Date Published: November 2023
Author(s)
Stephen Quinn (NIST), Nahla Ivy (NIST), Julie Chua (U.S. Department of Health and Human Services), Karen Scarfone (Scarfone Cybersecurity), Matthew Barrett (CyberESI Consulting Group), Larry Feldman (Huntington Ingalls Industries), Daniel Topper (Huntington Ingalls Industries), Gregory Witte (Huntington Ingalls Industries), Robert Gardner (New World Technology Partners)
The increasing frequency, creativity, and severity of technology attacks means that all enterprises should ensure that information and communications technology (ICT) risk is receiving appropriate attention within their enterprise risk management (ERM) programs. Specific types of ICT risk include, but are not limited to, cybersecurity, privacy, and supply chain. This document provides a framework of outcomes that applies to all types of ICT risk. It complements NIST Special Publication (SP) 800-221, Enterprise Impact of Information and Communications Technology Risk, which focuses on the use of risk registers to communicate and manage ICT risk.
The increasing frequency, creativity, and severity of technology attacks means that all enterprises should ensure that information and communications technology (ICT) risk is receiving appropriate attention within their enterprise risk management (ERM) programs. Specific types of ICT risk include,...
See full abstract
The increasing frequency, creativity, and severity of technology attacks means that all enterprises should ensure that information and communications technology (ICT) risk is receiving appropriate attention within their enterprise risk management (ERM) programs. Specific types of ICT risk include, but are not limited to, cybersecurity, privacy, and supply chain. This document provides a framework of outcomes that applies to all types of ICT risk. It complements NIST Special Publication (SP) 800-221, Enterprise Impact of Information and Communications Technology Risk, which focuses on the use of risk registers to communicate and manage ICT risk.
Hide full abstract
Keywords
enterprise risk management (ERM); enterprise risk profile (ERP); enterprise risk register (ERR); information and communications technology (ICT); ICT risk; ICT risk management (ICTRM); ICT risk measurement; ICT Risk Outcomes Framework (ICT ROF); risk appetite; risk register; risk tolerance
Control Families
None selected
