What is Cybersecurity Risk Management?

Cybersecurity Risk Management Framework and Standards

A number of standards and frameworks are available to help organizations standardize their approach to cyber risk management. These frameworks and standards contain guidance on best practices and offer standardized language to help teams communicate better across different teams. Adhering to these will generally set an organization up in a more optimal position to meet any statutory or regulatory compliance requirements, avoiding the hefty fines and penalties associated with them.

ISO/IEC 27001:2013

An international standard for information security management systems (ISMS) to provide confidentiality, integrity, and availability of information as well as legal compliance. It includes guidance on how to approach initiating, implementing, operating, and maintaining an organization’s ISMS. ISO 27001:2013 states the following practices for an information security risk assessment:

• Establish and maintain information security risk criteria;
• Ensure repeated risk assessments produce consistent, valid, and comparable results;
• Identify risks associated with the loss of confidentiality, integrity, and availability for information in the ISMS;
• Identify the owners of those risks; and
• Analyze and evaluate information security risks according to the established criteria.

NIST CYBERSECURITY FRAMEWORK (CSF) VERSION 1.1

A widely recognized self-certification mechanism, the NIST CSF provides an extensive set of recommended security actions across five critical functions: identify, protect, detect, respond, and recover. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications among both internal and external organizational stakeholders. NIST updates the CSF every three years, the latest version made in 2020 is version 1.1, which recommends the following steps:

• Identify and document asset vulnerabilities
• Tune into the latest cyber threat intelligence from information-sharing forums
• Identify and document threats, both internal and external
• Identify potential business impacts and likelihood of risk events
• Utilize threats, vulnerabilities, likelihood, and impacts to determine risk
• Identify and prioritize risk responses

NIST also provides a Risk Management Framework, which specifically looks at integrating security, privacy, and cybersecurity supply-chain risk management efforts. The CyCognito platform helps organizations follow this standard by mapping closely to the Identify and Protect functions of the NIST Framework, and contributing to Detect, Respond and Recover functions.

MITRE ATT&CK FRAMEWORK

Tactics in the MITRE ATT&CK Framework are based on real-world observations of cyberattacks. It’s a free and open knowledge base of adversary tactics and techniques. While the majority of the ATT&CK Framework is geared towards detecting attackers in real-time during an attack, its Reconnaissance and Resource Development tactics are focused on attacker preparation. The CyCognito platform preempts attacks by addressing these two tactics. The platform also offers some support for the later ATT&CK tactics such as Initial Access, Execution, Persistence, Privilege Elevation, Defense Evasion, Credential Access, Discovery, Lateral Movement, and Collection. Take a look at the MITRE ATT&CK matrix to learn more.

CIS CRITICAL SECURITY CONTROLS (CIS CSC)

The CIS CSC give pragmatic and actionable cyber defense recommendations with 20 key actions for organizations to implement. The controls are designed so that primarily automated methods can be used to implement, enforce, and monitor them. SANS supports the CIS Controls with training, research, and certification. The CyCognito platform maps to 14 of the CIS controls at least partially and provides extensive coverage around inventory of assets, vulnerability and penetration testing, and security of ports and services.