Overview:
The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
Action Items:
1) Create a risk assessment policy and related procedures that outline the organization's risk assessment approach (scope, frequency, the risk rating scale, and the available risk responses: accept, avoid, reduce, or share), and publish them on the company intranet for employees to access and review.
2) Create an asset management policy and related procedures, and publish them on the company intranet for employees to access and review.
3) Create a threat and vulnerability management policy and related procedures, and publish them on the company intranet for employees to access and review.
4) Inspect the policies and procedures to confirm that they are documented and guide personnel in identifying risks to business objectives, assessing changes to the system, and developing risk management strategies as part of the risk assessment process.
5) Inspect the most recent risk assessment to confirm that a formal risk assessment is performed at least annually, that identified risks are rated using the documented risk evaluation process, and that the ratings and their mitigation strategies are formally documented for management review.
6) Inspect the system inventory listing to confirm that an inventory is maintained and that it covers physical devices and systems, virtual devices, software, data and data flows, external information systems, and organizational roles.
7) Inspect the most recent vulnerability assessment to confirm that vulnerability assessments are performed by third-party vendors on a periodic basis to evaluate the effectiveness of control activities, and that any critical- or high-severity vulnerabilities detected are triaged by the information security team and tracked through to resolution.
Related Documents:
1) Risk assessment policy
2) Asset management policy
3) Threat and vulnerability management policy
4) Asset / system inventory
5) Sample of recent business risk assessments
6) Sample of recent vulnerability assessments
Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:
1) Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels—The entity identifies and assesses risk at the entity, subsidiary, division, operating unit, and functional levels relevant to the achievement of objectives.
2) Analyzes Internal and External Factors—Risk identification considers both internal and external factors and their impact on the achievement of objectives.
3) Involves Appropriate Levels of Management—The entity puts into place effective risk assessment mechanisms that involve appropriate levels of management.
4) Estimates Significance of Risks Identified—Identified risks are analyzed through a process that includes estimating the potential significance of the risk.
5) Determines How to Respond to Risks—Risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce, or share the risk.
6) Identifies and Assesses Criticality of Information Assets and Identifies Threats and Vulnerabilities—The entity's risk identification and assessment process includes (1) identifying information assets, including physical devices and systems, virtual devices, software, data and data flows, external information systems, and organizational roles; (2) assessing the criticality of those information assets; (3) identifying the threats to the assets from intentional (including malicious) and unintentional acts and environmental events; and (4) identifying the vulnerabilities of the identified assets.
7) Analyzes Threats and Vulnerabilities From Vendors, Business Partners, and Other Parties—The entity's risk assessment process includes the analysis of potential threats and vulnerabilities arising from vendors providing goods and services, as well as threats and vulnerabilities arising from business partners, customers, and others with access to the entity's information systems.
8) Considers the Significance of the Risk—The entity's consideration of the potential significance of the identified risks includes (1) determining the criticality of identified assets in meeting objectives; (2) assessing the impact of identified threats and vulnerabilities in meeting objectives; (3) assessing the likelihood of identified threats; and (4) determining the risk associated with assets based on asset criticality, threat impact, and likelihood.
Article ID: 225
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/soc-2-risk-identification-and-analysis-principle-7-cc3-2-225.html