Cyber Security Risk Management Capabilities
Our guidance lays out nine categories that together form an organization’s cybersecurity framework. These include:
- Nature of the business and operations
- Nature of information at risk
- Cybersecurity risk management program objectives
- Factors that have a significant effect on inherent risks related to the use of technology
- Cybersecurity risk governance structure
- Cybersecurity risk assessment process
- Cybersecurity communications and quality of cybersecurity information
- Monitoring of the cybersecurity risk management program
- Cybersecurity control processes
Security Strategy Risk Management
A Strategic Security Tool
Frameworks are becoming the strategic tools of choice to assess risk, prioritize threats, secure investment and communicate progress for the most pressing security initiatives. They provide assessment mechanisms that enable organizations to determine their current cybersecurity capabilities, set individual goals for a target state, and establish a cybersecurity strategy for improving and maintaining security programs. Frameworks help you understand the maturity of your security activities and can adapt over time to meet the maturity level of the threats you face and the security capabilities you employ.
NIST Cybersecurity Framework
There are various security frameworks that address different types of needs, but one of the most popular is the National Institute of Science and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity, commonly referred to as the NIST Cybersecurity Framework (NIST CSF). This document was initially released in 2014 and is in the process of being updated.
The NIST CSF provides policy guidance to encourage organizations to develop a process-focused approach to digital security. It aims to provide direction on how to assess and improve an organization’s ability to prevent, detect and respond to cyberattacks.
The NIST CSF is organized around five core functions: Identify, Protect, Detect, Respond and Recover. Those functions are subdivided into 22 categories. The framework offers suggestions for building your list of things to do and establishing a baseline against which you can measure the maturity of your control mechanisms. However, it does not specifically tell you how to achieve these goals within individual security controls. With this guidance, you can make risk-based decisions about security investments to reduce actual cyber risks.