NIST has published a report that illustrates the need to ensure that enterprise context, priorities, and strategies are considered when making decisions about how best to respond to cybersecurity risks. The report encourages collaboration among cybersecurity and Enterprise Risk Management (ERM) managers to help enterprises apply, improve, and monitor the quality of cooperation and communication.
The report provides specifics about integrating cybersecurity risk management (CSRM) with ERM, as well as a detailed approach to high-level processes, and describes methods for applying enterprise objectives to prioritize identified risks and to subsequently select and apply the appropriate responses.
It explains how the cybersecurity risk register – possibly accompanied by a more comprehensive risk detail report – enables the tracking, reporting, and monitoring of various risks at all hierarchical levels.
This final version incorporates feedback received on the public draft and provides updated graphics, including an example Risk Detail Report (RDR) template for communicating extensive details about each risk (e.g., risk ownership and planned activities).
Additionally, a draft companion document – NISTIR 8286C, Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight – describes activities to help complete the CSRM/ERM integration cycle throughout the enterprise and is currently available for public comment.