Security & Privacy Risk Management Model (SP-RMM) version 2022.

START HERE

1
Identify one or more risk management principles that will form the basis of how the entity approaches its risk management processes.
The alignment with risk management principles must support the entity's policies and standards for risk management objectives.
www.ComplianceForge.com
" NIST-aligned" principles " ISO-aligned" principles " COSO-aligned" principles " OMB-aligned" principles
NIST SP 800-37
NIST SP 800-39 OR ISO 31010 OR COSO 2019 OR OMB A-123
NIST IR 8286

2 www.SecureControlsFramework.com
Identify, implement and document critical dependencies that are necessary to legitimately identify, assess and manage risk.

2a 2b 2c
Establish technology dependencies that affect risk Establish business dependencies that affect risk management
Establish risk management dependencies
management decisions decisions

Define the "acceptable
risk" threshold for the entity
Accurate & current
Define risk occurrence
hardware & software
likelihoods
inventories
Establish a data
classification scheme,
Accurate & current network Enforce policies and
including what constitutes
diagrams standards across the entity
the "crown jewels" for data
protection requirements

Identify the risk authority Define "what right looks

Understanding of
for various levels of Accurate & current Data like" by identifying a target Enforce the documentation
Define risk impact effects technology dependencies
management Flow Diagrams (DFD) maturity level for security & of business practices
that affect operations
privacy

Implement third-party
Establish a Plan of Action Assign competent &
governance as part of a
& Milestones (POA&M) or Consistent application of Results from vulnerability trained personnel to the
Define risk levels Supply Chain Risk
risk register security & privacy controls assessments roles that make risk
Management (SCRM)
Risk Grouping Risk # Risk management decisions
program
R-AC-1 Inability to maintain individual accountability

R-AC-2 Improper assignment of privileged functions

Access Control
R-AC-3 Privilege escalation

R-AC-4 Unauthorized access

R-AM-1 Lost, damaged or stolen asset(s)

Asset Management Document a formal Risk Management
R-AM-2 Loss of integrity through unauthorized changes 3 Formalize Program (RMP) that supports the
R-BC-1 Business interruption Risk entity's policies & standards. The RMP
Practices is meant to document the program-level
R-BC-2 Data loss / corruption
guidance that defines the "who, what,
Business Continuity R-BC-3 Reduction in productivity why, when & how" about the entity's
specific risk management practices.
R-BC-4 Information loss / corruption or system compromise due to technical attack

R-BC-5 Information loss / corruption or system compromise due to non-technical attack

4
R-EX-1 Loss of revenue

R-EX-2 Canceled contract

Develop a RISK CATALOG that identifies the
R-EX-3 Diminished competitive advantage possible risks that affect the entity.
Exposure R-EX-4 Diminished reputation Definition of " risk" in the context of the SP-RMM:
noun A situation where someone or something valued is exposed to danger, harm or loss.*
R-EX-5 Fines and judgments
verb To expose someone or something valued to danger, harm or loss.
R-EX-6 Unmitigated vulnerabilities Definition of " threat" in the context of the SP-RMM:
* Danger: state of possibly suffering harm or injury 5 noun A person or thing likely to cause damage or danger.
R-EX-7 System compromise
* Harm: material / physical damage verb To indicate impending damage or danger.
R-GV-1 Inability to support business processes * Loss: destruction, deprivation or inability to use Develop a THREAT CATALOG that identifies
R-GV-2 Incorrect controls scoping
possible natural and man-made threats that
affect the entity's security & privacy controls.
R-GV-3 Lack of roles & responsibilities

R-GV-4 Inadequate internal practices

Governance
R-GV-5 Inadequate third-party practices

R-GV-6 Lack of oversight of internal controls 6

Develop a CONTROLS CATALOG that
R-GV-7 Lack of oversight of third-party controls addresses the entity's applicable statutory,
R-GV-8 Illegal content or abusive action regulatory and contractual obligations. Risks
must map to the entity's security & privacy
R-IR-1 Inability to investigate / prosecute incidents controls. Ideally, the controls are weighted
R-IR-2 Improper response to incidents since not all security & privacy controls are
Incident Response equal. SCF has built-In Control Weighting Values SP-CMM 0
R-IR-3 Ineffective remediation actions
[1-10] , the Security & Privacy Capability Not Performed
R-IR-4 Expense associated with managing a loss event Maturity Model (SP-CMM) and the SCF
controls written in question format. Non-Existent Practices
R-SA-1 Inability to maintain situational awareness 7
Situational Awareness
R-SA-2 Lack of a security-minded workforce
Per the entity's target Capability Maturity
Model (CMM) target, identify "what right looks SP-CMM 1
like" for each security & privacy control. Performed Informally
** Assessing risks in the context of the SP-RMM
applies to various assessment scenarios:
- Cybersecurity Risk Assessment Capability Maturity Model Ad Hoc Practices
- Third-Party Risk Assessment
- Data Protection Impact Assessment (DPIA) Risk Assessment Rigor Define "what right looks like" by
- Business Impact Assessment (BIA) 8
Perform Risk identifying a target maturity SP-CMM 2
- Privacy Impact Assessment (PIA) Level 1 - Basic level. This can be done through Planned & Tracked
Assessments
(Minimum Assurance) the Security & Privacy
**
Capability Maturity Model
Requirement-Driven Practices
(SP-CMM).
Level 2 - Focused
(Minimum Assurance) The criteria of the SP-CMM can
be used for both planning SP-CMM 3
Category System Security & Privacy Plan (SSPP) Components 9 Well Defined
Establish the context of the Security & Level 3 - Comprehensive purposes and as a benchmark
General description & purpose Privacy Risk Environment (SPRE). The to assess against.
(Minimum Assurance)
Applicable statutory, regulatory & contractual requirements SPRE is the overall operating environment that Enterprise-Wide Standardization
Background is in scope for the risk assessment. This is
Applicable contracts where the threats, risks and vulnerabilities
Information
Stakeholders (internal & external) affect the entity?s protection measures. This SP-CMM 4
can be addressed through a well-documented Quantitatively Controlled
Unique data protection considerations System Security & Privacy Plan (SSPP).
Hardware & software in use
Metrics-Driven Governance
Geo-location considerations (storage & processing)
System Identity & Access Management (IAM) 10
Environment From the applicable security & privacy SP-CMM 5
Description Network boundaries
controls, evaluate those controls based on the Continuously Improving
Supply chain overview entity's THREAT CATALOG to identify current
or potential control deficiencies. Utilize the
Ongoing maintenance & support plan World-Class Practices
RISK CATALOG to identify the applicable
risks from the control deficiencies.

Assessment Methods
Findings

Satisfactory Method 1
11 Qualitative

Not Applicable Utilize entity-accepted methods to assess the

control in the most objective method possible. Method 2
Semi-Qualitative
Alternative

Method 3
Deficient
Quantitative
Occurrence Likelihood (OL)
Virtual certainty the event will occur at some time, under normal business
Almost Certain conditions, that can be quantified as greater than a 99% chance of occurrence.

Likely to expect the event to occur at some time, under normal business
Likely conditions, that can be quantified as between a 70%-99% chance of occurrence.

Reasonable to expect the event could occur at some time, under normal
Possible business conditions, that can be quantified as between a 25%-70% chance of
occurrence.
Impact Effect (IE)
Unlikely to expect the event to occur at some time, under normal business
Critical, long-term damage or service impact. Financial and reputational damage
Unlikely conditions, that can be quantified as between a 10%-25% chance of occurrence.
Catastrophic could be enough to ruin the business.

Critical, short-term damage or service impact. Financial and reputational Highly-unlikely event that can be quantified as between a 1%-10% chance of
Critical Highly Unlikely occurrence.
damage could create noticeable loss of market share.

Major damage or service impact. Extensive reputational and financial impact,

Major but not enough to ruin the business. Remote
Theoretically possible. The likelihood of occurring can be quantified as less than
a 1% chance of occurrence.
Noticeable damage or service impact. Harmful reputational and financial impact,
Moderate but not enough to ruin the business.

Localized or minimal damage or service impact. Minor reputational and financial

Minor impact.

Insignificant Little to no damage or service impact. No reputational or financial impact.

Risk Assessment Report

Priority 1
Emergency
Plan of Action & Milestones
12 (POA&M)
Priority 2
Prioritize and document the identified risks. Elevated
Risk Register
NVD Vulnerability Severity Ratings
CVSS 3.0 Ratings*** Priority 3
*** Where feasible, the NVD Vulnerability Severity
Standard
Critical 9.0 - 10.0 Ratings should be leveraged to provide objectivity
when evaluating a technical risk. The CVSS 3.0 System Security & Privacy Plan
High 7.0 - 8.9 rating can be leveraged to determine an appropriate (SSPP)
Medium 4.0 - 6.9 Risk Impact Effect that is specific to the entity's use
Low
of the technology in question.
Low 0.1 - 3.9
***CALCULATING INHERENT RISK:
None 0.0 Moderate 13 The Occurrence Likelihood (OL), in combination with the Impact Effect (IE) will provide
the "inherent risk" score. This is considered a raw or unmitigated risk score. It is
High Calculate important to note that inherent risk does not take into account any control weighting,
Risk *** the maturity of implemented controls or any other mitigating factors.

Severe CALCULATING RESIDUAL RISK:

To understand the "residual risk" that takes into account control weighting, the maturity
of implemented controls and other mitigating factor, it requires expanding upon
Extreme inherent risk calculations. To identify the residual risk score, Occurrence Likelihood
(OL) is calculated by Risk Impact Effect (IE), Control Weighting (CW), Maturity Level
(ML) and Mitigating Factors (MF).

Conforms
14
Report on
Conformity Significant Deficiency
(ROC)
Material Weakness

Tier 1 Management
Line Management

Tier 2 Management 15
Senior Management Identify
Appropriate
Management
Tier 3 Management Audience
Executive Management

Risk Treatment Option # 1

Tier 4 Management Reduce the risk to an acceptable level
Board of Directors

16 Risk Treatment Option # 2

Management Avoid the risk
Determines
Risk Treatment
Risk Treatment Option # 3
Transfer the risk to another party

Risk Treatment Option # 4

Accept the risk

Risk Status 1 17
Open (unacceptable risk)

Implement risk
Risk Status 2 treatment options.
Open (acceptable risk) Document risk status
through remediation.
[continuous risk monitoring & assessments]

Risk Status 3
Closed

Copyright © 2022 by Compliance Forge, LLC (ComplianceForge). All rights reserved.

All text, images, logos, trademarks and information contained in this document are the intellectual property of ComplianceForge, unless otherwise indicated. Modification of any content, including text and images, requires the prior written permission of ComplianceForge. Requests may be sent to support@complianceforge.com.
 Calculating Risk Using The Security & Privacy Risk Management Model (SP-RMM) version 2022.2

Occurrence
Score Description
Likelihood (OL)

Almost Certain 6 Virtual certainty the event will occur at some time, under normal business conditions, that can be quantified as greater than a 99% chance of occurrence.
Likely 5 Likely to expect the event to occur at some time, under normal business conditions, that can be quantified as between a 70%-99% chance of occurrence.
Possible 4 Reasonable to expect the event could occur at some time, under normal business conditions, that can be quantified as between a 25%-70% chance of occurrence.
Unlikely 3 Unlikely to expect the event to occur at some time, under normal business conditions, that can be quantified as between a 10%-25% chance of occurrence.
Highly Unlikely 2 Highly-unlikely event that can be quantified as between a 1%-10% chance of occurrence.
Remote 1 Theoretically possible. The likelihood of occurring can be quantified as less than a 1% chance of occurrence.

Impact Effect
Score Description
(IE)
Catastrophic 6 Critical, long-term damage or service impact. Financial and reputational damage could be enough to ruin the business.
Critical 5 Critical, short-term damage or service impact. Financial and reputational damage could create noticeable loss of market share.
Major 4 Major damage or service impact. Extensive reputational and financial impact, but not enough to ruin the business.
Moderate 3 Noticeable damage or service impact. Harmful reputational and financial impact, but not enough to ruin the business.
Minor 2 Localized or minimal damage or service impact. Minor reputational and financial impact.
Insignificant 1 Little to no damage or service impact. No reputational or financial impact.

Occurrence Likelihood (OL) Impact Effect (IE)

X
[1-6] [1-6] *CALCULATING INHERENT RISK: [OL * IE ]
The Occurrence Likelihood (OL), in combination with the Impact Effect (IE) will provide the "inherent
risk" score.
Raw / Unweighted
Risk Score Note - Inherent risk does not take into account any control weighting, the maturity of implemented
controls or any other mitigating factors.

SCF has built-In Control

Weighting Values [1-10]
**CALCULATING RESIDUAL RISK: [OL* IE * CW * ML * MF]
To understand the "residual risk" that takes into account control weighting, the maturity of implemented
INHERENT OL * IE Control Weighting (CW) controls and other mitigating factor, it requires expanding upon inherent risk calculations.
X
[1-36] [1-10]
RISK*
To identify the residual risk score, Occurrence Likelihood (OL) is calculated by Risk Impact Effect (IE),
Control Weighting (CW), Maturity Level (ML) and Mitigating Factors (MF).
Weighted
Risk Score

Maturity Level (ML) ML Description ML Value

0 Not Performed 1.0
1 Performed Informally 1.0
OL * IE * CW Maturity Level (ML)
X 2 Planned & Tracked 0.9
[1-360] [0-50%]
3 Well Defined 0.7
4 Quantitatively Controlled 0.6
Weighted Maturity 5 Continuously Improving 0.5
Risk Score

Mitigating Factor (MF) Risk Reduction MF Value

N/A - Not Required Not Applicable 1.0

OL * IE * CW * ML Mitigating Factors (MF) No Mitigating Factors Available 0% 1.0

[1-360] X [0-50%] Minimal Impact Reduction (Occurrence and/or Impact ) 10% 0.9
Moderate Impact Reduction (Occurrence and/or Impact ) 30% 0.7
Significant Impact Reduction (Occurrence and/or Impact ) 50% 0.5
Compensated,
Weighted Maturity
Risk Score

Risk Level Residual Risk Values

Low 1 <= 36
RESIDUAL OL * IE * CW * ML * MF Moderate >36 <= 108

RISK** [1-360] High >108 <= 198

Severe >198 <= 288
Extreme >288 <= 360

Both Inherent Risk & Residual Risk map into the SP-RMM Risk Matrix (graphic shown below.
- For Inherent Risk, find the cell where Occurrence Likelihood (OL) intersects Impact Effect (IE) to determine the risk level.
- For Residual Risk, utilize the calculated Residual Risk values (see chart above) to determine the corresponding risk level.

www.ComplianceForge.com www.SecureControlsFramework.com

Copyright © 2022 by Compliance Forge, LLC (ComplianceForge). All rights reserved.

All text, images, logos, trademarks and information contained in this document are the intellectual property of ComplianceForge, unless otherwise indicated. Modification of any content, including text and images, requires the prior written permission of
ComplianceForge. Requests may be sent to support@complianceforge.com.