Wednesday, 4 October 2023

A glimpse into Cyber Security Risk Management

 

The increasing frequency, creativity and variety of cyberattacks mean that every enterprise is bound to turn its attention to cyber security risk management.


The Definition:

Risk management is the process by which an organization identifies, assesses, communicates and manages its cybersecurity risks in the context of its stated mission and business objectives, using language and constructs already familiar to senior leaders.




The Approach:

The Risk Management Framework (RMF) offers a methodical and adaptable strategy for handling the risk that comes with integrating systems into the organization's mission and business processes. A good risk management framework should comprise:

  • Standards and guidelines to support implementation of risk management programs
  • Compliance with applicable laws and regulatory requirements
  • Control selection to establish a baseline and provide adequate protection
  • Control implementation to make the framework functional
  • Control testing to determine whether controls are implemented correctly, operating as intended and producing the desired outcomes
  • Risk assessment to identify, analyse, evaluate and treat risks
  • Continuous monitoring for early threat detection, faster incident response and ongoing compliance with regulatory requirements


Top Risk Management Frameworks:

  1. ISO 27001 & ISO 27002.
  2. Cybersecurity Maturity Model Certification (CMMC)
  3. NIST SP 800-53 & NIST CSF.
  4. AICPA SOC 2.
  5. EBIOS.


An Example - NIST RMF:




The seven steps of the NIST RMF, with the purpose of each:

Prepare: Essential activities to prepare the organization to manage security and privacy risks
Categorize: Categorize the system and the information it processes, stores and transmits, based on an impact analysis
Select: Select the set of NIST SP 800-53 controls to protect the system, based on risk assessment(s)
Implement: Implement the controls and document how they are deployed
Assess: Assess whether the controls are in place, operating as intended and producing the desired results
Authorize: A senior official makes a risk-based decision to authorize the system (to operate)
Monitor: Continuously monitor control implementation and risks to the system
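The Categorize and Select steps above are where a concrete impact analysis turns into a control baseline. As an added example (not code from the original post, and not NIST's own tooling), the Python below applies the FIPS 199 high-water mark rules that the RMF uses for this: each information type is rated Low, Moderate or High for confidentiality, integrity and availability, the system category is the per-objective maximum across all of its information types, and the highest of those three picks the SP 800-53 baseline. The information types, their ratings and the sample system are constructed for illustration; the "N/A" floor-to-Low rule and the objective names follow FIPS 199.

```python
"""FIPS 199-style security categorization for the RMF Categorize and Select steps.

Added example, not code from the original post. The information types,
their impact ratings and the sample system below are constructed.
"""
from enum import IntEnum
from typing import Dict


class Impact(IntEnum):
    """Potential impact levels from FIPS 199. NA may be used only for confidentiality
    of an individual information type (for example, public web content)."""
    NA = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed inventory: every information type the system stores, processes or
# transmits, rated per security objective (the input SP 800-60 would help produce).
SAMPLE_SYSTEM: Dict[str, Dict[str, Impact]] = {
    "public web content": {"confidentiality": Impact.NA, "integrity": Impact.LOW, "availability": Impact.LOW},
    "customer PII": {"confidentiality": Impact.MODERATE, "integrity": Impact.MODERATE, "availability": Impact.LOW},
    "payment processing": {"confidentiality": Impact.MODERATE, "integrity": Impact.HIGH, "availability": Impact.MODERATE},
}

BASELINES = {Impact.LOW: "low", Impact.MODERATE: "moderate", Impact.HIGH: "high"}


def validate_ratings(info_type: str, ratings: Dict[str, Impact]) -> None:
    """Reject incomplete ratings, unknown objectives, and NA on anything but confidentiality."""
    missing = [o for o in OBJECTIVES if o not in ratings]
    if missing:
        raise ValueError(f"{info_type}: missing rating for {missing}")
    for objective, impact in ratings.items():
        if objective not in OBJECTIVES:
            raise ValueError(f"{info_type}: unknown objective {objective!r}")
        if impact == Impact.NA and objective != "confidentiality":
            raise ValueError(f"{info_type}: {objective} cannot be rated N/A")


def categorize_system(info_types: Dict[str, Dict[str, Impact]]) -> Dict[str, Impact]:
    """Per-objective high-water mark across every information type on the system."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    category = {objective: Impact.NA for objective in OBJECTIVES}
    for info_type, ratings in info_types.items():
        validate_ratings(info_type, ratings)
        for objective in OBJECTIVES:
            category[objective] = max(category[objective], ratings[objective])
    # FIPS 199 does not allow NA at the system level: a system that only serves
    # public data still has a LOW minimum (the "low-water mark") for confidentiality.
    if category["confidentiality"] == Impact.NA:
        category["confidentiality"] = Impact.LOW
    return category


def overall_impact(category: Dict[str, Impact]) -> Impact:
    """Single impact level for the system: the highest of its three objectives."""
    return max(category.values())


def select_baseline(info_types: Dict[str, Dict[str, Impact]]) -> str:
    """Select step input: the SP 800-53 baseline implied by the categorization.
    Tailoring (adding, removing or scoping controls) happens after this and is not modelled."""
    return BASELINES[overall_impact(categorize_system(info_types))]


def format_category(category: Dict[str, Impact]) -> str:
    """Render in FIPS 199 notation, e.g. SC = {(confidentiality, MODERATE), ...}."""
    parts = ", ".join(f"({objective}, {category[objective].name})" for objective in OBJECTIVES)
    return "SC = {" + parts + "}"


if __name__ == "__main__":
    cat = categorize_system(SAMPLE_SYSTEM)
    print(format_category(cat))
    print("baseline:", select_baseline(SAMPLE_SYSTEM))
```

Running it on the constructed inventory gives SC = {(confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)} and a "high" baseline: a single High integrity rating on payment processing pulls the whole system, including the public content, into the High baseline. That is the practical lesson of the Categorize step, and the usual reason teams draw authorization boundaries so that the high-impact function is a separate system rather than letting it inflate the controls required everywhere else.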


This process is executed by a chain of experts from the cybersecurity team, such as the Chief Information Security Officer, Chief Risk Officer, Risk Manager, Risk Advisor and Risk Management Coordinator. However, it is ultimately the responsibility of the business management team, including the Chief Executive Officer, Chief Technology Officer, Project Manager, business owner, application owner and Business Information Security Officer, to ensure that risk management is completed effectively.


In-house risk management teams are a standard capability within the information technology sector. In contrast, major industries such as manufacturing, healthcare, finance, energy, transportation, pharmaceuticals, retail, real estate and others tend to rely on cyber security risk consulting firms, including the Big 4 and other leading consulting companies.



