The National Institute of Standards and Technology releases report on Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight: NIST IR 8286C

September 20, 2022

The National Institute of Standards and Technology (“NIST”) has released NIST Internal Report (IR) 8286C, Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight. It is a particularly useful and practical report. In short compass it describes ways to combine risk information across an enterprise. Integrating risk information in this way supports sound decision making and monitoring.

The report creates an enterprise risk profile (ERP) that supports the comparison and management of cyber risks.

The Abstract provides:

This document is the third in a series that supplements NIST Interagency/Internal Report (NISTIR) 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM). This series provides additional details regarding the enterprise application of cybersecurity risk information; the previous documents, NISTIRs 8286A and 8286B, provided details regarding stakeholder risk direction and methods for assessing and managing cybersecurity risk in light of enterprise objectives. NISTIR 8286C describes how information, as recorded in cybersecurity risk registers (CSRRs), may be integrated as part of a holistic approach to ensuring that risks to information and technology are properly considered for the enterprise risk portfolio. This cohesive understanding supports an enterprise risk register (ERR) and enterprise risk profile (ERP) that, in turn, support the achievement of enterprise objectives.

This guide is of particular use for privacy practitioners. It discusses how risk governance elements such as:

  • enterprise risk strategy,
  • appetite,
  • tolerance, and
  • capacity

direct risk performance.

By monitoring the results of CSRM activities at each hierarchical level, senior leaders can adjust various governance components to achieve risk objectives.

There are four key ERM activities:
1. Aggregation of CSRM data from throughout the enterprise to create a composite CSRM understanding;
2. Integration of data regarding key cyber risks that should be included in overarching enterprise-level risk artifacts, such as the ERR and ERP;
3. Adjustments to risk direction (including risk limits and risk treatment options) within governance system components to optimize enterprise CSRM results; and
4. Monitoring and reporting at various hierarchical levels to maintain situational awareness regarding changes to the risk landscape and CSRM outcomes.

Risk criteria include:

  • definitions for how negative (and positive) consequences and likelihood are to be measured to allow comparability across assessment results.
  • how time factors, such as risk velocity, should be considered in determining the risk severity.
  • the organization’s objectives and internal/external context.
  • part of the equation for whether specific cybersecurity risks meet the minimum threshold for enterprise-level discussion.

A key element of normalization is the identification and resolution of cases where a similar risk scenario is treated differently by different enterprise participants. There may be no issue with such a difference since context and circumstances might be different, but the underlying cause should be understood, and the disparity should be recognized.
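To make the normalization and aggregation steps concrete, here is a small worked example in Python. It is an added illustration, not code from NIST or from IR 8286C: two business units keep cybersecurity risk registers (CSRRs) on different scales, a common set of enterprise risk criteria (likelihood and consequence bands, a risk velocity weight, and a minimum score for enterprise-level discussion) maps them onto one scale, the results are aggregated into candidate enterprise risk register (ERR) entries, and scenarios that different units rate very differently are flagged for the disparity review the report calls for. All unit names, scales, thresholds and register entries are constructed for the example.

```python
"""Added example (not NIST's code): normalizing CSRR entries from two business
units onto common enterprise risk criteria, aggregating them toward an ERR, and
flagging scenarios that units rate differently. All values are constructed."""
from dataclasses import dataclass
from collections import defaultdict

# Constructed enterprise risk criteria (the "common set of risk criteria").
# Likelihood: annual probability upper bound -> enterprise level 1..5.
LIKELIHOOD_BANDS = [(0.05, 1), (0.20, 2), (0.50, 3), (0.80, 4), (1.01, 5)]
# Consequence: loss in USD upper bound -> enterprise level 1..5.
CONSEQUENCE_BANDS = [(50_000, 1), (250_000, 2), (1_000_000, 3),
                     (5_000_000, 4), (float("inf"), 5)]
# Risk velocity (a time factor) adjusts severity; constructed weights.
VELOCITY_WEIGHT = {"slow": 0.8, "moderate": 1.0, "fast": 1.25}
# Minimum normalized score for a risk to reach enterprise-level discussion.
ENTERPRISE_THRESHOLD = 12


@dataclass
class CsrrEntry:
    unit: str          # business unit that owns the register entry
    scenario: str      # short label used to match similar scenarios across units
    likelihood: float  # unit-local value; its meaning depends on the unit's scale
    consequence: float
    velocity: str      # "slow" | "moderate" | "fast"
    category: str      # Financial, Reputation, Mission, ...


def band(value, bands):
    """Map a raw value to the first band whose upper bound it falls below."""
    for upper, level in bands:
        if value < upper:
            return level
    return bands[-1][1]


# How each (constructed) unit records its register: finance-ops uses
# probability and dollars, the plant already uses an ordinal 1..5 scale.
UNIT_SCALES = {
    "finance-ops": {"likelihood": lambda p: band(p, LIKELIHOOD_BANDS),
                    "consequence": lambda usd: band(usd, CONSEQUENCE_BANDS)},
    "plant": {"likelihood": lambda lvl: int(lvl),
              "consequence": lambda lvl: int(lvl)},
}


def normalize(entry):
    """Express one CSRR entry in enterprise terms and compute its score."""
    conv = UNIT_SCALES[entry.unit]
    like = conv["likelihood"](entry.likelihood)
    cons = conv["consequence"](entry.consequence)
    score = round(like * cons * VELOCITY_WEIGHT[entry.velocity], 1)
    return {"unit": entry.unit, "scenario": entry.scenario,
            "category": entry.category, "likelihood": like,
            "consequence": cons, "velocity": entry.velocity, "score": score}


def aggregate(entries):
    """Return (ERR candidates at or above threshold, highest first; all rows)."""
    rows = [normalize(e) for e in entries]
    err = [r for r in rows if r["score"] >= ENTERPRISE_THRESHOLD]
    return sorted(err, key=lambda r: r["score"], reverse=True), rows


def find_disparities(rows, tolerance=1):
    """Flag scenarios whose normalized likelihood or consequence differs across
    units by more than `tolerance`; the cause should be understood and recorded."""
    by_scenario = defaultdict(list)
    for r in rows:
        by_scenario[r["scenario"]].append(r)
    flagged = []
    for scenario, group in by_scenario.items():
        if len(group) < 2:
            continue
        for field in ("likelihood", "consequence"):
            values = {r["unit"]: r[field] for r in group}
            if max(values.values()) - min(values.values()) > tolerance:
                flagged.append((scenario, field, values))
    return flagged


# Constructed register entries from the two units.
SAMPLE_ENTRIES = [
    CsrrEntry("finance-ops", "ransomware on ERP", 0.30, 3_000_000, "fast", "Financial"),
    CsrrEntry("finance-ops", "phishing credential theft", 0.60, 150_000, "moderate", "Reputation"),
    CsrrEntry("plant", "ransomware on ERP", 1, 4, "fast", "Mission"),
    CsrrEntry("plant", "OT sensor outage", 4, 3, "slow", "Mission"),
    CsrrEntry("plant", "vendor remote access abuse", 3, 5, "moderate", "Mission"),
]

if __name__ == "__main__":
    err, rows = aggregate(SAMPLE_ENTRIES)
    for r in err:
        print(f"ERR candidate: {r['scenario']} ({r['unit']}) score={r['score']}")
    for scenario, field, values in find_disparities(rows):
        print(f"Disparity: {scenario!r} {field} rated {values}")
```

With these constructed entries, the finance-ops ransomware scenario (likelihood level 3, consequence level 4, fast velocity) and the plant's vendor remote access scenario both score 15.0 and reach the enterprise threshold, while the plant's own ransomware entry scores 5.0; the two units' likelihood ratings for the same ransomware scenario (3 versus 1) are flagged as a disparity to be explained rather than silently averaged.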

Cyber risk is only one of many risks in the risk universe, but, considering the extensive dependency of the modern enterprise on information and technology, cybersecurity represents an important subset of the overall risk picture.

While technology has long been a risk consideration, the increasing complexity of and reliance on cyber-connected systems introduce new exposures, such as highly connected systems and sensors, as part of the Internet of Things, being affected by latency and duration. Throughout the asset life cycle, asset valuation drives an understanding of exposures, which enables improved risk assessment, response, and monitoring results throughout the enterprise based on stakeholder governance and direction.

The cybersecurity risk consequences to finance, mission, and reputation inform deliberations of enterprise operational risk (OpRisk) alongside other enterprise risks (e.g., market risk, credit risk, geopolitical risk). OpRisk response activities directly protect mission operations.

There is a need for a dynamic and iterative process of connecting the entity’s understanding of cybersecurity risk with its strategy. A common set of risk criteria should be utilized. To ensure the relevance and effective translation of cybersecurity risks at the enterprise level, the chief information security officer needs to coordinate with existing ERM functions.

The risks are:

  • Financial: Practices that represent exposure to net income, capital, cash flow, and solvency factors, including appropriations and investments.
  • Reputation: Considerations that might be measurable through key stakeholder surveys or sentiment analysis
  • Mission: Risk conditions that affect the enterprise’s ability to achieve objectives.
  • Secondary Impacts: Risk considerations that relate to secondary (or even tertiary) impacts from cascading consequences. For example, a risk that impedes mission objectives may have a subsidiary reputational impact that may subsequently cause a financial impact. Negative sentiment from a regulator or legislator may impede funding or authorities, restricting operations and, ultimately, mission achievement.

An ERP that accurately weighs cybersecurity risks is dependent on:

  • Accurate and ongoing understanding of the key business and mission-essential functions of the organization;
  • Accurate understanding of the relationship and dependencies among enterprise functions and supporting technology systems;
  • Adequate consideration and factoring of cybersecurity risks in the ERR, including the mission, financial, and reputational impacts of cybersecurity risks; and
  • Accurate and comprehensive understanding and timely reporting of key cybersecurity risks and related information.

Tying risks to these objectives will help align and normalize results:

  • Strategic: Risks that impact the core mission or objectives of the enterprise, including those related to the implementation of a new service or product offering; cybersecurity concerns that might impact an upcoming federal agency reorganization or a private-sector acquisition
  • Operations: Cybersecurity risks regarding existing operational systems, such as a ransomware attack that disables a manufacturing line; business continuity/disaster recovery issues
  • Reporting: Cybersecurity risks regarding the availability, integrity, and confidentiality of financial or information management systems, including those that might impact the accuracy or timeliness of reporting functions
  • Compliance: Cybersecurity risks where a negative event might result in a failure to meet a contractual service agreement or in a regulatory penalty or fine

Prioritization is largely based on the intersection of each risk type (within each risk category) and the mission objectives.

Risk management adjustments and ongoing assessment/reporting depend directly on effective enterprise risk governance. Governance is the process of determining enterprise objectives, setting direction to achieve those objectives, and monitoring performance to adjust strategy as necessary. Risk governance is not intended to take the place of risk management activities. Risk governance seeks to set the criteria and expectations by which risk management, including CSRM, will be conducted. It provides the transparency, responsibility, and accountability that enable managers to acceptably manage risk.

For the activities to be meaningful, risk managers throughout the enterprise must be informed about objectives, results, priorities, and opportunities. A key purpose of the various risk registers is to enable ongoing monitoring of enterprise risk activities. Based on those activities, senior leaders evaluate available options and adjust guidance and operations to help realize opportunities and minimize harmful impact.

Risk tolerance interpreted based on risk appetite direction is achieved through the application of various risk responses, including the application of security controls. The measurement of the performance of those controls through key performance indicators (KPIs), especially those metrics that represent key risk indicators (KRIs), enables oversight and management of the achievement of the risk tolerance.

Risk evaluation is a vital element of the continuous risk monitoring process. The purpose of the evaluation is to assess changes to any of the four components of a cybersecurity risk.

Protecting the value provided by enterprise information and technology requires the continual balancing of benefits, resources, and risk considerations. Frequent and transparent communication regarding risk options, decisions, changes, and adjustments improves the quality of information used in making enterprise-level decisions. The evolving cybersecurity risk registers and profiles provide a formal method for communicating institutional knowledge and decisions regarding cybersecurity risks and their contributions to ERM. Using automated risk management tools for reporting and dashboarding can help provide ongoing insight to various levels of stakeholders, including operations managers and senior leaders. Risk evaluation also involves the ongoing determination of a target state. An ongoing process of considering the gaps between the current state and the desired state enables risk managers to quickly identify opportunities for improvement and to document those observations.
