CCI-004465
CCI-004465 Definition
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if:
- a Risk Executive (function) is established.
- a Risk Executive (function) views and analyzes risk from an organization-wide perspective.
- a Risk Executive (function) ensures that the management of risk is consistent across the organization.
Validation Procedures
Examine: [SELECT FROM: Information security program plan; privacy program plan; risk management strategy; supply chain risk management strategy; documentation of appointment, roles, and responsibilities of a Senior Accountable Official for Risk Management; documentation of actions taken by the Official; documentation of the establishment, policies, and procedures of a Risk Executive (function)].

Interview: [SELECT FROM: Senior Accountable Official for Risk Management; chief information officer; senior agency information security officer; senior agency official for privacy; organizational personnel with information security and privacy program responsibilities].