Integrating Cybersecurity and Enterprise Risk Management (ERM)
Transcript Of Integrating Cybersecurity and Enterprise Risk Management (ERM)
NISTIR 8286
Integrating Cybersecurity and Enterprise Risk Management (ERM)
Kevin Stine Stephen Quinn
Greg Witte R. K. Gardner
This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8286
NISTIR 8286
Integrating Cybersecurity and Enterprise Risk Management (ERM)
Kevin Stine
Applied Cybersecurity Division Information Technology Laboratory
Stephen Quinn
Computer Security Division Information Technology Laboratory
Greg Witte
Huntington Ingalls Industries Annapolis Junction, MD
R. K. Gardner
New World Technology Partners Annapolis, MD
This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8286
October 2020
U.S. Department of Commerce Wilbur L. Ross, Jr., Secretary
National Institute of Standards and Technology Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology
National Institute of Standards and Technology Interagency or Internal Report 8286 74 pages (October 2020)
This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8286
Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.
There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST.
Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. Many NIST cybersecurity publications, other than the ones noted above, are available at https://csrc.nist.gov/publications.
Comments on this publication may be submitted to: National Institute of Standards and Technology
Attn: Applied Cybersecurity Division, Information Technology Laboratory 100 Bureau Drive (Mail Stop 2000) Gaithersburg, MD 20899-8930 Email: [email protected]
All comments are subject to release under the Freedom of Information Act (FOIA).
This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8286
NISTIR 8286
INTEGRATING CYBERSECURITY AND ERM
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems.
Abstract
The increasing frequency, creativity, and severity of cybersecurity attacks means that all enterprises should ensure that cybersecurity risk is receiving appropriate attention within their enterprise risk management (ERM) programs. This document is intended to help individual organizations within an enterprise improve their cybersecurity risk information, which they provide as inputs to their enterprise’s ERM processes through communications and risk information sharing. By doing so, enterprises and their component organizations can better identify, assess, and manage their cybersecurity risks in the context of their broader mission and business objectives. Focusing on the use of risk registers to set out cybersecurity risk, this document explains the value of rolling up measures of risk usually addressed at lower system and organization levels to the broader enterprise level.
Keywords
cybersecurity risk management (CSRM); cybersecurity risk measurement; cybersecurity risk profile; cybersecurity risk register (CSRR); enterprise risk management (ERM); enterprise risk register (ERR); enterprise risk profile; risk appetite; risk tolerance.
Acknowledgments
The authors wish to thank all individuals, organizations, and enterprises that contributed to the creation of this document. This includes Donna Dodson, Nahla Ivy, Naomi Lefkovitz, Amy Mahn, Rodney Petersen, Victoria Yan Pillitteri, Ron Ross, and Adam Sedgewick of NIST; Larry Feldman, Heather Mills, Matthew Smith, and Daniel Topper of Huntington Ingalls Industries; Mat Heyman of Impresa Management Solutions; and Karen Scarfone of Scarfone Cybersecurity. Organizations and individuals who provided feedback on the public comment drafts include: Aon; the Association of Local Government Auditors; Paul Barham, Pat Nolan, Michael Vallone, and Christopher White of Booz Allen Hamilton; Consortium for Information and Software Quality; P. Bevill, G. Celestin, J. Chua, M. Creary, E. Flaim, K. Francis, C. Gordon, K. Isaac, C. Livingston, M. Merritt, M. Nighswander, K. Pannah, J. Prutow, and N. Rohloff of the CyberERM Community of Interest; FAIR Institute; Forescout Technologies; Adam Bobrow of Foresight Resilience Strategies; the IT Risk Management Team of the Internal Revenue Service, Larry Clinton of the Internet Security Alliance; Gerald Beuchelt and Christine Wachter of LogMeIn; Mosaic 451; Alex Krutov of Navigation Advisors; Ismael Garcia of the Nuclear Regulatory Commission; Kelly Hood and Tom Conkle of Optic Cyber Solutions; John Kimmins of Palindrome; Profitabil-IT; Dick Brooks of Reliable Energy Analytics; Jack Freund of RiskLens; Marshall Toburen of RSA Security; Paul Rohmeyer of Stevens Institute of Technology; The Open Group; Rob Arnold of Threat Sketch; Ashley P. Moore, and Nnake Nweke of the U.S. Agency for Global Media; U.S. Air Force; U.S. Department of Defense; U.S.
ii
This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8286
NISTIR 8286
INTEGRATING CYBERSECURITY AND ERM
Department of Education; U.S. Department of Energy; U.S. Department of Health and Human Services; U.S. Department of Homeland Security - Cybersecurity and Infrastructure Security Agency; U.S. Navy; other individuals include Simon Burson; Norman Marks; Ellen Swanson; and, Douglas Webster.
Audience The primary audience for this publication includes both federal government and non-federal government cybersecurity professionals at all levels who understand cybersecurity but may be unfamiliar with the details of enterprise risk management (ERM).
The secondary audience includes both federal and non-federal government corporate officers, high-level executives, ERM officers and staff members, and others who understand ERM but may be unfamiliar with the details of cybersecurity.
All readers are expected to gain an improved understanding of how cybersecurity risk management (CSRM) and ERM complement and relate to each other as well as the benefits of integrating their use.
Trademark Information All registered trademarks and trademarks belong to their respective organizations.
Document Conventions The term ‘step’ or ‘steps’ is used in multiple frameworks and documents. If the term ‘step’ is referring to anything other than the meaning from the ERM Playbook from Figure 2, it will be preceded by a document or framework to differentiate its context (e.g., ‘NIST Cybersecurity Framework Step 1: Prioritize and Scope’.)
For the purposes of this document, the terms “cybersecurity” and “information security” are used interchangeably. While technically different in that information security generally is generally considered to be all encompassing—including the cybersecurity domain—the term cybersecurity has expanded in conventional usage to be equivalent to information security. Likewise, the terms Cybersecurity Risk Management (CSRM) and Information Security Risk Management (ISRM) are similarly used interchangeably based on the same reasoning.
Patent Disclosure Notice NOTICE: The Information Technology Laboratory (ITL) has requested that holders of patent claims whose use may be required for compliance with the guidance or requirements of this publication disclose such patent claims to ITL. However, holders of patents are not obligated to respond to ITL calls for patents and ITL has not undertaken a patent search in order to identify which, if any, patents may apply to this publication.
As of the date of publication and following call(s) for the identification of patent claims whose use may be required for compliance with the guidance or requirements of this publication, no such patent claims have been identified to ITL.
No representation is made or implied by ITL that licenses are not required to avoid patent infringement in the use of this publication.
iii
This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8286
NISTIR 8286
INTEGRATING CYBERSECURITY AND ERM
Executive Summary
All types of organizations, from corporations to federal agencies, face a broad array of risks. For federal agencies, the Office of Management and Budget (OMB) Circular A-11 defines risk as “the effect of uncertainty on objectives” [1]. The effect of uncertainty on enterprise mission and business objectives may then be considered an “enterprise risk” that must be similarly managed. An enterprise is an organization that exists at the top level of a hierarchy with unique risk management responsibilities. Managing risks at that level is known as enterprise risk management (ERM) and calls for understanding the core risks that an enterprise faces, determining how best to address those risks, and ensuring that the necessary actions are taken. In the Federal Government, ERM is considered “an effective agency-wide approach to addressing the full spectrum of the organization’s significant risks by understanding the combined impact of risks as an interrelated portfolio rather than addressing risks only within silos” [1].
Cybersecurity risk is an important type of risk for any enterprise. Other risks include but are not limited to financial, legal, legislative, operational, privacy, reputational, safety, strategic, and supply chain risks [2]. As part of an ERM program, senior leaders (e.g., corporate officers, government senior executive staff) often have fiduciary and reporting responsibilities that other organizational stakeholders do not, so they have a unique responsibility to holistically manage the combined set of risks, including cybersecurity risk.
The individual organizations that comprise every enterprise are experiencing an increase in the frequency, creativity, and severity of cybersecurity attacks. All organizations and enterprises, regardless of size or type, should ensure that cybersecurity risks receive appropriate attention as they carry out their ERM functions.
Since enterprises are at various degrees of maturity regarding the implementation of risk management, this document offers NIST’s cybersecurity risk management (CSRM) expertise to help organizations improve the cybersecurity risk information they provide as inputs to their enterprise’s ERM programs.
Many resources—such as well-known frameworks from the Committee of Sponsoring Organizations (COSO), Office of Management and Budget (OMB) circulars, and the International Organization for Standardization (ISO)—document ERM frameworks and processes. They generally include similar approaches: identify context, identify risks, analyze risk, estimate risk importance, determine and execute the risk response, and identify and respond to changes over time. A critical risk document used to track and communicate risk information for all of these steps throughout the enterprise is called a risk register [1].1 The risk register provides a formal communication vehicle for sharing and coordinating cybersecurity risk activities as an input to ERM decision makers. For example, cybersecurity risk registers are key aspects of managing and communicating about those particular risks.2
1 OMB Circular A-11 defines a risk register as “a repository of risk information including the data understood about risks over time” [1].
2 Organizations creating a risk management program for the first time should not wait until the risk register is completed before addressing obvious issues; however, over time, it should become the ordinary means of communicating risk information.
iv
This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8286
NISTIR 8286
INTEGRATING CYBERSECURITY AND ERM
At higher levels in the enterprise structure, those cybersecurity and other risk registers are aggregated, normalized, and prioritized into risk profiles. A risk profile is defined by OMB Circular A-123 as “a prioritized inventory of the most significant risks identified and assessed through the risk assessment process versus a complete inventory of risks” [3]. While it is critical that enterprises address potential negative impacts on mission and business objectives, it is equally critical (and required for federal agencies) that enterprises plan for success. OMB states in Circular A-123 that “the [Enterprise Risk] profile must identify sources of uncertainty, both positive (opportunities) and negative (threats).” Enterprise-level decision makers use the risk profile to choose which enterprise risks to address, allocate resources, and delegate responsibilities to appropriate risk owners. ERM programs should define terminology, formats, criteria, and other guidance for risk inputs from lower levels of the enterprise.
Cybersecurity risk inputs to ERM programs should be documented and tracked in written cybersecurity risk registers3 that comply with the ERM program guidance. However, most enterprises do not communicate their cybersecurity risk guidance or risk responses in consistent, repeatable ways. Methods such as quantifying cybersecurity risk in dollars and aggregating cybersecurity risks are largely ad hoc and are sometimes not performed with the same rigor as methods for quantifying other types of risk within the enterprise.
In addition to widely using cybersecurity risk registers, improving the risk measurement and analysis methods used in CSRM would boost the quality of the risk information provided to ERM. In turn, this practice would promote better management of cybersecurity at the enterprise level and support the enterprise’s objectives.
There are proven methods available for performing CSRM and integrating the results. Improving the measurement and communications methods used in CSRM, such as through the use of cybersecurity risk registers, can improve the quality of the risk information provided to ERM. This result promotes enterprise-wide CSRM and supports enterprise-level decision making. Improved communications will also help executives and corporate officers understand the challenges that cybersecurity professionals face when providing those professionals with the information they are accustomed to receiving for other types of risk.
3 Formats include risk register data displayed in dashboards, GRC tools, file formats for communicating risk register data such as the spreadsheets (CSV) and JSON formats located at https://csrc.nist.gov/publications/detail/nistir/8286/final.
v
This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8286
NISTIR 8286
INTEGRATING CYBERSECURITY AND ERM
Table of Contents Executive Summary ..................................................................................................... iv 1 Introduction ............................................................................................................ 1
1.1 Purpose and Scope ........................................................................................ 2 1.2 Document Structure ........................................................................................ 3 2 Gaps in Managing Cybersecurity Risk as an ERM Input .................................... 4 2.1 Overview of ERM ............................................................................................ 4
2.1.1 Common Use of ERM........................................................................... 6 2.1.2 ERM Framework Steps ........................................................................ 6 2.2 Shortcomings of Typical Approaches to Cybersecurity Risk Management ... 10 2.2.1 Lack of Standardized Measures ......................................................... 10 2.2.2 Informal Analysis Methods ................................................................. 10 2.2.3 Focus on the System Level ................................................................ 11 2.2.4 Increasing System and Ecosystem Complexity .................................. 11 2.3 The Gap Between CSRM Output and ERM Input ......................................... 12 2.3.1 Insufficient Asset Information ............................................................. 14 3 Cybersecurity Risk Considerations Throughout the ERM Process ................ 14 3.1 Identify the Context ....................................................................................... 17 3.1.1 Notional Risk Management Roles ...................................................... 18 3.1.2 Risk Management Strategy ................................................................ 20 3.2 Identify the Risks........................................................................................... 21 3.2.1 Inventory and Valuation of Assets ...................................................... 22 3.2.2 Determination of Potential Threats ..................................................... 23 3.2.3 Determination of Exploitable and Susceptible Conditions .................. 25 3.2.4 Evaluation of Potential Consequences ............................................... 25 3.3 Analyze the Risks ......................................................................................... 26 3.3.1 Risk Analysis Types ........................................................................... 26 3.3.2 Techniques for Estimating Likelihood and Impact of Consequences . 27 3.4 Prioritize Risks .............................................................................................. 29 3.5 Plan and Execute Risk Response Strategies................................................ 30 3.5.1 Applying Security Controls to Reduce Risk Exposure ........................ 31 3.5.2 Responding to Residual Risk ............................................................. 32 3.5.3 When a Risk Event Passes Without Triggering the Event .................. 34
vi
This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8286
NISTIR 8286
INTEGRATING CYBERSECURITY AND ERM
3.6 Monitor, Evaluate, and Adjust ....................................................................... 35 3.6.1 Continuous Risk Monitoring................................................................ 35 3.6.2 Key Risk Indicators............................................................................. 37 3.6.3 Continuous Improvement ................................................................... 38
3.7 Considerations of Positive Risks as an Input to ERM ................................... 39 3.8 Creating and Maintaining an Enterprise-Level Cybersecurity Risk Register . 40 3.9 Cybersecurity Risk Data Conditioned for Enterprise Risk Rollup .................. 42 4 Cybersecurity Risk Management as Part of a Portfolio View........................... 48 4.1 Applying the Enterprise Risk Register and Developing the Enterprise Risk Profile .................................................................................................................... 49 4.2 Translating the Risk Profile to Inform Leadership Decisions ......................... 51 4.3 Information and Decision Flows in Support of ERM...................................... 52 4.4 Conclusion .................................................................................................... 55 References ................................................................................................................... 56
Appendix A— Appendix B— Appendix C—
List of Appendices Acronyms and Abbreviations .......................................................... 59 Glossary ............................................................................................ 61 Federal Government Sources for Identifying Risks ...................... 64
List of Figures
Figure 1: Enterprise Hierarchy for Cybersecurity Risk Management............................... 1 Figure 2: Notional Risk Management Life Cycle ............................................................. 9 Figure 3: Risk Register Information Flow Among System, Organization, and Enterprise
Levels..................................................................................................................... 13 Figure 4: Notional Cybersecurity Risk Register Template ............................................. 15 Figure 5: Likelihood and Impact Matrix Derived from NIST SP 800-30 Rev. 1 .............. 29 Figure 6: Example of a Quantitative Risk Matrix ........................................................... 30 Figure 7: Excerpt from a Notional Cybersecurity Risk Register..................................... 33 Figure 8: Integration of CSRRs into Enterprise Risk Profile .......................................... 41 Figure 9: Notional Information and Decision Flows Diagram from NIST Cybersecurity
Framework ............................................................................................................. 49 Figure 10: Illustrative Example of a Risk Profile (from OMB A-123) .............................. 50
vii
NISTIR 8286
INTEGRATING CYBERSECURITY AND ERM
Figure 11: Notional Information and Decision Flows Diagram with Numbered Steps ... 53
List of Tables
Table 1: Similarities Among Selected ERM and Risk Management Documents ............. 7 Table 2: Descriptions of Notional Cybersecurity Risk Register Template Elements...... 15 Table 3: Response Types for Negative Cybersecurity Risks......................................... 31 Table 4: Examples of Proactive Risk Management Activities ........................................ 36 Table 5: Response Types for Positive Cybersecurity Risks .......................................... 40 Table 6: Notional Enterprise Risk Register.................................................................... 44 Table 7: Descriptions of the Notional Enterprise Risk Register Elements ..................... 46 Table 8: Notional Enterprise Risk Portfolio View for a Private Corporation ................... 52
This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8286
viii
Integrating Cybersecurity and Enterprise Risk Management (ERM)
Kevin Stine Stephen Quinn
Greg Witte R. K. Gardner
This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8286
NISTIR 8286
Integrating Cybersecurity and Enterprise Risk Management (ERM)
Kevin Stine
Applied Cybersecurity Division Information Technology Laboratory
Stephen Quinn
Computer Security Division Information Technology Laboratory
Greg Witte
Huntington Ingalls Industries Annapolis Junction, MD
R. K. Gardner
New World Technology Partners Annapolis, MD
This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8286
October 2020
U.S. Department of Commerce Wilbur L. Ross, Jr., Secretary
National Institute of Standards and Technology Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology
National Institute of Standards and Technology Interagency or Internal Report 8286 74 pages (October 2020)
This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8286
Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.
There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST.
Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. Many NIST cybersecurity publications, other than the ones noted above, are available at https://csrc.nist.gov/publications.
Comments on this publication may be submitted to: National Institute of Standards and Technology
Attn: Applied Cybersecurity Division, Information Technology Laboratory 100 Bureau Drive (Mail Stop 2000) Gaithersburg, MD 20899-8930 Email: [email protected]
All comments are subject to release under the Freedom of Information Act (FOIA).
This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8286
NISTIR 8286
INTEGRATING CYBERSECURITY AND ERM
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems.
Abstract
The increasing frequency, creativity, and severity of cybersecurity attacks means that all enterprises should ensure that cybersecurity risk is receiving appropriate attention within their enterprise risk management (ERM) programs. This document is intended to help individual organizations within an enterprise improve their cybersecurity risk information, which they provide as inputs to their enterprise’s ERM processes through communications and risk information sharing. By doing so, enterprises and their component organizations can better identify, assess, and manage their cybersecurity risks in the context of their broader mission and business objectives. Focusing on the use of risk registers to set out cybersecurity risk, this document explains the value of rolling up measures of risk usually addressed at lower system and organization levels to the broader enterprise level.
Keywords
cybersecurity risk management (CSRM); cybersecurity risk measurement; cybersecurity risk profile; cybersecurity risk register (CSRR); enterprise risk management (ERM); enterprise risk register (ERR); enterprise risk profile; risk appetite; risk tolerance.
Acknowledgments
The authors wish to thank all individuals, organizations, and enterprises that contributed to the creation of this document. This includes Donna Dodson, Nahla Ivy, Naomi Lefkovitz, Amy Mahn, Rodney Petersen, Victoria Yan Pillitteri, Ron Ross, and Adam Sedgewick of NIST; Larry Feldman, Heather Mills, Matthew Smith, and Daniel Topper of Huntington Ingalls Industries; Mat Heyman of Impresa Management Solutions; and Karen Scarfone of Scarfone Cybersecurity. Organizations and individuals who provided feedback on the public comment drafts include: Aon; the Association of Local Government Auditors; Paul Barham, Pat Nolan, Michael Vallone, and Christopher White of Booz Allen Hamilton; Consortium for Information and Software Quality; P. Bevill, G. Celestin, J. Chua, M. Creary, E. Flaim, K. Francis, C. Gordon, K. Isaac, C. Livingston, M. Merritt, M. Nighswander, K. Pannah, J. Prutow, and N. Rohloff of the CyberERM Community of Interest; FAIR Institute; Forescout Technologies; Adam Bobrow of Foresight Resilience Strategies; the IT Risk Management Team of the Internal Revenue Service, Larry Clinton of the Internet Security Alliance; Gerald Beuchelt and Christine Wachter of LogMeIn; Mosaic 451; Alex Krutov of Navigation Advisors; Ismael Garcia of the Nuclear Regulatory Commission; Kelly Hood and Tom Conkle of Optic Cyber Solutions; John Kimmins of Palindrome; Profitabil-IT; Dick Brooks of Reliable Energy Analytics; Jack Freund of RiskLens; Marshall Toburen of RSA Security; Paul Rohmeyer of Stevens Institute of Technology; The Open Group; Rob Arnold of Threat Sketch; Ashley P. Moore, and Nnake Nweke of the U.S. Agency for Global Media; U.S. Air Force; U.S. Department of Defense; U.S.
ii
This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8286
NISTIR 8286
INTEGRATING CYBERSECURITY AND ERM
Department of Education; U.S. Department of Energy; U.S. Department of Health and Human Services; U.S. Department of Homeland Security - Cybersecurity and Infrastructure Security Agency; U.S. Navy; other individuals include Simon Burson; Norman Marks; Ellen Swanson; and, Douglas Webster.
Audience The primary audience for this publication includes both federal government and non-federal government cybersecurity professionals at all levels who understand cybersecurity but may be unfamiliar with the details of enterprise risk management (ERM).
The secondary audience includes both federal and non-federal government corporate officers, high-level executives, ERM officers and staff members, and others who understand ERM but may be unfamiliar with the details of cybersecurity.
All readers are expected to gain an improved understanding of how cybersecurity risk management (CSRM) and ERM complement and relate to each other as well as the benefits of integrating their use.
Trademark Information All registered trademarks and trademarks belong to their respective organizations.
Document Conventions The term ‘step’ or ‘steps’ is used in multiple frameworks and documents. If the term ‘step’ is referring to anything other than the meaning from the ERM Playbook from Figure 2, it will be preceded by a document or framework to differentiate its context (e.g., ‘NIST Cybersecurity Framework Step 1: Prioritize and Scope’.)
For the purposes of this document, the terms “cybersecurity” and “information security” are used interchangeably. While technically different in that information security generally is generally considered to be all encompassing—including the cybersecurity domain—the term cybersecurity has expanded in conventional usage to be equivalent to information security. Likewise, the terms Cybersecurity Risk Management (CSRM) and Information Security Risk Management (ISRM) are similarly used interchangeably based on the same reasoning.
Patent Disclosure Notice NOTICE: The Information Technology Laboratory (ITL) has requested that holders of patent claims whose use may be required for compliance with the guidance or requirements of this publication disclose such patent claims to ITL. However, holders of patents are not obligated to respond to ITL calls for patents and ITL has not undertaken a patent search in order to identify which, if any, patents may apply to this publication.
As of the date of publication and following call(s) for the identification of patent claims whose use may be required for compliance with the guidance or requirements of this publication, no such patent claims have been identified to ITL.
No representation is made or implied by ITL that licenses are not required to avoid patent infringement in the use of this publication.
iii
This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8286
NISTIR 8286
INTEGRATING CYBERSECURITY AND ERM
Executive Summary
All types of organizations, from corporations to federal agencies, face a broad array of risks. For federal agencies, the Office of Management and Budget (OMB) Circular A-11 defines risk as “the effect of uncertainty on objectives” [1]. The effect of uncertainty on enterprise mission and business objectives may then be considered an “enterprise risk” that must be similarly managed. An enterprise is an organization that exists at the top level of a hierarchy with unique risk management responsibilities. Managing risks at that level is known as enterprise risk management (ERM) and calls for understanding the core risks that an enterprise faces, determining how best to address those risks, and ensuring that the necessary actions are taken. In the Federal Government, ERM is considered “an effective agency-wide approach to addressing the full spectrum of the organization’s significant risks by understanding the combined impact of risks as an interrelated portfolio rather than addressing risks only within silos” [1].
Cybersecurity risk is an important type of risk for any enterprise. Other risks include but are not limited to financial, legal, legislative, operational, privacy, reputational, safety, strategic, and supply chain risks [2]. As part of an ERM program, senior leaders (e.g., corporate officers, government senior executive staff) often have fiduciary and reporting responsibilities that other organizational stakeholders do not, so they have a unique responsibility to holistically manage the combined set of risks, including cybersecurity risk.
The individual organizations that comprise every enterprise are experiencing an increase in the frequency, creativity, and severity of cybersecurity attacks. All organizations and enterprises, regardless of size or type, should ensure that cybersecurity risks receive appropriate attention as they carry out their ERM functions.
Since enterprises are at various degrees of maturity regarding the implementation of risk management, this document offers NIST’s cybersecurity risk management (CSRM) expertise to help organizations improve the cybersecurity risk information they provide as inputs to their enterprise’s ERM programs.
Many resources—such as well-known frameworks from the Committee of Sponsoring Organizations (COSO), Office of Management and Budget (OMB) circulars, and the International Organization for Standardization (ISO)—document ERM frameworks and processes. They generally include similar approaches: identify context, identify risks, analyze risk, estimate risk importance, determine and execute the risk response, and identify and respond to changes over time. A critical risk document used to track and communicate risk information for all of these steps throughout the enterprise is called a risk register [1].1 The risk register provides a formal communication vehicle for sharing and coordinating cybersecurity risk activities as an input to ERM decision makers. For example, cybersecurity risk registers are key aspects of managing and communicating about those particular risks.2
1 OMB Circular A-11 defines a risk register as “a repository of risk information including the data understood about risks over time” [1].
2 Organizations creating a risk management program for the first time should not wait until the risk register is completed before addressing obvious issues; however, over time, it should become the ordinary means of communicating risk information.
iv
This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8286
NISTIR 8286
INTEGRATING CYBERSECURITY AND ERM
At higher levels in the enterprise structure, those cybersecurity and other risk registers are aggregated, normalized, and prioritized into risk profiles. A risk profile is defined by OMB Circular A-123 as “a prioritized inventory of the most significant risks identified and assessed through the risk assessment process versus a complete inventory of risks” [3]. While it is critical that enterprises address potential negative impacts on mission and business objectives, it is equally critical (and required for federal agencies) that enterprises plan for success. OMB states in Circular A-123 that “the [Enterprise Risk] profile must identify sources of uncertainty, both positive (opportunities) and negative (threats).” Enterprise-level decision makers use the risk profile to choose which enterprise risks to address, allocate resources, and delegate responsibilities to appropriate risk owners. ERM programs should define terminology, formats, criteria, and other guidance for risk inputs from lower levels of the enterprise.
Cybersecurity risk inputs to ERM programs should be documented and tracked in written cybersecurity risk registers3 that comply with the ERM program guidance. However, most enterprises do not communicate their cybersecurity risk guidance or risk responses in consistent, repeatable ways. Methods such as quantifying cybersecurity risk in dollars and aggregating cybersecurity risks are largely ad hoc and are sometimes not performed with the same rigor as methods for quantifying other types of risk within the enterprise.
In addition to widely using cybersecurity risk registers, improving the risk measurement and analysis methods used in CSRM would boost the quality of the risk information provided to ERM. In turn, this practice would promote better management of cybersecurity at the enterprise level and support the enterprise’s objectives.
There are proven methods available for performing CSRM and integrating the results. Improving the measurement and communications methods used in CSRM, such as through the use of cybersecurity risk registers, can improve the quality of the risk information provided to ERM. This result promotes enterprise-wide CSRM and supports enterprise-level decision making. Improved communications will also help executives and corporate officers understand the challenges that cybersecurity professionals face when providing those professionals with the information they are accustomed to receiving for other types of risk.
3 Formats include risk register data displayed in dashboards, GRC tools, file formats for communicating risk register data such as the spreadsheets (CSV) and JSON formats located at https://csrc.nist.gov/publications/detail/nistir/8286/final.
v
This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8286
NISTIR 8286
INTEGRATING CYBERSECURITY AND ERM
Table of Contents Executive Summary ..................................................................................................... iv 1 Introduction ............................................................................................................ 1
1.1 Purpose and Scope ........................................................................................ 2 1.2 Document Structure ........................................................................................ 3 2 Gaps in Managing Cybersecurity Risk as an ERM Input .................................... 4 2.1 Overview of ERM ............................................................................................ 4
2.1.1 Common Use of ERM........................................................................... 6 2.1.2 ERM Framework Steps ........................................................................ 6 2.2 Shortcomings of Typical Approaches to Cybersecurity Risk Management ... 10 2.2.1 Lack of Standardized Measures ......................................................... 10 2.2.2 Informal Analysis Methods ................................................................. 10 2.2.3 Focus on the System Level ................................................................ 11 2.2.4 Increasing System and Ecosystem Complexity .................................. 11 2.3 The Gap Between CSRM Output and ERM Input ......................................... 12 2.3.1 Insufficient Asset Information ............................................................. 14 3 Cybersecurity Risk Considerations Throughout the ERM Process ................ 14 3.1 Identify the Context ....................................................................................... 17 3.1.1 Notional Risk Management Roles ...................................................... 18 3.1.2 Risk Management Strategy ................................................................ 20 3.2 Identify the Risks........................................................................................... 21 3.2.1 Inventory and Valuation of Assets ...................................................... 22 3.2.2 Determination of Potential Threats ..................................................... 23 3.2.3 Determination of Exploitable and Susceptible Conditions .................. 25 3.2.4 Evaluation of Potential Consequences ............................................... 25 3.3 Analyze the Risks ......................................................................................... 26 3.3.1 Risk Analysis Types ........................................................................... 26 3.3.2 Techniques for Estimating Likelihood and Impact of Consequences . 27 3.4 Prioritize Risks .............................................................................................. 29 3.5 Plan and Execute Risk Response Strategies................................................ 30 3.5.1 Applying Security Controls to Reduce Risk Exposure ........................ 31 3.5.2 Responding to Residual Risk ............................................................. 32 3.5.3 When a Risk Event Passes Without Triggering the Event .................. 34
vi
This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8286
NISTIR 8286
INTEGRATING CYBERSECURITY AND ERM
3.6 Monitor, Evaluate, and Adjust ....................................................................... 35 3.6.1 Continuous Risk Monitoring................................................................ 35 3.6.2 Key Risk Indicators............................................................................. 37 3.6.3 Continuous Improvement ................................................................... 38
3.7 Considerations of Positive Risks as an Input to ERM ................................... 39 3.8 Creating and Maintaining an Enterprise-Level Cybersecurity Risk Register . 40 3.9 Cybersecurity Risk Data Conditioned for Enterprise Risk Rollup .................. 42 4 Cybersecurity Risk Management as Part of a Portfolio View........................... 48 4.1 Applying the Enterprise Risk Register and Developing the Enterprise Risk Profile .................................................................................................................... 49 4.2 Translating the Risk Profile to Inform Leadership Decisions ......................... 51 4.3 Information and Decision Flows in Support of ERM...................................... 52 4.4 Conclusion .................................................................................................... 55 References ................................................................................................................... 56
Appendix A— Appendix B— Appendix C—
List of Appendices Acronyms and Abbreviations .......................................................... 59 Glossary ............................................................................................ 61 Federal Government Sources for Identifying Risks ...................... 64
List of Figures
Figure 1: Enterprise Hierarchy for Cybersecurity Risk Management............................... 1 Figure 2: Notional Risk Management Life Cycle ............................................................. 9 Figure 3: Risk Register Information Flow Among System, Organization, and Enterprise
Levels..................................................................................................................... 13 Figure 4: Notional Cybersecurity Risk Register Template ............................................. 15 Figure 5: Likelihood and Impact Matrix Derived from NIST SP 800-30 Rev. 1 .............. 29 Figure 6: Example of a Quantitative Risk Matrix ........................................................... 30 Figure 7: Excerpt from a Notional Cybersecurity Risk Register..................................... 33 Figure 8: Integration of CSRRs into Enterprise Risk Profile .......................................... 41 Figure 9: Notional Information and Decision Flows Diagram from NIST Cybersecurity
Framework ............................................................................................................. 49 Figure 10: Illustrative Example of a Risk Profile (from OMB A-123) .............................. 50
vii
NISTIR 8286
INTEGRATING CYBERSECURITY AND ERM
Figure 11: Notional Information and Decision Flows Diagram with Numbered Steps ... 53
List of Tables
Table 1: Similarities Among Selected ERM and Risk Management Documents ............. 7 Table 2: Descriptions of Notional Cybersecurity Risk Register Template Elements...... 15 Table 3: Response Types for Negative Cybersecurity Risks......................................... 31 Table 4: Examples of Proactive Risk Management Activities ........................................ 36 Table 5: Response Types for Positive Cybersecurity Risks .......................................... 40 Table 6: Notional Enterprise Risk Register.................................................................... 44 Table 7: Descriptions of the Notional Enterprise Risk Register Elements ..................... 46 Table 8: Notional Enterprise Risk Portfolio View for a Private Corporation ................... 52
This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8286
viii