The National Institute of Standards and Technology is releasing Draft NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM), for public comment. This report promotes greater understanding of the relationship between cybersecurity risk management and ERM, and the benefits of integrating those approaches.
The increasing persistence, frequency, creativity, and variety of cybersecurity attacks show that all enterprises should ensure cybersecurity risk is getting the appropriate attention within their enterprise risk management (ERM) programs.
Draft NISTIR 8286 aims to help individual organizations within an enterprise improve their cybersecurity risk data, which they provide as inputs to their enterprise’s ERM processes through communications and risk information sharing, NIST said. In doing so, enterprises and their component organizations can better identify, assess, and manage their cybersecurity risks in the context of their broader mission and business objectives.
Draft NISTIR 8286 focuses on the use of risk registers to set out cybersecurity risk, and explains the value of rolling up measures of risk usually addressed at lower system and organization levels to the broader enterprise level.
NIST advised that all enterprises should ensure cybersecurity risk gets the appropriate attention within their enterprise risk management programs, which address all types of risk.
Comments on Draft NISTIR 8286 are due April 20, 2020. Please email comments to nistir8286@nist.gov.
Publication: NISTIR 8286 (Draft) (DOI), available for download from NIST.