
PM-28 Risk Framing

PRIVACY

Control Description

a. Identify and document:

  1. Assumptions affecting risk assessments, risk responses, and risk monitoring;
  2. Constraints affecting risk assessments, risk responses, and risk monitoring;
  3. Priorities and trade-offs considered by the organization for managing risk; and
  4. Organizational risk tolerance;

b. Distribute the results of risk framing activities to [organization-defined personnel]; and

c. Review and update risk framing considerations [organization-defined frequency].


Supplemental Guidance

Risk framing is most effective when conducted at the organization level and in consultation with stakeholders throughout the organization, including mission, business, and system owners. The assumptions, constraints, risk tolerance, priorities, and trade-offs identified during risk framing inform the risk management strategy, which in turn governs how risk assessment, risk response, and risk monitoring activities are carried out. Risk framing results are shared with organizational personnel, including mission and business owners, information owners or stewards, system owners, authorizing officials, the senior agency information security officer, the senior agency official for privacy, and the senior accountable official for risk management.


Assessment Interview Topics

Questions assessors commonly ask:

Process & Governance:

  • What is the process for managing privacy risk assessment results?
  • How does the organization integrate privacy risks into overall risk management?
  • Who is responsible for reviewing and acting on privacy risk assessments?
  • How are privacy risks communicated to senior leadership and decision-makers?
  • What governance exists for tracking and mitigating identified privacy risks?

Technical Implementation:

  • What tools integrate privacy risk assessment with organizational risk management?
  • How are privacy risks quantified and tracked?
  • What reporting capabilities exist for privacy risk posture?

Evidence & Documentation:

  • Provide privacy risk assessment results.
  • Provide evidence of privacy risk integration into organizational risk management.
  • Provide privacy risk reports to senior leadership.
  • Provide records of privacy risk mitigation tracking.
