PM-11 Mission and Business Process Definition

Program Management

Description

a. Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and
b. Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and
c. Review and revise the mission and business processes [Assignment: organization-defined frequency].

Supplemental Guidance

Protection needs are technology-independent capabilities that are required to counter threats to organizations, individuals, systems, and the Nation through the compromise of information (i.e., loss of confidentiality, integrity, availability, or privacy). Information protection and personally identifiable information processing needs are derived from the mission and business needs defined by organizational stakeholders, the mission and business processes designed to meet those needs, and the organizational risk management strategy.

Changes from Rev 4

Title changed. Privacy and PII processing needs added. Review frequency added.

Compliance Mappings

ISO 27001:2022

4.14.2

COBIT 2019

APO02, APO05, BAI01, BAI11

NIST CSF 2.0

GV.OC-01, GV.OC-02, GV.OC-04, GV.OC-05, ID.AM-05, RC.RP-04

PRA Operational Resilience

SS1/21-11.1, SS1/21-3.1, SS1/21-4.1, SS1/21-5.1, SS1/21-9.1, SS2/21-4.1

RBI CSF

ITGRCA.4

LGPD + BCB 4893

BCB.Art.3-Supp

HKMA TM-E-1

TME1.2.2, TME1.6.1

DNB Good Practice

DNB.1.1, DNB.11.1, DNB.4.1

SAMA CSF

1.2

NCA ECC

1-13-1

UAE IA

T12

CBB TM

TM-14, TM-2

Qatar NIA

BC

CBUAE

CR-13

CBE CSF

GOV-1, OVM-2

SA JS2

JS2-5, JS2-7.5

CBN CSF

Part3.7

BoG CISD

CISD-BCM, CISD-I, CISD-XIII

BoM CTRM

1.32.1

IOSCO Cyber Resilience

ID-1, ID-2

BCBS 239

Principle 3, Principle 4, Principle 8

CPMI-IOSCO PFMI

CG.ID, PFMI.P15, PFMI.P17

FFIEC IS

II.A

NYDFS 500

500.19, 500.2, 500.9

HIPAA Security Rule

§164.308(a)(1)(i), §164.308(a)(7)(ii)(E)

ECB CROE

CROE.2.2.2, CROE.2.2.3

EBA ICT Guidelines

3.3.2, 3.7.1

SEBI CSCRF

BCP-DR, CLASSIFY, CYBER-INS, GV.OC, GV.PO

NERC CIP

CIP-002-7

10 CFR 73.54

73.54(a)

FERC CIP Orders

Order 2222

AWIA

Sec 2013(a)

CBEST

CBEST.3

ISAE 3402

Clause 1, Clause 3

Solvency II

Art.44(2), DR.266

Lloyd's Minimum Standards

MS9.1

NAIC Insurance Data Security

349

PRA SS1/23

P1.2, P1.3, P3.6

FCA SYSC 13

SYSC 13.1-2, SYSC 13.5.2, SYSC 13.8.4

HITRUST CSF v11

00.a, 06.a, 12.a

FDA 21 CFR Part 11

§11.1, §11.2

FDA Cybersecurity Guidance

CRA-2

ISO 27799

17.1H.1

NHS DSPT

NDG-7.1