The recent issuance of several guidelines relative to the Cybersecurity Risk Assessment Tool requires a moderate amount of response to ensure compliance. Below, we summarize the impact and list actions recommended for you to take in response to the guidance from your regulator.
Inherent risk levels are not intended to be rigid. When in doubt, use the higher risk level.
- When in doubt about the risk of an individual activity, use the higher risk level.
- Don’t exclusively use the inherent activity risk definitions where known risks are higher.
- If there is a choice in levels of risk, choose the higher measure.
- The inherent risk profile should consider whether specific categories pose an additional risk.
- Don’t simply use the mode for the 39 inherent risk activities. Take into account judgmental factors as to the relative importance/volume of risk activities.
- Controls defined in declarative statements can be achieved by compensating controls.
- If a declarative statement objective is achieved by other means, document those other means (compensating controls).
- Understand the maturity levels (see May 2017 Users Guide) and ensure that the ITSC understands the levels when they choose the target level.
Your ISO’s Plan of Action
- Report the regulatory change to the board and/or ITSC.
- Recommend to the Board or ITSC changes to policies, standards or procedures as needed based upon changing circumstances AND new guidance (amended Policies and Standards are available).
- Report to the ITSC the ISO’s evaluation of 39 inherent activity risks for changes due to changed activities OR re-evaluation of each activity risk in light of recommended flexibility in the new guidance.
- Report to ITSC the ISO’s evaluate of aggregate risk for potential increase resulting from changes in inherent risk activities OR due to consideration of the relative impact of specific risks (i.e. no longer selecting merely the mode of individual inherent risk measures but considering the relative impact of some individual activities) recommended by new guidance.
- Recommend to the ITSC the ISO’s review of declarative statements in the CRAT and define those that employ compensating controls and obtain documented approval.