3.2.3 Risk Treatment
No: 43028139 | Date(g): 4/11/2021 | Date(h): 29/3/1443 |
Effective from 2021-11-04 - Nov 03 2021
Principle
IT risks associated with the Member Organization's information assets should be adequately treated based on the applicable criteria (i.e. accepted, avoided, transferred or mitigated).
Control Requirements
1. IT risk treatment plan should be defined, approved and communicated.
2. IT risk treatment plan should be implemented and periodically evaluated.
3. IT risks should be treated according to the Member Organization's risk appetite, as defined by the relevant governance function owner and approved by the ITSC.
4. IT risk treatment plan should include the detailed design and implementation of the controls required to mitigate the identified risks.
5. IT risk treatment plan should ensure that the list of risk treatment options is formally documented (i.e. accepting, avoiding, transferring or mitigating risks by applying IT controls).
6. Risk acceptance should be the least preferred option; risk mitigation through implementation of primary controls should be preferred over it.
7. Accepting IT risks should be formally documented, approved and signed off by the business owner and reported to the risk committee, ensuring that:
   a. risk acceptance is provided with a detailed justification including, but not limited to, the following:
      1. impact (i.e. operational, financial and reputational) of not implementing the primary control(s); and
      2. compensating control(s) in place of the primary control(s) for risk mitigation;
   b. the accepted IT risk is within the risk appetite of the Member Organization;
   c. the accepted IT risk does not contradict the SAMA regulations;
   d. a separate exception is documented for each unique risk;
   e. risk acceptance is renewed periodically; and
   f. risk acceptance is presented and reported to the risk committee.
8. Avoiding IT risks should involve a decision by the business owner and the risk committee to cancel or postpone a particular activity or project that introduces an unacceptable IT risk to the business.
9. Transferring or sharing IT risks should:
   a. involve sharing the IT risks with relevant (internal or external) providers; and
   b. be accepted by the receiving (internal or external) provider(s).
10. Applying IT controls to mitigate IT risks should include:
   a. identifying appropriate IT controls;
   b. evaluating the strengths and weaknesses of the IT controls;
   c. selecting adequate IT controls; and
   d. documenting, and obtaining sign-off from the business owner and the risk committee for, any residual risk.
11. IT risk treatment actions should be documented in a risk treatment plan.