Cybersecurity & Data Privacy Risk Management Model (C|P-RMM)
The C|P-RMM was created to provide an efficient methodology to identify, assess, report and mitigate risk. The project was approached from the perspective of asking the question, “How should I manage risk?” and was a collaboration between ComplianceForge and the Secure Controls Framework (SCF). The C|P-RMM takes a holistic approach to controls, risks and threats as a way to reduce or eliminate the traditional Fear, Uncertainty and Doubt (FUD) that makes many risk assessments meaningless. The C|P-RMM is free to use and is licensed under the Creative Commons licensing model.
All organizations have a need to manage risk. Most organizations are compelled to manage risk, and these requirements come from a broad range of statutory, regulatory and contractual origins. Regardless of your industry, requirements to manage cybersecurity risk exist, and failing to manage risk could leave your organization exposed to liabilities from non-compliance:
NIST 800-171 & CMMC. Protecting CUI in Nonfederal Information Systems and Organizations – multiple sections of NIST SP 800-171 & CMMC require risk to be periodically assessed (see Appendix A for more information on this).
Federal Trade Commission (FTC) Act. 15 U.S. Code § 45 deems unfair or deceptive acts or practices in or affecting commerce to be unlawful - poor security practices are covered under this requirement and not managing cybersecurity risk is an indication of poor security practices.
Payment Card Industry Data Security Standard (PCI DSS). Section 12.2 requires companies to perform a formal risk assessment.
Health Insurance Portability and Accountability Act (HIPAA). Security Rule (Section 45 C.F.R. §§ 164.302 – 318) requires companies to conduct an accurate & thorough assessment of potential risks.
Gramm-Leach-Bliley Act (GLBA). The Safeguards Rule requires companies to identify and assess risks to customer information.
Massachusetts MA 201 CMR 17.00. Section 17.03(2)(b) requires companies to "identify & assess" reasonably-foreseeable internal and external risks.
Oregon Identity Theft Protection Act. Section 646A.622(2)(d)(B)(ii) requires companies to assess risks in information processing, transmission & storage.
In risk management, the old adage of “the path to hell is paved with good intentions” is very applicable. All too often, risk management personnel are tasked with generating risk assessments and creating the questions to ask in those assessments without having a centralized set of organization-wide cybersecurity and privacy controls to work from. This generally leads to risk teams making up risks and asking questions that are not supported by the organization’s policies and standards. For example, an organization may be an “ISO shop” that operates an ISO 27002-based Information Security Management System (ISMS) to govern its policies and standards, while its risk team is asking questions about NIST SP 800-53 or 800-171 controls that are not applicable to the organization. This scenario of “making up risks” points to one of two security program governance issues:
If the need for additional controls to cover risks is legitimate, then the organization is improperly scoped and does not have the appropriate cybersecurity and privacy controls to address its applicable statutory, regulatory, contractual or industry-expected practices.
If the organization is properly scoped, then the risk team is essentially making up requirements that are not supported by the organization’s policies and standards.
C|P-RMM: Applicability To NIST 800-171 & CMMC
An immediate need for many organizations is compliance with NIST SP 800-171 and the Cybersecurity Maturity Model Certification (CMMC). The Cybersecurity & Data Privacy Risk Management Model (C|P-RMM) is a tool that can be used to address the following NIST SP 800-171 requirements:
3.11.1. Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
3.11.2. Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
3.11.3. Remediate vulnerabilities in accordance with risk assessments.
3.12.1. Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
3.12.2. Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
3.12.3. Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.