Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management (ERM) [report]

Kevin Stine, Stephen Quinn, Nahla Ivy, Larry Feldman, Greg Witte, R. K. Gardner
2021 unpublished
There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST.

Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. Many NIST cybersecurity publications, other than the ones noted above, are available at

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof-of-concept implementations, and technical analyses to advance the development and productive use of information technology. ITL's responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems.

Abstract

This document supplements NIST Interagency or Internal Report 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM), by providing additional detail regarding risk guidance, identification, and analysis. This report offers examples and information to illustrate risk tolerance, risk appetite, and methods for determining risks in that context. To support the development of an Enterprise Risk Register, this report describes documentation of various scenarios based on the potential impact of threats and vulnerabilities on enterprise assets. Documenting the likelihood and impact of various threat events through cybersecurity risk registers integrated into an enterprise risk profile helps to later prioritize and communicate enterprise cybersecurity risk response and monitoring.
Keywords

cybersecurity risk management; cybersecurity risk measurement; cybersecurity risk register; enterprise risk management (ERM); enterprise risk profile.

Note to Reviewers

In the development of this second public draft, it has become clear that there is some variance in how common terms are applied across government, commercial, and other types of enterprises. Keeping in mind that all comments are publicly available and should contain no confidential or proprietary information, it will be helpful for commenters to include information about how risk direction (i.e., risk appetite, risk tolerance, risk boundaries) is used within their organizations.
doi:10.6028/ fatcat:nnf663tx6fei5pbiyuithz6zvi