The National Institute of Standards and Technology issued a new report that provides a more in-depth discussion of the concepts introduced in the NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM). It specifically highlights that cybersecurity risk management (CSRM) is an integral part of ERM — both taking its direction from ERM and informing it.
NIST officials said the increasing frequency, creativity, and severity of cybersecurity attacks demand that all enterprises ensure cybersecurity risk receives due attention within their ERM programs by integrating the CSRM program into the context of ERM. The new report is intended to help individual organizations that are already familiar with NISTIR 8286.
The new document supplements NIST Interagency/Internal Report 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM), by providing additional detail regarding risk guidance, identification, and analysis. This report offers examples and information to illustrate risk tolerance, risk appetite, and methods for determining risks in that context.
The report describes documentation of various scenarios based on the potential impact of threats and vulnerabilities on enterprise assets to support development of an enterprise risk register. “Documenting the likelihood and impact of various threat events through cybersecurity risk registers integrated into an enterprise cybersecurity risk profile helps to later prioritize and communicate enterprise cybersecurity risk response and monitoring,” NIST said.
Date Published: December 2020
Comments Due: February 1, 2021
Email Comments to: firstname.lastname@example.org