Risk Management Framework

From Glitchdata
Revision as of 23:41, 26 April 2022 by Jasonchen (talk | contribs)
A risk management framework establishes:

  • A basis for consistent, repeatable behaviour
  • Elimination of the "moving target" problem
    • Formal, documented evidence of stewardship
    • A demonstration of due diligence to employees, business partners, customers and other stakeholders
  • A basis for audit criteria and employee evaluations


Risk Frameworks

There are many risk frameworks available. These include:

  • FAIR Cyber Risk Framework
    • Provides information risk, cybersecurity and business executives with standards and best practices to measure, manage and report on information risk from the business perspective
  • COSO Internal Controls - Integrated Framework
    • Provides principles-based guidance for designing and implementing effective internal controls.
  • FFIEC Cybersecurity Assessment Tool
    • Helps financial institutions identify their risks and determine their cybersecurity preparedness
  • ISACA Risk IT Framework
    • Offers guidelines and practices that optimise risk, opportunity, security, and business value.
    • Helps practitioners build consensus regarding IT risk decisions at all enterprise levels
  • COBIT
    • Framework from ISACA for information technology management and IT governance.
  • CMMC - Cybersecurity Maturity Model Certification
    • A framework defining processes and practices associated with the achievement of defined cybersecurity maturity levels.
  • CSA Cloud Controls Matrix
    • Cybersecurity control framework for cloud computing
  • ITIL
    • A set of detailed practices for IT Service management that focuses on aligning IT Services with the needs of the business.
  • ISO27000 Series
  • ISO31000 Series
  • NIST Cybersecurity Framework
  • CIS Critical Security Controls
    • Prioritised set of actions to protect the organisation and data from known cyber attack vectors

Risk Assessment

It should consider:

  • Impact
  • Likelihood
  • Persistence
    • The potential duration of the risk event
  • Velocity
    • The potential speed at which a risk event materialises