NISTIR 8286 Integrating Cybersecurity and Enterprise Risk Management (ERM)
こんにちは、丸山満彦です。
NISTのサイバーセキュリティとERMを統合する試みである、NISTIR 8286 Integrating Cybersecurity and Enterprise Risk Management (ERM)が過去2回にわたるパブリックコメントを経て最終化していますね。。。
CSFとのマッピング表つき。。。
政府の内部統制に関する規則であるOMB Circular No. A-123やGAOのGreen Book (Standards for Internal Control in the Federal Government) はもちろんですが、COSO-ERM、ISO31000も参考にされていますよね。
● NIST - ITL
・2020.10.13 NISTIR 8286 Integrating Cybersecurity and Enterprise Risk Management (ERM)
本文の構成は、
第1章は、本文書の目的、範囲等を説明しています。
第2章は、ERMとサイバーセキュリティ管理の基本を説明し、ERM とサイバーセキュリティリスク管理の現在の実践との間のハイレベルのギャップを説明しています。
第3章は、ERMプロセス全体を通じたサイバーセキュリティリスクの考慮事項を詳細に説明し、ERMのインプットとしてサイバーセキュリティリスクを文書化するための登録簿の使用を強調している。
第4章では、リスク登録を組織全体リスク登録簿に正規化・集約し、優先順位付けを適用して組織全体リスクプロファイルを生成することに基づいて、組織全体レベルでのリスクのポートフォリオビューを採用することを検討しています。
Executive Summary | エグゼクティブサマリー |
1 Introduction | 1 はじめに |
1.1 Purpose and Scope | 1.1 目的と範囲 |
1.2 Document Structure | 1.2 ドキュメントの構造 |
2 Gaps in Managing Cybersecurity Risk as an ERM Input | 2 ERMのインプットとしてのサイバーセキュリティリスク管理のギャップ |
2.1 Overview of ERM | 2.1 ERMの概要 |
2.2 Shortcomings of Typical Approaches to Cybersecurity Risk Management | 2.2 サイバーセキュリティリスク管理の典型的なアプローチの欠点 |
2.3 The Gap Between CSRM Output and ERM Input | 2.3 サイバーセキュリティリスク管理の出力とERM入力のギャップ |
3 Cybersecurity Risk Considerations Throughout the ERM Process | 3 ERMプロセスを通じたサイバーセキュリティリスクの考慮事項 |
3.1 Identify the Context | 3.1 コンテキストの識別 |
3.2 Identify the Risks | 3.2 リスクの特定 |
3.3 Analyze the Risks | 3.3 リスクの分析 |
3.4 Prioritize Risks | 3.4 リスクの優先順位付け |
3.5 Plan and Execute Risk Response Strategies | 3.5 リスク対応戦略の立案と実行 |
3.6 Monitor, Evaluate, and Adjust | 3.6 監視・評価・調整 |
3.7 Considerations of Positive Risks as an Input to ERM | 3.7 ERMへのインプットとしてのポジティブリスクの検討 |
3.8 Creating and Maintaining an Enterprise-Level Cybersecurity Risk Register | 3.8 組織全体レベルのサイバーセキュリティリスク登録簿の作成と維持 |
3.9 Cybersecurity Risk Data Conditioned for Enterprise Risk Rollup | 3.9 組織全体リスクロールアップのための条件付きサイバースセキュリティリスクデータ |
4 Cybersecurity Risk Management as Part of a Portfolio View | 4 ポートフォリオビューの一環としてのサイバーセキュリティリスク管理 |
4.1 Applying the Enterprise Risk Register and Developing the Enterprise Risk Profile | 4.1 組織全体リスク登録の適用と企業リスクプロファイルの開発 |
4.2 Translating the Risk Profile to Inform Leadership Decisions | 4.2 リーダシップの意思決定に情報を与えるためのリスクプロファイルの変換 |
4.3 Information and Decision Flows in Support of ERM | 4.3 ERMを支える情報と意思決定の流れ |
4.4 Conclusion | 4.4 まとめ |
References | 参考文献 |
List of Appendices | 付録一覧 |
Appendix A— Acronyms and Abbreviations | 付録 A- 略語と略語 |
Appendix B— Glossary | 付録 B- 用語集 |
Appendix C— Federal Government Sources for Identifying Risks | 付録 C- リスクを特定するための連邦政府の情報源 |
■ 参考
まるちゃんの情報セキュリティ気まぐれ日記
・2020.07.12 NISTIR 8286 (Draft) Integrating Cybersecurity and Enterprise Risk Management (ERM) (2nd Draft)
・2020.06.23 GAO GreenbookとOMB Circular No. A-123
・2020.03.20 NISTIR 8286(Draft) Integrating Cybersecurity and Enterprise Risk Management (ERM)
Executive Summary
All types of organizations, from corporations to federal agencies, face a broad array of risks. For federal agencies, the Office of Management and Budget (OMB) Circular A-11 defines risk as “the effect of uncertainty on objectives” [1]. The effect of uncertainty on enterprise mission and business objectives may then be considered an “enterprise risk” that must be similarly managed.
An enterprise is an organization that exists at the top level of a hierarchy with unique risk management responsibilities. Managing risks at that level is known as enterprise risk management (ERM) and calls for understanding the core risks that an enterprise faces, determining how best to address those risks, and ensuring that the necessary actions are taken. In the Federal Government, ERM is considered “an effective agency-wide approach to addressing the full spectrum of the organization’s significant risks by understanding the combined impact of risks as an interrelated portfolio rather than addressing risks only within silos” [1].
Cybersecurity risk is an important type of risk for any enterprise. Other risks include but are not limited to financial, legal, legislative, operational, privacy, reputational, safety, strategic, and supply chain risks [2]. As part of an ERM program, senior leaders (e.g., corporate officers, government senior executive staff) often have fiduciary and reporting responsibilities that other organizational stakeholders do not, so they have a unique responsibility to holistically manage the combined set of risks, including cybersecurity risk.
The individual organizations that comprise every enterprise are experiencing an increase in the frequency, creativity, and severity of cybersecurity attacks. All organizations and enterprises, regardless of size or type, should ensure that cybersecurity risks receive appropriate attention as they carry out their ERM functions.
Since enterprises are at various degrees of maturity regarding the implementation of risk management, this document offers NIST’s cybersecurity risk management (CSRM) expertise to help organizations improve the cybersecurity risk information they provide as inputs to their enterprise’s ERM programs.
Many resources—such as well-known frameworks from the Committee of Sponsoring Organizations (COSO), Office of Management and Budget (OMB) circulars, and the International Organization for Standardization (ISO)—document ERM frameworks and processes. They generally include similar approaches: identify context, identify risks, analyze risk, estimate risk importance, determine and execute the risk response, and identify and respond to changes over time. A critical risk document used to track and communicate risk information for all of these steps throughout the enterprise is called a risk register [1].1
The risk register provides a formal communication vehicle for sharing and coordinating cybersecurity risk activities as an input to ERM decision makers. For example, cybersecurity risk registers are key aspects of managing and communicating about those particular risks.2 At higher levels in the enterprise structure, those cybersecurity and other risk registers are aggregated, normalized, and prioritized into risk profiles. A risk profile is defined by OMB Circular A-123 as “a prioritized inventory of the most significant risks identified and assessed through the risk assessment process versus a complete inventory of risks” [3]. While it is critical that enterprises address potential negative impacts on mission and business objectives, it is equally critical (and required for federal agencies) that enterprises plan for success. OMB states in Circular A-123 that “the [Enterprise Risk] profile must identify sources of uncertainty, both positive (opportunities) and negative (threats).” Enterprise-level decision makers use the risk profile to choose which enterprise risks to address, allocate resources, and delegate responsibilities to appropriate risk owners. ERM programs should define terminology, formats, criteria, and other guidance for risk inputs from lower levels of the enterprise.
Cybersecurity risk inputs to ERM programs should be documented and tracked in written cybersecurity risk registers3 that comply with the ERM program guidance. However, most enterprises do not communicate their cybersecurity risk guidance or risk responses in consistent, repeatable ways. Methods such as quantifying cybersecurity risk in dollars and aggregating cybersecurity risks are largely ad hoc and are sometimes not performed with the same rigor as methods for quantifying other types of risk within the enterprise.
In addition to widely using cybersecurity risk registers, improving the risk measurement and analysis methods used in CSRM would boost the quality of the risk information provided to ERM. In turn, this practice would promote better management of cybersecurity at the enterprise level and support the enterprise’s objectives.
There are proven methods available for performing CSRM and integrating the results. Improving the measurement and communications methods used in CSRM, such as through the use of cybersecurity risk registers, can improve the quality of the risk information provided to ERM.
This result promotes enterprise-wide CSRM and supports enterprise-level decision making.
Improved communications will also help executives and corporate officers understand the challenges that cybersecurity professionals face when providing those professionals with the information they are accustomed to receiving for other types of risk.
1 OMB Circular A-11 defines a risk register as “a repository of risk information including the data understood about risks over time” [1].
2 Organizations creating a risk management program for the first time should not wait until the risk register is completed before addressing obvious issues; however, over time, it should become the ordinary means of communicating risk information.
3 Formats include risk register data displayed in dashboards, GRC tools, file formats for communicating risk register data such as the spreadsheets (CSV) and JSON formats located at https://csrc.nist.gov/publications/detail/nistir/8286/final.
[1] Office of Management and Budget (2019) Preparation, Submission, and Execution of the Budget. (The White House, Washington, DC), OMB Circular No. A-11, December 18, 2019. Available at https://www.whitehouse.gov/wpcontent/uploads/2018/06/a11.pdf
[2] Chief Financial Officers Council (CFOC) and Performance Improvement Council (PIC) (2016) Playbook: Enterprise Risk Management for the U.S. Federal Government. Available at https://cfo.gov/wp-content/uploads/2016/07/FINAL-ERM-Playbook.pdf
[3] Office of Management and Budget (2016) OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control. (The White House, Washington, DC), OMB Memorandum M-16-17, July 15, 2016. Available at https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2016/m-16-17.pdf
Table of Contents
Executive Summary
1 Introduction
1.1 Purpose and Scope
1.2 Document Structure
2 Gaps in Managing Cybersecurity Risk as an ERM Input
2.1 Overview of ERM
2.1.1 Common Use of ERM
2.1.2 ERM Framework Steps
2.2 Shortcomings of Typical Approaches to Cybersecurity Risk Management
2.2.1 Lack of Standardized Measures
2.2.2 Informal Analysis Methods
2.2.3 Focus on the System Level
2.2.4 Increasing System and Ecosystem Complexity
2.3 The Gap Between CSRM Output and ERM Input
2.3.1 Insufficient Asset Information
3 Cybersecurity Risk Considerations Throughout the ERM Process
3.1 Identify the Context
3.1.1 Notional Risk Management Roles
3.1.2 Risk Management Strategy
3.2 Identify the Risks
3.2.1 Inventory and Valuation of Assets
3.2.2 Determination of Potential Threats
3.2.3 Determination of Exploitable and Susceptible Conditions
3.2.4 Evaluation of Potential Consequences
3.3 Analyze the Risks
3.3.1 Risk Analysis Types
3.3.2 Techniques for Estimating Likelihood and Impact of Consequences
3.4 Prioritize Risks
3.5 Plan and Execute Risk Response Strategies
3.5.1 Applying Security Controls to Reduce Risk Exposure
3.5.2 Responding to Residual Risk
3.5.3 When a Risk Event Passes Without Triggering the Event
3.6 Monitor, Evaluate, and Adjust
3.6.1 Continuous Risk Monitoring
3.6.2 Key Risk Indicators
3.6.3 Continuous Improvement
3.7 Considerations of Positive Risks as an Input to ERM
3.8 Creating and Maintaining an Enterprise-Level Cybersecurity Risk Register
3.9 Cybersecurity Risk Data Conditioned for Enterprise Risk Rollup
4 Cybersecurity Risk Management as Part of a Portfolio View
4.1 Applying the Enterprise Risk Register and Developing the Enterprise Risk Profile
4.2 Translating the Risk Profile to Inform Leadership Decisions
4.3 Information and Decision Flows in Support of ERM
4.4 Conclusion
References
List of Appendices
Appendix A— Acronyms and Abbreviations
Appendix B— Glossary
Appendix C— Federal Government Sources for Identifying Risks
List of Figures
Figure 1: Enterprise Hierarchy for Cybersecurity Risk Management
Figure 2: Notional Risk Management Life Cycle
Figure 3: Risk Register Information Flow Among System, Organization, and Enterprise Levels
Figure 4: Notional Cybersecurity Risk Register Template
Figure 5: Likelihood and Impact Matrix Derived from NIST SP 800-30 Rev. 1
Figure 6: Example of a Quantitative Risk Matrix
Figure 7: Excerpt from a Notional Cybersecurity Risk Register
Figure 8: Integration of CSRRs into Enterprise Risk Profile
Figure 9: Notional Information and Decision Flows Diagram from NIST Cybersecurity Framework
Figure 10: Illustrative Example of a Risk Profile (from OMB A-123)
Figure 11: Notional Information and Decision Flows Diagram with Numbered Steps
List of Tables
Table 1: Similarities Among Selected ERM and Risk Management Documents
Table 2: Descriptions of Notional Cybersecurity Risk Register Template Elements
Table 3: Response Types for Negative Cybersecurity Risks
Table 4: Examples of Proactive Risk Management Activities
Table 5: Response Types for Positive Cybersecurity Risks
Table 6: Notional Enterprise Risk Register
Table 7: Descriptions of the Notional Enterprise Risk Register Elements
Table 8: Notional Enterprise Risk Portfolio View for a Private Corporation
各章の最初だけをまとめたもの
[docx] NISTIR 8286 SUM
References
- Office of Management and Budget (2019) Preparation, Submission, and Execution of the Budget. (The White House, Washington, DC), OMB Circular No. A-11, December 18, 2019. Available at https://www.whitehouse.gov/wp-content/uploads/2018/06/a11.pdf
- Chief Financial Officers Council (CFOC) and Performance Improvement Council (PIC) (2016) Playbook: Enterprise Risk Management for the U.S. Federal Government. Available at https://cfo.gov/wp-content/uploads/2016/07/FINAL-ERM-Playbook.pdf
- Office of Management and Budget (2016) OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control. (The White House, Washington, DC), OMB Memorandum M-16-17, July 15, 2016. Available at https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2016/m-16-pdf
- Marron J, Pillitteri V, Boyens J, Quinn S, Witte G, Feldman L (2020) Approaches for Federal Agencies to Use the Cybersecurity Framework. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8170. https://doi.org/10.6028/NIST.IR.8170
- Joint Task Force Transformation Initiative (2013) Security and Privacy Controls for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53, Rev. 4, Includes updates as of January 22, 2015. https://doi.org/10.6028/NIST.SP.800-53r4
- International Organization for Standardization (ISO) (2009) Risk management – Vocabulary. ISO Guide 73:2009. https://www.iso.org/standard/44651.html
- Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1. https://doi.org/10.6028/NIST.SP.800-60v1r1
- Committee of Sponsoring Organizations (COSO) of the Treadway Commission (2017) Enterprise Risk Management—Integrating with Strategy and Performance, Executive Summary. Available at https://www.coso.org/Documents/2017-COSO-ERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf
- Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39. https://doi.org/10.6028/NIST.SP.800-39
- International Organization for Standardization (ISO) (2018) Risk management— Guidelines. ISO 31000:2018. https://www.iso.org/standard/65694.html
- S. Government Accountability Office (GAO) (2014) Standards for Internal Control in the Federal Government. https://www.gao.gov/assets/670/665712.pdf
- Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1. https://doi.org/10.6028/NIST.SP.800-30r1
- Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2. https://doi.org/10.6028/NIST.SP.800-37r2
- Forum of Incident Response and Security Teams (FIRST) (2019) Common Vulnerability Scoring System version 3.1 Specification Document, Revision 1. https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf
- National Institute of Standards and Technology (2018) Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1. (National Institute of Standards and Technology, Gaithersburg, MD). https://doi.org/10.6028/NIST.CSWP.04162018
- National Institute of Standards and Technology (2020) NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management, Version 1.0. (National Institute of Standards and Technology, Gaithersburg, MD). https://www.nist.gov/privacy-framework/privacy-framework
- Committee of Sponsoring Organizations (COSO) of the Treadway Commission (2017) Internal Control—Integrated Framework, Executive Summary. Available at https://www.coso.org/Documents/990025P-Executive-Summary-final-may20.pdf
- Software Engineering Institute (2007) Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process. (Software Engineering Institute, Pittsburgh, PA), Technical Report CMU/SEI-2007-TR-012. https://resources.sei.cmu.edu/asset_files/TechnicalReport/2007_005_001_14885.pdf
- The MITRE Corporation (2019) ATT&CK. Available at https://attack.mitre.org
- S. Securities and Exchange Commission (SEC) (2018) Commission Statement and Guidance on Public Company Cybersecurity Disclosures. https://www.sec.gov/rules/interp/2018/33-10459.pdf
- International Electrotechnical Commission (IEC) (2019) Risk management – Risk assessment techniques. IEC 31010:2019. https://www.iso.org/standard/72140.html
- Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014. https://doi.org/10.6028/NIST.SP.800-53Ar4
- The Open Factor Analysis of Information Risk (FAIR) Body of Knowledge is comprised of the Open Group Risk Analysis standard (https://www2.opengroup.org/ogsys/catalog/C13G) and the Open Group Risk Taxonomy (https://www2.opengroup.org/ogsys/catalog/C13K).
- Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137. https://doi.org/10.6028/NIST.SP.800-137
« ENISA Threat Landscape 2020 : サイバー脅威トップ15 サイバー攻撃はより高度化し、標的化が進み、対象も広範囲になり、検知もされにくくなる。。。 | Main | NISTのZero Trust Architecture実装プロジェクトに関する文書 »
Comments