Funtap - stock.adobe.com
NIST Shares Cyber Risk Management, Mobile Guides; Impact Analysis Tool
NIST released several updates and draft frameworks around enterprise risk management and cybersecurity, and mobile device security, as well as a supply chain impact analysis tool.
NIST released several draft frameworks for comment over the last week focused around integrating cybersecurity and enterprise risk management and managing enterprise mobile device security, along with a new impact analysis tool for cyber supply chain risks.
To start, the draft Integrating Cybersecurity and Enterprise Risk Management guidance addresses a wide range of risks. It seeks to promote a greater understanding of the relationship between cybersecurity risk management and overall risk, as well as the benefits of integrating the processes. Organizations can leverage the framework to improve cybersecurity risk information, provided as inputs to an overall risk management process.
“By doing so, enterprises and their component organizations can better identify, assess, and manage their cybersecurity risks in the context of their broader mission and business objectives,” researchers wrote. “
“Focusing on the use of risk registers to set out cybersecurity risk, this document explains the value of rolling up measures of risk usually addressed at lower system and organization levels to the broader enterprise level,” they added.
For NIST, the current range of ERM frameworks contain similar approaches, such as identifying context and risk, analysis, estimating risk importance, and the like, which focus on risk registers. These are documents that track and communicate risk throughout the enterprise. The registers are updated, evolved, and matured as risk occurs.
Those with stronger risk management programs will typically aggregate, normalize, and prioritize the risk into profiles: “a prioritized inventory of the most significant risks identified and assessed through the risk assessment process versus a complete inventory of risks.”
The information is used to build risk profiles and delegate responsibilities to risk owners. NIST sought to improve these processes as most organizations fail to communicate cybersecurity risks in consistent, repeatable ways.
The guidance outlines current gaps in managing cybersecurity risk versus overall enterprise risk, including common shortcomings of typical approaches to cybersecurity risk management.
Further, it details cybersecurity risk considerations throughout the ERM process, including identifying context, risks, analysis, prioritization, planning and executing risk response strategies, and monitoring, evaluating, and adjusting risk.
Industry stakeholders have until April 20, 2020 to provide NIST with feedback on the proposed guide.
NIST is also working to update its flagship guidance for Security and Privacy Controls for Information Systems and Organizations for the first time in seven years. The framework sheds light on a range of devices from IoT to general-purpose computers.
The updates include a complete integration of privacy into the controls, as part of the unified catalog, as well as a new family of supply chain controls. The previous versions had just a single supply chain control. The guide also includes state-of-practice controls based on the latest threat intelligence and cyberattack data.
“Our objective is to make the information systems we depend on more resistant to cyberattacks,” said NIST’s Ron Ross, one of the publication’s authors, in a statement. “We want to limit the damage from those attacks when they occur, make the systems cyber-resilient, and at the same time protect the security and privacy of information.”
“An organization can use this catalog together with any approach to risk management,” he added. “We reference other NIST publications for readers’ convenience, but we have designed it to be agnostic.”
Stakeholders can provide comment on the updates by May 2020.
NIST also recently released draft guidance for Managing the Security of Mobile Devices in the Enterprise, designed to help organizations manage mobile device security threats. The publication outlines technologies and strategies for mitigating these threats, as well as recommendations for secure deployment, use, and disposal of mobile devices.
Organizations can leverage the guide to create centralized device management and use of endpoint protection technologies, as well as creating an organization-provided and bring-your-own-device deployments.
“Mobile devices were initially personal consumer communication devices, but they are now permanent fixtures in enterprises and are used to access modern networks and systems to process sensitive data,” researchers wrote.
“This publication assists organizations in managing and securing these devices by describing available technologies and strategies,” they added. “Security concerns inherent to the usage of mobile devices are explored alongside mitigations and countermeasures.”
Stakeholders are being asked to provide NIST with feedback on the guidance by June 26, 2020.
Lastly, NIST released a prototype impact analysis tool for interdependent cyber supply chain risks, designed to fill the gap between an organization’s “risk appetite” and supply chain risk posture. IT provides a basic measurement of the potential impact of a cyber supply chain event.
While it’s not representative of a complete supply chain risk management solution, it’s meant to support other tools like third-party management, enterprise resource planning, and supply chain management efforts.
NIST will use comments on additional functionality provided by April 17, 2020 to develop future versions of the software.
“As awareness of cybersecurity supply chain risks grows among federal agencies, there is a greater need for solutions that evaluate the impacts of a supply chain-related cyber event,” researchers wrote. “This can be a difficult activity, especially for those organizations with complex operational environments and supply chains.”
“A publicly available solution to support supply chain risk analysis that specifically takes into account the potential impact of an event does not currently exist,” they added.
The tool also shows organizations how they can leverage NIST’s cyber supply chain risk management guidance, which includes case studies and standards.