
The RMP serves as a foundational element in your organization's cybersecurity risk program. It can stand alone or be paired with other specialized products we offer.

Even in larger organizations that have Enterprise Risk Management (ERM) departments, the RMP can tie into the broader risk management framework. What ComplianceForge.com did was simply reduce the complexity by creating a usable risk management framework that any company can implement to manage risks, covering:

- How risk is categorized
- Risk management fundamentals
- Risk maturity levels
- Defining the risk appetite
- Evaluating & prioritizing risks
- Risk treatment
- Documenting risk & reporting findings
- Defining potential impact
- Defining potential likelihood
- Defining criticality levels for assets / systems / data
- Sources of risk

CYBERSECURITY RISK MANAGEMENT PROGRAM (RMP) FRAMEWORK - BASED ON COSO 2013, COBIT 5, NIST 800-37 & ISO 31010 BEST PRACTICES!

The RMP is an editable Microsoft Word document that contains the requirements needed to establish a risk management program. Quite simply, the Cybersecurity Risk Management Program (RMP) provides your company with evidence that a documented risk management program exists to address operational risks associated with information and technology. From a Capability Maturity Model (CMM) perspective, a risk program that is undocumented, incomplete or ad hoc can be a liability for a company, since it indicates negligence with respect to a statutory, regulatory or contractual requirement to manage risk. The RMP addresses the due care component of getting an organization to a mature level for managing risk.

DETERMINE THE POTENTIAL LIKELIHOOD OF THREAT OCCURRENCE

Organizations must take into account the probability of potential risks, since that identifies the legitimate threat landscape. The results of this assessment, combined with the initial list of threats, will influence which threats you must protect against, because those are the threats that are "reasonably anticipated" in your unique situation.

DETERMINE THE POTENTIAL IMPACT OF THREAT OCCURRENCE

Organizations must consider the "criticality," or impact, of potential risks to the confidentiality, integrity and availability of their data and information systems. Not all systems are equal: some systems could go down and no one would be impacted, but some systems could bring your business operations to an immediate halt.

The RMP helps assess the magnitude of the potential impact resulting from a threat triggering or exploiting a specific vulnerability. This can be qualitative, quantitative or a combination of the two methods to measure the impact on your organization.

DETERMINE THE LEVEL OF RISK

From likelihood and potential impact, organizations can assign risk levels for all threat and vulnerability combinations
identified during the risk analysis. The RMP allows you to assign a level of risk by analyzing the values assigned to the
likelihood of threat occurrence and resulting impact of threat occurrence.

The Cybersecurity Risk Management Program (RMP) provides best-practices guidance on risk management at the strategic, operational and tactical levels! This is important, since this hybrid or "best of breed" approach to risk management takes advantage of the strengths of each best-practice model (e.g., COSO, COBIT, ISO & NIST). This gives you a considerable amount of flexibility in conducting risk management operations.

DUE CARE CONSIDERATIONS - REASONABLE EXPECTATIONS FOR MANAGING RISK

Are you prepared to answer the "why" or "how" questions for your risk assessments? It is a pretty scary question for many people, since their risk assessments are not based on anything beyond "gut feelings" and are overly subjective. When an auditor comes knocking, it is critically important to be able to point to program documentation that justifies your decisions. The Cybersecurity Risk Assessment Framework is intended to be the foundational documentation that you implement to define and manage risk at your company.

The Cybersecurity Risk Management Program clearly lays out and defines cybersecurity risk for your organization - how you plan to address risk management at the strategic, operational and tactical levels! This is based on industry-recognized best practices for risk management from COSO, ISO and NIST, so the framework is based on what reasonable expectations are for managing cybersecurity risk. For simple risk assessments, the 6x6 risk matrix can be used to quickly identify the appropriate level of risk the scenario represents. With that knowledge, it is easy to then escalate the risk to the appropriate level of management for resolution (e.g., accept, transfer, mitigate or avoid the risk).
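The following is an added worked example of the likelihood x impact approach described in the "Determine the Level of Risk" section and the 6x6 risk matrix mentioned above. It is illustrative code written for this page, not content from the RMP or ComplianceForge. The 1..6 rating labels, the risk score bands (likelihood multiplied by impact, split into Low / Moderate / High / Critical), the escalation tiers and the sample scenarios are all constructed assumptions; a real program would take these from its own documented risk appetite and criticality definitions.

```python
"""Toy 6x6 risk matrix: rate likelihood and impact 1..6, derive a risk level,
rank the threat/vulnerability scenarios and decide who must resolve them.
All scales, bands and scenarios below are constructed assumptions."""
from dataclasses import dataclass

# Assumed 1..6 likelihood and impact scales (constructed, not the RMP's own).
LIKELIHOOD = {1: "Remote", 2: "Unlikely", 3: "Possible",
              4: "Likely", 5: "Very likely", 6: "Almost certain"}
IMPACT = {1: "Negligible", 2: "Minor", 3: "Moderate",
          4: "Major", 5: "Severe", 6: "Catastrophic"}

# Assumed bands over the product score (1..36): (upper bound inclusive, label).
RISK_BANDS = [(6, "Low"), (12, "Moderate"), (20, "High"), (36, "Critical")]

# Assumed escalation tiers: who is asked to accept/transfer/mitigate/avoid.
ESCALATION = {
    "Low": "system owner",
    "Moderate": "IT / security management",
    "High": "executive management",
    "Critical": "executive committee / board",
}


def risk_level(likelihood: int, impact: int) -> tuple[int, str]:
    """Return (score, band label) for one cell of the 6x6 matrix."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must each be rated 1..6")
    score = likelihood * impact
    for upper, label in RISK_BANDS:
        if score <= upper:
            return score, label
    raise AssertionError("unreachable: bands cover 1..36")


def build_matrix() -> dict[tuple[int, int], str]:
    """All 36 (likelihood, impact) cells mapped to their band label."""
    return {(l, i): risk_level(l, i)[1]
            for l in LIKELIHOOD for i in IMPACT}


@dataclass
class Scenario:
    threat: str
    vulnerability: str
    asset: str
    likelihood: int
    impact: int


def assess(scenarios: list[Scenario]) -> list[dict]:
    """Score every threat/vulnerability pair and rank highest risk first."""
    rows = []
    for s in scenarios:
        score, level = risk_level(s.likelihood, s.impact)
        rows.append({
            "asset": s.asset,
            "scenario": f"{s.threat} via {s.vulnerability}",
            "likelihood": LIKELIHOOD[s.likelihood],
            "impact": IMPACT[s.impact],
            "score": score,
            "level": level,
            "escalate_to": ESCALATION[level],
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample register (not real findings).
SAMPLE_SCENARIOS = [
    Scenario("Ransomware", "unpatched mail gateway", "ERP server", 5, 6),
    Scenario("Lost laptop", "no full-disk encryption", "field laptops", 4, 3),
    Scenario("Site defacement", "outdated CMS plugin", "marketing site", 3, 2),
    Scenario("Data exposure", "misconfigured cloud bucket", "customer DB", 2, 5),
]

if __name__ == "__main__":
    matrix = build_matrix()
    print("impact ->  " + "  ".join(f"{i:>9}" for i in IMPACT))
    for l in LIKELIHOOD:
        print(f"L={l} {LIKELIHOOD[l]:<14}" +
              "  ".join(f"{matrix[(l, i)]:>9}" for i in IMPACT))
    print()
    for r in assess(SAMPLE_SCENARIOS):
        print(f"{r['score']:>2} {r['level']:<8} {r['asset']:<15} "
              f"{r['scenario']:<40} -> {r['escalate_to']}")
```

Running the block prints the full matrix and then the ranked register, so an auditor can see both the rule (the matrix and bands) and how each scenario's level and escalation tier followed from it, which is the "why" and "how" the section above asks you to be ready to answer.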
