Cybersecurity & Data Privacy Risk Management Model (C|P-RMM)

Thank you for showing interest in the Cybersecurity & Data Privacy Risk Management Model (C|P-RMM)! The C|P-RMM is designed to be an integral tool of an organization’s ability to demonstrate evidence of due diligence and due care. This not only benefits your organization by having solid risk management practices, but it can also serve as a way to reduce risk for those who have to initiate the hard discussions on risk management topics.

The concept of creating the C|P-RMM was to create an efficient methodology to identify, assess, report and mitigate risk. The C|P-RMM project was a collaboration between ComplianceForge and the SCF that was approached from the perspective of asking the question, “How should I manage risk?”

Why You Should Care About The C|P-RMM

Ask yourself these two questions about your organization and your personal exposure in risk & threat management operations:

Can you prove that the right people within your organization are both aware of risks and have taken direct responsibility for mitigating those risks?
If there was a breach or incident that is due to identified risks that went unmitigated, where does the “finger pointing” for blame immediately go to? (Is it you? Would you have guilt by association?

Risks & Threats Do Not Exist In A Vacuum

It is vitally important to understand that risks and threats do not exist in a vacuum. If your cybersecurity and privacy program is appropriately built, you will have a robust controls framework where risks and threats will map directly to controls. Why is this?

Controls are central to managing risks, threats, procedures and metrics; and
Risks, threats, metrics and procedures need to map into the controls, which then map to standards and policies.

If you worry about having to preface risk management discussions with, “Please don't shoot the messenger!” then the C|P-RMM can be an additional layer of protection for your professional reputation. Where the C|P-RMM benefits security, technology and privacy personnel is the potential “get out of jail” documentation that quality risk assessments and risk management practices can provide. Just like with compliance documentation, if risk management discussions are not documented then risk management practices do not exist.

Instead of executive leadership hanging blame on the CIO or CISO, quality risk management documentation can prove that reasonable steps were taken to identify, assess, report and mitigate risk. This type of documentation can provide evidence of due diligence and due care on the part of the CIO/CISO/CRO, which firmly puts the responsibility back on the management of the team/department/line of business that “owns” the risk.

Based on the applicable statutory, regulatory and contractual obligations that impact the scope of a risk assessment, an organization is expected to have an applicable set of cybersecurity and privacy controls to cover those needs.

That set of controls identifies the in-scope requirements that must be evaluated to determine what risk exists. This is generally considered to be a “gap assessment” where the assessor:

Evaluates those controls based on the entity's THREAT CATALOG to identify current or potential control deficiencies; and
Utilize the RISK CATALOG to identify the applicable risks, based on the identified control deficiencies.

Risks vs Threats vs Vulnerabilities

Risks, threats and vulnerabilities are commonly misunderstood. Fundamentally, vulnerability and risk management practices exist to achieve a minimum level of protection for an organization, which equates to a reduction in the total risk due to the protections offered by implemented controls. This can be conceptualized as a "risk management ecosystem" as it pertains to an organization's overall cybersecurity & data protection efforts. These ecosystem components have unique meanings that need to be understood to reasonably protect people, processes, technology and data, as shown below:

SCF Threat Catalog

The threat catalog use case is: What natural and man-made threats affect control execution? (e.g., if the threat materializes, will the control function as expected?)

This use case relies on the following definition of a threat:

Noun - A person or thing likely to cause damage or danger.
Verb - To indicate impending damage or danger.

Threat Grouping	Threat #	Threat*	Threat Description
Natural Threat	NT-1	Drought & Water Shortage	Regardless of geographic location, periods of reduced rainfall are expected. For non-agricultural industries, drought may not be impactful to operations until it reaches the extent of water rationing.
	NT-2	Earthquakes	Earthquakes are sudden rolling or shaking events caused by movement under the earth’s surface. Although earthquakes usually last less than one minute, the scope of devastation can be widespread and have long-lasting impact.
	NT-3	Fire & Wildfires	Regardless of geographic location or even building material, fire is a concern for every business. When thinking of a fire in a building, envision a total loss to all technology hardware, including backup tapes, and all paper files being consumed in the fire.
	NT-4	Floods	Flooding is the most common of natural hazards and requires an understanding of the local environment, including floodplains and the frequency of flooding events. Location of critical technologies should be considered (e.g., server room is in the basement or first floor of the facility).
	NT-5	Hurricanes & Tropical Storms	Hurricanes and tropical storms are among the most powerful natural disasters because of their size and destructive potential. In addition to high winds, regional flooding and infrastructure damage should be considered when assessing hurricanes and tropical storms.
	NT-6	Landslides & Debris Flow	Landslides occur throughout the world and can be caused by a variety of factors including earthquakes, storms, volcanic eruptions, fire, and by human modification of land. Landslides can occur quickly, often with little notice. Location of critical technologies should be considered (e.g., server room is in the basement or first floor of the facility).
	NT-7	Pandemic (Disease) Outbreaks	Due to the wide variety of possible scenarios, consideration should be given both to the magnitude of what can reasonably happen during a pandemic outbreak (e.g., COVID-19, Influenza, SARS, Ebola, etc.) and what actions the business can be taken to help lessen the impact of a pandemic on operations.
	NT-8	Severe Weather	Severe weather is a broad category of meteorological events that include events that range from damaging winds to hail.
	NT-9	Space Weather	Space weather includes natural events in space that can affect the near-earth environment and satellites. Most commonly, this is associated with solar flares from the Sun, so an understanding of how solar flares may impact the business is of critical importance in assessing this threat.
	NT-10	Thunderstorms & Lightning	Thunderstorms are most prevalent in the spring and summer months and generally occur during the afternoon and evening hours, but they can occur year-round and at all hours. Many hazardous weather events are associated with thunderstorms. Under the right conditions, rainfall from thunderstorms causes flash flooding and lightning is responsible for equipment damage, fires and fatalities.
	NT-11	Tornadoes	Tornadoes occur in many parts of the world, including the US, Australia, Europe, Africa, Asia, and South America. Tornadoes can happen at any time of year and occur at any time of day or night, but most tornadoes occur between 4–9 p.m. Tornadoes (with winds up to about 300 mph) can destroy all but the best-built man-made structures.
	NT-12	Tsunamis	All tsunamis are potentially dangerous, even though they may not damage every coastline they strike. A tsunami can strike anywhere along most of the US coastline. The most destructive tsunamis have occurred along the coasts of California, Oregon, Washington, Alaska and Hawaii.
	NT-13	Volcanoes	While volcanoes are geographically fixed objects, volcanic fallout can have significant downwind impacts for thousands of miles. Far outside of the blast zone, volcanoes can significantly damage or degrade transportation systems and also cause electrical grids to fail.
	NT-14	Winter Storms & Extreme Cold	Winter storms is a broad category of meteorological events that include events that range from ice storms, to heavy snowfall, to unseasonably (e.g., record breaking) cold temperatures. Winter storms can significantly impact business operations and transportation systems over a wide geographic region.
Man-Made Threat	MT-1	Civil or Political Unrest	Civil or political unrest can be singular or wide-spread events that can be unexpected and unpredictable. These events can occur anywhere, at any time.
	MT-2	Hacking & Other Cybersecurity Crimes	Unlike physical threats that prompt immediate action (e.g., "stop, drop, and roll" in the event of a fire), cyber incidents are often difficult to identify as the incident is occurring. Detection generally occurs after the incident has occurred, with the exception of "denial of service" attacks. The spectrum of cybersecurity risks is limitless and threats can have wide-ranging effects on the individual, organizational, geographic, and national levels.
	MT-3	Hazardous Materials Emergencies	Hazardous materials emergencies are focused on accidental disasters that occur in industrialized nations. These incidents can range from industrial chemical spills to groundwater contamination.
	MT-4	Nuclear, Biological and Chemical (NBC) Weapons	The use of NBC weapons are in the possible arsenals of international terrorists and it must be a consideration. Terrorist use of a “dirty bomb” — is considered far more likely than use of a traditional nuclear explosive device. This may be a combination a conventional explosive device with radioactive / chemical / biological material and be designed to scatter lethal and sub-lethal amounts of material over a wide area.
	MT-5	Physical Crime	Physical crime includes "traditional" crimes of opportunity. These incidents can range from theft, to vandalism, riots, looting, arson and other forms of criminal activities.
	MT-6	Terrorism & Armed Attacks	Armed attacks, regardless of the motivation of the attacker, can impact a businesses. Scenarios can range from single actors (e.g., "disgruntled" employee) all the way to a coordinated terrorist attack by multiple assailants. These incidents can range from the use of blade weapons (e.g., knives), blunt objects (e.g., clubs), to firearms and explosives.
	MT-7	Utility Service Disruption	Utility service disruptions are focused on the sustained loss of electricity, Internet, natural gas, water, and/or sanitation services. These incidents can have a variety of causes but directly impact the fulfillment of utility services that your business needs to operate.
	MT-8	Dysfunctional Management Practices	Dysfunctional management practices are a manmade threat that expose an organization to significant risk. The threat stems from the inability of weak, ineffective and/or incompetent management to (1) make a risk-based decision and (2) support that decision. The resulting risk manifests due (1) an absence of a required control or (2) a control deficiency.
	MT-9	Human Error	Human error is a broad category that includes non-malicious actions that are unexpected and unpredictable by humans. These incidents can range from misconfigurations, to misunderstandings or other unintentional accidents.
	MT-10	Technical / Mechanical Failure	Technical /mechanical failure is a broad category that includes non-malicious failure due to a defect in the technology, materials or workmanship. Technical / mechanical failures are unexpected and unpredictable, even when routine and preventative maintenance is performed. These incidents can range from malfunctions, to reliability concerns to catastrophic damage (including loss of life).
	MT-11	Statutory / Regulatory / Contractual Obligation	Laws, regulations and/or contractual obligations that directly or indirectly weaken an organization's security & privacy controls. This includes hostile nation states that leverage statutory and/or regulatory means for economic or political espionage and/or cyberwarfare activities.
	MT-12	Redundant, Obsolete/Outdated, Toxic or Trivial (ROT) Data	Redundant, Obsolete/Outdated, Toxic or Trivial (ROT) data is information an organization utilizes for business processes even though the data is untrustworthy, due to the data's currency, accuracy, integrity and/or applicability.
	MT-13	Artificial Intelligence & Autonomous Technologies (AAT)	Artificial Intelligence & Autonomous Technologies (AAT) is a broad category that range from non-malicious failure due to a defect in the algorithm to emergent properties or unintended consequences. AAT failures can be due to hardware failures, inherent biases or other flaws in the underlying algorithm. These incidents can range from malfunctions, to reliability concerns to catastrophic damage (including loss of life).
	MT-14	Fraud, Corruption and/or Willful Criminal Conduct	Willful criminal conduct is a broad category that includes consciously-committed criminal acts performed by individuals (e.g., mens rea). These incidents can include a wide-range of activities that includes fraud, corruption, theft and illegal content. Criminal conduct generally involves one of the following kinds of mens rea: (1) intent, (2) knowledge, (3) recklessness and/or (4) negligence.
	MT-15	Conflict of Interest (COI)	Conflict of Interest (COI) is a broad category but pertains to an ethical incompatibility. COI exist when (1) the concerns or goals of different parties are incompatible or (2) a person in a decision-making position is able to derive personal benefit from actions taken or decisions made in their official capacity.
	MT-16	Macroeconomics	Macroeconomic factors that can negatively affect the global supply chain. Macroeconomic factors directly impact unemployment rates, interest rates, exchange rates and commodity prices. Due to how fiscal and monetary policies can negatively affect the global supply chain, this can disrupt or degrade an organization's business operations.
	MT-17	Foreign Ownership, Control, or Influence (FOCI)	Foreign Ownership, Control, or Influence (FOCI) is a Supply Chain Risk Management (SCRM) threat category that pertains to the ownership of, control of, or influence over an organization. Primarily, the concern is if a foreign interest (e.g., foreign government or parties owned or controlled by a foreign government) has the direct or indirect ability to influence decisions that affect the management or operations of the organization.
	MT-18	Geopolitical	Geopolitical is a Supply Chain Risk Management (SCRM) threat category that pertains to a specific geographic location, or region of relevance, that affects the supply chain. Primarily, the concern is if a foreign state can affect the supply chain through political intervention within the host nation.
	MT-19	Sanctions	Sanctions is a Supply Chain Risk Management (SCRM) threat category that pertains to past or present fraudulent activity or corruption. Primarily, the concern is if the third-party is subject to suspension, exclusion or other sanctions that can affect the supply chain.
	MT-20	Counterfeit / Non-Conforming Products	Counterfeit / Non-Conforming Products is a Supply Chain Risk Management (SCRM) threat category that pertains to the integrity of components within the supply chain. Counterfeits are products introduced to the supply chain that falsely claim to be produced by the legitimate Original Equipment Manufacturer (OEM), whereas non-conforming are OEM products / materials that fail to meet the customer specifications. Both can have a detrimental effect on the supply chain.
	MT-21	Operational Environment	Operational Environment is a Supply Chain Risk Management (SCRM) threat category that pertains to the user environment (e.g., place of performance). Primarily, the concern is if the operational environment is hazardous that could expose the organization operationally or financially.
	MT-22	Manufacturing & Supply	Manufacturing & Supply is a Supply Chain Risk Management (SCRM) threat category pertaining to interdependencies related to data, systems and mission functions. Concerns include the availability of supply, capacity to surge, sole-source and concentration within or over-reliance on a single source. At issue is a single supplier or sector/market that is incapable of meeting market demand. This can be due to reduced throughput or production delays caused by capacity constraints, obsolescence, industrial limitations, market conditions, disrupted material delivery and other conditions.
	MT-23	Product Quality & Design	Product Quality & Design s a Supply Chain Risk Management (SCRM) threat category that pertains to inherent design and quality problems (e.g., raw materials, ingredients, production, logistics, packaging) that result in the product and/or service failing to meet performance specifications and quality standards. This includes an understanding of the quality assurance practices associated with preventing mistakes or defects in manufactured/ developed products and avoiding problems when delivering solutions or services to customers.
	MT-24	Financial	Financial is a Supply Chain Risk Management (SCRM) threat category that pertains to financial distress that can lead to the inability to meet contractual obligations, hostile takeovers, or bankruptcy. This involves situations where a supplier cannot generate revenue or income resulting in the inability to meet financial obligations.
	MT-25	Human Capital	Human Capital is a threat category that pertains to human skills, knowledge and actions that may impact a market's ability to produce goods and/or services to meet demand. This includes industrial disputes, labor availability and unrest, attrition of required skills and consumer behavior that disrupts a given market or industry.
	MT-26	Transportation & Distribution	Transportation & Distribution is a threat category that pertains to dynamic disruptions within the transportation and logistics of moving a product from one point to another. The transportation industry is among the most risk-prone of all industries due to accidents, losses of cargo, driver shortages and deteriorating infrastructure. These risks can cause shipment delays, supply chain disruptions, increased costs and damaged reputations. In addition, the inability to predict and plan for disruptions in the logistics plan presents risk in meeting delivery requirements and maintaining operations.
	MT-27	Infrastructure	Infrastructure is a threat category that pertains to the availability and functioning of fundamental facilities and systems necessary to support an industry and its supply chains within a country. This includes buildings, transportation networks, utilities and equipment. Additionally, this includes how well those facilities and systems are protected from both natural and man-made threats.SCF Risk Catalog

The risk catalog use case is: What are the risks associated with a control deficiency? (e.g., if the control fails, what risk(s) is the organization exposed to?)

This use case relies on the following definition of a risk:

Noun - A situation where someone or something valued is exposed to danger, harm or loss.**
Verb - To expose someone or something valued to danger, harm or loss.

** Danger: state of possibly suffering harm or injury
** Harm: material / physical damage
** Loss: destruction, deprivation or inability to use

Note - Some of these risks may indicate a deficiency that could be considered a failure to meet "reasonable security practices"

Risk Grouping	Risk #	Risk	Description of Possible Risk Due To Control Deficiency IF THE CONTROL FAILS, RISK THAT THE ORGANIZATION IS EXPOSED TO IS:
Access Control	R-AC-1	Inability to maintain individual accountability	The inability to maintain accountability (e.g., asset ownership, non-repudiation of actions or inactions, etc.).
	R-AC-2	Improper assignment of privileged functions	The inability to implement least privileges (e.g., Role-Based Access Control (RBAC), Privileged Account Management (PAM), etc.).
	R-AC-3	Privilege escalation	The inability to restrict access to privileged functions.
	R-AC-4	Unauthorized access	The inability to restrict access to only authorized individuals, groups or services.
Asset Management	R-AM-1	Lost, damaged or stolen asset(s)	Lost, damaged or stolen assets.
	R-AM-2	Loss of integrity through unauthorized changes	Unauthorized changes that corrupt the integrity of the system / application / service.
	R-AM-3	Emergent properties and/or unintended consequences	Emergent properties and/or unintended consequences from Artificial Intelligence & Autonomous Technologies (AAT).
Business Continuity	R-BC-1	Business interruption	Increased latency, or a service outage, that negatively impact business operations.
	R-BC-2	Data loss / corruption	The inability to maintain the confidentiality of the data (compromise) or prevent data corruption (loss).
	R-BC-3	Reduction in productivity	Diminished user productivity.
	R-BC-4	Information loss / corruption or system compromise due to technical attack	A technical attack that compromises data, systems, applications or services (e.g., malware, phishing, hacking, etc.).
	R-BC-5	Information loss / corruption or system compromise due to non-technical attack	A non-technical attack that compromises data, systems, applications or services (e.g., social engineering, sabotage, etc.).
Exposure	R-EX-1	Loss of revenue	A negatively impact on the ability to generate revenue (e.g., a loss of clients or an inability to generate future revenue).
	R-EX-2	Cancelled contract	A cancelled contract with a client or other entity for cause (e.g., failure to fulfill obligations for secure practices).
	R-EX-3	Diminished competitive advantage	Diminished competitive advantage (e.g., lose market share, internal dysfunction, etc.).
	R-EX-4	Diminished reputation	Diminished brand value (e.g., tarnished reputation).
	R-EX-5	Fines and judgements	Financial damages due to fines and/or judgements from statutory / regulatory / contractual non-compliance.
	R-EX-6	Unmitigated vulnerabilities	Unmitigated technical vulnerabilities that lack compensating controls or other mitigation actions.
	R-EX-7	System compromise	A compromise of a system, application or service that affects confidentiality, integrity, availability and/or safety.
Governance	R-GV-1	Inability to support business processes	Insufficient cybersecurity and/or privacy practices that cannot securely support the organization's technologies & processes.
	R-GV-2	Incorrect controls scoping	Missing or incorrect cybersecurity and/or privacy controls due to incorrect or inadequate control scoping practices.
	R-GV-3	Lack of roles & responsibilities	Insufficient cybersecurity and/or privacy roles & responsibilities that cannot securely support the organization's technologies & processes.
	R-GV-4	Inadequate internal practices	Insufficient cybersecurity and/or privacy practices that can securely support the organization's technologies & processes.
	R-GV-5	Inadequate third-party practices	Insufficient Cybersecurity Supply Chain Risk Management (C-SCRM) practices that cannot securely support the organization's technologies & processes.
	R-GV-6	Lack of oversight of internal controls	The inability to demonstrate appropriate evidence of due diligence and due care in overseeing the organization's internal cybersecurity and/or privacy controls.
	R-GV-7	Lack of oversight of third-party controls	The inability to demonstrate appropriate evidence of due diligence and due care in overseeing third-party cybersecurity and/or privacy controls.
	R-GV-8	Illegal content or abusive action	Disruptive content or actions that negatively affect business operations (e.g., abusive content, harmful speech, threats of violence, illegal content, etc.).
Incident Response	R-IR-1	Inability to investigate / prosecute incidents	Insufficient incident response practices that prevent the organization from investigating and/or prosecuting incidents (e.g., chain of custody corruption, available sources of evidence, etc.).
	R-IR-2	Improper response to incidents	The inability to appropriately respond to incidents in a timely manner.
	R-IR-3	Ineffective remediation actions	The inability to ensure incident response actions were correct and/or effective.
	R-IR-4	Expense associated with managing a loss event	Financial repercussions from responding to an incident or loss.
Situational Awareness	R-SA-1	Inability to maintain situational awareness	The inability to detect cybersecurity and/or privacy incidents (e.g., a lack of situational awareness).
Situational Awareness	R-SA-2	Lack of a security-minded workforce	The inability to appropriately educate and train personnel to foster a security-minded workforce.
Supply Chain	R-SC-1	Third-party cybersecurity exposure	Loss of Confidentiality, Integrity, Availability and/or Safety (CIAS) from third-party cybersecurity practices, vulnerabilities and/or incidents that affects the supply chain through impacted products and/or services.
	R-SC-2	Third-party physical security exposure	Loss of Confidentiality, Integrity, Availability and/or Safety (CIAS) from physical security exposure of third-party structures, facilities and/or other physical assets that affects the supply chain through impacted products and/or services.
	R-SC-3	Third-party supply chain relationships, visibility and controls	Loss of Confidentiality, Integrity, Availability and/or Safety (CIAS) from "downstream" third-party relationships, visibility and controls that affect the supply chain through impacted products and/or services.
	R-SC-4	Third-party compliance / legal exposure	The inability to maintain compliance due to third-party non-compliance, criminal acts, or other relevant legal action(s).
	R-SC-5	Use of product / service	The misuse of the product / service in a manner that it was not designed or how it was approved for use.
	R-SC-6	Reliance on the third-party	The inability to continue business operations, due to the reliance on the third-party product and/or service.

Risk Management: The Path To Hell Is Paved With Good Intentions

In risk management, the old adage is applicable that “the path to hell is paved with good intentions.” Often, risk management personnel are tasked with creating risk assessments and questions to ask without having a centralized set of organization-wide cybersecurity and privacy controls to work from. This generally leads to risk teams making up risks and asking questions that are not supported by the organization’s policies and standards. For example, an organization is an “ISO shop” that operates an ISO 27002-based Information Security Management System (ISMS) to govern its policies and standards, but its risk team is asking questions about NIST SP 800-53 or 800-171 controls that are not applicable to the organization.

This scenario of “making up risks” points to a few security program governance issues:

If the need for additional controls to cover risks is legitimate, then the organization is improperly scoped and does not have the appropriate cybersecurity and privacy controls to address its applicable statutory, regulatory, contractual or industry-expected practices.
If the organization is properly scoped, then the risk team is essentially making up requirements that are not supported by the organization’s policies and standards.

The C|P-RMM takes a holistic approach to controls, risks and threats as a way to reduce or eliminate the traditional Fear, Uncertainty and Doubt (FUD) that makes many risk assessments meaningless.

Risk Management Basics

The most important concept to understand in cybersecurity and privacy-related risk management is that the cybersecurity and IT departments generally do not “own” risk. The reality of the situation is that risk management is a business management decision, where the cybersecurity and privacy functions primarily serve as a mechanism to educate those business stakeholders on identified risks and provide possible risk treatment solutions. Right or wrong, business management is ultimately able to decide how risk is to be handled.

Where the Cybersecurity & Data Privacy Risk Management Model (C|P-RMM) exists is to help cybersecurity and privacy functions create a repeatable methodology to identify, assess, report and mitigate risk. This is based on the understanding that the responsibility to approve a risk treatment solution rests with the management of the team/department/line of business that “owns” the risk. The C|P-RMM is meant to guide the decision to one of these common risk treatment options:

Reduce the risk to an acceptable level;
Avoid the risk;
Transfer the risk to another party; or
Accept the risk

It is a common problem for individuals who are directly impacted by risk to simply say, “I accept the risk” and wish the risk away so that the project/initiative can proceed without having to first address deficiencies. This is why it is critically important that as part of a risk management program to identify the various levels of management who have the legitimate authority to make risk management decisions. This can help prevent low-level managers from recklessly accepting risk that should be reserved for more senior management.

Cybersecurity & Data Privacy Risk Management Model (C|P-RMM) - "Start To Finish" Steps

The C|P-RMM breaks risk management down to seventeen (17) steps. Please download the guide for the overview and you can click on the image below for a PDF version of the C|P-RMM infographic. The C|P-RMM breaks risk management down to 16 steps. Please download the guide for the overview and you can click on the image below for a PDF version of the C|P-RMM infographic. The C|P-RMM provides a clear method to calculate both inherent and residual risk. Please download the guide for the overview and you can click on the image below for a PDF version of the C|P-RMM infographic.