NIST Cybersecurity Framework 2.0: Enterprise Risk Management Quick-Start Guide

U.S. Department of Commerce
Gina M. Raimondo, Secretary

National Institute of Standards and Technology
Laurie E. Locascio, NIST Director and Under Secretary of Commerce for Standards and Technology

NIST Special Publication NIST SP 1303
DOI 10.6028/NIST.SP.1303

Please send your comments to cyberframework@.

October 2024


This guide provides an introduction to using the NIST Cybersecurity Framework (CSF) 2.0 for planning and integrating an enterprise-wide process for cybersecurity risk management information, as a subset of information and communications technology risk management, into enterprise risk management. The use of CSF common language and outcomes supports the integration of risk monitoring, evaluation, and adjustment across various organizational units and programs.

Enterprise Risk Management (ERM)

When we use the word enterprise in an organizational context, we mean all aspects of that organization, spanning the entire breadth and depth of that org chart. ERM exists at the top level of the organizational hierarchy and spans risk considerations such as mission, financial, reputation, and technical risks thereof. ERM calls for understanding the core risks that an enterprise faces, determining how best to address those risks, and ensuring that the necessary actions are taken. An ERM program allows enterprises to aggregate, prioritize, and analyze risks from across the enterprise in a common risk register format. Risk appetite expressed by the ERM program helps inform risk identification.

Information and Communications Technology (ICT) Risk Management

(Figure: nested scopes of risk management: ERM, ICTRM, CSRM)

The information and communications technology (ICT) on which an enterprise relies is managed through a broad set of risk disciplines that include privacy, supply chain, and cybersecurity. ICT extends beyond traditional information technology (IT) considerations. Many entities rely on operational technology (OT) and Internet of Things (IoT) devices' sensors or actuators for bridging physical and digital environments. Increasingly, artificial intelligence (AI) factors into enterprise risk. NIST SPs 800-221 and 800-221A provide more information.

Cybersecurity Risk Management (CSRM)

Cybersecurity risks are a fundamental type of risk for all organizations to manage. Potential negative impacts to organizations from cybersecurity risks include higher costs, lower revenue, reputational damage, and the impairment of innovation. Cybersecurity risks also threaten individuals' privacy and access to essential services and can result in life-or-death consequences. Risk appetite expressed at other levels of risk management gets translated into more specific CSRM risk tolerance, such that cyber risks can be more easily identified.

CSF 2.0 provides guidance for reducing cybersecurity risks by helping organizations discuss, organize, and address gaps in their cybersecurity program in a standard way. The cybersecurity outcomes described in CSF affect cybersecurity, ICT, and enterprise risks. Understanding these dependencies is an essential activity in CSRM, ICTRM, and ERM. The Cybersecurity Risk Register (CSRR) described in the NIST IR 8286 series of publications enables organizations to identify, manage, and monitor the relationships between discrete risks and aspects of a CSF-based cybersecurity program that address those risks. The CSRR allows organizations to identify, organize, analyze, and report on cybersecurity risks at the system level. CSF Organizational Profiles are a natural byproduct of a comprehensive CSRR, because the relative priority of CSF outcomes becomes apparent based on how significant the impacts of identified cybersecurity risks might be to the organization's priorities, such as its strategic objectives, products and services, or customers.


CSF 2.0 Supports Six Activity Points for Informing, Implementing, and Monitoring ERM

CSF 2.0 is a valuable guide for helping to review and improve security and privacy considerations as part of a holistic enterprise risk approach. CSF is most helpful when it is paired with other ERM elements. For example, as agency officials and corporate boards provide oversight of all relevant risks, the CSF process helps ensure that cybersecurity strategy is well-executed. Managers plan and implement risk treatment based on that strategy, record and report progress, and provide agency/business leaders with information needed for effective operations and mission success.

The Activity Points, which are further described in subsequent pages, include:

• 1 – Leaders define and record enterprise mission, priorities, and risk appetite. Accountability is assigned for managing both positive and negative types of risk. (GV.OC, GV.RM, GV.SC)

• 2 – Organization-level managers interpret risk appetite into specific guidance regarding security and privacy requirements, and associated risk tolerance. (GV.RR, GV.PO, ID.RA)

• 3 – Risk strategy and requirements aid implementation of shared security solutions and system-level controls to achieve an acceptable level of risk. (PROTECT, DETECT, RESPOND, and RECOVER)

• 4 – Risk response outcomes are reflected as residual risk in system-level risk registers as part of ongoing assessment and continuous monitoring activities. (ID.RA, ID.IM, GV.OV)

• 5 – Risk registers are normalized and aggregated at the organizational unit level, supporting reporting, analysis, and organization-level adjustment. (ID.IM, GV.OV)

• 6 – Combined risk results from the enterprise are used to maintain an enterprise-level risk register and risk profile, supporting enterprise business decisions and any adjustments needed for the risk strategy. (GV.PO, GV.OV)

(Figure: illustration of enterprise risk management integration and coordination, from NIST SP 800-221)

CSF 2.0, as part of a holistic ERM approach, helps ensure that leaders continually have the information they need for making informed business/agency decisions.

Supporting Resources:

• SP 800-221, Enterprise Impact of Information and Communications Technology Risk: Governing and Managing ICT Risk Programs Within an Enterprise Risk Portfolio

• SP 800-221A, Information and Communications Technology (ICT) Risk Outcomes: Integrating ICT Risk Management Programs with the Enterprise Risk Portfolio


Based on internal and external organizational context, leaders use governance systems to set risk priorities, risk appetite, and risk strategy. This understanding sets the tone for how the enterprise conducts, measures, and reports risk management activities and performance. Actions include processes for aligning priorities and risk direction for business partners and other members of the organization's cybersecurity supply chain.

Understanding of objectives and risk appetite enables managers to interpret how to apply those for their organizational units (OUs). Managers create risk tolerance statements and metrics, defining a "target state" that will achieve stakeholder objectives, such as through secure shared infrastructure (e.g., organizationally-tailored control baselines, common controls, and monitoring strategy).

The direction from leadership and OU management is applied in an operational context, supporting system-level risk assessment, requirements definition, and allocation. These enable effective categorization, control selection/implementation, and ongoing system-level authorization/monitoring.

Questions to Consider

Activity Point 1: Where do you draw the mission and strategic priorities of the organization from? Do you have a process for defining and expressing risk appetite?

Activity Point 2: How is risk appetite translated into risk tolerance? Are cybersecurity risk management strategy outcomes reviewed to inform and adjust strategy and direction?

Activity Point 3: How are organizational priorities, definition of acceptable risk, and performance requirements embedded in your system-level risk activities? Are these translated into control selection, system constraints, reporting requirements, and anomaly detection?

Related Resources

• NIST Risk Management Framework (RMF) for Information Systems and Organizations - a comprehensive, flexible, repeatable, and measurable process to manage information security and privacy risk

• NIST IR 8286 series – specifically NIST IR 8286A - Identifying and Estimating Cybersecurity Risk for ERM

• NIST SP 800-30 Rev. 1 – Guide for Conducting Risk Assessments

Aligning enterprise priorities with strategic activity

As senior leaders and organizational managers observe and discuss risk management strategy (to take advantage of opportunities and to avoid known threats), they develop a plan for managing risk to the optimal level. The outcomes in the CSF Govern Function (GV) specifically drive actionable planning about how to best manage various enterprise risks to ICT, including privacy, supply chain, AI, IoT, and OT on which the entity depends. Beginning with an understanding of what information and technology are most important to the enterprise mission, leaders define acceptable levels of risk for those assets and describe how personnel in various work roles will be accountable for risk management success. (ID.AM, ID.RA)

This actionable and proactive strategizing also makes clear to customers and other stakeholders that effective risk management is a priority, that clear and accountable plans are in place to achieve that management, and that monitoring processes are continually identifying opportunities for improvement. These plans specifically apply the outcomes described in the CSF Organizational Profile(s), in particular the PROTECT, DETECT, RESPOND, and RECOVER functions.


Risk Assessment, Risk Treatment, and Information Sharing Ensure Value and Risk Optimization

Select Risk Response

After selecting and implementing controls and other methods of risk treatment, system-level personnel assess the effectiveness and efficiency of that treatment (e.g., through the Assess step of the NIST Risk Management Framework). Risk managers evaluate threats and opportunities, in alignment with risk strategy and direction from enterprise- and organization-level guidance. They determine the benefits of the following responses: Mitigate, Accept, Avoid, and Transfer for negative risks; Realize, Share, Enhance, and Accept for positive risks.

Analyze and Prioritize Risks

There are benefits to both qualitative and quantitative risk analysis methodologies and even the use of multiple methodologies, based on enterprise strategy, organization preference, and data availability (ID.RA). The relative priority of various types of risk must be decided upon by those with appropriate authority, usually through guidance provided through the risk management strategy (GV.RM).

Communicate Risk Findings and Decisions

The cybersecurity risk register (CSRR) provides a location to record and communicate the known system-level threats and vulnerabilities, their impact on business objectives, and the responses taken or planned. Risk managers share information about residual risk, including metrics that support ongoing assessment and authorization, and plans of actions & milestones for maintaining the appropriate level of risk based on stakeholders' expectations (as expressed in the target state of the Organizational Profiles, especially the GOVERN and IDENTIFY functions).

Questions to Consider

How do CSF Target Profile outcomes (organizational agreement on how to best protect, detect, respond, and recover) inform system-specific risk assessment and treatment?

How can we estimate likelihood and impact of those risks given the planned outcomes and knowledge from previous results?

Is our risk response proportionate to the exposure?

Related Resources

• SP 800-221, Enterprise Impact of Information and Communications Technology Risk: Governing and Managing ICT Risk Programs Within an Enterprise Risk Portfolio

• NIST IR 8286A, Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management

• Risk Detail Schema

• Risk Detail

• CSRR Schema


(Figure: Monitor-Evaluate-Adjust Cycle, from NIST SP 800-221)

Risk registers are aggregated, normalized, and shared based on enterprise-defined risk categories and measurement criteria. Risk tolerance statements are refined, if needed, to ensure balance among ICT value, organizational resources, and optimal risk.

Supporting Resources

• NIST IR 8286C, Staging Cybersecurity Risks for ERM and Governance Oversight

CSF outcomes (e.g., planned and current) support a Monitor-Evaluate-Adjust (MEA) cycle for achieving ERM objectives.

As risk management is applied through various controls (as described above), the results are continually evaluated for effectiveness. CSF provides examples of how to do this through CSF Informative References, described at the Online Informative References (OLIR) website.

At the organization level, the results of various system-level activities and results (as reflected in CSRRs) are aggregated and normalized. Managers monitor how well the cyber risk strategy is being implemented, evaluate indicators to confirm performance goals and highlight potential changes in the risk landscape, and then make any adjustments necessary to accentuate achievement of opportunities (positive risk) and reduce impactful threat conditions to an acceptable level.

This cycle enables creation and maintenance of an organization-level CSRR, and updates to the Organizational Profiles to reflect refined current state and adjusted Target State.

MONITOR

• Measure whether controls are still implemented and effective

• Measure the extent to which controls are implemented without impairing organizational operations and efficiency

EVALUATE

• Assess if organizational controls are achieving the desired risk results

• Assess if risk management activities are keeping risk within tolerance (e.g., evaluating key risks and key performance indicators)

• Compare current outcomes to the target state described in Organizational Profiles

ADJUST

• Implement additional controls and enhancement as needed

• Implement alternative controls to enhance opportunity
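A worked illustration of Activity Points 4 to 6 and the MEA cycle above, added here as example code rather than anything from NIST SP 1303 or the NIST IR 8286 schemas: system-level CSRR entries from three OUs that score risk on different local scales are normalized onto one common scale, aggregated into an organization-level register, and evaluated against a risk tolerance statement. The field names, the 1-5 common scale, the likelihood x impact exposure measure, the tolerance value and the sample entries are all assumptions constructed for the example.

```python
"""Constructed example: normalize, aggregate and evaluate OU risk registers
in one Monitor-Evaluate-Adjust pass (not NIST's schema or code)."""
from dataclasses import dataclass

# Assumed enterprise measurement criterion: each OU's local scale is mapped
# onto a common 1-5 scale before aggregation (Activity Point 5).
SCALE_MAX = {"1-5": 5, "1-10": 10, "1-100": 100}

@dataclass(frozen=True)
class RiskDetail:
    risk_id: str
    ou: str              # organizational unit that owns the system register
    likelihood: int      # residual (post-treatment) score on the OU's scale
    impact: int          # residual (post-treatment) score on the OU's scale
    scale: str           # key into SCALE_MAX
    response: str        # Mitigate / Accept / Avoid / Transfer (negative risk)
    csf_outcomes: tuple  # CSF 2.0 outcome IDs the treatment depends on

def normalize(score: int, scale: str) -> float:
    """Linearly map a score from the OU's local scale onto the common 1-5 scale."""
    return 1 + 4 * (score - 1) / (SCALE_MAX[scale] - 1)

def residual_exposure(r: RiskDetail) -> float:
    """Normalized likelihood x impact, rounded for reporting."""
    return round(normalize(r.likelihood, r.scale) * normalize(r.impact, r.scale), 2)

def aggregate(registers) -> list:
    """Organization-level register: every OU entry on one scale, highest exposure first."""
    return sorted(registers, key=residual_exposure, reverse=True)

def mea_pass(registers, tolerance: float) -> dict:
    """MONITOR all entries, EVALUATE each against the tolerance statement, and
    record the ADJUST action a manager would note for entries over tolerance."""
    over = [r for r in aggregate(registers) if residual_exposure(r) > tolerance]
    adjust = {r.risk_id: ("revisit 'Accept' decision; exposure exceeds tolerance"
                          if r.response == "Accept" else
                          "additional controls needed for " + ", ".join(r.csf_outcomes))
              for r in over}
    return {"monitored": len(registers),
            "over_tolerance": [r.risk_id for r in over],
            "adjust": adjust}

# Constructed sample registers from three OUs using different local scales.
SAMPLE_REGISTERS = [
    RiskDetail("SYS-01", "Finance", 2, 9, "1-10", "Mitigate", ("ID.RA", "GV.OV")),
    RiskDetail("SYS-02", "Plant", 4, 4, "1-5", "Accept", ("ID.IM",)),
    RiskDetail("SYS-03", "Research", 30, 60, "1-100", "Transfer", ("GV.SC",)),
]
OU_TOLERANCE = 10.0  # assumed OU risk tolerance statement on the common scale

if __name__ == "__main__":
    for r in aggregate(SAMPLE_REGISTERS):
        print(r.risk_id, r.ou, r.response, residual_exposure(r))
    print(mea_pass(SAMPLE_REGISTERS, OU_TOLERANCE))
```

Note that the Plant entry ranks highest only once its 1-5 scores are placed beside the other OUs' normalized scores; without the normalization step the Research entry's raw 30 x 60 would dominate the aggregated view.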


Questions to Consider

How are top cybersecurity risks identified for leadership and recorded in the enterprise risk register?

Are escalation criteria defined to ensure accountability and information sharing? (NIST IR 8286C)

Are processes in place to marry system/organization-level risk to enterprise-level considerations?

How are enterprise security and privacy risks (including opportunities) aligned with other risk types?

(Figure: feedback from CSF Informative References and the MEA cycle helps monitor and adjust risk response, appetite/tolerance, and policy)

As risk management controls are operated, performance is evaluated and adjusted to improve effectiveness and efficiency. Feedback from the MEA cycle sometimes results in more than just adjustments to controls and other Informative References. Feedback may lead to adjustments in:

• Risk Tolerance

• Risk Appetite

• Policy

• Strategy

• CSF Profile

• Risk Detail Record

• Risk Response Description

• Risk Response

This helps report results back to management and enterprise leadership. Results that particularly reflect operational achievement (key performance indicators, or KPIs) confirm conformance with the strategy (GV.RM, GV.SC). This also supports personnel performance monitoring and reporting (GV.RR, GV.PO).

Managers integrate data from normalized and harmonized risk registers and from organization-level reports, compliance and audit reports. These are considered in light of non-technology risk management activities (e.g., credit risk, market risk, labor risk). Considering composite outcomes of positive and negative risk management enables effective balance among investments in and results of risk management activity. Results are reflected in an enterprise risk register (ERR) and an enterprise risk profile (ERP) that provides a prioritized ERR.

In this way, CSF helps to guide the selection, implementation, and monitoring of specific controls (such as those in the informative references), and the results ensure an effective and ongoing holistic ERM solution for all types of risk.


EXPLORE MORE CSF 2.0 RESOURCES

• CSF 2.0 website

• CSF 2.0 Organizational Profiles

• Informative References

• SP 800-53 – security and privacy controls

• SP 800-221 – Integrating ICT risk management and ERM

• SP 800
