Establish, implement, and maintain a cybersecurity risk management strategy.
CONTROL ID
11991
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a risk management program., CC ID: 12051

This Control has the following implementation support Control(s):
  • Include a risk prioritization approach in the Cybersecurity Risk Management Strategy., CC ID: 12276
  • Include defense in depth strategies in the cybersecurity risk management strategy., CC ID: 15582
  • Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties., CC ID: 16825
  • Evaluate the cyber insurance market., CC ID: 12695
  • Evaluate the usefulness of cyber insurance to the organization., CC ID: 12694

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Reviewing and approving cybersecurity risk management policies and procedures; (3.1. ¶ 1 (a), Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading)
  • The responsible officer(s) or executive officer(s) responsible for the overall management and supervision of the internet trading system should define a cybersecurity risk management framework (including but not limited to policies and procedures), and set out key roles and responsibilities. These r… (3.1. ¶ 1, Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading)
  • A cyber security strategy is developed and implemented for the organisation. (Security Control: 0039; Revision: 4, Australian Government Information Security Manual, March 2021)
  • A cyber security strategy is developed, implemented and maintained. (Control: ISM-0039; Revision: 6, Australian Government Information Security Manual, June 2023)
  • A cyber security strategy is developed, implemented and maintained. (Control: ISM-0039; Revision: 6, Australian Government Information Security Manual, September 2023)
  • As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment ins… (4.5 32, Final Report on EBA Guidelines on outsourcing arrangements)
  • The technical solutions aimed at ensuring the cybersecurity of high-risk AI systems shall be appropriate to the relevant circumstances and the risks. (Article 15 4. ¶ 2, Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • objectives and priorities of the Member State's cybersecurity strategy covering in particular the sectors referred to in Annexes I and II; (Article 7 1(a), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • Each Member State shall adopt a national cybersecurity strategy that provides for the strategic objectives, the resources required to achieve those objectives, and appropriate policy and regulatory measures, with a view to achieving and maintaining a high level of cybersecurity. The national cyberse… (Article 7 1., DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • promoting the development and integration of relevant advanced technologies aiming to implement state-of-the-art cybersecurity risk-management measures; (Article 7 2(e), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • Member States shall assess their national cybersecurity strategies on a regular basis and at least every five years on the basis of key performance indicators and, where necessary, update them. ENISA shall assist Member States, upon their request, in the development or the update of a national cyber… (Article 7 4., DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • basic cyber hygiene practices and cybersecurity training; (Article 21 2(g), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • The ICT risk management framework shall include a digital operational resilience strategy setting out how the framework shall be implemented. To that end, the digital operational resilience strategy shall include methods to address ICT risk and attain specific ICT objectives, by: (Art. 6.8., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • The management level must record and justify the selected security strategy. Furthermore, decisions affecting aspects relevant to security that are taken on all the other levels must also be recorded to ensure they can be comprehended and repeated at any time. (§ 4.2 Bullet 4(3) ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • The creation of information security is not an end in itself, but information security contributes to the objectives of an organisation being achieved and being able to reliably execute business processes and tasks. For this, it is required that the organisation identifies and analyses all framework… (§ 7.1 Subsection 1 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Ultimately, the review of the security process is intended to improve the process. The results should therefore be used to assess the effectiveness and efficiency of the selected security strategy and, if necessary, to adapt it. The security strategy must also be reviewed in the case of changes to t… (§ 7.5 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • The management level must define the security objectives knowing all of the relevant framework conditions, the environmental analysis, and based on the business objectives of the company or the role of the government agency and must create the prerequisites for their implementation. The approach is … (§ 7 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Establishing information security is not a project with a limited time span, but a continuous process. The appropriateness and effectiveness of all elements of the information security management system must be checked at regular intervals. This means that not only individual security safeguards mus… (§ 7.4 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • It is necessary to establish a continuous information security process and to define an appropriate strategy for information security (IS strategy) to be able to achieve and maintain an appropriate level of security. This is useful for planning of further procedure to achieve the security objectives… (§ 3.2 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • You have developed and continue to improve a set of cyber security and resilience policies and processes that manage and mitigate the risk of adverse impact on the essential function. (B1.a ¶ 1, NCSC CAF guidance, 3.1)
  • The role of cybersecurity risk management standards in the entity's overall approach to identifying vulnerabilities in its information systems and addressing data security risks and vulnerabilities (TC-IM-230a.2. 3.3.3, Internet Media & Services Sustainability Accounting Standard, Version 2018-10)
  • The role of cybersecurity risk management standards in the entity's overall approach to identifying vulnerabilities in its information systems and addressing data security risks and vulnerabilities (TC-SI-230a.2. 3.3.3, Software & IT Services Sustainability Accounting Standard, Version 2018-10)
  • The role of cybersecurity risk management standards in the entity's overall approach to identifying vulnerabilities in its information systems and addressing data security risks and vulnerabilities (TC-TL-230a.2. 3.3.3, Telecommunication Services Sustainability Accounting Standard, Version 2018-10)
  • Establish, document, and publish organizationally-tailored control baselines and/or Cybersecurity Framework Profiles. (TASK P-4, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • The cyber risk management strategy and framework is appropriately informed by applicable international, national, and financial services industry standards and guidelines. (GV.SF-2.1, CRI Profile, v1.2)
  • The cyber risk management strategy articulates how the organization intends to address its inherent cyber risk (before mitigating controls or other factors are taken into consideration). (GV.RM-2.2, CRI Profile, v1.2)
  • The cybersecurity policy is supported by the organization's risk management program. (GV.PL-2.1, CRI Profile, v1.2)
  • Cybersecurity processes and procedures are established based on the cybersecurity policy. (GV.PL-2.2, CRI Profile, v1.2)
  • The independent risk management function has appropriate understanding of the organization's structure, cybersecurity program, and relevant risks and threats. (GV.IR-1.3, CRI Profile, v1.2)
  • Operationally and technically plausible future cyber attacks; and (RS.IM-2.1(4), CRI Profile, v1.2)
  • The cyber resilience strategy and program are based on the organization's enterprise-wide cyber risk management strategy that addresses the risks that the organization may present to other critical infrastructure sectors and the risk that the organization may present to other firms in the financial … (DM.RS-1.2, CRI Profile, v1.2)
  • The organization has an enterprise-wide cyber resilience (including business continuity, and incident response) strategy and program. (DM.RS-1.1, CRI Profile, v1.2)
  • Organization has a cybersecurity program that implements, monitors and updates its policies, procedures, processes, and controls to continually manage cybersecurity risks to the organization. (GV.SP-1, CRI Profile, v1.2)
  • Cyber risk management strategy and framework is appropriately informed by international, national, and industry standards and guidelines. (GV.SF-2, CRI Profile, v1.2)
  • Cyber risk management processes are established, managed, and agreed to by organizational stakeholders. (GV.RM-1, CRI Profile, v1.2)
  • The organization has established and implemented plans to identify and mitigate the cyber risks it poses through interconnectedness to sector partners and external stakeholders. (DM.BE-2.1, CRI Profile, v1.2)
  • The organization has a cyber risk management framework that is reviewed and approved by the Board and is informed by the organization's risk tolerances and its role in critical infrastructure. (Strategy and Framework (GV.SF), CRI Profile, v1.2)
  • Minimum cybersecurity practices for critical external dependencies designed to meet the objectives of the Cyber Risk Management Program or Cyber Supply Chain Risk Management Plan are identified and documented. (DM.ED-6, CRI Profile, v1.2)
  • The cybersecurity policy is supported by the organization's risk management program. (GV.PL-2.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Cybersecurity processes and procedures are established based on the cybersecurity policy. (GV.PL-2.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The cyber risk management strategy and framework is appropriately informed by applicable international, national, and financial services industry standards and guidelines. (GV.SF-2.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The cyber risk management strategy articulates how the organization intends to address its inherent cyber risk (before mitigating controls or other factors are taken into consideration). (GV.RM-2.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The cyber resilience strategy and program are based on the organization's enterprise-wide cyber risk management strategy that addresses the risks that the organization may present to other critical infrastructure sectors and the risk that the organization may present to other firms in the financial … (DM.RS-1.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The independent risk management function has appropriate understanding of the organization's structure, cybersecurity program, and relevant risks and threats. (GV.IR-1.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Principle: Firms should establish and implement a cybersecurity governance framework that supports informed decision making and escalation within the organization to identify and manage cybersecurity risks. The framework should include defined risk management policies, processes and structures coupl… (Governance and Risk Management for Cybersecurity, Report on Cybersecurity Practices)
  • Create, maintain, and leverage a security strategy and roadmap for organizational cybersecurity improvement. (CA.4.163, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Create, maintain, and leverage a security strategy and roadmap for organizational cybersecurity improvement. (CA.4.163, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Financial institution management should develop an effective ITRM process that supports the broader risk management process. As part of the ITRM process, management should perform the following: - Identify risks to information and technology assets within the financial institution or controlled by t… (III IT Risk Management, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Financial institution management should implement effective control and risk transfer practices as part of its overall IT risk mitigation strategy. These practices should include the following: - Establishing, implementing, and enforcing IT policies, standards, and procedures. - Documenting policies… (III.C Risk Mitigation, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Appropriate policies for information security, including cybersecurity risk management processes, and other relevant IT policies. (App A Objective 2:7 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Define Enterprise C-SCRM strategy. (Level 1 Enterprise Activities Bullet 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Develop mission and business process-specific strategy. (Level 2 Mission and Business Process Activities Bullet 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • During the planning phase, the enterprise should develop and define requirements to address cybersecurity risks throughout the supply chain in addition to specifying performance, schedule, and cost objectives. This process is typically initiated by the acquirer mission and business process owner or … (3.1.2. ¶ 5, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • CIOs and/or CISOs may form a C-SCRM oriented-body to provide in-depth analysis to inform the executive board's ERM council. The C-SCRM council serves as a forum for setting priorities and managing cybersecurity risk in the supply chain for the enterprise. The C-SCRM council or other C-SCRM-oriented … (2.3.2. ¶ 5, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. (ID.RM Risk Management Strategy, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. (ID.RM Risk Management Strategy, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Participate in the development or modification of the computer environment cybersecurity program plans and requirements. (T0159, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide cybersecurity guidance to leadership. (T0202, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Monitor and evaluate integrated cyber operations to identify opportunities to meet organization objectives. (T0747, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Implement Risk Management Framework (RMF)/Security Assessment and Authorization (SA&A) requirements for dedicated cyber defense systems within the enterprise, and document and maintain records for them. (T0486, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Collaborate with key stakeholders to establish a cybersecurity risk management program. (T0928, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. (Risk Management Strategy (GV.RM-P), NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • An organization's cyber risk management strategy (i.e., its strategy for managing risks stemming from dependencies on systems that include cyber resources) is part of its risk management strategy and includes its risk framing for cyber risks. The organization's risk frame identifies which risks or r… (3.1.2 ¶ 1, NIST SP 800-160, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Volume 2, Revision 1)
  • Participate in the development or modification of the computer environment cybersecurity program plans and requirements. (T0159, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Manage threat or target analysis of cyber defense information and production of threat information within the enterprise. (T0149, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop mitigation strategies to address cost, schedule, performance, and security risks. (T0466, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Implement Risk Management Framework (RMF)/Security Assessment and Authorization (SA&A) requirements for dedicated cyber defense systems within the enterprise, and document and maintain records for them. (T0486, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Collaborate with key stakeholders to establish a cybersecurity risk management program. (T0928, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Monitor and evaluate integrated cyber operations to identify opportunities to meet organization objectives. (T0747, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Strategic direction that describes appropriate risk response options is established and communicated (GV.RM-04, The NIST Cybersecurity Framework, v2.0)
  • Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy (Oversight (GV.OV), The NIST Cybersecurity Framework, v2.0)
  • Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction (GV.OV-01, The NIST Cybersecurity Framework, v2.0)
  • The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks (GV.OV-02, The NIST Cybersecurity Framework, v2.0)
  • Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed (GV.OV-03, The NIST Cybersecurity Framework, v2.0)
  • Cybersecurity risk management activities and outcomes are included in enterprise risk management processes (GV.RM-03, The NIST Cybersecurity Framework, v2.0)
  • Safeguards to manage the organization's cybersecurity risks are used (PROTECT (PR), The NIST Cybersecurity Framework, v2.0)
  • The staff believes that funds and advisers will be better prepared if they consider the measures discussed herein based on their particular circumstances when planning to address cybersecurity and a rapid response capability. The staff also recognizes that it is not possible for a fund or adviser to… (CYBERSECURITY GUIDANCE ¶ 5, IM Guidance Update: Cybersecurity Guidance, No. 2015-02)
  • Review and assess all cybersecurity policies, plans, processes, and supporting procedures regularly, not to exceed 12 months, or when there is a significant organizational change. Update as necessary. (Table 2: Governance Enhanced Security Measures Cell 2, Pipeline Security Guidelines)
  • Regulations should be performance-based, leverage existing cybersecurity frameworks, voluntary consensus standards, and guidance—including the Cybersecurity and Infrastructure Security Agency (CISA)'s Cybersecurity Performance Goals and the National Institute of Standards and Technology (NIST) Fra… (STRATEGIC OBJECTIVE 1.1 Subsection 1 ¶ 2, National Cybersecurity Strategy)
  • Incident response plan. Incident response plans shall be reasonably designed to enable prompt response to, and recovery from, any cybersecurity event materially affecting the confidentiality, integrity or availability of the covered entity's information systems or the continuing functionality of any… (§ 500.16 Incident Response and Business Continuity Management (a)(1), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)