NISTIR 8286 (Draft) Integrating Cybersecurity and Enterprise Risk Management (ERM) (2nd Draft)

こんにちは、丸山満彦です。

NISTがNISTIR 8286(Draft) Integrating Cybersecurity and Enterprise Risk Management (ERM)(2nd Draft)を公表して、2020.08.21きげんで意見募集をしていますね。

● NIST ITL
・2020.07.09 NISTIR 8286 (Draft) Integrating Cybersecurity and Enterprise Risk Management (ERM) (2nd Draft)

 ・2020.07.09 [PDF]NISTIR 8286 (2nd Draft) (DOI)

First Draftから目次レベルで若干の変更がありますね。。。

Executive Summary

1 Introduction

1.1 Purpose and Scope
1.2 Document Structure

2 Gaps in Managing Cybersecurity Risk as an ERM Input

2.1 Overview of ERM
2.2 Shortcomings of Typical Approaches to Cybersecurity Risk Management
2.3 The Gap Between Cybersecurity Risk Management Output and ERM Input

3 Cybersecurity Risk Considerations Throughout the ERM Process

3.1 Identify the Context
3.2 Identify the Risks
3.3 Analyze the Risks
3.4 Prioritize Risks
3.5 Plan and Execute Risk Response Strategies
3.6 Monitor, Evaluate, and Adjust
3.7 Considerations of Positive Risks as an Input to ERM
3.8 Creating and Maintaining an Enterprise-Level Risk Register
3.9 Cybersecurity Risk Data Conditioned for Enterprise Risk Rollup

4 Cybersecurity Risk Management as Part of a Portfolio View

4.1 Applying the Enterprise Risk Register and Developing the Enterprise Risk Profile
4.2 Translating the Risk Profile to Inform Boardroom Decisions
4.3 Information and Decision Flows in Support of ERM
4.4 Conclusion

 

-----

■ 参考

● NIST ITL
・2020.03.19 NISTIR 8286(Draft) Integrating Cybersecurity and Enterprise Risk Management (ERM)
 ・[PDF]NISTIR 8286 (Draft) (DOI)

● まるちゃんの情報セキュリティ気まぐれ日記
・2020.03.20 NISTIR 8286(Draft) Integrating Cybersecurity and Enterprise Risk Management (ERM)

 

Executive Summary 

Office of Management and Budget (OMB) Circular A-11 defines risk as “the effect of uncertainty on objectives”  ^[1] . The effect of uncertainty on enterprise mission and objectives may then be considered an “enterprise risk” that must be similarly managed. An enterprise is an organization that exists at the top level of a hierarchy with unique risk management responsibilities. Managing risks at that level is known as enterprise risk management (ERM) and calls for understanding the core risks that an enterprise faces, determining how best to address those risks, and ensuring that the necessary actions are taken. In the Federal Government, ERM is considered to be “an effective agency-wide approach to addressing the full spectrum of the organization’s significant risks by understanding the combined impact of risks as an interrelated portfolio, rather than addressing risks only within silos” ^[1].

Cybersecurity risk is an important type of risk for any enterprise. Others include but are not limited to financial, legal, legislative, operational, privacy, reputational, safety, strategic, and supply chain risks [2]. As part of an ERM program, corporate officers and board members at the highest levels of governance and direction for the enterprise who have fiduciary and reporting responsibilities not performed anywhere else in the enterprise are expected to holistically manage the combined set of risks.

The individual organizations that comprise every enterprise are experiencing an increase in the frequency, creativity, and severity of cybersecurity attacks. All organizations and enterprises, regardless of size or type, should ensure that cybersecurity risk receives appropriate attention as they carry out their ERM functions.

Since enterprises are at various degrees of maturity regarding the implementation of risk management, this document offers NIST’s cybersecurity risk management expertise to help organizations improve the cybersecurity risk information they provide as inputs to their enterprise’s ERM programs.

Many resources—such as well-known frameworks from the Committee of Sponsoring Organizations (COSO), Office of Management and Budget (OMB) circulars, and the International Organization for Standardization (ISO)—document ERM frameworks and processes. They generally include similar approaches: identify context, identify risks, analyze risk, estimate risk importance, determine and execute the risk response, and identify and respond to changes over time. A critical risk document used to track and communicate risk information for all of these steps throughout the enterprise is called a risk register [1].¹ The risk register  provides a formal communication vehicle for sharing and collaborating cybersecurity risk activities as an input to ERM decision makers. For example, cybersecurity risk registers are key aspects of managing and communicating about those particular risks.

At higher levels in the enterprise structure, those cybersecurity and other risk registers are ideally aggregated, normalized, and prioritized into risk profiles. A risk profile is defined by OMB Circular A-123 as “a prioritized inventory of the most significant risks identified and assessed through the risk assessment process versus a complete inventory of risks” [3]. While it is critical that enterprises address potential negative impacts on mission and objectives, it is equally critical (and required for federal agencies) that enterprises plan for success. OMB states in Circular A- 123 that “the [Enterprise Risk] profile must identify sources of uncertainty, both positive (opportunities) and negative (threats).” Enterprise-level decision makers use the risk profile to choose which enterprise risks to address and to allocate resources and delegate responsibilities to appropriate risk owners. ERM programs should define terminology, formats, criteria, and other guidance for risk inputs from lower levels of the enterprise.

Cybersecurity risk inputs to ERM programs should be documented and tracked in written cybersecurity risk registers that comply with the ERM program guidance. However, most enterprises do not communicate their cybersecurity risk in consistent, repeatable ways. Methods such as quantifying cybersecurity risk in dollars and aggregating cybersecurity risks are largely ad hoc and are sometimes not performed with the same rigor as methods for quantifying other types of risk within the enterprise.

In addition to widely using cybersecurity risk registers, improving the risk measurement and analysis methods used in cybersecurity risk management would boost the quality of the risk information provided to ERM. In turn, this practice would promote better management of cybersecurity at the enterprise level and support the enterprise’s objectives.

There are readily available options for accomplishing each of these actions. Following these  steps will help cybersecurity professionals understand what executives and corporate officers need to carry out ERM. They will also help high-level executives and corporate officers understand the challenges that cybersecurity professionals face when providing them with the information they are accustomed to getting for other types of risk.

[1] Office of Management and Budget (2019) Preparation, Submission, and Execution of the Budget. (The White House, Washington, DC), OMB Circular No. A-11, December 18, 2019. Available at https://www.whitehouse.gov/wpcontent/uploads/2018/06/a11.pdf

 

Table of Contents

Executive Summary

1 Introduction
1.1 Purpose and Scope
1.2 Document Structure

2 Gaps in Managing Cybersecurity Risk as an ERM Input
2.1 Overview of ERM
 2.1.1 Common Use of ERM
 2.1.2 ERM Framework Steps
2.2 Shortcomings of Typical Approaches to Cybersecurity Risk Management
 2.2.1 Lack of Asset Information
 2.2.2 Lack of Standardized Measures
 2.2.3 Informal Analysis Methods
 2.2.4 Focus on the System Level
 2.2.5 Increasing System and Ecosystem Complexity
2.3 The Gap Between Cybersecurity Risk Management Output and ERM Input

3 Cybersecurity Risk Considerations Throughout the ERM Process
3.1 Identify the Context
 3.1.1 Risk Management Roles
 3.1.2 Risk Management Strategy
3.2 Identify the Risks
 3.2.1 Inventory and Valuation of Assets
 3.2.2 Determination of Potential Threats
 3.2.3 Determination of Exploitable and Susceptible Conditions
 3.2.4 Evaluation of Potential Consequences
3.3 Analyze the Risks
 3.3.1 Risk Analysis Types
 3.3.2 Techniques for Estimating Likelihood and Impact of Consequences
3.4 Prioritize Risks
3.5 Plan and Execute Risk Response Strategies
 3.5.1 Applying Security Controls to Reduce Risk Exposure
 3.5.2 Responding to Residual Risk
 3.5.3 When a Risk Event Passes Without Triggering the Event
3.6 Monitor, Evaluate, and Adjust
 3.6.1 Continuous Risk Monitoring
 3.6.2 Key Risk Indicators
 3.6.3 Continuous Improvement
3.7 Considerations of Positive Risks as an Input to ERM
3.8 Creating and Maintaining an Enterprise-Level Risk Register
3.9 Cybersecurity Risk Data Conditioned for Enterprise Risk Rollup

4 Cybersecurity Risk Management as Part of a Portfolio View
4.1 Applying the Enterprise Risk Register and Developing the Enterprise Risk Profile
4.2 Translating the Risk Profile to Inform Boardroom Decisions
4.3 Information and Decision Flows in Support of ERM
4.4 Conclusion

References

List of Appendices
Appendix A— Acronyms and Abbreviations
Appendix B— Glossary
Appendix C— Federal Government Sources for Identifying Risks
 
List of Figures
Figure 1: Enterprise Hierarchy for Cybersecurity Risk Management
Figure 2: ERM Framework Example
Figure 3: Information Flow Between System, Organization, and Enterprise Levels
Figure 4: Notional Cybersecurity Risk Register Template
Figure 5: Probability and Impact Matrix
Figure 6: Example Cybersecurity Risk Register
Figure 7: Notional Information and Decision Flows Diagram from NIST Cybersecurity Framework
Figure 8: Illustrative Example of a Risk Profile (OMB A-123)
Figure 9: Notional Information and Decision Flows Diagram with Steps Numbered

-----