IT Risk Management

Information risk management is the act of aligning exposure to risk, and the capability to manage it, with the risk tolerance of the data owner. It is the primary means of decision support for information technology resources designed to protect the confidentiality, integrity, and availability of information assets. It ensures that risks of all types are identified, understood, communicated, and either accepted, remediated, transferred, or avoided. Risk management can draw on the output of compliance management activities to help the organization evaluate its overall security posture and whether that posture is in alignment with the defined risk objectives.

Cloud Controls Matrix (CCM) Data


RI-03 | Risk Management | Mitigation / Acceptance

Control Specification

Risks shall be mitigated to an acceptable level. Acceptance levels based on risk criteria shall be established and documented in accordance with reasonable resolution time frames and executive approval.

Architectural Relevance

Physical: True
Network: True
Compute: True
App: True
Data: True

Corp Gov Relevance

Corp Gov Relevance: True

Cloud Service Delivery Model Applicability

SaaS: True
PaaS: True
IaaS: True

Supplier Relationship

Service Provider: True
Tenant / Consumer: True

Scope Applicability

COBIT 4.1:
PO 9.5

HIPAA / HITECH Act:
45 CFR 164.308 (a)(1)(ii)(B)

ISO/IEC 27001-2005:
Clause 4.2.1 c) through g)
Clause 4.2.2 b)
Clause 4.3.1
Clause 5.1 f)
Clause 7.3
A.6.2.1
A.12.5.2
A.12.6.1
A.15.1.1
A.15.2.1
A.15.2.2

NIST SP800-53 R3:
CA-5
CM-4

FedRAMP (Final 2012) Low Impact:
NIST SP 800-53 R3 CA-5
NIST SP 800-53 R3 CP-1
NIST SP 800-53 R3 RA-1

FedRAMP (Final 2012) Moderate Impact:
NIST SP 800-53 R3 CA-5
NIST SP 800-53 R3 CP-1
NIST SP 800-53 R3 RA-1

PCI DSS v2.0:
(none listed)

BITS Shared Assessments SIG v6.0:
I.3, L.9, L.10

BITS Shared Assessments SIG v5.0:
I.4
L.2

GAPP (Aug 2009):
(none listed)

Jericho Forum:
(none listed)

NERC CIP:
CIP-009-3 - R1.2


Consensus Assessments Initiative Questionnaire (CAIQ) Data

Risk Management (RI) | ID #RI-03.1

Are risks mitigated to acceptable levels based on company-established criteria in accordance with reasonable resolution time frames?

Compliance Mapping

COBIT:
COBIT 4.1 PO 9.5

HIPAA:
45 CFR 164.308 (a)(1)(ii)(B)

ISO27001:
Clause 4.2.1 c) through g)
Clause 4.2.2 b)
Clause 4.3.1
Clause 5.1 f)
Clause 7.3
A.6.2.1
A.12.5.2
A.12.6.1
A.15.1.1
A.15.2.1
A.15.2.2

SP800_53:
NIST SP800-53 R3 CA-5
NIST SP800-53 R3 CM-4

FedRAMP:
NIST SP800-53 R3 CA-5
NIST SP800-53 R3 CM-4

PCI_DSS:
(none listed)

BITS:
AUP v5.0 I.4
AUP v5.0 L.2
SIG v6.0: I.3, L.9, L.10

GAPP:
(none listed)

Model Applicability

SaaS: True
PaaS: True
IaaS: True

Scope Applicability

SP (Service Provider): True
CUST (Tenant / Consumer): True

Consensus Assessments Initiative Questionnaire (CAIQ) Data

Risk Management (RI) | ID #RI-03.2

Is remediation conducted at acceptable levels based on company-established criteria in accordance with reasonable time frames?

Compliance Mapping

COBIT, HIPAA, ISO27001, SP800_53, FedRAMP, PCI_DSS, BITS, GAPP:
(none listed)

Model Applicability

SaaS: True
PaaS: True
IaaS: True

Scope Applicability

SP (Service Provider): True
CUST (Tenant / Consumer): True