← Back to catalog
PM-11

Mission and Business Process Definition

Program Management (PM)
Baselines
Low · Not includedModerate · Not includedHigh · Not included
Description

Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and Review and revise the mission and business processes [assignment].

Discussion

Protection needs are technology-independent capabilities that are required to counter threats to organizations, individuals, systems, and the Nation through the compromise of information (i.e., loss of confidentiality, integrity, availability, or privacy). Information protection and personally identifiable information processing needs are derived from the mission and business needs defined by organizational stakeholders, the mission and business processes designed to meet those needs, and the organizational risk management strategy. Information protection and personally identifiable information processing needs determine the required controls for the organization and the systems. Inherent to defining protection and personally identifiable information processing needs is an understanding of the adverse impact that could result if a compromise or breach of information occurs. The categorization process is used to make such potential impact determinations. Privacy risks to individuals can arise from the compromise of personally identifiable information, but they can also arise as unintended consequences or a byproduct of the processing of personally identifiable information at any stage of the information life cycle. Privacy risk assessments are used to prioritize the risks that are created for individuals from system processing of personally identifiable information. These risk assessments enable the selection of the required privacy controls for the organization and systems. Mission and business process definitions and the associated protection requirements are documented in accordance with organizational policies and procedures.

Implementation guidance

No content available.

CSF 2.0 crosswalk
DE.AE-04The estimated impact and scope of adverse events are understoodDetect
GV.OC-01The organizational mission is understood and informs cybersecurity risk managementGovern
GV.OC-04Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicatedGovern
GV.OC-05Outcomes, capabilities, and services that the organization depends on are understood and communicatedGovern
ID.RA-04Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recordedIdentify
RC.RP-04Critical mission functions and cybersecurity risk management are considered to establish post-incident operational normsRecover