GV.RM-04.021

Has your organization established documented risk acceptance criteria for different data classifications?

Explanation

Risk acceptance criteria define the thresholds at which your organization is willing to accept a cybersecurity risk as-is, and above which it must mitigate, transfer, or avoid the risk, with those thresholds varying by data sensitivity level. The criteria should align with your data classification scheme (e.g., public, internal, confidential, restricted) and specify different handling requirements for each level. For example, risks to public data might have a higher acceptance threshold than risks affecting restricted data that contains regulated information. Evidence could include a formal risk management policy document that clearly sets out the acceptance criteria for each data classification, risk assessment templates that show different thresholds by data type, or documented risk acceptance decisions that reference these criteria.

Implementation Example

Specify criteria for accepting and avoiding cybersecurity risk for various classifications of data

ID: GV.RM-04.021

Context

Function: GV: GOVERN
Category: GV.RM: Risk Management Strategy
Sub-Category: Strategic direction that describes appropriate risk response options is established and communicated

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub