myctrl.tools
Compare

PM-9Risk Management Strategy

PRIVACY

>Control Description

a

Develops a comprehensive strategy to manage:

1.

Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and

2.

Privacy risk to individuals resulting from the authorized processing of personally identifiable information;

b

Implement the risk management strategy consistently across the organization; and

c

Review and update the risk management strategy organization-defined frequency or as required, to address organizational changes.

>Cross-Framework Mappings

SOC 2 TSC

CC3.1
Compare
CC3.2
Compare
CC5.1
Compare

SCF

RSK-01
Compare

>Supplemental Guidance

An organization-wide risk management strategy includes an expression of the security and privacy risk tolerance for the organization, security and privacy risk mitigation strategies, acceptable risk assessment methodologies, a process for evaluating security and privacy risk across the organization with respect to the organization's risk tolerance, and approaches for monitoring risk over time. The senior accountable official for risk management (agency head or designated official) aligns information security management processes with strategic, operational, and budgetary planning processes. The risk executive function, led by the senior accountable official for risk management, can facilitate consistent application of the risk management strategy organization-wide.

The risk management strategy can be informed by security and privacy risk-related inputs from other sources, both internal and external to the organization, to ensure that the strategy is broad-based and comprehensive. The supply chain risk management strategy described in PM-30 can also provide useful inputs to the organization-wide risk management strategy.

>Related Controls

AC-1
AT-1
AU-1
CA-1
CA-2
CA-5
CA-6
CA-7
CM-1
CP-1
IA-1
IR-1
MA-1
MP-1
PE-1
PL-1
PL-2
PM-2
PM-8
PM-18
PM-28
PM-30
PS-1
PT-1
PT-2
PT-3
RA-1
RA-3
RA-9
SA-1
SA-4
SC-1
SC-38
SI-1
SI-12
SR-1
SR-2

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What is the process for developing and maintaining the organization's risk management strategy?
  • How does the risk management strategy integrate with organizational strategic planning and decision-making?
  • Who reviews and approves the risk management strategy?
  • How is the risk management strategy communicated and implemented across the organization?
  • What governance exists for updating the risk management strategy in response to changing threat environments?

Technical Implementation:

  • What systems or tools support organizational risk management?
  • How are risk data collected, analyzed, and reported at the enterprise level?
  • What integration exists between risk management and other security tools?

Evidence & Documentation:

  • Provide the organizational risk management strategy document.
  • Provide evidence of risk management strategy review and approval.
  • Provide documentation of strategy integration with organizational planning.
  • Provide records of risk management strategy updates.
  • Provide evidence of strategy communication across the organization.

Ask AI

Configure your API key to use AI features.