RA-03 Risk Assessment

Risk Assessment

Low Moderate High Privacy

Description

The organization conducts assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency (including information and information systems managed/operated by external parties).

Supplemental Guidance

Risk assessments take into account vulnerabilities, threat sources, and security controls planned or in place to determine the resulting level of residual risk posed to organizational operations, organizational assets, or individuals based on the operation of the information system. The organization also considers potential impacts to other organizations and, in accordance with the USA PATRIOT Act and Homeland Security Presidential Directives, potential national-level impacts in categorizing the information system. Risk assessments also take into account risk posed to organizational operations, organizational assets, or individuals from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems. The General Services Administration provides tools supporting that portion of the risk assessment dealing with public access to federal information systems. NIST Special Publication 800-30 provides guidance on conducting risk assessments including threat, vulnerability, and impact assessments.

Changes from Rev 4

Control text adds privacy and a statement about integrating risk assessment results and risk management decisions with system-level risk assessments. Discussion adds information about the need for risk assessments to consider threats, vulnerabilities, likelihood, and impact based on the operation and use of systems, as well as risk from external parties, individuals accessing organizational systems, contractors operating systems on behalf of the organization, service providers, and outsourcing entities. Incorporates privacy risk assessment elements of withdrawn App J control AR-02.

Enhancements

(0) None.

Compliance Mappings

ISO 27001:2022

4.1, 6.1, 6.1.3, 8.2, 8.3, A.5.7

ISO 27002:2022

5.7

COBIT 2019

APO12, APO13, EDM03

CIS Controls v8

CIS 16.14, CIS 16.6

NIST CSF 2.0

DE.AE-04, DE.AE-07, GV.OV-02, GV.RM-04, GV.RM-06, GV.SC-07, ID.RA-03, ID.RA-04, ID.RA-05, ID.RA-06, RS.AN-08

SOC 2 TSC

A1.2, CC3.2-POF1, CC3.4-POF1, CC3.4-POF2, CC3.4-POF3, CC4.1, CC7.3

PCI DSS v4.0.1

12.3

CSA CCM v4

AA-03, BCR-02, CEK-06, CEK-07, DSP-09, GRC-02, STA-08, STA-14, TVM-08

CSA AICM v1

A&amp;A-03, BCR-02, CEK-06, CEK-07, DSP-09, DSP-21, GRC-02, GRC-11, GRC-14, MDS-12, MDS-13, STA-08, STA-14, TVM-08, TVM-11

ISO 42001:2023

A.5.2, A.5.3, A.5.4, A.5.5

IEC 62443

2-1 4.3, 2-1 4.4

NIS2 Directive

Art. 21(2)(a)

PRA Operational Resilience

SS1/21-10.1, SS1/21-4.1, SS1/21-6.1, SS2/21-16.1, SS2/21-4.1, SS2/21-5.1

MAS TRM

4

ANSSI

Hygiene.41, RGS.3.1, SecNumCloud.7.2

FINMA Circular 2023/1

IV.B.c(54), IV.B.c(55), IV.B.c(56), IV.B.c(57), IV.B.d(58)

OSFI B-13

B-13.1.3, B-13.3.1

EU GDPR

Art.32(1), Art.35(1), Art.35(7)(c)

EU DORA

Art.6(2), Art.6(5)

BIO2

5.7

RBI CSF

ITGRCA.22, ITGRCA.25

FISC Security Guidelines

FISC.O1

LGPD + BCB 4893

BCB.Art.12, BCB.Art.18, BCB.Art.3-Supp, LGPD.Art.10, LGPD.Art.37-38, LGPD.BCB.Integration

HKMA TM-E-1

TME1.12.1, TME1.2.3

MLPS 2.0

8.1.10.3, 8.1.9.2

DNB Good Practice

DNB.10.2, DNB.3.1, DNB.4.1, DNB.4.2

EU CRA

CRA.Info.5

SWIFT CSCF

SWIFT.7.4A

SAMA CSF

1.8

NCA ECC

1-5, 2-13, 5-1

UAE IA

T2

CBB TM

TM-15, TM-4

Qatar NIA

RM

CBUAE

CR-2

CBE CSF

CD-1, CRM-1

SA JS2

JS2-5, JS2-6.2, JS2-7.6

CBN CSF

Part2.1, Part2.2, Part4, Part5.1

BoG CISD

CISD-III, CISD-ISMS

POPIA

s19

BoM CTRM

1.42.14.1

IOSCO Cyber Resilience

GOV-3, ID-3, PFMI-3, RR-5, SA-1

BCBS 239

Principle 1, Principle 6, Principle 8

CPMI-IOSCO PFMI

CG.ID, CG.SA, PFMI.P15, PFMI.P17, PFMI.P3

FFIEC IS

II.A, II.A.1, II.B, II.D, III.A

NYDFS 500

500.2, 500.9

HIPAA Security Rule

§164.308(a)(1)(i), §164.308(a)(1)(ii)(A), §164.308(a)(1)(ii)(B), §164.308(a)(8)

ECB CROE

CROE.2.2.1, CROE.2.7.1, CROE.2.8.2

EBA ICT Guidelines

3.3.3, 3.3.5, 3.7.1

SEBI CSCRF

GV.RM, ID.RA

BOT Cyber Resilience

Ch1.2, Ch8.1

CMMC 2.0

RA

NERC CIP

CIP-002-7, CIP-014-3

10 CFR 73.54

RG5.71-C-PL

TSA Pipeline SD

SD-1 Sec 3

DOE C2M2 v2.1

THREAT, RISK

API 1164

Sec 4

AWIA

Sec 2013(a)

IAEA NSS 17-T

Sec 4

FIPS 140-3

FIPS 140-3 §7.12, FIPS 140-3 §7.8

CBEST

CBEST.2

TIBER-EU

TIBER.GTL, TIBER.TTI

ISAE 3402

Clause 1, Clause 3

Solvency II

Art.44(1), Art.44(2), Art.45, DR.260, DR.266, DR.267, EIOPA-Cloud-GL3, EIOPA-ICT-4.2

Lloyd's Minimum Standards

CRM.2, MS10.1, MS10.2, MS8.11

NAIC Insurance Data Security

44A4E

PRA SS1/23

P1.2, P3.5, P5.1, P5.4

FCA SYSC 13

SYSC 13.1-2, SYSC 13.5.2, SYSC 13.5.3, SYSC 13.8.4, SYSC 13.G.2

HITRUST CSF v11

00.b, 03.a

FDA 21 CFR Part 11

§11.2

FDA Cybersecurity Guidance

524B-4, CRA-1, CRA-2, CRA-3, INC-2, MON-2, SPDF-2, TM-1, TM-2, TM-3, TR-2, VR-1

ISO 27799

H.1

NHS DSPT

NDG-5.2

MiCA

Art.34(5), Art.35(1), Art.41(1), Art.62(1), Art.66(1), Art.47(1)

Basel SCO60

SCO60.1, SCO60.3, SCO60.4, SCO60.5, SCO60.13, SCO60.14, SCO60.21, SCO60.41, SCO60.50, SCO60.54, SCO60.74, SCO60.83, SCO60.84, SCO60.85

BSSC Standards

TIS-01, TIS-04, TIS-05, TIS-06, GSP-02

SEC Custody (Digital Assets)

SEC-CD-08, SEC-CD-09, SEC-CD-12, SEC-CD-18

ISO 17799 (legacy)

4.04.14.26.2.110.10.210.10.512.5.112.6.114.1.114.1.2

COBIT 4.1 (legacy)

PO9.3, PO9.4, AI1.1