Navigate

CCI-004457

CCI-004457 Definition

Identify and document the organizational risk tolerance.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if Organizational risk tolerance is identified and documented.

Validation Procedures

Examine: [SELECT FROM: Information security program plan; privacy program plan; supply chain risk management strategy; documentation of risk framing activities; policies and procedures for risk framing activities; risk management strategy]. Interview: [SELECT FROM: Organizational personnel (including mission, business, and system owners or stewards; authorizing officials; senior agency information security officer; senior agency official for privacy; and senior accountable official for risk management)]. Test: [SELECT FROM: Organizational procedures and practices for authorizing, conducting, managing, and reviewing personally identifiable information processing; organizational processes for risk framing; mechanisms supporting the development, review, update, and approval of risk framing].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-004457.

Control	Description
PM-28	a: Identify and document: 1: Assumptions affecting risk assessments, risk responses, and risk monitoring; 2: Constraints affecting risk assessments, risk responses, and risk monitoring; 3: Priorities and trade-offs considered by the organization for managing risk; and 4: Organizational risk tolerance; b: Distribute the results of risk framing activities to [the personnel to receive the results of risk framing activities is/are defined;] ; and c: Review and update risk framing considerations [the frequency for reviewing and updating risk framing considerations is defined;].

Control

Description

PM-28

a: Identify and document:
- 1: Assumptions affecting risk assessments, risk responses, and risk monitoring;
- 2: Constraints affecting risk assessments, risk responses, and risk monitoring;
- 3: Priorities and trade-offs considered by the organization for managing risk; and
- 4: Organizational risk tolerance;

b: Distribute the results of risk framing activities to [the personnel to receive the results of risk framing activities is/are defined;] ; and

c: Review and update risk framing considerations [the frequency for reviewing and updating risk framing considerations is defined;].