GV.RM-04: Strategic direction that describes appropriate risk response options is established and communicated
Ex1: Specify criteria for accepting and avoiding cybersecurity risk for various classifications of data
Ex2: Determine whether to purchase cybersecurity insurance
Ex3: Document conditions under which shared responsibility models are acceptable (e.g., outsourcing certain cybersecurity functions, having a third party perform financial transactions on behalf of the organization, using public cloud-based services)