NISTIR 8286 and Best Practices for Enterprise Risk Management
In an increasingly digital world, cybersecurity has never been more critical for organizations of all sizes and industries. As cyber threats become more sophisticated, the potential impact of a security breach on an organization’s operations, reputation, and financial well-being can be devastating. As a result, integrating cybersecurity risk management into more comprehensive Enterprise Risk Management (ERM) practices (as opposed to localized technical or business processes) has become essential for building a resilient and secure business.
This article explores the key considerations for incorporating cybersecurity risk management (CSRM) into the ERM process, highlighting how organizations can protect their valuable assets and maintain a strong risk posture in the face of an ever-changing cyber threat landscape.
What Is Enterprise Risk Management (ERM)?
ERM is a proactive, comprehensive, and systematic approach to identifying, assessing, prioritizing, and managing risks that an organization faces. It aims to improve an organization’s decision-making, risk management capabilities, and overall performance by considering both opportunities and threats across all aspects of the business. These aspects include cybersecurity, finance, operations, supply chain logistics, and others.
Key components of ERM include:
- Identification: This involves recognizing and documenting potential risks that could impact the organization. Risks can be internal or external and can arise from factors such as changes in the market, regulatory environment, or technology.
- Assessment: After identifying risks, the organization evaluates their potential impact and likelihood of occurrence. This process helps prioritize risks and determine the necessary actions to mitigate or accept them.
- Treatment: The organization develops strategies to address prioritized risks. These strategies may involve risk avoidance, reduction, transfer (e.g., through insurance), or acceptance.
- Monitoring: The organization continuously monitors identified risks and the effectiveness of risk treatment strategies. This process involves tracking changes in risk profiles and communicating relevant information to decision-makers.
- Governance: A robust risk management culture and appropriate governance structures are crucial for ERM success. This includes establishing clear roles and responsibilities, providing proper resources and training, and fostering open communication about risks.
Implementing ERM effectively helps organizations better understand their risk exposures, develop more informed strategies, and create a more resilient organization capable of navigating uncertainties and challenges.
What Is NISTIR 8286?
NISTIR 8286, titled “Integrating Cybersecurity and Enterprise Risk Management (ERM),” was published in October 2020 to help define security and risk practices for ERM programs. NISTIR 8286 provides guidance on integrating cybersecurity risk management processes with an organization’s broader Enterprise Risk Management processes.
This publication emphasizes the importance of considering cybersecurity risks in the overall risk management strategy. It provides a framework for aligning and coordinating cybersecurity risk management efforts with ERM.
The report highlights the following fundamental principles:
- Establish Risk Standards: Effective risk management requires a shared understanding of risks and risk appetite among all stakeholders, including senior leadership, business units, and IT/cybersecurity teams.
- Integrate Risk Management: This principle emphasizes incorporating cybersecurity risks into the organization’s risk management process, ensuring that these risks are identified, assessed, and managed alongside other enterprise risks.
- Communicate Risk: Clear, concise, and timely communication of cybersecurity risks to relevant stakeholders is essential for informed decision-making.
- Align Risk Responses with Enterprise Objectives: Risk management strategies should support the organization’s strategic objectives and ensure that cybersecurity risk management efforts contribute to the business’s overall success.
- Monitor Security and Threats: The dynamic nature of cybersecurity risks requires organizations to continuously monitor and adapt their risk management strategies in response to changing threats, vulnerabilities, and business priorities.
These principles are in response to perceived shortcomings in the application of CSRM in ERM contexts, including:
- Lack of Standardized Measures: While risk assessment techniques have evolved, so has the complexity of IT systems and their associated threats. Unfortunately, there is no general standard for how organizations should implement risk management and risk measurement.
- Informal Analysis: While assessment standards are articulated in various places (most notably NIST SP 800-30), the outputs generated by organizations are generally idiosyncratic, and the calculations and interpretation of the foundational data may vary from organization to organization.
- System-Level Emphasis: Most risk assessment frameworks focus on systems, i.e., technologies, users, locations, etc. This approach is insufficient for ERM, where risks from different contexts (e.g., cybersecurity risk and financial risk) may overlap.
- Complexity: Systems are becoming more complex, with more relationships between them, including dependencies on cloud infrastructure or managed service providers. Risks in these complex ecosystems may cascade if the organization does not understand how the different components and infrastructures interact.
By following the principles and guidance outlined in NISTIR 8286, organizations can better understand their cybersecurity risk exposure, make informed decisions, and create a more resilient enterprise in the face of evolving cyber threats.
In response to these limitations, NISTIR 8286 provides a basic framework of risk considerations that organizations should address when applying cybersecurity risk management within their ERM:
- Context: That is, establishing the context (internal and external) in which an organization operates. This can include customers, legislation, partnerships and stakeholders, objectives, governance, risk tolerance and appetite, and other regulations.
- Roles: Organizations should have specific roles to handle ERM risk, including a Cybersecurity Risk Officer, an Enterprise Risk Officer, an Auditor, an Enterprise Risk Steering Committee, and other stakeholders.
- Strategies: These organizational leaders should provide clear, actionable strategies based on the risks associated with the ERM, business objectives, and the overall risk landscape (i.e., the context).
- Identification: The organization should maintain an inventory of risks in a “risk register” that includes security risks as well as risks that span overlapping risk categories. For example, this may include the risk arising from a lack of action as much as the risk that comes from external forces.
- Valuation: To produce accurate risk assessments, organizations must be able to rank assets based on their value to the organization, the enterprise’s mission, the organization’s reputation, and any other enterprise operations.
- Threat Determination: A baseline understanding of threats to an enterprise is foundational to any risk assessment. A methodology specifically cited in NISTIR 8286 is Strength, Weakness, Opportunity, and Threat (SWOT) analysis.
- Consequences: Risk management strategies should include an inventory of consequences linked to each risk item in the risk register. It is critical to capture repercussions that emerge from both direct and indirect risks, including consequences that may or may not cause a complete system failure.
It’s important to note that these considerations apply to businesses that are currently implementing an ERM within their organization, and as such they may have limited application in other, generalized risk management processes.
Bolster Your Risk Management with Continuum GRC
Cybersecurity risk management is a foundational consideration for any data-driven business, with far-reaching implications for all aspects of your operation. Don’t settle for manual risk assessment that relies on stone-age tools like email, spreadsheets, and hand data entry. Continuum GRC is a comprehensive, risk-focused cybersecurity management platform hosted entirely in the cloud and managed by top experts in the field of cybersecurity.
Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- NIST 800-53
- FARS NIST 800-171
- SOC 1, SOC 2
- PCI DSS 4.0
- IRS 1075
- COSO SOX
- ISO 27000 Series
- ISO 9000 Series
And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.
Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.