Article

Cybersecurity risk management frameworks and best practices

Access ManagementSecurity
Time to read: 12 minutes

What is cybersecurity risk management?

Cybersecurity risk management is the process of identifying, analyzing, prioritizing, and mitigating potential risks to an organization’s information systems and data. An important part of cybersecurity risk management is continuously monitoring the status of known risks and identifying and categorizing new risks.

Cybersecurity risk management covers a wide range of threats, including:

  1. Cybercriminal syndicates
  2. Business continuity disruption
  3. Data leaks
  4. Human error
  5. Loss of data
  6. Malicious insiders
  7. Malware
  8. Nation-state sponsored attacks
  9. Natural disasters
  10. Privileged insiders
  11. Ransomware
  12. Storage misconfiguration
  13. Third-party vendor vulnerabilities
  14. Users who accidentally download malware or fall for a social engineering scheme (e.g., phishing)
  15. Earthquakes
  16. Fire
  17. Floods
  18. Hurricanes

Cybersecurity risk management is primarily conducted through risk assessments that consider variables and assign risk scores, ranking them from high to low. Organizations have varying tolerance for risk; decisions about how to handle different levels of risk are based on the organization’s risk appetite.

Often simply considered a compliance requirement, cybersecurity risk management improves overall security and enables cyber resilience. It also facilitates the monitoring and measurement of an organization’s security posture, helping to identify vulnerabilities. Ultimately, a cybersecurity risk management strategy helps organizations cost-effectively and efficiently manage uncertainty.

The cybersecurity risk management process

Organizations typically follow five steps in the cybersecurity risk management process. Although specifics vary, these five cybersecurity risk management steps are applicable to most organizations.

  1. Create an asset inventory
    An effective cybersecurity risk management program requires that organizations have a complete inventory of cyber assets that must be protected. This includes all the applications, services, and devices that are business-critical and that support mission-critical processes.

  2. Identify threats and vulnerabilities
    After identifying digital assets, the next step is to understand the threats and vulnerabilities related to them. Once the asset inventory has been completed, the risks facing each asset need to be cataloged. This can include everything from viruses and hacks to lax policies and unpatched solutions. The objective is to understand security vulnerabilities and the threats that might exploit them.
  3. Conduct a risk analysis
    As part of this step, every asset (e.g., software, laptop, server, point-of-sale machine, mobile device) is evaluated and assigned a risk level. This risk score is based on its exposure to risk, the likelihood of being targeted, and the impact of an incident that targets a particular asset. This is a key part of cybersecurity risk management, as this risk score will direct how the asset is handled.
  4. Control risks
    Identifying solutions to support the cybersecurity risk management program includes defining processes and technologies to eliminate or mitigate the risks. Steps that can help assess solutions include:
  5. Review controls
    A successful cybersecurity risk management program depends on the effective implementation of solutions to monitor progress and efficacy continuously.
  6. Treatment
    Find security tools and best practices to address the root causes of risks.
  7. Tolerance
    Determine what unavoidable risks can be tolerated if they fall into established risk acceptance criteria.
  8. Termination
    Avoid risk completely by eliminating or changing the activities and systems and updating affected processes to perform without them.
  9. Transferal
    Minimize risks by spreading them across other parties, such as purchasing insurance policies or outsourcing high-risk functions or systems.

Developing a plan for cybersecurity risk management

Effectively executing cybersecurity risk management requires all functions to operate with clearly defined roles and specific responsibilities that are well-documented. Key components of a cybersecurity risk management plan include the following.

Identify cybersecurity risks

To identify risk, the enterprise begins by understanding the threats, vulnerabilities, and adverse results that occur if they are exploited. Finding signs of threats and vulnerabilities helps identify specific risks and allows security teams to take proactive action.

Many organizations use security assessments to identify risks and guide their cybersecurity risk management activities.

Create a repeatable risk assessment process

Cybersecurity risk management requires understanding, managing, controlling, and mitigating potential threats. A repeatable process is absolutely necessary. Questions to consider when creating a process for cybersecurity risk management include:

  1. Are there any priorities or constraints that could impact the cybersecurity risk management program?
  2. How and where is data stored?
  3. How is data accessed internally and externally by people and machines?
  4. How long is data stored?
  5. What data is collected?
  6. What is the scope of the cybersecurity risk management program?
  7. What risk model will be used for risk analysis?
  8. What systems are used for data protection?
  9. Who is ultimately responsible for the cybersecurity risk management program?

Define the cybersecurity risk management strategy

Elements to include when defining a cybersecurity risk management strategy are:

  1. Mapping should be used to discover all assets and understand the scale and scope of the attack surface. This map is also used to direct monitoring activities.
  2. Monitoring tracks all activity across assets to detect usual behavior that could be an indicator of a potential threat. Data collected as part of monitoring should be used to translate identified threats into targeted responses.
  3. Mitigation should include automated actions to neutralize and eliminate identified threats. Mitigation efforts related to cybersecurity risk management should be integrated with other security initiatives.
  4. Management processes should be in place to ensure smooth and efficient operations as well as direct the collection and analysis of cybersecurity risk management data.

Cybersecurity risk management frameworks

These cybersecurity risk management frameworks were developed by standards bodies and government agencies. They provide guidance on how to identify and follow up on risks.

ISO/IEC 27001:2013

The ISO/IEC 27001:2013 was created by the International Organization for Standardization (ISO) in partnership with the International Electrotechnical Commission (IEC). It provides guidance for cybersecurity risk management related to information systems.

Highlights of the ISO/IEC 27001:2013 framework include:

  • Establishing and maintaining information security risk criteria
  • Ensuring that repeated risk assessments produce “consistent, valid, and comparable results”
  • Identifying risks associated with the loss of confidentiality, integrity, and availability of information within the scope of the information security management system
  • Identifying the owners of identified risks
  • Analyzing and evaluating information security risks according to the established criteria

NIST Cybersecurity Framework Version 2.0

The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) provides a comprehensive set of best practices that can be used to standardize cybersecurity risk management. It includes recommended security actions across five critical security functions. The five foundational elements are:

  1. Identify—Find and assess cybersecurity risks to systems, assets, data, and resources.
  2. Protect—Evaluate existing cybersecurity procedures and processes to ensure adequate protection for the organization’s assets.
  3. Detect—The Detect element defines, develops, and implements the appropriate cybersecurity activities to identify threats and vulnerabilities quickly.
  4. Respond—This element guides an organization’s assessment of its plan to respond to a cyberattack or identify a threat.
  5. Recover—The Recover element helps organizations evaluate their cybersecurity policies to ensure they have plans to recover and repair the damage caused by a cyberattack.

Center for Internet Security (CIS) Version 8 Controls

CIS Controls are actions that facilitate cybersecurity risk management. The CIS provides specific, actionable tactics for cybersecurity risk management, such as:

  • Inventory and control of enterprise assets and software
  • Data protection
  • Secure configuration of enterprise assets and software
  • Account management
  • Access control management
  • Continuous vulnerability management
  • Audit log management
  • Email and web browser protections
  • Malware defenses
  • Data backup and recovery
  • Network infrastructure management
  • Network monitoring and defense
  • Security awareness and skills training
  • Service provider management
  • Application software security
  • Response management
  • Penetration testing

National Cyber Security Centre (NCSC)

The NCSC includes ten steps that support cybersecurity risk management initiatives:

  1. Risk management
  2. Engagement and training
  3. Asset management
  4. Architecture and configuration
  5. Vulnerability management
  6. Identity and access management
  7. Data security
  8. Logging and monitoring
  9. Incident management
  10. Supply chain security

PCI DSS (Payment Card Industry Data Security Standard)

PCI DSS is used by organizations that accept card payments; it provides guidelines that can be applied to cybersecurity risk management. PCI DSS is comprised of 12 requirements:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update anti-virus software or programs.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security for all personnel.

Department of Defense (DoD) Risk Management Framework (DoD RMF)

The DoD RMF provides guidelines that DoD agencies use for cybersecurity risk management. DoD RMF identifies five key categories:

  1. Risk assessment and measurement
  2. Risk governance
  3. Risk identification
  4. Risk mitigation
  5. Risk monitoring and reporting

The DoD RMF also provides six steps for cybersecurity risk management:

  1. Categorize information systems.
  2. Select security controls.
  3. Implement security controls.
  4. Assess security controls.
  5. Authorize information systems.
  6. Monitor security controls.

Factor Analysis of Information Risk (FAIR) Framework

The FAIR framework helps organizations measure, analyze, and understand information risks. This supports cybersecurity risk management by detailing steps that are broken into four groups:

  1. Stage 1—identify the scope of the cybersecurity risk management program (i.e., what assets are potentially at risk)
  2. Stage 2—assess the frequency of potential losses and threats
  3. Stage 3—estimate the probable loss
  4. Stage 4—identify and articulate the risks

Cybersecurity risk management best practices

  1. Build a cybersecurity risk management culture.
  2. Emphasize speed when risk is identified to minimize the potential impact of vulnerabilities.
  3. Employ the 3-2-1 rule for backups (i.e., have at least three copies of data stored; store two of them on different media, and store one of them offsite).
  4. Ensure every employee is aware of potential risks, particularly social engineering attacks, by conducting regular training.
  5. Facilitate remediation using cybersecurity risk information, such as trends over time, potential impact, the likelihood of an incident, and when the risk may materialize (i.e., short-term, medium-term, long-term).
  6. Implement a cybersecurity framework, such as the NIST Cybersecurity Framework or ISO/IEC 27001:2013.
  7. Incorporate cybersecurity into the enterprise risk management program.
  8. Keep systems and software updated and install patches regularly.
  9. Meet compliance requirements by including third parties, fourth parties, and vendors in cybersecurity risk management.
  10. Perform continuous, adaptive, and actionable risk assessments.
  11. Reduce attack surfaces (e.g., physical attack surface, digital attack surfaces, social engineering attack surface).
  12. Require strong passwords, following these established guidelines:
  13. Share information about cybersecurity risks about which the organization is worried.
  14. Use encryption to protect data and backups.
  15. Passwords should contain at least 8 characters and include alphanumeric characters.
  16. Passwords should not contain any personal information.
  17. Passwords should be unique and never used before.
  18. Passwords should not have any correctly spelled words.

Benefits of cybersecurity risk management

Many benefits accompany the implementation of a cybersecurity risk management program, including:

  1. Enhancing IT support
  2. Improving visibility
  3. Increasing employees’ awareness about the importance of security
  4. Making more informed decisions that take cybersecurity into account
  5. Meet compliance requirements
  6. Prevent revenue loss due to downtime and operational disruptions
  7. Proactively protect systems and data
  8. Protect and maintain business reputation
  9. Provide ongoing monitoring, identification, and mitigation of pervasive threats
  10. Reduce vulnerabilities

Effective cybersecurity risk management

In the digital age, there is no time to rest when it comes to risk. Threats abound and are perpetually changing to elude security systems.

An effective cybersecurity risk management program must run continuously. Even when changes are required, systems and processes must continue running while the program is updated to address evolving threats.

Cybersecurity risk management is challenging, but worth the effort. It keeps organizations at least one step ahead of adversaries and accidents and provides many other benefits; beyond security improvements, organizations that invest in cybersecurity risk management see operational and financial benefits.

Take control of your cloud platform.

Learn more about SailPoint Identity Security.

Mark and Sumit

S1 : E2

Identity Matters with Sumit Dhawan, Proofpoint CEO

Join Mark McClain and Sumit Dhawan to understand the future of cybersecurity and how security teams can support CISO customers in the midst of uncertainty.

Play podcast
Mark and Ron

S1 : E1

Identity Matters with Ron Green, cybersecurity fellow at Mastercard

Join Mark McClain and Ron Green to understand the future of cybersecurity and the critical role identity security plays in safeguarding our digital world.

Play podcast
Dynamic Access Roles

Dynamic Access Roles

Build the next generation role and access model with dramatically fewer role and flexibility

View the solution brief