PM-09 Risk Management Strategy

Program Management

Description

a. Develop a comprehensive strategy to manage:
   1. Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and
   2. Privacy risk to individuals resulting from the authorized processing of personally identifiable information;
b. Implement the risk management strategy consistently across the organization; and
c. Review and update the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes.

Supplemental Guidance

An organization-wide risk management strategy includes an expression of the security and privacy risk tolerance for the organization, security and privacy risk mitigation strategies, acceptable risk assessment methodologies, a process for evaluating security and privacy risk across the organization with respect to the organization's risk tolerance, and approaches for monitoring risk over time. The senior accountable official for risk management (agency head or designated official) aligns information security management processes with strategic, operational, and budgetary planning processes.

Changes from Rev 4

Privacy risk added. Review and update frequency added as assignment parameter.

Compliance Mappings

ISO 27001:2022

6.1, 6.1.3

COBIT 2019

APO12, APO13, EDM01, EDM03

NIST CSF 2.0

GV.OV-01, GV.OV-02, GV.PO-01, GV.RM-01, GV.RM-02, GV.RM-03, GV.RM-04, GV.RM-06, GV.RM-07, GV.SC-03, ID.RA-05, ID.RA-06, ID.RA-07

PCI DSS v4.0.1

12.3

CSA CCM v4

GRC-02

CSA AICM v1

CCC-08, GRC-02, GRC-09, GRC-10, GRC-11, GRC-14, MDS-13

IEC 62443

2-1 4.2, 2-1 4.4

NIS2 Directive

Art. 21(2)(a)

PRA Operational Resilience

PS6/21-2.1, SS1/21-10.1, SS1/21-3.2, SS1/21-4.1, SS2/21-12.1, SS2/21-3.1, SS2/21-4.1, SS2/21-9.1

MAS TRM

34

APRA CPS 234

Para 15

BSI IT-Grundschutz

ISMS.1

RBI CSF

ITGRCA.22, ITGRCA.25

FISC Security Guidelines

FISC.O1

LGPD + BCB 4893

BCB.Art.17, BCB.Art.2, BCB.Art.3-Supp, LGPD.Art.50, LGPD.BCB.Integration

HKMA TM-E-1

TME1.2.1, TME1.2.3, TME1.7.1

DNB Good Practice

DNB.1.1, DNB.4.1, DNB.4.2, DNB.4.3

EU CRA

CRA.Info.5

SAMA CSF

1.1, 1.2, 1.3, 1.8, 2.2

NCA ECC

1-1, 1-2, 1-5

UAE IA

T1, T2

CBB TM

TM-1, TM-2, TM-3, TM-4

Qatar NIA

GV, RM

CBUAE

CR-1, CR-2

CBE CSF

CRM-1, GOV-1

SA JS2

JS2-4, JS2-5, JS2-6.2

CBN CSF

Part1.1, Part2.1, Part2.2

BoG CISD

CISD-I, CISD-II, CISD-III, CISD-ISMS, CISD-XIII

POPIA

s19, s8

BoM CTRM

1.1, 1.4, 2.1, 3.10

IOSCO Cyber Resilience

GOV-2, GOV-3, PFMI-2, PFMI-3

BCBS 239

Principle 1, Principle 12, Principle 13, Principle 5, Principle 8, Principle 9

CPMI-IOSCO PFMI

PFMI.P15, PFMI.P17, PFMI.P3

FFIEC IS

II.A, II.B

NYDFS 500

500.2, 500.3, 500.9

HIPAA Security Rule

§164.308(a)(1)(i), §164.308(a)(1)(ii)(A), §164.308(a)(1)(ii)(B), §164.316(a)

ECB CROE

CROE.2.1.1, CROE.2.2.1

EBA ICT Guidelines

3.3.3, 3.4.1, 3.7.1

SEBI CSCRF

CCMP, CYBER-INS, GV.OC, GV.PO, GV.RM

BOT Cyber Resilience

Ch1.1, Ch1.2

CMMC 2.0

RA

NERC CIP

CIP-003-9

10 CFR 73.54

73.54(b)

TSA Pipeline SD

SD-2 Sec E

FERC CIP Orders

Order 706, Order 893

DOE C2M2 v2.1

RISK, PROGRAM

API 1164

Sec 4

AWIA

Sec 2013(a), AWWA Sec 1

IAEA NSS 17-T

Sec 3, Sec 4

CBEST

CBEST.1

TIBER-EU

TIBER.CONF, TIBER.PREP

ISAE 3402

Clause 1, Clause 2, Clause 3, Clause 8

Solvency II

Art.44(2), Art.45, DR.260, DR.266, DR.267, EIOPA-ICT-4.2

Lloyd's Minimum Standards

CRM.1, GOV.1, MS10.1, MS10.2, MS8.1

NAIC Insurance Data Security

44A

PRA SS1/23

P1.2, P2.1, P3.5, P5.1, P5.4

FCA SYSC 13

SYSC 13.1-2, SYSC 13.3, SYSC 13.5.2, SYSC 13.8.4, SYSC 13.8.5, SYSC 13.G.2

HITRUST CSF v11

00.a, 00.b, 03.a, 03.b, 12.a

FDA 21 CFR Part 11

§11.2

FDA Cybersecurity Guidance

524B-4, CRA-2, CRA-3, SPDF-2, TM-3, TR-2, VR-1

ISO 27799

H.1

NHS DSPT

NDG-5.2, NDG-9.1

CCSS v9.0

1.02.5

MiCA

Art.34(5), Art.35(1), Art.41(1), Art.54(1), Art.59(1), Art.62(1), Art.66(1), Art.62(6), Art.111(1), Art.47(1)

Basel SCO60

SCO60.1, SCO60.3, SCO60.4, SCO60.5, SCO60.13, SCO60.50, SCO60.54, SCO60.60, SCO60.72, SCO60.83, SCO60.85

BSSC Standards

NOS-01, TIS-01, GSP-01, GSP-02, GSP-10

SEC Custody (Digital Assets)

SEC-CD-09, SEC-CD-10, SEC-CD-18