Risk Management
Information security risk management is the process of identifying, evaluating, and treating risks to the organization's valuable information. It addresses uncertainties around those assets so that the desired business outcomes are achieved. The activities in this series therefore support information security risk management by determining areas of vulnerability in corporate operations, products and services, and by initiating appropriate remediation.
Category | Sub-Category | Name | Activity |
---|---|---|---|
Risk Management | Risk Assessment | Risk Assessment | [The organization] management performs a risk assessment [in accordance with the organization-defined frequency]. Results from risk assessment activities are reviewed to prioritize mitigation of identified risks. |
Risk Management | Risk Assessment | Risk Assessment: HIPAA Criteria | [The organization]'s periodic risk assessment for systems that process, transmit or store Protected Health Information (PHI) includes the following: |
Risk Management | Risk Assessment | Continuous Monitoring | The design and operating effectiveness of internal controls are continuously evaluated against the established [organization-defined controls framework] by [the organization]. Corrective actions related to identified deficiencies are tracked to resolution. |
Risk Management | Risk Assessment | Self-Assessments | [In accordance with the organization-defined frequency], reviews shall be performed against an approved, documented specification to confirm that personnel are following security policies and operational procedures pertaining to: |
Risk Management | Risk Assessment | Service Risk Rating Assignment | [In accordance with the organization-defined frequency], [the organization] prioritizes the frequency of vulnerability discovery activities based on an assigned service risk rating. |
Risk Management | Internal and External Audit | Internal Audits | [The organization] establishes internal audit requirements and executes audits on information systems and processes [in accordance with the organization-defined frequency]. |
Risk Management | Internal and External Audit | ISMS Internal Audit Requirements | Internal audit establishes and executes a plan to evaluate applicable controls in the Information Security Management System (ISMS) at least once every 3 years. |
Risk Management | Controls Implementation | Remediation Tracking | Management prepares a remediation plan to formally manage the resolution of findings identified in risk assessment activities. |
Risk Management | Controls Implementation | ISMS Corrective Action Plans | Management prepares a Corrective Action Plan (CAP) to manage the resolution of nonconformities identified in independent audits. |
Risk Management | Controls Implementation | Statement of Applicability | Management prepares a statement of applicability that includes control objectives, implemented controls, and business justification for excluded controls. Management aligns the statement of applicability with the results of the risk assessment. |