CC3-3 | Priority: Medium | Category: Security / Risk Assessment

Fraud risk is identified and assessed

Fraud risk — the risk that someone intentionally circumvents controls to misuse the system or its data — must be explicitly considered in your risk assessment. It is distinct from accidental errors and from external attackers: it covers insider threats, management override of controls, and misuse by privileged users. Most engineering-led companies under-weight this risk because they trust their team. The control does not require that you find fraud risk to be high, only that it is considered and the consideration is documented.

Complete first: cc3-2

Implementation steps

  1. Include fraud risk categories in your risk assessment

     When running your annual risk assessment, explicitly include fraud risk scenarios: employee data exfiltration before resignation, privileged user abuse, circumvention of financial approval controls, falsification of compliance evidence. Documenting consideration of these risks — even if you conclude the risk is low — satisfies this criterion.

     Tools: google-sheets, notion, confluence

  2. Implement controls that reduce fraud opportunity

     Apply the fraud triangle countermeasures: reduce opportunity (segregation of duties, least privilege access, audit logs), reduce incentive (fair compensation, healthy culture), and increase detection (monitoring, surprise audits, whistleblower channels). Document which controls address which fraud risks, so an auditor can trace each identified risk to the control that mitigates it.

     Tools: aws-iam, okta, datadog, splunk

  3. Document management's fraud risk assessment

     Have management formally sign off on the fraud risk assessment. This creates accountability and demonstrates that leadership is aware of fraud risks and has consciously accepted or mitigated them.

     Tools: google-docs, notion, confluence

Evidence required

Fraud risk section in risk assessment

Documentation showing fraud risk was considered as part of the risk assessment.

  - Risk register with fraud risk category and entries
  - Risk assessment report with fraud risk section
  - Threat model that includes insider threat scenarios

Controls addressing fraud risk

Evidence of controls that reduce the opportunity or likelihood of fraud.

  - Segregation of duties documentation for sensitive functions
  - Privileged access audit logs
  - Background check policy for employees with access to sensitive data

Related controls