3.2.1 Cyber Security Risk Management
No: 381000091275 | Date(g): 24/5/2017 | Date(h): 28/8/1438 | Status: In-Force
Principle
A cyber security risk management process should be defined, approved and implemented, and should be aligned with the Member Organization's enterprise risk management process.
Objective
To ensure cyber security risks are properly managed to protect the confidentiality, integrity and availability of the Member Organization's information assets, and to ensure the cyber security risk management process is aligned with the Member Organization's enterprise risk management process.
Control considerations
1. The cyber security risk management process should be defined, approved and implemented.
2. The cyber security risk management process should focus on safeguarding the confidentiality, integrity and availability of information assets.
3. The cyber security risk management process should be aligned with the existing enterprise risk management process.
4. The cyber security risk management process should be documented and address:
   a. risk identification;
   b. risk analysis;
   c. risk response;
   d. risk monitoring and review.
5. The cyber security risk management process should address the Member Organization's information assets, including (but not limited to):
   a. business processes;
   b. business applications;
   c. infrastructure components.
6. The cyber security risk management process should be initiated:
   a. at an early stage of the project;
   b. prior to critical change;
   c. when outsourcing is being considered;
   d. when launching new products and technologies.
7. Existing information assets should be periodically subject to cyber security risk assessment based on their classification or risk profile.
8. The cyber security risk management activities should involve:
   a. business owners;
   b. IT specialists;
   c. cyber security specialists;
   d. key user representatives.
9. The result of the risk assessment should be reported to the relevant business owner (i.e., risk owner) within the Member Organization.
10. The relevant business owner (i.e., risk owner) within the Member Organization should accept and endorse the risk assessment results.
11. The Member Organization's cyber security risk appetite and risk tolerance should be clearly defined and formally approved.