CYBER SECURITY RISK MANAGEMENT
The Risk Management Framework, Cybersecurity Framework Profiles and U.S. and EU Cyber Regulatory Compliance
To comply with U.S. and EU cybersecurity risk management regulations, organizations will be required to provide assurance that they have implemented a cybersecurity Risk Management Framework (RMF), with cybersecurity practices in line with the organization's risk profile. Boards are required to demonstrate appropriate oversight, assurance and attestation of cybersecurity risks through the organization's governance processes. Boards may also be required to inform regulators of their cybersecurity risk management experience and knowledge, and to employ external cybersecurity expertise.
The risk management process and the risk management framework rely upon a cybersecurity standard to mitigate cyber risks, reducing the organization's inherent risk to an acceptable residual level. The CSF profile acts as a 'bucket' into which a cybersecurity standard can be placed and tailored to meet the specific organizational risks that are identified through the risk assessment process and defined through the Risk Management Framework.
Various U.S. Federal Agencies have adopted the use of the CSF profile, and various sectors have adopted it as the means by which cybersecurity practices are baselined according to risk. These include profiles for the maritime sector, energy and nuclear energy, chemical production, manufacturing, transportation, dam infrastructure, water and wastewater, small business, and health and human services. This indicates that cybersecurity standards have been set and could be adopted by industry.
In the enclosed paper we discuss the use of the CSF profile as a suitable framework for the mitigation of cybersecurity risks in line with cybersecurity risk management regulation, including EU NIS 2, DORA and the SEC cybersecurity risk proposal.