Identify: Governance: ID. GV-4: Governance and risk management processes address cybersecurity risks
Addressing cybersecurity risks begins with defining enterprise governance, risk management strategy, and related processes.
Governance and risk management processes address cybersecurity risks: Defined
Nobody wants to “own” cybersecurity risks because they are scary. And believe it or not, that can manifest in weird ways. Namely, there were enough companies that had governance and risk management processes that didn’t mention cybersecurity risks, NIST had to tell everybody to include them. Crazy, huh? So let’s pour everybody a nice cup of chamomile tea and check to see if cybersecurity themes are in your risk management processes.
Our first step is to stumble around and see if there even is a risk management process, because there often isn’t, and in those cases, we at least get a quick win because we don’t have to check for cybersecurity risks if the risk management process is already AWOL. Ask around a bit. You might find something by referring to this whole thing as “ERM”, which is a common enterprise function in regulated industries like financial services, but is becoming increasingly common outside of those sectors.
Look for a “risk framework” that defines how your organization will assess risk, respond to risk, and monitor risk. Sustaining a risk management process requires a series of routine behaviors as a part of decision-making for investments and operations. The process should leave evidence behind, but it might not always be clearly documented, or articulated.
Still can’t find it? Well, that can be a big deal because when your company’s current (and temporary!) leadership decides that they want to get into some shenanigans to goose share prices on a short-term basis, there isn’t anything to stop them. So mature companies think about the risks that they are willing to take. They’ll build frameworks and strategies for risk that are specific to their own industries and situations. At a minimum, they’ll include (via ID.RM and ID.SC):
- Organizational risk appetite and risk tolerance;
- Acceptable risk assessment methodologies;
- Risk response strategies to stay within levels of tolerance;
- Process for consistently evaluating security and privacy risks organization-wide; and
- Approaches for monitoring risk over time.
COBIT boils down good risk management concisely, it must be: consistent, repeatable, and defensible. So don’t let somebody talk you into the idea that ad hoc risk response is “risk management”. It isn’t. If you can see consistent, repeatable, and defensible risk management, then congratulations. You’re through the first step and your organization is enjoying “Enterprise Risk Management” or “ERM” for short.
Your second step is to check to see whether your newly-discovered ERM program is collecting cybersecurity risks. Look for the usual suspects here: (1) unauthorized access; (2) vulnerabilities and malware; (3) unauthorized changes, etc.
ID. GV-4: In the news
Increasingly organizations are expected to demonstrate responsible management of cybersecurity risks. On the heels of cyber events impacting publicly traded companies and companies providing public services there is increasing pressure for organizations to regularly report.
SEC Release Nos 33-1103, 34-94382, IC-34529: The SEC is planning to increase periodic reporting requirements related to cybersecurity, specifically regarding policies and procedures to identify and manage cybersecurity risks; the board of directors’ oversight of cybersecurity risk; and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures is becoming increasingly required by various regulatory bodies.
Form 10-K will require Consistent and informative disclosures regarding policies and procedures around cybersecurity risk management and strategy. Cybersecurity-related risks and incidents that have affected, or are reasonably likely to affect, the registrant’s results of operations or financial condition.
The aim of these proposed new SEC requirements related to cyber risk management is to equip investors with information related to the cyber risk profile of an organization that would allow informed decision-making when investing. The NIST publication, Integrating Cybersecurity and Enterprise Risk Management, recommends that organizations, “Maintain a risk profile for use in disclosures, including the exposure determination process and result, recent trends of enterprise improvement, peer trends, and contingency strategies to inform periodic and incident-driven disclosures.” This approach would help meet the forthcoming SEC requirements.
NYDFS Cybersecurity Regulation (23 NYCRR 500): Covered institutions include entities operating within the financial services industry. The reporting procedures require that CISOs prepare an annual report including the organization’s security risks among other requirements including policies that cover information security, access controls, disaster recovery planning, systems and network security, customer data privacy, and regular risk assessments.
My Governance and Risk Process: Failed…what am I going to see?
Risk management failures are notoriously difficult to detect. Very often, the focus draws to the immediate cause of a problem rather than the thematic issue. The culture that you’re operating in will often distort risk management issues by improperly minimizing their importance.
Writing things down is considered quaint and unnecessary.
The governance and risk management framework begins with documentation of policies, standards, and procedures. At the policy level management intent is documented and approved. Standards outline minimum requirements that will enable the organization to achieve management intent. Procedures detail how the minimum requirements will be met within the organization.
Our leaders are really busy golfing “focusing on customers”.
Executive leadership is not informed of cybersecurity program objectives nor in agreement on alignment with strategic objectives of the organization. The cybersecurity program design should align with business risks in the areas of culture, policy and governance, availability and performance, market trust, compliance, data assurance, and cost of controls.
We value risk-taking and improvisation…a lot.
Unacceptable risks are failures of risk management and would also include material cybersecurity incidents. Stifling controls are also outside of the risk tolerance and can lead to missed opportunities and increased costs that do not provide a valuable return. The focus should not be on eliminating all cybersecurity risks but rather on mitigating the risks that most directly have the potential to impact the organization’s success or ability to achieve strategic objectives.
My Governance and Risk Process: Is stellar. . .what does it look like?
Competent cybersecurity risk management will be easy to spot. The organization’s culture will include room for risk and risk management. You should also see artifacts of risk management activities.
Risk appetite and tolerance level defined
Models are established for discussing risk tolerance. This may be defined in several ways such as financial thresholds, zones based on likelihood-impact, or a set of representative scenarios. The appetite and tolerance levels are defined in a way that makes explicit and transparent the risk perceptions routinely used by leadership within the organization in making investment and operational decisions.
Cybersecurity risks are consistently and adequately funded.
As part of a risk-based approach to decision-making, risk information is used to support investment in cybersecurity and guide prioritization of cybersecurity programs. The risk management process is used to support the business case for investment in cybersecurity program implementations or enhancements.
Board level reporting on cybersecurity keeps everybody on the same page.
Regular reporting to the board of directors regarding cybersecurity risk management. Risk dashboard, top 10 risks, and other reporting methods are used to regularly communicate cybersecurity risks to the board of directors. The board of directors has some involvement in the definition or approval of risk appetite statements which are clearly defined and documented.
We’re serious about remediation.
Plan of Action and Milestones, also known as the POAM, is the first step in remediation and the PAOM should be a defined element within the governance and risk management process. According to NIST a POAM is defined as, “a document for a system that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.”
We all speak the same risk language.
In larger organizations it is not possible or desirable to achieve the same level of risk management for systems. Prioritizing organizational systems into categories such as low, moderate, and high impact, enables the organization to differentiate the requirements for systems based on their impact or criticality to the organization mission and business operations. This can include consideration of complexity and system interconnections enabling multiple baselines for the implementation of the most appropriate controls by category.
We stay current on the risks in our environment and our progress toward remediation.
Progress towards completion of the POAM should be monitored and reported at the appropriate level based on the prioritization category of the systems. System owners are held accountable for providing status updates on the tasks defined in the POAM and updates on any resource constraints or roadblocks that will affect scheduled milestones.
Cybersecurity Risk Management: Other sources of authority.
Integrating Cybersecurity and Enterprise Risk Management. NIST.IR.8286 Integrating Cybersecurity and Enterprise Risk Management (ERM) (nist.gov)
Managing Information Security Risk: Organization, Mission, and Information System View. NIST SP 800-53. NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View
Guide for Conducting Risk Assessments. NIST SP 800-30. NIST Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments
Security and Privacy Controls for Information Systems and Organizations. NIST SP 800-53 Rev. 5. Security and Privacy Controls for Information Systems and Organizations (nist.gov)
Information security, cybersecurity and privacy protection: Information security management systems – Requirements. ISO/IEC 27001:2022. ISO – ISO/IEC 27001:2022 – Information security, cybersecurity and privacy protection — Information security management systems — Requirements
A Business Framework for Governance and Management of Enterprise IT. COBIT 5. Store – COBIT 5 | Digital | English – ISACA Portal
Chatting about Governance and Risk Management Processes.
Jamie talks to Vendor A: [Link1]
Resources for the journey.
The Fundamentals of Risk Management by Thompson.
Managing Cybersecurity Risk as Enterprise Risk by Schneider
Top 10 Risk Management Software by Capterra.
Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11038, 34-94382, IC-34529 (Mar 23, 2022)
Comments are closed