# Risk Management
#security/isms/risk_mgt
https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8286.pdf
https://securityboulevard.com/2020/12/why-you-need-to-have-a-risk-register-to-keep-track-of-cybersecurity-risks/
NIST recommends that organizations take a balanced view when evaluating risks, encouraging cybersecurity and risk professionals to identify “all sources of uncertainty — both positive (opportunities) and negative (threats)” in their risk registers.
For instance, launching a new online service gives a company an opportunity to innovate and grow its revenue, so the leadership team may direct the organization to take on a little more risk. In this way, senior leaders can set the risk appetite and tolerance with both threats and opportunities in mind.
When cybersecurity opportunities are included in a risk register, NIST recommends updating the risk response column using one of the following response types and describes the meaning of each:
* Realize: Eliminate uncertainty to make sure the opportunity is actualized
* Share: Allocate ownership to another party that is better able to capture the opportunity
* Enhance: Increase the probability and positive impact of an opportunity
* Accept: Take advantage of an opportunity if it happens to present itself

## Risk Register
When you maintain detailed cybersecurity risk information in your risk register, you’re able to manage your cyber risks in a more strategic way, focus on the right areas given limited resources, and secure additional resources because your leadership team will start to understand the value of preventative security.

Here are the key benefits of putting cybersecurity risks into a risk register:

1. Once information is entered into a risk register, you can start to identify patterns in the threats and system failures that result in adverse impacts.
2. By committing to using a risk register, you have to go through a process of gathering all relevant parties and agreeing on a common scale for measuring risks across business units (e.g. making sure everyone knows when to use a "high risk exposure" vs. a "moderate risk exposure"). By normalizing how risk information is tracked across different units, you give senior leaders more relevant information to help them prioritize risk response activities.
3. Company leaders will have greater confidence in the risk response choices they make because those responses will be informed by the right context, including detailed risk information, enterprise objectives, and budgetary guidance.
4. A risk register forces risk owners to write down accurate risk responses for the risks they "own". To do so, risk owners need to verify that risks are mitigated to the extent they believe they have been: check whether the relevant policies are up to date, and whether the existing controls intended to mitigate threats are working as designed. Risk owners will talk to their compliance team or internal audit team to understand where risk management activities and compliance activities already intersect. These steps matter because they ultimately help decision-makers understand their potential exposure against strategic, operational, reporting, and compliance objectives.
5. Maintaining a risk register makes it possible to produce enterprise-level risk disclosures for required filings and hearings, or for formal reports as required, should your organization experience a significant incident.

# The Importance of Continuous Monitoring
#security/isms/kpis
Risks and threat vectors can change in a matter of minutes. Thus, it’s important to keep an eye on your risks at all times. NIST’s latest guidance emphasizes the importance of continuous monitoring and outlines several ways to monitor risks on an ongoing basis, including:
* Setting up positive KPIs, such as the number of critical business systems that include strong authentication protections
* Setting up negative KPIs, such as the number of severe customer disruptions in the last 90 days
* Teaching employees about the types of cybersecurity risk issues most likely to occur within the organization
* Showing employees how they can alert key personnel to cybersecurity risk issues before they become significant
* Conducting risk response exercises to train employees in recognizing, reporting, and responding to cybersecurity incidents
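The register and the two KPIs described above, as an added example that is not part of the original note or of NIST IR 8286: a minimal risk register that holds both threats and opportunities, validates that an opportunity's response is one of the four types listed (Realize, Share, Enhance, Accept), groups entries on a shared exposure scale, and computes the positive KPI (critical systems with strong authentication) and the negative KPI (severe customer disruptions in a trailing 90-day window). The column names, the `low/moderate/high` scale, the threat response wording, and all system, incident and register rows are constructed for this example; the note does not list threat response types, so those are not validated here.

```python
"""Added example: a small cybersecurity risk register (threats and opportunities)
with validation of the opportunity response types listed in the note, plus the
two continuous-monitoring KPIs the note mentions. All sample data is constructed."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Opportunity response types as listed in the note (NIST IR 8286). Threat
# response types are not listed there, so they are not validated in this example.
OPPORTUNITY_RESPONSES = {"realize", "share", "enhance", "accept"}
EXPOSURE_SCALE = ("low", "moderate", "high")  # the common scale agreed across units


@dataclass(frozen=True)
class RiskEntry:
    """One row of the register. `kind` is 'threat' or 'opportunity'."""
    risk_id: str
    description: str
    kind: str
    owner: str
    exposure: str
    response: str

    def __post_init__(self) -> None:
        if self.kind not in ("threat", "opportunity"):
            raise ValueError(f"{self.risk_id}: kind must be 'threat' or 'opportunity'")
        if self.exposure not in EXPOSURE_SCALE:
            raise ValueError(f"{self.risk_id}: exposure must be one of {EXPOSURE_SCALE}")
        if self.kind == "opportunity" and self.response not in OPPORTUNITY_RESPONSES:
            raise ValueError(
                f"{self.risk_id}: opportunity response must be one of "
                f"{sorted(OPPORTUNITY_RESPONSES)}"
            )


def exposure_by_kind(register):
    """Count entries per (kind, exposure): the pattern view the note says a register enables."""
    return Counter((entry.kind, entry.exposure) for entry in register)


def positive_kpi_strong_auth(systems):
    """Positive KPI: number of critical business systems that have strong authentication."""
    return sum(1 for s in systems if s["critical"] and s["strong_auth"])


def negative_kpi_severe_disruptions(incidents, today, window_days=90):
    """Negative KPI: number of severe customer disruptions in the trailing window."""
    cutoff = today - timedelta(days=window_days)
    return sum(
        1 for i in incidents
        if i["severity"] == "severe" and cutoff <= i["date"] <= today
    )


# --- constructed sample data (hypothetical; not from the note or NIST) ---
REGISTER = [
    RiskEntry("R-01", "Credential stuffing against customer portal", "threat", "App Sec", "high", "mitigate"),
    RiskEntry("R-02", "Unpatched VPN appliance", "threat", "Infra", "moderate", "mitigate"),
    RiskEntry("O-01", "Launch new online service", "opportunity", "Product", "moderate", "enhance"),
    RiskEntry("O-02", "Adopt passwordless sign-in for staff", "opportunity", "IAM", "low", "realize"),
]
SYSTEMS = [
    {"name": "billing", "critical": True, "strong_auth": True},
    {"name": "crm", "critical": True, "strong_auth": False},
    {"name": "hr-portal", "critical": True, "strong_auth": True},
    {"name": "wiki", "critical": False, "strong_auth": True},
]
TODAY = date(2021, 1, 15)  # fixed so the example is deterministic
INCIDENTS = [
    {"date": date(2020, 12, 20), "severity": "severe"},  # inside the 90-day window
    {"date": date(2020, 9, 1), "severity": "severe"},    # outside the 90-day window
    {"date": date(2021, 1, 3), "severity": "minor"},     # in window, but not severe
]

if __name__ == "__main__":
    print(dict(exposure_by_kind(REGISTER)))
    print("critical systems with strong auth:", positive_kpi_strong_auth(SYSTEMS))
    print("severe disruptions, last 90 days:", negative_kpi_severe_disruptions(INCIDENTS, TODAY))
```

Rejecting an opportunity row whose response is not one of the four listed types is what keeps the "risk response" column meaningful when several business units feed the same register; the KPI functions take the inventory and incident lists as plain data so they can be re-run on every refresh rather than computed once.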