Include threat assessment in the internal control framework.


CONTROL ID
01347
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an internal control framework., CC ID: 00820

This Control has the following implementation support Control(s):
  • Automate threat assessments, as necessary., CC ID: 06877


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Depending on the selected method for risk analysis, the information security management must define how basic threats, potentials for causing damage, probabilities of occurrence, and the risks resulting thereof should be classified and assessed. However, it is difficult, complex, and moreover prone … (§ 8.1 Subsection 2 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • The organization should have an effective information system security program (ISSP). To be effective, the ISSP should be cost effective, have available resources, have written policies and procedures to explicitly define responsibility and accountability of the ISSP, and ensure reviews are conducte… (Pg 12-IV-1, Pg 12-IV-2, Protection of Assets Manual, ASIS International)
  • The information security governance framework should include a process that requires the governing body to monitor the overall implications of the changing threat landscape. (SG.01.01.05c-3, The Standard of Good Practice for Information Security)
  • The information security governance framework should include a process that requires the governing body to monitor the overall implications of the changing threat landscape. (SG.01.01.05c-3, The Standard of Good Practice for Information Security, 2013)
  • ¶ 10 Selection of Safeguards According to Security Concerns and Threats. An organization should select safeguards according to security concerns and threats in the following way. • The first step is to identify and assess the security concerns. The requirements for confidentiality, integrity, ava… (¶ 10, ¶ 11, ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • The security analysis should contain a statement of the identified threats to the product. An assessment should be made of the likelihood for each threat developing into an actual attack. (§ 6.3.1, ISO 15408-1 Common Criteria for Information Technology Security Evaluation Part 1, 2005)
  • changes in external and internal issues that are relevant to the compliance management system; (§ 9.3.2 ¶ 1 b), ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • A threat assessment to help focus the risk identification efforts. (App A Objective 4.2.a, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether management has effective threat identification and assessment processes, including the following: (App A Objective 8.3, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether management has a means to collect data on potential threats to identify information security risks. Determine whether management uses threat modeling (e.g., development of attack trees) to assist in identifying and quantifying risk and in better understanding the nature, frequency,… (App A Objective 4.3, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should do the following: - Identify and assess threats. - Use threat knowledge to drive risk assessment and response. - Design policies to allow immediate and consequential threats to be dealt with expeditiously. (III.A Threat Identification and Assessment, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Performs a threat analysis. (App A Objective 11:1 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Auditors who previously provided nonaudit services for an entity that is a prospective subject of an engagement should evaluate the effect of those nonaudit services on independence before agreeing to conduct a GAGAS engagement. If auditors provided a nonaudit service in the period to be covered by … (3.83, GAO-21-368G, GOVERNMENT AUDITING STANDARDS 2018 Revision Technical Update April 2021)
  • § 4.7.3 Bullet 1: Identify preventive measures for each defined scenario that could result in critical service operation loss involving ePHI. § 4.7.3 Bullet 2: Ensure that identified preventive measures are practical and feasible in a given environment. (§ 4.7.3 Bullet 1, § 4.7.3 Bullet 2, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Identify threat tactics, and methodologies. (T0708, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization must document the results and the supporting rationale of the impact levels in the System Security Plan. (SG.RA-3 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Identify threat tactics, and methodologies. (T0708, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Licensees must, as part of the cyber security program, evaluate and manage cyber risks. (§ 73.54(d)(2), 10 CFR Part 73.54, Protection of digital computer and communication systems and networks)