Governance and Risk Management

A key component of the Information Security Program is the set of governance and risk management policies.

GRM Control Domains

GRM-01: Baseline Requirements -

  • GRM-01.1: Do you have documented information security baselines for every component of your infrastructure (e.g., hypervisors, operating systems, routers, DNS servers, etc.)?


Policy to be referenced here is INSERT
*Action item: INSERT

  • GRM-01.2: Do you have the capability to continuously monitor and report the compliance of your infrastructure against your information security baselines?


Policy to be referenced here is INSERT
*Action item: INSERT

GRM-02: Risk Assessments -

  • GRM-02.1: Do your organization's risk assessments take into account awareness of data residency, legal and statutory requirements for retention periods, and data protection and classification?


Policy to be referenced here is INSERT
*Action item: INSERT

  • GRM-02.2: Do you conduct risk assessments associated with data governance requirements at least once a year?


Policy to be referenced here is INSERT
*Action item: INSERT

GRM-03: Management Oversight -

  • GRM-03.1: Are your technical, business, and executive managers responsible for maintaining awareness of and compliance with security policies, procedures, and standards for both themselves and their employees as they pertain to the manager and employees' area of responsibility?


Policy to be referenced here is INSERT
*Action item: INSERT

GRM-04: Management Program -

  • GRM-04.1: Do you provide tenants with documentation describing your Information Security Management Program (ISMP)?


Policy to be referenced here is INSERT
*Action item: INSERT

  • GRM-04.2: Do you review your Information Security Management Program (ISMP) at least once a year?


Policy to be referenced here is INSERT
*Action item: INSERT

GRM-05: Support / Involvement -

  • GRM-05.1: Do executive and line management take formal action to support information security through clearly-documented direction and commitment, and ensure the action has been assigned?


Policy to be referenced here is INSERT
*Action item: INSERT

GRM-06: Policy -

  • GRM-06.1: Are your information security policies and procedures made available to all impacted personnel and business partners, authorized by accountable business role/function and supported by the information security management program as per industry best practices (e.g. ISO 27001, SOC 2)?


Policy to be referenced here is INSERT
*Action item: INSERT

  • GRM-06.2: Are information security policies authorized by the organization's business leadership (or other accountable business role or function) and supported by a strategic business plan and an information security management program inclusive of defined information security roles and responsibilities for business leadership?


Policy to be referenced here is INSERT
*Action item: INSERT

  • GRM-06.3: Do you have agreements to ensure your providers adhere to your information security and privacy policies?


Policy to be referenced here is INSERT
*Action item: INSERT

  • GRM-06.4: Can you provide evidence of due diligence mapping of your controls, architecture, and processes to regulations and/or standards?


Policy to be referenced here is INSERT
*Action item: INSERT

  • GRM-06.5: Do you disclose which controls, standards, certifications, and/or regulations you comply with?


Policy to be referenced here is INSERT
*Action item: INSERT

GRM-07: Policy Enforcement -

  • GRM-07.1: Is a formal disciplinary or sanction policy established for employees who have violated security policies and procedures?


Policy to be referenced here is INSERT
*Action item: INSERT

  • GRM-07.2: Are employees made aware of what actions could be taken in the event of a violation via their policies and procedures?


Policy to be referenced here is INSERT
*Action item: INSERT

GRM-08: Business / Policy Change Impacts -

  • GRM-08.1: Do risk assessment results include updates to security policies, procedures, standards, and controls to ensure they remain relevant and effective?


Policy to be referenced here is INSERT
*Action item: INSERT

GRM-09: Policy Reviews -

  • GRM-09.1: Do you notify your tenants when you make material changes to your information security and/or privacy policies?


Policy to be referenced here is INSERT
*Action item: INSERT

  • GRM-09.2: Do you perform, at minimum, annual reviews to your privacy and security policies?


Policy to be referenced here is INSERT
*Action item: INSERT

GRM-10: Assessments -

  • GRM-10.1: Are formal risk assessments aligned with the enterprise-wide framework and performed at least annually, or at planned intervals, determining the likelihood and impact of all identified risks, using qualitative and quantitative methods?


Policy to be referenced here is INSERT
*Action item: INSERT

  • GRM-10.2: Are the likelihood and impact associated with inherent and residual risk determined independently, considering all risk categories?


Policy to be referenced here is INSERT
*Action item: INSERT

GRM-11: Program -

  • GRM-11.1: Do you have a documented, organization-wide program in place to manage risk?


Policy to be referenced here is INSERT
*Action item: INSERT

  • GRM-11.2: Do you make available documentation of your organization-wide risk management program?


Policy to be referenced here is INSERT
*Action item: INSERT

Related Documents

  • None