Description
- The RMP addresses the “how?” questions for how your company manages risk.
- This is an editable Microsoft Word document that provides program-level guidance that directly supports the WISP and DSP policies and standards for managing cybersecurity risk.
- In summary, this addresses fundamental needs when it comes to risk management requirements:
  - How risk is defined.
  - Who can accept risk.
  - How risk is calculated by defining potential impact and likelihood.
  - Necessary steps to reduce risk.
  - Risk considerations for vulnerability management.
- The RMP is based on leading frameworks, such as NIST 800-37, NIST 800-39, ISO 31010 and COSO 2013.
Cybersecurity Risk Management Framework
All companies have a need to manage risk. Most companies are compelled to manage risk, and these requirements come from a broad range of sources. Regardless of your industry, there are likely requirements to manage cybersecurity risk, and failing to manage risk could leave your company liable for non-compliance with these requirements:
- Payment Card Industry Data Security Standard (PCI DSS) – Section#12.2 requires companies to perform a formal risk assessment!
- Massachusetts MA 201 CMR 17.00 – Section# 17.03(2)(b) requires companies to “identify & assess” reasonably-foreseeable internal and external risks!
- Oregon Identity Theft Protection Act – Section 646A.622(2)(d)(B)(ii) requires companies to assess risks in information processing, transmission & storage!
- Health Insurance Portability and Accountability Act (HIPAA) – Security Rule (Section 45 C.F.R. §§ 164.302 – 318) requires companies to conduct an accurate & thorough assessment of potential risks!
- Gramm-Leach-Bliley Act – Safeguards Rule requires companies to identify and assess risks to customer information!
- NIST 800-171 – Protecting CUI in Nonfederal Information Systems and Organizations – Section 3.11 requires risks to be periodically assessed!
- Federal Trade Commission (FTC) Act – 15 U.S. Code § 45 deems unfair or deceptive acts or practices in or affecting commerce to be unlawful – poor security practices are covered under this requirement and not managing cybersecurity risk is an indication of poor security practices!
- Vendor Contracts – It is increasingly common for vendors, partners and subcontractors to be contractually-bound to perform recurring risk assessments. Not having a risk management program could lead to breach of contract or losing a bid!
Cybersecurity Risk Management Program Documentation
The RMP serves as a foundational element in your organization’s cybersecurity risk program. It can stand alone or be paired with other specialized products we offer.
Even with larger organizations that have Enterprise Risk Management (ERM) departments, the RMP can tie into the broader risk management framework for any organization. What ComplianceForge.com did was simply reduce the complexity by creating a usable risk management framework that any company can implement to manage risks:
- How risk is categorized
- Risk management fundamentals
- Risk maturity levels
- Defining the risk appetite
- Evaluating & prioritizing risks
- Risk treatment
- Documenting risk & reporting findings
- Defining potential impact
- Defining potential likelihood
- Defining criticality levels for assets / systems / data
- Sources of risk
What Is The Risk Management Program (RMP)?
Our products are one-time purchases with no software to install – you are buying Microsoft Office-based documentation templates that you can edit for your specific needs. If you can use Microsoft Office or OpenOffice, you can use this product! The RMP is an editable Microsoft Word document that provides program-level guidance that directly supports your organization’s policies and standards for managing cybersecurity risk. Unfortunately, most companies lack a coherent approach to managing risks across the enterprise:
- When you look at getting audit ready, your policies and standards only cover the “why?” and “what?” questions of an audit. This product addresses the “how?” questions for how your company manages risk.
- The RMP provides clear, concise documentation that provides a “paint by numbers” approach to how risk is managed.
- The RMP addresses fundamental needs when it comes to what is expected in cybersecurity risk management:
  - How risk is defined.
  - Who can accept risk.
  - How risk is calculated by defining potential impact and likelihood.
  - Necessary steps to reduce risk.
  - Risk considerations for vulnerability management.
- The RMP is based on leading frameworks, such as NIST 800-37, NIST 800-39, ISO 31010 and COSO 2013.
- Just as Human Resources publishes an “employee handbook” to let employees know what is expected of them from an HR perspective, the RMP does this from a cybersecurity risk management perspective.
What Problem Does The RMP Solve?
- Lack of In-House Security Experience – Writing security documentation is a skill that many good cybersecurity professionals simply are not proficient at and avoid the task at all costs. Tasking your security analysts and engineers to write comprehensive documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. The RMP is an efficient method to obtain comprehensive risk management documentation for your organization!
- Compliance Requirements – Requirements such as PCI DSS, HIPAA, MA 201 CMR 17.00 and NIST 800-171 establish a mandate to formally manage risk. The RMP addresses these compliance requirements!
- Audit Failures – Similar to vulnerability management, most organizations run into trouble in audits when asked HOW risk is managed, since they cannot provide documentation beyond policies and standards. The RMP addresses the HOW for you!
- Vendor Requirements – It is very common for clients and partners to request evidence of a risk management program during their due diligence. The RMP provides this evidence!
How Does The RMP Solve It?
- Clear Documentation – The RMP provides the comprehensive documentation to prove that your risk program exists.
- Time Savings – The RMP provides actionable guidance on what steps can be taken to categorize, calculate and manage risk in a sustainable manner.
- Alignment With Leading Practices – The RMP is written to support the COSO, COBIT, NIST and ISO frameworks, which provide you with significant flexibility in how you assess risks.