RSK-12: Risk Culture

There is no evidence of a capability to ensure teams are committed to a culture that considers and communicates technology-related risk.

C|P-CMM1 is N/A, since a structured process is required to ensure teams are committed to a culture that considers and communicates technology-related risk.

C|P-CMM2 is N/A, since a well-defined process is required to ensure teams are committed to a culture that considers and communicates technology-related risk.

Risk Management efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Analyzes the organization's business strategy to determine prioritized and authoritative guidance for Risk Management (RM) practices. o Develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the enterprise for RM. o Provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to RM. o Maintains a common taxonomy of risk-relevant terminology to minimize assumptions and misunderstandings. o Enables data/process owners to conduct annual risk assessment of their operations that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's systems and data. o Assists users in making informed risk decisions to ensure data and processes are appropriately protected. o Enables the documentation of risk assessments, risk response and risk monitoring to support statutory, regulatory and contractual obligations for risk management practices. o Maintains a centralized risk register to reflect an active recording and disposition of identified risks. The risk register identifies and assigns a risk ranking to vulnerabilities and risks that is based on industry-recognized practices and facilitates monitoring and reporting of those risks. o Governs supply chain risks associated with the development, acquisition, maintenance and disposal of systems, system components and services.

• A formal Risk Management Program (RMP) provides enterprise-wide guidance on how risk is to be identified, framed (e.g., risk appetite, risk tolerance, risk thresholds, etc.) assessed, mitigated/remediated and reported.
• Criteria to define materiality for risk management decisions is defined.
• A steering committee is formally established to provide executive oversight of the cybersecurity and data privacy program, including appropriately resourcing risk management operations.
• A formally-documented Cybersecurity Supply Chain Risk Management (C-SCRM) plan exists to identify, assess and mitigate supply chain-related risks and threats;
• The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns,
• A Governance, Risk & Compliance (GRC) function, or similar function:
• An IT Asset Management (ITAM) function, or similar function, categorizes assets according to the data the asset stores, transmits and/ or processes, applying the appropriate technology controls to protect the asset and data.

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to ensure teams are committed to a culture that considers and communicates technology-related risk.

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to ensure teams are committed to a culture that considers and communicates technology-related risk.