💼 PM-9 Risk Management Strategy

  • Contextual name: 💼 PM-9 Risk Management Strategy
  • ID: /frameworks/nist-sp-800-53-r5/pm/09
  • Located in: 💼 PM Program Management

Description

a. Develops a comprehensive strategy to manage:

  1. Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and
  2. Privacy risk to individuals resulting from the authorized processing of personally identifiable information;

b. Implement the risk management strategy consistently across the organization; and

c. Review and update the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes.

Similar

  • Internal
    • ID: dec-c-2589581a

Similar Sections (Give Policies To)

Section | Sub Sections | Internal Rules | Policies | Flags
💼 NIST CSF v2.0 → 💼 DE.AE-04: The estimated impact and scope of adverse events are understood | 13
💼 NIST CSF v2.0 → 💼 GV.OC-02: Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered | 7
💼 NIST CSF v2.0 → 💼 GV.OV-01: Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction | 3
💼 NIST CSF v2.0 → 💼 GV.OV-02: The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks
💼 NIST CSF v2.0 → 💼 GV.RM-01: Risk management objectives are established and agreed to by organizational stakeholders
💼 NIST CSF v2.0 → 💼 GV.RM-02: Risk appetite and risk tolerance statements are established, communicated, and maintained
💼 NIST CSF v2.0 → 💼 GV.RM-03: Cybersecurity risk management activities and outcomes are included in enterprise risk management processes
💼 NIST CSF v2.0 → 💼 GV.RM-04: Strategic direction that describes appropriate risk response options is established and communicated
💼 NIST CSF v2.0 → 💼 GV.RM-05: Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties
💼 NIST CSF v2.0 → 💼 GV.RM-06: A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated
💼 NIST CSF v2.0 → 💼 GV.RM-07: Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions
💼 NIST CSF v2.0 → 💼 GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes | 10
💼 NIST CSF v2.0 → 💼 GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
💼 NIST CSF v2.0 → 💼 ID.RA-04: Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded | 7
💼 NIST CSF v2.0 → 💼 ID.RA-06: Risk responses are chosen, prioritized, planned, tracked, and communicated | 7
💼 NIST CSF v2.0 → 💼 PR.IR-04: Adequate resource capacity to ensure availability is maintained
💼 NIST CSF v2.0 → 💼 RC.RP-04: Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags