In this article we discuss how to integrate cybersecurity risk into the overall enterprise risk management (ERM) program.
The increasing frequency, creativity, and severity of cyberattacks mean that every enterprise should make sure cybersecurity risk receives appropriate attention within its enterprise risk management (ERM) program.
What follows is food for thought, aimed at helping the individual organizations within an enterprise improve the cybersecurity risk information they feed into the enterprise's ERM processes through communication and risk information sharing.
By doing so, enterprises and their component organizations can better identify, assess, and manage their cybersecurity risks in the context of their broader mission and business objectives. Three questions come up immediately:
- What cybersecurity data should be collected?
- What sort of analysis should be performed?
- How should one consolidate cybersecurity risk information into an overall program?
To answer these questions, and to help security professionals communicate the value of preventative security to their management teams, NIST released a document titled "Integrating Cybersecurity and Enterprise Risk Management" (NISTIR 8286).
This guidance centers on the use of a risk register, described as a "repository of risk information", to integrate cybersecurity risk management into the overall ERM program.
A risk register is an information repository an organization creates to document the risks it faces and the responses it is taking to address them. At a minimum, each risk documented in the register should record:
- a description of a particular risk,
- the likelihood of it happening,
- its potential impact from a cost standpoint,
- its priority relative to all other risks,
- the chosen risk response,
- who owns the risk.
A risk register can be integrated into any risk management methodology your organization uses. Many resources, such as the well-known framework from the Committee of Sponsoring Organizations (COSO), Office of Management and Budget (OMB) circulars, and the ISO 31000 standard, document enterprise risk management frameworks and processes.
These different resources outline similar approaches:
- identify context,
- identify risks,
- analyze risk,
- estimate risk importance,
- determine and execute the risk response,
- identify and respond to changes over time.
The risk register is a critical tool organizations should use to track and communicate risk information for all of these steps throughout the enterprise. It serves as a key input for risk management decision-makers to consider.
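As an added example (this is not code from NISTIR 8286 or from the original article), the following Python script models a minimal register and the roll-up step described above: each component organization keeps its own register, every entry is validated against an assumed 5-point likelihood and impact scale before it is accepted, and the enterprise view ranks all risks by exposure (likelihood times impact, an illustrative scoring choice) so that the priority column is derived from the data rather than maintained by hand. The organization names, risk descriptions and ratings are constructed sample input.

```python
"""Minimal cybersecurity risk register with an enterprise roll-up.

Added illustration; the 5-point scale, the exposure formula and the sample
risks are assumptions, not values prescribed by NISTIR 8286.
"""
from __future__ import annotations
from dataclasses import dataclass, asdict
import json

SCALE = range(1, 6)  # assumed ordinal scale: 1 = lowest .. 5 = highest
RESPONSES = {"accept", "mitigate", "transfer", "avoid"}


@dataclass(frozen=True)
class Risk:
    """One row of a component organization's register (the minimum fields)."""
    risk_id: str
    description: str
    likelihood: int   # how likely the event is, 1..5
    impact: int       # cost-oriented impact if it occurs, 1..5
    response: str     # accept / mitigate / transfer / avoid
    owner: str        # accountable person or role

    def __post_init__(self) -> None:
        # Reject entries that cannot be ranked or acted on; a register that
        # silently accepts blanks or out-of-scale ratings misleads decision-makers.
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.risk_id}: likelihood and impact must be 1..5")
        if self.response not in RESPONSES:
            raise ValueError(f"{self.risk_id}: unknown response {self.response!r}")
        if not self.owner.strip():
            raise ValueError(f"{self.risk_id}: every risk needs an owner")

    @property
    def exposure(self) -> int:
        # Assumed scoring: likelihood x impact, 1..25.
        return self.likelihood * self.impact


def consolidate(registers: dict[str, list[Risk]]) -> list[dict]:
    """Merge per-organization registers into one ranked enterprise register.

    IDs are prefixed with the organization so entries from different
    registers cannot collide; ties on exposure are broken by impact, then ID.
    """
    rows: list[dict] = []
    for org, risks in registers.items():
        for r in risks:
            row = asdict(r)
            row["id"] = f"{org}:{r.risk_id}"
            row["org"] = org
            row["exposure"] = r.exposure
            rows.append(row)
    rows.sort(key=lambda row: (-row["exposure"], -row["impact"], row["id"]))
    for rank, row in enumerate(rows, start=1):
        row["priority"] = rank  # derived, never hand-edited
    return rows


def top_risk_per_org(rows: list[dict]) -> dict[str, str]:
    """The highest-priority entry from each organization (rows are pre-sorted)."""
    seen: dict[str, str] = {}
    for row in rows:
        seen.setdefault(row["org"], row["id"])
    return seen


# Constructed sample registers from two component organizations.
SAMPLE: dict[str, list[Risk]] = {
    "MFG": [
        Risk("R-01", "Ransomware spreads across the plant network", 4, 5, "mitigate", "Plant IT lead"),
        Risk("R-02", "Unpatched HMI exposed to the corporate LAN", 3, 4, "mitigate", "OT engineering"),
    ],
    "IT": [
        Risk("R-01", "Phishing leads to credential theft", 5, 3, "mitigate", "Security operations"),
        Risk("R-02", "Misconfigured cloud storage exposes customer data", 2, 5, "avoid", "Cloud platform owner"),
        Risk("R-03", "Breach at a managed-service vendor", 3, 3, "transfer", "Vendor management"),
    ],
}

if __name__ == "__main__":
    enterprise = consolidate(SAMPLE)
    print(json.dumps(enterprise, indent=2))
    print(top_risk_per_org(enterprise))
```

Running the script prints the consolidated register as JSON with the priority column filled in, plus the single most urgent item from each organization, which is the kind of summary the enterprise-level decision-makers described above would want to see first.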
NISTIR 8286 authors: Kevin Stine, Stephen Quinn, Greg Witte, R. K. Gardner
This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8286