ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis
PF v1.0 References:
Description
[csf.tools Note: Subcategories do not have detailed descriptions.]
Related Controls
NIST Special Publication 800-53 Revision 5
PM-8: Critical Infrastructure Plan
Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.
PM-9: Risk Management Strategy
Develops a comprehensive strategy to manage: Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and Privacy risk to individuals resulting from the authorized processing of personally identifiable information; Implement the risk management strategy consistently across the organization; and Review and update…
PM-11: Mission and Business Process Definition
Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and Review and revise the mission and business processes…
RA-9: Criticality Analysis
Identify critical system components and functions by performing a criticality analysis for [Assignment: organization-defined systems, system components, or system services] at [Assignment: organization-defined decision points in the system development life cycle].
Cloud Controls Matrix v3.0.1
AAC-03: Information System Regulatory Mapping
Organizations shall create and maintain a control framework which captures standards, regulatory, legal, and statutory requirements relevant for their business needs. The control framework shall be reviewed at least annually to ensure changes that could affect the business processes are reflected.
GRM-05: Management Support/Involvement
Executive and line management shall take formal action to support information security through clearly-documented direction and commitment, and shall ensure the action has been assigned.
GRM-11: Risk Management Framework
Risks shall be mitigated to an acceptable level. Acceptance levels based on risk criteria shall be established and documented in accordance with reasonable resolution time frames and stakeholder approval.
NIST Special Publication 800-53 Revision 4
PM-8: Critical Infrastructure Plan
The organization addresses information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.
PM-9: Risk Management Strategy
The organization: Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems; Implements the risk management strategy consistently across the organization; and Reviews and updates the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational…
PM-11: Mission/Business Process Definition
The organization: Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained.
SA-14: Criticality Analysis
The organization identifies critical information system components and functions by performing a criticality analysis for [Assignment: organization-defined information systems, information system components, or information system services] at [Assignment: organization-defined decision points in the system development life cycle].