3.2.3 Risk Treatment
No: 43028139 | Date(g): 4/11/2021 | Date(h): 29/3/1443 | Status: In-Force
Principle
IT risks associated with the Member Organization's information assets should be adequately treated based on the applicable criteria (i.e. accepted, avoided, transferred or mitigated).
Control Requirements
1. The IT risk treatment plan should be defined, approved and communicated.
2. The IT risk treatment plan should be implemented and periodically evaluated.
3. IT risks should be treated according to the Member Organization's risk appetite, as defined by the relevant governance function owner and approved by the ITSC.
4. The IT risk treatment plan should include the detailed design and implementation of the controls required to mitigate the identified risks.
5. The IT risk treatment plan should ensure that the list of risk treatment options is formally documented (i.e. accepting, avoiding, transferring or mitigating risks by applying IT controls).
6. Risk acceptance should be the least preferred option; risk mitigation through the implementation of primary controls should be preferred.
7. Accepting IT risks should be formally documented, approved and signed off by the business owner and reported to the risk committee, ensuring that:
   a. risk acceptance is provided with a detailed justification, including but not limited to the following:
      1. the impact (i.e. operational, financial and reputational) of not implementing the primary control(s); and
      2. the compensating control(s) in place of the primary control(s) for risk mitigation;
   b. the accepted IT risk is within the risk appetite of the Member Organization;
   c. the accepted IT risk does not contradict the SAMA regulations;
   d. a separate exception is documented for each unique risk;
   e. risk acceptance is renewed periodically; and
   f. risk acceptance is presented and reported to the risk committee.
8. Avoiding IT risks should involve a decision by the business owner and the risk committee to cancel or postpone a particular activity or project that introduces an unacceptable IT risk to the business.
9. Transferring or sharing IT risks should:
   a. involve sharing the IT risks with the relevant (internal or external) providers; and
   b. be accepted by the receiving (internal or external) provider(s).
10. Applying IT controls to mitigate IT risks should include:
   a. identifying appropriate IT controls;
   b. evaluating the strengths and weaknesses of the IT controls;
   c. selecting adequate IT controls; and
   d. documenting and obtaining sign-off for any residual risk from the business owner and the risk committee.
11. IT risk treatment actions should be documented in a risk treatment plan.