Digital Security Program (DSP)
| Control | Control Description | Status |
|---|---|---|
| Risk Management Program | Mechanisms exist to facilitate the implementation of strategic, operational and tactical risk management controls. | |
| Risk Framing | Mechanisms exist to identify: (1) Assumptions affecting risk assessments, risk response and risk monitoring; (2) Constraints affecting risk assessments, risk response and risk monitoring; (3) The organizational risk tolerance; and (4) Priorities, benefits and trade-offs considered by the organization for managing risk. | |
| Risk Tolerance | Mechanisms exist to define organizational risk tolerance, the specified range of acceptable results. | |
| Risk Threshold | Mechanisms exist to define organizational risk threshold, the level of risk exposure above which risks are addressed and below which risks may be accepted. | |
| Risk Appetite | Mechanisms exist to define organizational risk appetite, the degree of uncertainty the organization is willing to accept in anticipation of a reward. | |
| Risk-Based Security Categorization | Mechanisms exist to categorize systems and data in accordance with applicable laws, regulations and contractual obligations that: (1) Document the security categorization results (including supporting rationale) in the security plan for systems; and (2) Ensure the security categorization decision is reviewed and approved by the asset owner. | |
| Impact-Level Prioritization | Mechanisms exist to prioritize the impact level for systems, applications and/or services to prevent potential disruptions. | |
| Risk Identification | Mechanisms exist to identify and document risks, both internal and external. | |
| Risk Catalog | Mechanisms exist to develop and keep current a catalog of applicable risks associated with the organization's business operations and technologies in use. | |
| Risk Assessment | Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's systems and data. | |
| Risk Register | Mechanisms exist to maintain a risk register that facilitates monitoring and reporting of risks. | |
| Risk Ranking | Mechanisms exist to identify and assign a risk ranking to newly discovered security vulnerabilities that is based on industry-recognized practices. | |
| Risk Remediation | Mechanisms exist to remediate risks to an acceptable level. | |
| Risk Response | Mechanisms exist to respond to findings from cybersecurity & data privacy assessments, incidents and audits to ensure proper remediation has been performed. | |
| Compensating Countermeasures | Mechanisms exist to identify and implement compensating countermeasures to reduce risk and exposure to threats. | |
| Risk Assessment Update | Mechanisms exist to routinely update risk assessments and react accordingly upon identifying new security vulnerabilities, including using outside sources for security vulnerability information. | |
| Business Impact Analysis (BIA) | Mechanisms exist to conduct a Business Impact Analysis (BIA) to identify and assess cybersecurity and data protection risks. | |
| Supply Chain Risk Management (SCRM) Plan | Mechanisms exist to develop a plan for Supply Chain Risk Management (SCRM) associated with the development, acquisition, maintenance and disposal of systems, system components and services, including documenting selected mitigating actions and monitoring performance against those plans. | |
| Supply Chain Risk Assessment | Mechanisms exist to periodically assess supply chain risks associated with systems, system components and services. | |
| Data Protection Impact Assessment (DPIA) | Mechanisms exist to conduct a Data Protection Impact Assessment (DPIA) on systems, applications and services that store, process and/or transmit Personal Data (PD) to identify and remediate reasonably-expected risks. | |
| Risk Culture | Mechanisms exist to ensure teams are committed to a culture that considers and communicates technology-related risk. | |