PM-29—Risk Management Program Leadership Roles

>Control Description

Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and

Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective and ensure management of risk is consistent across the organization.

>Cross-Framework Mappings

NIST CSF 2.0

via NIST CSF 2.0 Concept Crosswalk

SCF

>Supplemental Guidance

The senior accountable official for risk management leads the risk executive (function) in organization-wide risk management activities.

>Related Controls

PM-2

PM-19

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

•What is the process for developing and maintaining privacy awareness and training programs?
•How does the organization determine training requirements for different roles?
•Who oversees privacy awareness and training activities?
•How frequently is privacy training provided, and how is effectiveness measured?
•What governance exists for ensuring privacy training remains current and relevant?

Technical Implementation:

•What platforms deliver privacy awareness and training?
•How are privacy training completions tracked?
•What content management supports privacy training materials?
•How are privacy training requirements enforced?

Evidence & Documentation:

•Provide privacy awareness and training program documentation.
•Provide privacy training completion records for the past year.
•Provide evidence of role-based privacy training.
•Provide privacy training effectiveness assessments.

Ask AI

Configure your API key to use AI features.