Risk Management Framework
A risk management framework establishes:
- A basis for consistent, repeatable behavior
- Elimination of the "moving target" (expectations stop shifting once they are documented)
- Formal, documented evidence of stewardship
- Demonstrated due diligence to employees, business partners, customers and other stakeholders
- A basis for audit criteria and employee evaluations
Risk Frameworks
There are many risk frameworks available. These include:
- FAIR Cyber Risk Framework
  - Provides information risk, cybersecurity and business executives with standards and best practices to measure, manage and report on information risk from the business perspective
- COSO Internal Controls - Integrated Framework
  - Provides principles-based guidance for designing and implementing effective internal controls
- FFIEC Cybersecurity Assessment Tool
  - Helps financial institutions identify their risks and determine their cybersecurity preparedness
- ISACA Risk IT Framework
  - Offers guidelines and practices that optimise risk, opportunity, security and business value
  - Helps practitioners build consensus on IT risk decisions at all enterprise levels
- COBIT
  - Framework from ISACA for information technology management and IT governance
- CMMC - Cybersecurity Maturity Model Certification
  - A framework defining the processes and practices associated with achieving defined cybersecurity maturity levels
- CSA Cloud Controls Matrix
  - Cybersecurity control framework for cloud computing
- ITIL
  - A set of detailed practices for IT service management that focuses on aligning IT services with the needs of the business
- ISO27000 Series
- ISO31000 Series
- NIST Cybersecurity Framework
- CIS Critical Security Controls
  - Prioritised set of actions to protect the organisation and its data from known cyber attack vectors
Risk Assessment
A risk assessment should consider:
- Impact
- Likelihood
- Persistence
  - The potential duration of the risk event
- Velocity
  - The potential speed at which a risk event materialises