
💼 PM-9 Risk Management Strategy

  • Contextual name: 💼 PM-9 Risk Management Strategy
  • ID: /frameworks/nist-sp-800-53-r5/pm/09
  • Located in: 💼 PM Program Management

Description

a. Develops a comprehensive strategy to manage:

  1. Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and
  2. Privacy risk to individuals resulting from the authorized processing of personally identifiable information;

b. Implement the risk management strategy consistently across the organization; and

c. Review and update the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes.

Similar

  • Internal
    • ID: dec-c-2589581a

Similar Sections (Give Policies To)

Section | Sub Sections | Internal Rules | Policies | Flags

  • 💼 NIST CSF v2.0 → 💼 DE.AE-04: The estimated impact and scope of adverse events are understood (14)
  • 💼 NIST CSF v2.0 → 💼 GV.OC-02: Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered (7)
  • 💼 NIST CSF v2.0 → 💼 GV.OV-01: Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction
  • 💼 NIST CSF v2.0 → 💼 GV.OV-02: The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks
  • 💼 NIST CSF v2.0 → 💼 GV.RM-01: Risk management objectives are established and agreed to by organizational stakeholders
  • 💼 NIST CSF v2.0 → 💼 GV.RM-02: Risk appetite and risk tolerance statements are established, communicated, and maintained
  • 💼 NIST CSF v2.0 → 💼 GV.RM-03: Cybersecurity risk management activities and outcomes are included in enterprise risk management processes
  • 💼 NIST CSF v2.0 → 💼 GV.RM-04: Strategic direction that describes appropriate risk response options is established and communicated
  • 💼 NIST CSF v2.0 → 💼 GV.RM-05: Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties
  • 💼 NIST CSF v2.0 → 💼 GV.RM-06: A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated
  • 💼 NIST CSF v2.0 → 💼 GV.RM-07: Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions
  • 💼 NIST CSF v2.0 → 💼 GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes (7)
  • 💼 NIST CSF v2.0 → 💼 GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
  • 💼 NIST CSF v2.0 → 💼 ID.RA-04: Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded (7)
  • 💼 NIST CSF v2.0 → 💼 ID.RA-06: Risk responses are chosen, prioritized, planned, tracked, and communicated (7)
  • 💼 NIST CSF v2.0 → 💼 PR.IR-04: Adequate resource capacity to ensure availability is maintained (1)
  • 💼 NIST CSF v2.0 → 💼 RC.RP-04: Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags