NISTIR 8286(Draft) Integrating Cybersecurity and Enterprise Risk Management (ERM)
こんにちは、丸山満彦です。
NISTがNISTIR 8286(Draft) Integrating Cybersecurity and Enterprise Risk Management (ERM)を公表して、意見募集をしていますね。
● NIST ITL
・2020.03.19 NISTIR 8286(Draft) Integrating Cybersecurity and Enterprise Risk Management (ERM)
・[PDF]NISTIR 8286 (Draft) (DOI)
-----
1 Introduction
1.1 Purpose and Scope
1.2 Document Structure
2 Gaps in Managing Cybersecurity Risk Versus Enterprise Risk
2.1 Overview of ERM
2.2 Shortcomings of Typical Approaches to Cybersecurity Risk Management
2.3 The Gap Between Cybersecurity Risk Management Output and ERM Input
3 Cybersecurity Risk Considerations Throughout the ERM Process
3.1 Identify the Context
3.2 Identify the Risks
3.3 Analyze the Risks
3.4 Prioritize Risks
3.5 Plan and Execute Risk Response Strategies
3.6 Monitor, Evaluate, and Adjust
4 Cybersecurity Risk Management as Part of a Portfolio View
4.1 Applying the Enterprise Risk Register
4.2 Information and Decision Flows in Support of ERM
4.3 Conclusion
Abstract
Executive Summary
Enterprise risk management (ERM) calls for understanding all of the negative risks (from threats) and positive risks (from opportunities) facing an enterprise, determining how best to address those risks, and ensuring the necessary actions are taken. Cybersecurity risk is only one portion of an enterprise’s risks. Other commonly identified risk types include, but are not limited to, financial, legal, legislative, operational, privacy, reputational, and strategic risks. As part of an ERM program, enterprises manage the combined set of risks holistically.
The individual organizations comprising every enterprise are experiencing an increasing frequency, creativity, and variety of cybersecurity attacks. All organizations and enterprises, regardless of size or type, should ensure that cybersecurity risk gets the appropriate attention as they carry out their ERM functions. This document offers NIST’s cybersecurity risk management expertise to help organizations improve the cybersecurity risk information they provide as inputs to their enterprise’s ERM processes.
Many resources document ERM frameworks and processes. They generally include similar approaches: identify context, identify risks, analyze risk, estimate risk importance, determine and execute the risk response, and identify and respond to changes over time. The critical risk document used to track and communicate risk information for all these steps throughout the enterprise is called a risk register.
For example, cybersecurity risk registers are a key aspect of managing and communicating about those particular risks. Each register is updated, evolves, and matures as other risk activities take place.
At higher levels in the enterprise structure, those cybersecurity and other risk registers ideally are aggregated, normalized, and prioritized into risk profiles. A risk profile is defined by Office of Management and Budget (OMB) Circular A-123 as “a prioritized inventory of the most significant risks identified and assessed through the risk assessment process versus a complete inventory of risks.” Enterprise-level decision makers use those risk profiles to choose which enterprise risks to address and then to delegate responsibilities to appropriate risk owners.
Cybersecurity risk inputs to ERM processes should be documented and tracked in written cybersecurity risk registers. However, most enterprises do not communicate their cybersecurity risk in consistent, repeatable ways. Methods such as quantifying cybersecurity risk in dollars and aggregating cybersecurity risks are largely ad hoc and are not performed with the same rigor as other types of risk within the enterprise. Improving the risk measurements and risk analysis methods used in cybersecurity risk management, along with widely adopting the use of cybersecurity risk registers, would improve the quality of the risk information communicated to ERM. In turn, this practice would promote better management of cybersecurity risk—and risks in general—at the enterprise level.
Table of Contents
Executive Summary
1 Introduction
1.1 Purpose and Scope
1.2 Document Structure
2 Gaps in Managing Cybersecurity Risk Versus Enterprise Risk
2.1 Overview of ERM
2.1.1 Common Use of ERM
2.1.2 ERM Framework Steps
2.2 Shortcomings of Typical Approaches to Cybersecurity Risk Management
2.2.1 Lack of Asset Information
2.2.2 Lack of Measures
2.2.3 Informal Analysis Methods
2.2.4 Focus on the System Level
2.2.5 Increasing System and Ecosystem Complexity
2.3 The Gap Between Cybersecurity Risk Management Output and ERM Input
3 Cybersecurity Risk Considerations Throughout the ERM Process
3.1 Identify the Context
3.2 Identify the Risks
3.2.1 Inventory and Valuation of Assets
3.2.2 Determination of Potential Opportunities and Threats
3.2.3 Determination of Exploitable and Susceptible Conditions
3.2.4 Evaluation of Potential Consequences
3.3 Analyze the Risks
3.3.1 Risk Analysis Types
3.3.2 Techniques for Estimating Likelihood and Impact of Consequences
3.4 Prioritize Risks
3.5 Plan and Execute Risk Response Strategies
3.5.1 Applying Security Controls to Reduce Risk Exposure
3.5.2 Responding to Residual Risk
3.5.3 When a Risk Event Passes Without Triggering the Event
3.6 Monitor, Evaluate, and Adjust
3.6.1 Continuous Risk Monitoring
3.6.2 Key Risk Indicators
3.6.3 Continuous Improvement
4 Cybersecurity Risk Management as Part of a Portfolio View
4.1 Applying the Enterprise Risk Register
4.2 Information and Decision Flows in Support of ERM
4.3 Conclusion
References
List of Appendices
Appendix A— Acronyms and Abbreviations
Appendix B— Glossary
Appendix C— Federal Government Sources for Identifying Risks.
« NISTIR 8170 Approaches for Federal Agencies to Use the Cybersecurity Framework | Main | NIST SP 800-140 FIPS 140-3 Derived Test Requirements (DTR): CMVP Validation Authority Updates to ISO/IEC 24759 »
Comments