Date Published: July 2020
Comments Due:
Email Questions to:
Planning Note (08/06/2020):
See Supplemental Material for JSON files representing the Cybersecurity Risk Register and Enterprise Risk Register that are detailed in the Draft NISTIR. For each risk register, there is a short form and long form file, and an example file.
Author(s)
Kevin Stine (NIST), Stephen Quinn (NIST), Gregory Witte (Huntington Ingalls Industries), Robert Gardner (New World Technology Partners)
Announcement
All enterprises should ensure cybersecurity risk gets the appropriate attention within their enterprise risk management (ERM) programs, which address all types of risk. Individual organizations within an enterprise can improve the cybersecurity risk information they provide as inputs to their enterprise's ERM processes. By doing so, enterprises and their component organizations can better identify, assess, and manage their cybersecurity risks in the context of their broader mission and business objectives.
Draft (2nd) NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM) promotes greater understanding of the relationship between cybersecurity risk management and ERM, and the benefits of integrating those approaches. This second public draft of NISTIR 8286 contains the same main concepts as the initial public draft, but their presentation has been revised to clarify the concepts and address other comments from the public.
NOTE: A call for patent claims is included on page v of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.
The increasing frequency, creativity, and variety of cybersecurity attacks means that all enterprises should ensure cybersecurity risk is getting the appropriate attention within their enterprise risk management (ERM) programs. This document is intended to help individual organizations within an enterprise improve their cybersecurity risk information, which they provide as inputs to their enterprise’s ERM processes through communications and risk information sharing. By doing so, enterprises and their component organizations can better identify, assess, and manage their cybersecurity risks in the context of their broader mission and business objectives. Focusing on the use of risk registers to set out cybersecurity risk, this document explains the value of rolling up measures of risk usually addressed at lower system and organization levels to the broader enterprise level.
The increasing frequency, creativity, and variety of cybersecurity attacks means that all enterprises should ensure cybersecurity risk is getting the appropriate attention within their enterprise risk management (ERM) programs. This document is intended to help individual organizations within an...
See full abstract
The increasing frequency, creativity, and variety of cybersecurity attacks means that all enterprises should ensure cybersecurity risk is getting the appropriate attention within their enterprise risk management (ERM) programs. This document is intended to help individual organizations within an enterprise improve their cybersecurity risk information, which they provide as inputs to their enterprise’s ERM processes through communications and risk information sharing. By doing so, enterprises and their component organizations can better identify, assess, and manage their cybersecurity risks in the context of their broader mission and business objectives. Focusing on the use of risk registers to set out cybersecurity risk, this document explains the value of rolling up measures of risk usually addressed at lower system and organization levels to the broader enterprise level.
Hide full abstract
Keywords
cybersecurity risk management; cybersecurity risk measurement; cybersecurity risk profile; cybersecurity risk register; enterprise risk management (ERM); enterprise risk profile
Control Families
None selected
