Risk Management Controls
Purpose
Bramble governs a risk management program that ensures security and privacy-related risks are visible to and understood by the business unit(s) that own the assets and/or processes involved, and that such risks are consistently identified, assessed, categorized and appropriately remediated. The security and privacy teams only advise and educate on risk management matters; the business units and other key stakeholders ultimately own the risk.
Scope
This control is applicable to the Bramble organization as a whole.
Ownership
This control is owned by the Field Security Team.
Controls
Control Number | Control Title | Control Statement | Goal | TOD | TOE |
---|---|---|---|---|---|
RSK-01 | Risk Management Program | Bramble Group Corp. has implemented mechanisms to implement risk management controls. | Does the organization facilitate the implementation of risk management controls? | 1. Identify policies and procedures responsible for the identification and implementation of risk and cybersecurity risk management controls and processes. 2. Examine policies and procedures for: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; compliance; and implementation requirements. | 1. Examine policies, procedures and related documentation for evidence that risk management controls are defined as outlined in the ToD. 2. Examine policies, procedures and related controls for evidence that risk assessments, control activities, fraud and risk tolerance were evaluated as part of risk management control activities. |
RSK-02 | Risk-Based Security Categorization | Bramble Group Corp. has implemented mechanisms to categorize systems and data in accordance with applicable local, state and federal laws that: (a) document the security categorization results (including supporting rationale) in the security plan for systems; and (b) ensure the security categorization decision is reviewed and approved by the asset owner. | Does the organization categorize systems and data in accordance with applicable local, state and federal laws that: (a) document the security categorization results (including supporting rationale) in the security plan for systems; and (b) ensure the security categorization decision is reviewed and approved by the asset owner? | 1. Identify applicable local, state and federal laws as they apply to risk-based security categorization. 2. Examine the policies, procedures and related documents associated with the categorization of risk and cybersecurity risk management controls, processes and plans. 3. Examine the review and approval of the risk plans by the asset owner at the defined frequency (annual, quarterly, etc.). | 1. Examine the full population of risk plans for categorization results and for review and approval by the asset owner. 2. Examine the full population of risk plans to verify that systems were categorized based on applicable local, state and federal laws. |
RSK-03 | Risk Identification | Bramble Group Corp. has implemented mechanisms to identify and document risks, both internal and external. | Does the organization identify and document risks, both internal and external? | 1. Examine the policies, procedures and related documents associated with risk identification for both internal and external risks at the entity level. | 1. Examine the full population of risk plans for evidence that both internal and external risks were considered, identified, documented and monitored at the entity level. |
RSK-04 | Risk Assessment | Bramble Group Corp. has implemented mechanisms to conduct an annual assessment of risk and to maintain a risk register that monitors the reporting of risks, including the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's systems and data. | Does the organization conduct an annual assessment of risk that includes the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's systems and data? | 1. Examine the policies, procedures and related documents associated with the documentation and reporting of the annual risk assessment and risk register. 2. Validate that the risk assessment and risk register were maintained and monitored. 3. Examine the risk register and risk assessment for evidence that, at a minimum, considerations for the organization's systems and data included: likelihood and magnitude of harm; unauthorized access; use; disclosure; disruption; modification; and destruction. | 1. Examine the risk register and risk assessment to confirm an annual assessment occurred during the examination period. 2. Examine the risk register for evidence that the risk register was maintained and that the considerations outlined in the ToD were addressed for each entity-level risk identified. |
RSK-05 | Risk Ranking | Bramble Group Corp. has implemented mechanisms to identify and assign a risk ranking to newly discovered security vulnerabilities that is based on industry-recognized practices. | Does the organization identify and assign a risk ranking to newly discovered security vulnerabilities that is based on industry-recognized practices? | 1. Identify which industry-recognized practice(s) are used for risk ranking. 2. Examine the policies, procedures and related documents associated with the risk register that outline the assignment of the risk ranking. | 1. Examine the annual risk assessment and risk register for evidence that each risk has an assigned risk ranking based on industry-recognized practices. |
RSK-06 | Risk Remediation | Bramble Group Corp. has implemented mechanisms to remediate risks to an acceptable level and to respond to findings from security and privacy assessments, incidents and audits, ensuring proper remediation has been performed. | Does the organization remediate risks to an acceptable level? | 1. Examine the policies, procedures and related documents associated with the mechanisms to remediate risks and to ensure proper remediation has been performed. | 1. Examine the full risk register and risk assessment for evidence that identified risks have remediation plans in place and/or that remediation has been performed. 2. Examine the full risk register and risk assessment for evidence that identified risks include findings from security and privacy assessments and incidents, and that audits have been conducted after risk remediation to confirm that remediation was performed. |
RSK-07 | Risk Assessment Update | Bramble Group Corp. has implemented mechanisms to routinely update risk assessments and react accordingly upon identifying new security vulnerabilities, including using outside sources for security vulnerability information. | Does the organization routinely update risk assessments and react accordingly upon identifying new security vulnerabilities, including using outside sources for security vulnerability information? | 1. Examine the policies, procedures and related documents associated with the mechanisms to react to and update the risk assessment upon discovery of new vulnerabilities, including vulnerabilities identified using outside sources. | 1. Examine the full risk register and risk assessment for evidence that internal and external sources were used to identify and react to new security vulnerabilities. 2. Examine the full risk register and risk assessment for evidence that the risk register and assessment were updated routinely when new security vulnerabilities were identified. |
RSK-08 | Business Impact Analysis (BIA) | Bramble Group Corp. has implemented mechanisms to conduct a Business Impact Analysis (BIA). | Does the organization conduct a Business Impact Analysis (BIA)? | 1. Examine the policies, procedures and related documents associated with the mechanisms to conduct a Business Impact Analysis (BIA). 2. Examine the BIA for evidence that risk assessment, control activities, business impact and likelihood were considered. | 1. Examine all BIA(s) during the examination period for evidence that a BIA was conducted. 2. Examine all BIA(s) during the examination period for evidence that each BIA considered the factors outlined in the ToD. |
RSK-09 | Supply Chain Risk Management Plan | Bramble Group Corp. has implemented mechanisms to develop a plan for Supply Chain Risk Management (SCRM) and to periodically assess supply chain risks associated with the development, acquisition, maintenance and disposal of systems, system components and services, including documenting selected mitigating actions and monitoring performance against those plans. | Does the organization develop a plan for managing supply chain risks associated with the development, acquisition, maintenance and disposal of systems, system components and services? | 1. Examine the policies, procedures and related documents associated with the documentation mechanisms used to support Supply Chain Risk Management (SCRM). 2. Examine the SCRM documentation and mechanisms for evidence that the assessment of supply chain risk included, but was not limited to: development; acquisition; maintenance; disposal; system components; system services; mitigation actions; and monitoring of performance. | 1. Examine all SCRM assessment(s) conducted in the examination period for evidence that the factors outlined in the ToD were considered. |
RSK-10 | Data Protection Impact Assessment (DPIA) | Bramble Group Corp. has implemented mechanisms to conduct a Data Protection Impact Assessment (DPIA) on systems, applications and services to evaluate privacy implications. | Does the organization conduct a Data Protection Impact Assessment (DPIA) on systems, applications and services to evaluate privacy implications? | 1. Examine the policies, procedures and related documents associated with the mechanisms to conduct a Data Protection Impact Assessment (DPIA) on systems, applications and services. 2. Examine the DPIA for evidence that privacy implications for systems, applications and services were considered and (if applicable) included in any risk assessment or control design and testing activities. | 1. Examine all DPIA(s) during the examination period for evidence that a DPIA was conducted. 2. Examine all DPIA(s) during the examination period for evidence that each DPIA evaluated privacy implications and was included in any risk or control design and testing activities. |
- Test of Design (TOD): verifies that a control is designed appropriately and that it will prevent or detect a particular risk.
- Test of Operating Effectiveness (TOE): verifies that the control is in place and operates as it was designed.
Policy Reference
- Risk Policy (WIP)
- Risk Methodology (WIP)
- Responsible Disclosure Policy (RDP)
- DPIA Assessments
- Risk Remediation and Tracking