PM-9: RISK MANAGEMENT STRATEGY

PROGRAM MANAGEMENT & INDUSTRIAL CONTROL SYSTEMS

  • ICS Control Baselines: Program Management is baseline independent.

The organization:

    • a. Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems;
    • b. Implements the risk management strategy consistently across the organization; and
    • c. Reviews and updates the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes.

SUPPLEMENTAL GUIDANCE

An organization-wide risk management strategy includes, for example, an unambiguous expression of the risk tolerance for the organization, acceptable risk assessment methodologies, risk mitigation strategies, a process for consistently evaluating risk across the organization with respect to the organization's risk tolerance, and approaches for monitoring risk over time. The use of a risk executive function can facilitate consistent, organization-wide application of the risk management strategy. The organization-wide risk management strategy can be informed by risk-related inputs from other sources both internal and external to the organization to ensure the strategy is both broad-based and comprehensive.

ICS SUPPLEMENTAL GUIDANCE

Risk management of ICS is considered along with other organizational risks affecting mission/business success from an organization-wide perspective. Organization-wide risk management strategy includes sector-specific guidance as appropriate.

CONTROL ENHANCEMENTS

NO CONTROL ENHANCEMENTS

REFERENCES:

  • NIST Special Publication 800-82
  • NIST Special Publication 800-30
  • NIST Special Publication 800-39