CyberSecurity Frameworks (A Gist): Risk Management

by Nicole Shadowen

Sometimes the alphabet soup becomes gobbledy gook and even experts need a little refreshing on the latest and greatest in the world of CyberSecurity Frameworks. In my Cyber Risk Management course at John Jay, we’ve been studying just that (to my relief), and it’s so helpful to see the big picture goals of org risk mitigation and get the run down of current frameworks and where they came from. 

In general, the two main buckets into which CyberSecurity frameworks fall are, Risk Management and Internal Controls. I find that the goal of either is often more or less the same, but the route can be different (there is often overlap).  In general, Risk Management Frameworks are focused on the risks that may happen and the big picture, top-down policies and objectives to work towards in managing risk.  Internal Control Frameworks, by contrast, are driven by compliance requirements and actionable processes to be taken in the organization.  The more experience and knowledge we have as an industry, the more we can really nail down what both mean and create actionable items to accomplish our CyberSecurity goals successfully.

Below is a (non-comprehensive) list describing some of the most influential Risk Management Frameworks I’ve been learning about, in the industry today.  Check back in the coming weeks for the list of Internal Controls Frameworks!

Risk Management Frameworks:

1. COSO ERM

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published their Enterprise Risk Management-Integrated Framework in 2004.  The framework is intended to help enterprises identify and manage organization-specific risk by focusing on 4 main objectives: Strategy, Operations, Financial Reporting, and Compliance.

2. ISO/IEC 31000

This standards series relates to Risk Management principles and guidelines as jointly published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).ISO 31000 can be used for internal and external audit programs, and defines what it means to be accountable and responsible as an organization when it comes to risk.

3. SEI RMF/OCTAVE

As our CEO Terry Roberts can attest, the Software Engineering Institute (SEI) at Carnegie Mellon does incredible work in producing standards and tools in the field.In 2010, SEI came out with their own RMF emphasizing phases of: prepare, perform, sustain, and improve. The Operationally Critical Threat, Asset and Vulnerability Evaluation (or OCTAVE), is a suite of tools that support the risk based information security assessment and is driven primarily by operational risk and security practices

4. NIST RMF

The National Institute of Standards and Technology is a government entity that has developed an RMF running at a tactical/operational level. The NIST framework lays out 6 main steps to managing org risk: Categorization, Selection, Implementation, Assessment, Authorization, and Monitoring.

Tune in in the coming weeks to read about the other type of CyberSecurity Framework, Internal Controls!