Cybersecurity Risk Management Program Framework


Cybersecurity Risk Management Program (RMP) Framework - Based on COSO 2013, COBIT 5, NIST 800-37 & ISO 31010 Best Practices!

All companies have a need to manage risk. Most companies are compelled to manage risk, and these requirements come from a broad range of sources. Regardless of your industry, there are likely requirements to manage cybersecurity risk, and failing to manage risk could leave your company liable for non-compliance with requirements such as these:

  • Payment Card Industry Data Security Standard (PCI DSS) - Section#12.2 requires companies to perform a formal risk assessment!
  • Massachusetts MA 201 CMR 17.00 - Section# 17.03(2)(b) requires companies to "identify & assess" reasonably-foreseeable internal and external risks! 
  • Oregon Identity Theft Protection Act - Section 646A.622(2)(d)(B)(ii) requires companies to assess risks in information processing, transmission & storage!
  • Health Insurance Portability and Accountability Act (HIPAA) - Security Rule (Section 45 C.F.R. §§ 164.302 – 318) requires companies to conduct an accurate & thorough assessment of potential risks!
  • Gramm-Leach-Bliley Act - Safeguard Rule requires companies to identify and assess risks to customer information!
  • NIST 800-171 - Protecting CUI in Nonfederal Information Systems and Organizations - Section 3.11 requires risks to be periodically assessed!
  • Federal Trade Commission (FTC) Act - 15 U.S. Code § 45 deems unfair or deceptive acts or practices in or affecting commerce to be unlawful - poor security practices are covered under this requirement and not managing cybersecurity risk is an indication of poor security practices!
  • Vendor Contracts - It is increasingly common for vendors, partners and subcontractors to be contractually-bound to perform recurring risk assessments. Not having a risk management program could lead to breach of contract or losing a bid!

Unfortunately, most companies lack a coherent approach to managing risks across the enterprise. Even in larger organizations that have Enterprise Risk Management (ERM) departments, the RMP can tie into the broader risk management framework. What we did was simply reduce the complexity by creating a usable risk management framework that any company can implement to manage risks.

What Problem Does The RMP Solve?

  • Audit Failures - Similar to vulnerability management, most organizations run into trouble in audits when asked HOW risk is managed, since they cannot provide documentation beyond policies and standards. The RMP addresses the HOW for you!
  • Vendor Requirements - It is very common for clients and partners to request evidence of a risk management program during their due diligence. The RMP provides this evidence!
  • Compliance Requirements - Requirements such as PCI DSS, HIPAA, MA 201 CMR 17.00 and NIST 800-171 establish a mandate to formally manage risk. The RMP addresses these compliance requirements!

How Does the RMP Solve It?

  • Clear Documentation - The RMP provides the comprehensive documentation to prove that your risk program exists.
  • Actionable Steps - The RMP provides actionable guidance on what steps can be taken to categorize, calculate and manage risk in a sustainable manner.
  • Alignment With Leading Practices - The RMP is written to support COSO, COBIT, NIST and ISO frameworks that provide you with significant flexibility to assess risks.


RMP Cost Savings

From surveying cybersecurity professionals, we created the following chart to provide a comparison of options for companies needing a documented cybersecurity risk management program. As you can see, when you factor in internal staff time to perform reviews and refinements with key stakeholders, purchasing an RMP from ComplianceForge is approximately 10% ($13,500+ savings) of the cost of writing your own documentation and 4% ($36,00+ savings) of the cost of hiring a consultant to write it for you!


What Does The Cybersecurity Risk Management Program Framework (RMP) Do?

The RMP is an editable Microsoft Word document that contains the requirements needed to establish a risk management program. Quite simply, the Cybersecurity Risk Management Program (RMP) provides your company with evidence that a documented risk management program exists to address operational risks associated with information and technology. From a Capability Maturity Model (CMM) perspective, a risk program that is undocumented, incomplete or ad hoc can be a liability for a company, since it indicates negligence with respect to a statutory, regulatory or contractual requirement to manage risk. The RMP addresses the due care component of getting an organization to a mature level for managing risk.

Determine the Potential Likelihood of Threat Occurrence

Organizations must take into account the probability of potential risks, since that identifies the legitimate threat landscape. The results of this assessment, combined with the initial list of threats, will influence the determination of which threats must be protected against, because those are the ones “reasonably anticipated” based on your unique situation.

Determine the Potential Impact of Threat Occurrence

Organizations must consider the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of their data and information systems. Not all systems are equal – some systems could go down and no one would be impacted, but some systems could bring your business operations to an immediate halt.

The RMP helps assess the magnitude of the potential impact resulting from a threat triggering or exploiting a specific vulnerability. This can be qualitative, quantitative or a combination of the two methods to measure the impact on your organization.

Determine the Level of Risk

From likelihood and potential impact, organizations can assign risk levels for all threat and vulnerability combinations identified during the risk analysis. The RMP allows you to assign a level of risk by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence.


The Cybersecurity Risk Management Program (RMP) provides best-practices guidance on risk management at the strategic, operational and tactical levels! This is important, since this hybrid or "best of breed" approach to risk management takes advantage of the strengths of each best-practice model (e.g., COSO, COBIT, ISO & NIST). This gives you a considerable amount of flexibility to conduct risk management operations.




Due Care Considerations - Reasonable Expectations For Managing Risk

Are you prepared to answer the "why" or "how" questions for your risk assessments? It is a pretty scary question for many people, since their risk assessments are not based on anything beyond “gut feelings” and are overly subjective. When an auditor comes knocking, it is critically important to be able to point to program documentation that justifies your decisions. The Cybersecurity Risk Assessment Framework is intended to be the foundational documentation that you implement to define and manage risk at your company.


The Cybersecurity Risk Management Program clearly lays out and defines cybersecurity risk for your organization - how you plan to address risk management at the strategic, operational, and tactical levels! This is based on industry-recognized best practices for risk management from COSO, ISO and NIST, so the framework is based on what reasonable expectations are for managing cybersecurity risk. For simple risk assessments, the 6x6 risk matrix can be used to quickly identify the appropriate level of risk the scenario represents. With that knowledge, it is easy to then escalate the risk to the appropriate level of management for resolution (e.g., accept, transfer, mitigate or avoid the risk).


Make Assessing Risk More Efficient - Understanding Layers of Risk

Dependencies are of critical importance when assessing risk, since risk can have a cascading effect. Ideally, a risk assessment at a tactical level (e.g., assessment of a specific application or host) should leverage existing risk assessments that address “upstream” risks. For example, a well-designed and securely-coded application could be compromised if the host system it is running on is insecure. Similarly, the application could be made unavailable if the datacenter lacks measures to ensure uptime against natural or man-made threats.

As part of overall risk management, your company should perform several formal risk assessments, which are meant to be used as references for more detailed project-specific risk assessments. At a minimum, risk assessments should exist for commonly-leveraged aspects of your company's IT environment:

        • Datacenters (including infrastructure risks)
        • Secure configurations for hosts and major applications (e.g., databases, email, Intranet)


Leveraging those existing risk assessments allows for more efficient assessments of applications. The CRMF helps build this foundation for efficient risk management.

        • Application-Specific Risk

          Risks associated with applications include, but are not limited to:

          • Insecure code (developers did not follow secure coding practices)
          • Default/weak credentials
          • Weak encryption
          • Passwords/sensitive data stored in clear text
          • Permissions management 
          • Missing software patches
          • Logging/monitoring not being performed


        • Host-Specific Risk

          Risks associated with hosts include, but are not limited to:

          • Lack of system hardening 
          • Default/weak credentials
          • Lack of encryption at rest 
          • Role-Based Access Control (RBAC)
          • Missing software patches
          • Logging/monitoring not being performed
          • Backups not being performed

        • Infrastructure-Specific Risk

          Risks associated with infrastructure include, but are not limited to:

          • Improper equipment (e.g., consumer-grade networking hardware vs business/enterprise-grade) 
          • Lack of system hardening 
          • Default/weak credentials
          • Lack of encryption in transit
          • Role-Based Access Control (RBAC)
          • Missing software patches
          • Logging/monitoring not being performed


        • Facility-Specific Risk

          Risks associated with facilities include, but are not limited to:

          • Physical access controls
          • Environmental controls
          • Redundant utilities
          • Trained response personnel (disaster recovery plan)


        • Risk Associated With Other Dependencies

          Risks associated with other dependencies include, but are not limited to:

          • Software escrow agreements
          • Developer/vendor management
          • Trans-border data transfers (international law ramifications)
          • Business limitations (e.g., timelines, funding, regulations, politics, etc.)


SEE FOR YOURSELF - EXAMPLE Cybersecurity Risk Management Program (RMP) 

Don't take our word for it - take a look at the example Cybersecurity Risk Management Framework (CRMF) to see for yourself the level of professionalism and detail that went into it.



Professionally-Written, Editable & Easily-Implemented Cybersecurity Risk Management Framework

Our latest version of the Cybersecurity Risk Management Program (RMP) is a Microsoft Word document that is fully editable, so that you can customize it for your own unique needs. 

The Cybersecurity Risk Management Program (RMP) includes the following content to establish a comprehensive basis for defining and documenting how your company manages cybersecurity risk:

        • Risk Taxonomy
          • What Is Risk?
          • Risk Management Activities
          • Risk Management Benefits
          • Who Has The Authority To Manage Risk
          • Risk Management Decisions
        • How Risk Is Categorized
          • Low Risk
          • Medium Risk
          • High Risk
          • Severe Risk
          • Extreme Risk
        • Risk Management Fundamentals
          • Risk Management Principles
          • Risk Management Maturity Levels
          • Defining The Risk Appetite
          • Situation Awareness
          • Analyzing Risks
          • Evaluating & Prioritizing Risks
          • Risk Treatment
          • Monitoring Risk
          • Documenting Risk & Reporting Findings
        • Cybersecurity Risk Management Methodology
          • COSO – Strategic (Enterprise-Level Approach to Risk Management)
          • ISO – Operational (Initiative / Program-Level Approach to Risk Management)
          • NIST – Tactical (Asset / Project-Level Approach to Risk Management)
        • Threat & Risk Assessment (TRA) Methodology
          • Defining Potential Impact
          • Defining Potential Likelihood
          • Defining Criticality Levels for Assets / Systems / Data
        • Risk Considerations for Vulnerability Management
          • Cybersecurity Considerations for Protecting Systems
          • Proactive Response Planning
          • Flaw Remediation (Patch Management)
          • Vulnerability Scanning
          • Security Testing & Evaluation (ST&E)
        • Appendices
          • Sources of Risk
          • Risk Roles & Responsibilities
          • Risk Assessment Techniques
