| ISO27001-2013 |
C.9.3.a |
ISO27001-2013_C.9.3.a |
ISO 27001:2013 C.9.3.a |
Performance Evaluation |
Management review |
Shared |
n/a |
Top management shall review the organization’s information security management system at planned
intervals to ensure its continuing suitability, adequacy and effectiveness.
The management review shall include consideration of:
a) the status of actions from previous management reviews;
The outputs of the management review shall include decisions related to continual improvement
opportunities and any needs for changes to the information security management system.
The organization shall retain documented information as evidence of the results of management reviews. |
link |
5 |
| ISO27001-2013 |
C.9.3.b |
ISO27001-2013_C.9.3.b |
ISO 27001:2013 C.9.3.b |
Performance Evaluation |
Management review |
Shared |
n/a |
Top management shall review the organization’s information security management system at planned
intervals to ensure its continuing suitability, adequacy and effectiveness.
The management review shall include consideration of:
b) changes in external and internal issues that are relevant to the information security management
system.
The outputs of the management review shall include decisions related to continual improvement
opportunities and any needs for changes to the information security management system.
The organization shall retain documented information as evidence of the results of management reviews. |
link |
4 |
| ISO27001-2013 |
C.9.3.c.1 |
ISO27001-2013_C.9.3.c.1 |
ISO 27001:2013 C.9.3.c.1 |
Performance Evaluation |
Management review |
Shared |
n/a |
Top management shall review the organization’s information security management system at planned
intervals to ensure its continuing suitability, adequacy and effectiveness.
The management review shall include consideration of:
c) feedback on the information security performance, including trends in:
- 1) nonconformities and corrective actions.
The outputs of the management review shall include decisions related to continual improvement
opportunities and any needs for changes to the information security management system.
The organization shall retain documented information as evidence of the results of management reviews. |
link |
6 |
| ISO27001-2013 |
C.9.3.c.2 |
ISO27001-2013_C.9.3.c.2 |
ISO 27001:2013 C.9.3.c.2 |
Performance Evaluation |
Management review |
Shared |
n/a |
Top management shall review the organization’s information security management system at planned
intervals to ensure its continuing suitability, adequacy and effectiveness.
The management review shall include consideration of:
c) feedback on the information security performance, including trends in:
- 2) monitoring and measurement results.
The outputs of the management review shall include decisions related to continual improvement
opportunities and any needs for changes to the information security management system.
The organization shall retain documented information as evidence of the results of management reviews. |
link |
4 |
| ISO27001-2013 |
C.9.3.c.3 |
ISO27001-2013_C.9.3.c.3 |
ISO 27001:2013 C.9.3.c.3 |
Performance Evaluation |
Management review |
Shared |
n/a |
Top management shall review the organization’s information security management system at planned
intervals to ensure its continuing suitability, adequacy and effectiveness.
The management review shall include consideration of:
c) feedback on the information security performance, including trends in:
- 3) audit results.
The outputs of the management review shall include decisions related to continual improvement
opportunities and any needs for changes to the information security management system.
The organization shall retain documented information as evidence of the results of management reviews. |
link |
4 |
| ISO27001-2013 |
C.9.3.c.4 |
ISO27001-2013_C.9.3.c.4 |
ISO 27001:2013 C.9.3.c.4 |
Performance Evaluation |
Management review |
Shared |
n/a |
Top management shall review the organization’s information security management system at planned
intervals to ensure its continuing suitability, adequacy and effectiveness.
The management review shall include consideration of:
c) feedback on the information security performance, including trends in:
- 4) fulfilment of information security objectives;
The outputs of the management review shall include decisions related to continual improvement
opportunities and any needs for changes to the information security management system.
The organization shall retain documented information as evidence of the results of management reviews. |
link |
4 |
| ISO27001-2013 |
C.9.3.d |
ISO27001-2013_C.9.3.d |
ISO 27001:2013 C.9.3.d |
Performance Evaluation |
Management review |
Shared |
n/a |
Top management shall review the organization’s information security management system at planned
intervals to ensure its continuing suitability, adequacy and effectiveness.
The management review shall include consideration of:
d) feedback from interested parties;
The outputs of the management review shall include decisions related to continual improvement
opportunities and any needs for changes to the information security management system.
The organization shall retain documented information as evidence of the results of management reviews. |
link |
3 |
| ISO27001-2013 |
C.9.3.e |
ISO27001-2013_C.9.3.e |
ISO 27001:2013 C.9.3.e |
Performance Evaluation |
Management review |
Shared |
n/a |
Top management shall review the organization’s information security management system at planned
intervals to ensure its continuing suitability, adequacy and effectiveness.
The management review shall include consideration of:
e) results of risk assessment and status of risk treatment plan; and
The outputs of the management review shall include decisions related to continual improvement
opportunities and any needs for changes to the information security management system.
The organization shall retain documented information as evidence of the results of management reviews. |
link |
3 |
| ISO27001-2013 |
C.9.3.f |
ISO27001-2013_C.9.3.f |
ISO 27001:2013 C.9.3.f |
Performance Evaluation |
Management review |
Shared |
n/a |
Top management shall review the organization’s information security management system at planned
intervals to ensure its continuing suitability, adequacy and effectiveness.
The management review shall include consideration of:
f) opportunities for continual improvement.
The outputs of the management review shall include decisions related to continual improvement
opportunities and any needs for changes to the information security management system.
The organization shall retain documented information as evidence of the results of management reviews. |
link |
3 |
| NIST_SP_800-53_R4 |
RA-3 |
NIST_SP_800-53_R4_RA-3 |
NIST SP 800-53 Rev. 4 RA-3 |
Risk Assessment |
Risk Assessment |
Shared |
n/a |
The organization:
a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
c. Reviews risk assessment results [Assignment: organization-defined frequency];
d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and
e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
Supplemental Guidance: Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing
entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems.
Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information
system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the
first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation. Related controls: RA-2, PM-9.
Control Enhancements: None.
References: OMB Memorandum 04-04; NIST Special Publication 800-30, 800-39; Web:idmanagement.gov. |
link |
4 |
| NIST_SP_800-53_R5 |
RA-3 |
NIST_SP_800-53_R5_RA-3 |
NIST SP 800-53 Rev. 5 RA-3 |
Risk Assessment |
Risk Assessment |
Shared |
n/a |
a. Conduct a risk assessment, including:
1. Identifying threats to and vulnerabilities in the system;
2. Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and
3. Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;
b. Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;
c. Document risk assessment results in [Selection: security and privacy plans;risk assessment report; [Assignment: organization-defined document] ] ;
d. Review risk assessment results [Assignment: organization-defined frequency];
e. Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and
f. Update the risk assessment [Assignment: organization-defined frequency] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system. |
link |
4 |
| PCI_DSS_v4.0 |
12.3.1 |
PCI_DSS_v4.0_12.3.1 |
PCI DSS v4.0 12.3.1 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
Risks to the cardholder data environment are formally identified, evaluated, and managed |
Shared |
n/a |
Each PCI DSS requirement that provides flexibility for how frequently it is performed (for example, requirements to be performed periodically) is supported by a targeted risk analysis that is documented and includes:
• Identification of the assets being protected.
• Identification of the threat(s) that the requirement is protecting against.
• Identification of factors that contribute to the likelihood and/or impact of a threat being realized.
• Resulting analysis that determines, and includes justification for, how frequently the requirement must be performed to minimize the likelihood of the threat being realized.
• Review of each targeted risk analysis at least once every 12 months to determine whether the results are still valid or if an updated risk analysis is needed.
• Performance of updated risk analyses when needed, as determined by the annual review. |
link |
4 |
| PCI_DSS_v4.0 |
12.3.2 |
PCI_DSS_v4.0_12.3.2 |
PCI DSS v4.0 12.3.2 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
Risks to the cardholder data environment are formally identified, evaluated, and managed |
Shared |
n/a |
A targeted risk analysis is performed for each PCI DSS requirement that the entity meets with the customized approach, to include:
• Documented evidence detailing each element specified in Appendix D: Customized Approach (including, at a minimum, a controls matrix and risk analysis).
• Approval of documented evidence by senior management.
• Performance of the targeted analysis of risk at least once every 12 months. |
link |
4 |
| PCI_DSS_v4.0 |
5.2.3.1 |
PCI_DSS_v4.0_5.2.3.1 |
PCI DSS v4.0 5.2.3.1 |
Requirement 05: Protect All Systems and Networks from Malicious Software |
Malicious software (malware) is prevented, or detected and addressed |
Shared |
n/a |
The frequency of periodic evaluations of system components identified as not at risk for malware is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. |
link |
3 |
| SWIFT_CSCF_v2022 |
7.4A |
SWIFT_CSCF_v2022_7.4A |
SWIFT CSCF v2022 7.4A |
7. Plan for Incident Response and Information Sharing |
Evaluate the risk and readiness of the organisation based on plausible cyber-attack scenarios. |
Shared |
n/a |
Scenario-based risk assessments are conducted regularly to improve incident response preparedness and to increase the maturity of the organisation’s security programme. |
link |
7 |