Benchmark: CC3.2 COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed
Description
Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels - The entity identifies and assesses risk at the entity, subsidiary, division, operating unit, and functional levels relevant to the achievement of objectives.
Analyzes Internal and External Factors - Risk identification considers both internal and external factors and their impact on the achievement of objectives.
Involves Appropriate Levels of Management - The entity puts into place effective risk assessment mechanisms that involve appropriate levels of management.
Estimates Significance of Risks Identified - Identified risks are analyzed through a process that includes estimating the potential significance of the risk.
Determines How to Respond to Risks - Risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce, or share the risk.
Additional points of focus specifically related to all engagements using the trust services criteria:
Identifies and Assesses Criticality of Information Assets and Identifies Threats and Vulnerabilities - The entity's risk identification and assessment process includes (1) identifying information assets, including physical devices and systems, virtual devices, software, data and data flows, external information systems, and organizational roles; (2) assessing the criticality of those information assets; (3) identifying the threats to the assets from intentional (including malicious) and unintentional acts and environmental events; and (4) identifying the vulnerabilities of the identified assets.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service startpowerpipe server
Open http://localhost:9033 in your browser and select CC3.2 COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.soc_2_cc_3_2
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.soc_2_cc_3_2 --share
Controls
- EC2 instances should be managed by AWS Systems Manager
- GuardDuty should be enabled
- GuardDuty findings should be archived
- IAM users with console access should have MFA enabled
- SSM managed instance associations should be compliant
- SSM managed instance patching should be compliant