Establish, implement, and maintain a cybersecurity risk management strategy.


CONTROL ID
11991
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a risk management program., CC ID: 12051

This Control has the following implementation support Control(s):
  • Include a risk prioritization approach in the Cybersecurity Risk Management Strategy., CC ID: 12276
  • Include defense in depth strategies in the cybersecurity risk management strategy., CC ID: 15582
  • Evaluate the cyber insurance market., CC ID: 12695
  • Evaluate the usefulness of cyber insurance to the organization., CC ID: 12694


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Reviewing and approving cybersecurity risk management policies and procedures; (3.1. ¶ 1 (a), Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading)
  • The responsible officer(s) or executive officer(s) responsible for the overall management and supervision of the internet trading system should define a cybersecurity risk management framework (including but not limited to policies and procedures), and set out key roles and responsibilities. These r… (3.1. ¶ 1, Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading)
  • A cyber security strategy is developed and implemented for the organisation. (Security Control: 0039; Revision: 4, Australian Government Information Security Manual)
  • As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment ins… (4.5 32, Final Report on EBA Guidelines on outsourcing arrangements)
  • The technical solutions aimed at ensuring the cybersecurity of high-risk AI systems shall be appropriate to the relevant circumstances and the risks. (Article 15 4. ¶ 2, Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • The role of cybersecurity risk management standards in the entity's overall approach to identifying vulnerabilities in its information systems and addressing data security risks and vulnerabilities (TC-IM-230a.2. 3.3.3, Internet Media & Services Sustainability Accounting Standard, Version 2018-10)
  • The role of cybersecurity risk management standards in the entity's overall approach to identifying vulnerabilities in its information systems and addressing data security risks and vulnerabilities (TC-SI-230a.2. 3.3.3, Software & IT Services Sustainability Accounting Standard, Version 2018-10)
  • The role of cybersecurity risk management standards in the entity's overall approach to identifying vulnerabilities in its information systems and addressing data security risks and vulnerabilities (TC-TL-230a.2. 3.3.3, Telecommunication Services Sustainability Accounting Standard, Version 2018-10)
  • Establish, document, and publish organizationally-tailored control baselines and/or Cybersecurity Framework Profiles. (TASK P-4, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • The cyber risk management strategy and framework is appropriately informed by applicable international, national, and financial services industry standards and guidelines. (GV.SF-2.1, CRI Profile, v1.2)
  • The cyber risk management strategy articulates how the organization intends to address its inherent cyber risk (before mitigating controls or other factors are taken into consideration). (GV.RM-2.2, CRI Profile, v1.2)
  • The cybersecurity policy is supported by the organization's risk management program. (GV.PL-2.1, CRI Profile, v1.2)
  • Cybersecurity processes and procedures are established based on the cybersecurity policy. (GV.PL-2.2, CRI Profile, v1.2)
  • The independent risk management function has appropriate understanding of the organization's structure, cybersecurity program, and relevant risks and threats. (GV.IR-1.3, CRI Profile, v1.2)
  • Operationally and technically plausible future cyber attacks; and (RS.IM-2.1(4), CRI Profile, v1.2)
  • The cyber resilience strategy and program are based on the organization's enterprise-wide cyber risk management strategy that addresses the risks that the organization may present to other critical infrastructure sectors and the risk that the organization may present to other firms in the financial … (DM.RS-1.2, CRI Profile, v1.2)
  • The organization has an enterprise-wide cyber resilience (including business continuity, and incident response) strategy and program. (DM.RS-1.1, CRI Profile, v1.2)
  • Organization has a cybersecurity program that implements, monitors and updates its policies, procedures, processes, and controls to continually manage cybersecurity risks to the organization. (GV.SP-1, CRI Profile, v1.2)
  • Cyber risk management strategy and framework is appropriately informed by international, national, and industry standards and guidelines. (GV.SF-2, CRI Profile, v1.2)
  • Cyber risk management processes are established, managed, and agreed to by organizational stakeholders. (GV.RM-1, CRI Profile, v1.2)
  • The organization has established and implemented plans to identify and mitigate the cyber risks it poses through interconnectedness to sector partners and external stakeholders. (DM.BE-2.1, CRI Profile, v1.2)
  • The organization has a cyber risk management framework that is reviewed and approved by the Board and is informed by the organization's risk tolerances and its role in critical infrastructure. (Strategy and Framework (GV.SF), CRI Profile, v1.2)
  • Minimum cybersecurity practices for critical external dependencies designed to meet the objectives of the Cyber Risk Management Program or Cyber Supply Chain Risk Management Plan are identified and documented. (DM.ED-6, CRI Profile, v1.2)
  • The cybersecurity policy is supported by the organization's risk management program. (GV.PL-2.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Cybersecurity processes and procedures are established based on the cybersecurity policy. (GV.PL-2.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The cyber risk management strategy and framework is appropriately informed by applicable international, national, and financial services industry standards and guidelines. (GV.SF-2.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The cyber risk management strategy articulates how the organization intends to address its inherent cyber risk (before mitigating controls or other factors are taken into consideration). (GV.RM-2.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The cyber resilience strategy and program are based on the organization's enterprise-wide cyber risk management strategy that addresses the risks that the organization may present to other critical infrastructure sectors and the risk that the organization may present to other firms in the financial … (DM.RS-1.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The independent risk management function has appropriate understanding of the organization's structure, cybersecurity program, and relevant risks and threats. (GV.IR-1.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Principle: Firms should establish and implement a cybersecurity governance framework that supports informed decision making and escalation within the organization to identify and manage cybersecurity risks. The framework should include defined risk management policies, processes and structures coupl… (Governance and Risk Management for Cybersecurity, Report on Cybersecurity Practices)
  • Create, maintain, and leverage a security strategy and roadmap for organizational cybersecurity improvement. (CA.4.163, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Create, maintain, and leverage a security strategy and roadmap for organizational cybersecurity improvement. (CA.4.163, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Financial institution management should develop an effective ITRM process that supports the broader risk management process. As part of the ITRM process, management should perform the following: - Identify risks to information and technology assets within the financial institution or controlled by t… (III IT Risk Management, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Financial institution management should implement effective control and risk transfer practices as part of its overall IT risk mitigation strategy. These practices should include the following: - Establishing, implementing, and enforcing IT policies, standards, and procedures. - Documenting policies… (III.C Risk Mitigation, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Appropriate policies for information security, including cybersecurity risk management processes, and other relevant IT policies. (App A Objective 2:7 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Define Enterprise C-SCRM strategy. (Level 1 Enterprise Activities Bullet 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Develop mission and business process-specific strategy. (Level 2 Mission and Business Process Activities Bullet 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • During the planning phase, the enterprise should develop and define requirements to address cybersecurity risks throughout the supply chain in addition to specifying performance, schedule, and cost objectives. This process is typically initiated by the acquirer mission and business process owner or … (3.1.2. ¶ 5, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • CIOs and/or CISOs may form a C-SCRM oriented-body to provide in-depth analysis to inform the executive board's ERM council. The C-SCRM council serves as a forum for setting priorities and managing cybersecurity risk in the supply chain for the enterprise. The C-SCRM council or other C-SCRM-oriented … (2.3.2. ¶ 5, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. (ID.RM Risk Management Strategy, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Participate in the development or modification of the computer environment cybersecurity program plans and requirements. (T0159, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide cybersecurity guidance to leadership. (T0202, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Monitor and evaluate integrated cyber operations to identify opportunities to meet organization objectives. (T0747, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Implement Risk Management Framework (RMF)/Security Assessment and Authorization (SA&A) requirements for dedicated cyber defense systems within the enterprise, and document and maintain records for them. (T0486, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Collaborate with key stakeholders to establish a cybersecurity risk management program. (T0928, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. (Risk Management Strategy (GV.RM-P), NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • An organization's cyber risk management strategy (i.e., its strategy for managing risks stemming from dependencies on systems that include cyber resources) is part of its risk management strategy and includes its risk framing for cyber risks. The organization's risk frame identifies which risks or r… (3.1.2 ¶ 1, NIST SP 800-160, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Volume 2, Revision 1)
  • Participate in the development or modification of the computer environment cybersecurity program plans and requirements. (T0159, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Manage threat or target analysis of cyber defense information and production of threat information within the enterprise. (T0149, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop mitigation strategies to address cost, schedule, performance, and security risks. (T0466, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Implement Risk Management Framework (RMF)/Security Assessment and Authorization (SA&A) requirements for dedicated cyber defense systems within the enterprise, and document and maintain records for them. (T0486, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Collaborate with key stakeholders to establish a cybersecurity risk management program. (T0928, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Monitor and evaluate integrated cyber operations to identify opportunities to meet organization objectives. (T0747, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The staff believes that funds and advisers will be better prepared if they consider the measures discussed herein based on their particular circumstances when planning to address cybersecurity and a rapid response capability. The staff also recognizes that it is not possible for a fund or adviser to… (CYBERSECURITY GUIDANCE ¶ 5, IM Guidance Update: Cybersecurity Guidance, No. 2015-02)
  • Review and assess all cybersecurity policies, plans, processes, and supporting procedures regularly, not to exceed 12 months, or when there is a significant organizational change. Update as necessary. (Table 2: Governance Enhanced Security Measures Cell 2, Pipeline Security Guidelines)