Understanding how to assess cyber risk is essential for a lawyer leading or participating in an enterprise-level cyber risk management team. One or more of these eight analytical frameworks should help.
An important caveat: no one methodology is going to map directly onto your organization. Taking the time to review each of these is a great first step to finding the right methodology and framework for your enterprise.
Here are the frameworks:
- National Institute of Standards and Technology (NIST): NIST SP 800-30. NIST seeks to develop objective and auditable information security standards and guidelines; its process separates assets into distinct but integrated tiers that rationalize the risk assessment process and focus attention on the most vulnerable assets.
- International Standards Organization: ISO/IEC 27001 (and, for managing 27001, ISO/IEC 27002). This is a series of standards against which information security processes and procedures can be measured and audited.
- Software Engineering Institute (SEI) at Carnegie Mellon University (CMU): OCTAVE (and OCTAVE Allegro). OCTAVE Allegro “is a methodology to streamline and optimize the process of assessing information security risks so that an organization can obtain sufficient results with a small investment in time, people, and other limited resources. It leads the organization to consider people, technology, and facilities in the context of their relationship to information and the business processes and services they support.”
- Factor Analysis of Information Risk (FAIR): FAIR. FAIR seeks to help users measure risk, especially where quantification is difficult.
- Department of Homeland Security (DHS): Cyber Security Evaluation Tool (CSET®). Aimed more at those running an automated, industrial control, or business system, CSET is a software-based evaluation tool that uses industry standards to analyze your particular situation.
- DHS/CMU/SEI: Cyber Resilience Review (CRR). This is a comprehensive, questionnaire-based assessment of an organization’s cybersecurity management program. It is designed to measure current resilience and to provide a gap analysis against best-practice standards. The tool is derived from the CERT Resilience Management Model (CERT-RMM), a process-improvement approach to building resilience. The NIST Crosswalk maps the NIST 800-series standards onto the CERT-RMM.
- MITRE Corporation: Cyber Resiliency Assessment: Enabling Architectural Improvement. This process is broad-based but focuses on the ways in which architectural resilience practices contribute to the overall resilience of an organization.
- Symantec: The Cyber Resilience Blueprint: A New Perspective on Security. A senior manager’s guide to approaching cyber-resilience.