NIST has published NISTIR 8286B, Prioritizing Cybersecurity Risk for Enterprise Risk Management. This report builds on the risk strategy and risk identification activities described in NISTIR 8286A and illustrates the need to ensure that enterprise context, priorities, and strategies are considered when making decisions about how best to respond to cybersecurity risks. The report encourages collaboration among cybersecurity and ERM managers to help enterprises apply, improve, and monitor the quality of cooperation and communication.
NISTIR 8286B provides specifics about integrating cybersecurity risk management (CSRM) with enterprise risk management (ERM), as well as a detailed approach to the high-level processes described in NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM). This report also describes methods for applying enterprise objectives to prioritize identified risks and to subsequently select and apply the appropriate responses. It explains how the cybersecurity risk register – possibly accompanied by a more comprehensive risk detail report – enables the tracking, reporting, and monitoring of various risks at all hierarchical levels.
This final version incorporates feedback received on the public draft and provides updated graphics, including an example Risk Detail Report (RDR) template for communicating extensive details about each risk (e.g., risk ownership and planned activities).
Additionally, a draft companion document – NISTIR 8286C, Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight – is currently open for public comment through March 11, 2022. That report describes activities that help complete the CSRM/ERM integration cycle throughout the enterprise, so that the comprehensive set of activities across the enterprise risk portfolio can be understood. Additional publications will be released to describe activities that further support CSRM/ERM integration.
The NISTIR 8286 series enables risk practitioners to more fully integrate CSRM activities into the broader enterprise risk processes. Because information and technology comprise some of the enterprise’s most valuable resources, it is vital that directors and senior leaders have a clear understanding of cybersecurity risk posture at all times. It is similarly vital that those identifying, assessing, and treating cybersecurity risk understand enterprise strategic objectives when making risk decisions.
The authors of the NISTIR 8286 series hope that these publications will spark further industry discussion. As NIST continues to develop frameworks and guidance to support the application and integration of information and technology, many of the series’ concepts will be considered for inclusion.