RSK-04.2: Risk Assessment Methodology

There is no evidence of a capability to implement a risk assessment methodology to ensure coverage for organizational components relevant for secure, compliant and resilient operations.

C|P-CMM1 is N/A, since a structured process is required to implement a risk assessment methodology to ensure coverage for organizational components relevant for secure, compliant and resilient operations.

C|P-CMM2 is N/A, since a well-defined process is required to implement a risk assessment methodology to ensure coverage for organizational components relevant for secure, compliant and resilient operations.

Risk Management efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Analyzes the organization's business strategy to determine prioritized and authoritative guidance for Risk Management (RM) practices. o Develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the enterprise for RM. o Provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to RM. o Maintains a common taxonomy of risk-relevant terminology to minimize assumptions and misunderstandings. o Enables data/process owners to conduct annual risk assessment of their operations that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's systems and data. o Assists users in making informed risk decisions to ensure data and processes are appropriately protected. o Enables the documentation of risk assessments, risk response and risk monitoring to support statutory, regulatory and contractual obligations for risk management practices. o Maintains a centralized risk register to reflect an active recording and disposition of identified risks. The risk register identifies and assigns a risk ranking to vulnerabilities and risks that is based on industry-recognized practices and facilitates monitoring and reporting of those risks. o Governs supply chain risks associated with the development, acquisition, maintenance and disposal of systems, system components and services.

• A formal Risk Management Program (RMP) provides enterprise-wide guidance on how risk is to be identified, framed (e.g., risk appetite, risk tolerance, risk thresholds, etc.) assessed, mitigated/remediated and reported.
• Criteria to define materiality for risk management decisions is defined.
• A steering committee is formally established to provide executive oversight of the cybersecurity and data privacy program, including appropriately resourcing risk management operations.
• A formally-documented Cybersecurity Supply Chain Risk Management (C-SCRM) plan exists to identify, assess and mitigate supply chain-related risks and threats;
• The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns,
• A Governance, Risk & Compliance (GRC) function, or similar function:
• An IT Asset Management (ITAM) function, or similar function, categorizes assets according to the data the asset stores, transmits and/ or processes, applying the appropriate technology controls to protect the asset and data.

Risk Management efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
• Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
• Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
• Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
• Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
• Both business and technical stakeholders are involved in reviewing and approving proposed changes.

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to implement a risk assessment methodology to ensure coverage for organizational components relevant for secure, compliant and resilient operations.