Navigate

CCI-000228

CCI-000228 Definition

Implement the risk management strategy consistently across the organization.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if the risk management strategy is implemented consistently across the organization.

Validation Procedures

Examine: [SELECT FROM: Information security program plan; privacy program plan; risk management strategy; supply chain risk management strategy; procedures addressing the development, implementation, review, and update of the risk management strategy; risk assessment results relevant to the risk management strategy; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with information security and privacy program planning and plan implementation responsibilities; organizational personnel responsible for the development, implementation, review, and update of the risk management strategy; organizational personnel with information security and privacy responsibilities]. Test: [SELECT FROM: Organizational processes for the development, implementation, review, and update of the risk management strategy; mechanisms supporting the development, implementation, review, and update of the risk management strategy].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000228.

Control	Description
PM-9	a: Develops a comprehensive strategy to manage: 1: Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and 2: Privacy risk to individuals resulting from the authorized processing of personally identifiable information; b: Implement the risk management strategy consistently across the organization; and c: Review and update the risk management strategy [the frequency at which to review and update the risk management strategy is defined;] or as required, to address organizational changes.

Control

Description

PM-9

a: Develops a comprehensive strategy to manage:
- 1: Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and
- 2: Privacy risk to individuals resulting from the authorized processing of personally identifiable information;

b: Implement the risk management strategy consistently across the organization; and

c: Review and update the risk management strategy [the frequency at which to review and update the risk management strategy is defined;] or as required, to address organizational changes.