Enterprise Risk Management (ERM) and Cybersecurity. Na9onal Science Founda9on March 14, 2018

Similar documents
Improving Cybersecurity through the use of the Cybersecurity Framework

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

TEL2813/IS2621 Security Management

The NIST Cybersecurity Framework

Why you should adopt the NIST Cybersecurity Framework

Rethinking Information Security Risk Management CRM002

CyberUSA Government Cyber Opportunities for your Region: The Federal Agenda - Federal, Grants & Resources Available to Support Community Cyber

RISK INTELLIGENCE Assurance and efficiency improvement through a robust Enterprise Risk Management approach

Federal Continuous Monitoring Working Group. March 21, DOJ Cybersecurity Conference 2/8/2011

THE POWER OF TECH-SAVVY BOARDS:

Assessing Medical Device. Cyber Risks in a Healthcare. Environment

Cybersecurity & Privacy Enhancements

Introduction to Securing Critical Infrastructure

Turning Risk into Advantage

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

Inspector General. Report on the Peace Corps Information Security Program. Peace Corps Office of. Background FISCAL YEAR 2017

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Program Review for Information Security Management Assistance. Keith Watson, CISSP- ISSAP, CISA IA Research Engineer, CERIAS

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS

Cybersecurity Risk Management:

Framework for Improving Critical Infrastructure Cybersecurity

TSC Business Continuity & Disaster Recovery Session

White Paper. View cyber and mission-critical data in one dashboard

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

FISMAand the Risk Management Framework

Solutions Technology, Inc. (STI) Corporate Capability Brief

3/13/2015. COSO Revised: Implications for Compliance and Ethics Programs. Session Agenda. The COSO Framework

Security and Privacy Governance Program Guidelines

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

CISM Certified Information Security Manager

Evolving Cybersecurity Strategies

Section One of the Order: The Cybersecurity of Federal Networks.

COSO ERM. To improve organizational performance & Governance COSO ERM. COSO Internal Control. COSO ERM_prepared by Nattapan T. 2

Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise

Framework for Improving Critical Infrastructure Cybersecurity

Risk-Based Cyber Security for the 21 st Century

Information Security Continuous Monitoring (ISCM) Program Evaluation

The University of Queensland

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Address C-level Cybersecurity issues to enable and secure Digital transformation

Overview of the Cybersecurity Framework

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

COMMENTARY. Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards

Cyber Security For Utilities Risks, Trends & Standards. IEEE Toronto March 22, Doug Westlund Senior VP, AESI Inc.

NIST Cloud Security Architecture Tool (CSAT) Leveraging Cyber Security Framework to Architect a FISMA-compliant Cloud Solution

Frameworks and Standards

Exploring the Maturity of Risk Management Process in Government: An Integrated ERM Model at the U.S. Department of Education

Managing IT Risk: The ISACA Risk IT Framework. 1 st ISACA Day, Sofia 15 October Charalampos (Haris)Brilakis, CISA

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Defense Security Service. Strategic Plan Addendum, April Our Agency, Our Mission, Our Responsibility

State of South Carolina Interim Security Assessment

Framework for Improving Critical Infrastructure Cybersecurity. and Risk Approach

Implementing Executive Order and Presidential Policy Directive 21

ACR 2 Solutions Compliance Tools

David Missouri VP- Governance ISACA

Framework for Improving Critical Infrastructure Cybersecurity

Evolving the Security Strategy for Growth. Eric Schlesinger Global Director and CISO Polaris Alpha

NERC Staff Organization Chart Budget 2019

GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE TRENDS BY FCPAK ERIC KIMANI

FISMA Cybersecurity Performance Metrics and Scoring

In 2017, the Auditor General initiated an audit of the City s information technology infrastructure and assets.

Cybersecurity: Trust, Visibility, Resilience. Tom Albert Senior Advisor, Cybersecurity NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

Exploring Emerging Cyber Attest Requirements

Cybersecurity and Examinations

Cybersecurity Assessment Tool

Singapore Quick Guide to the COSO. Enterprise Risk Management and Internal Control Frameworks Edition

TACIT Security Institutionalizing Cyber Protection for Critical Assets

Changing the Game: An HPR Approach to Cyber CRM007

New Guidance on Privacy Controls for the Federal Government

Department of Defense. Installation Energy Resilience

NERC Staff Organization Chart Budget 2019

MNsure Privacy Program Strategic Plan FY

SSAE 18 & new SOC approach to compliance. Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services

2014 Sector-Specific Plan Guidance. Guide for Developing a Sector-Specific Plan under NIPP 2013 August 2014

Agency Guide for FedRAMP Authorizations

NERC Staff Organization Chart Budget 2018

Rocky Mountain Cyberspace Symposium 2018 DoD Cyber Resiliency

Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA

The Business Value of including Cybersecurity and Vendor Risk in ERM

Information Security Risk Strategies. By

NCSF Foundation Certification

CISO as Change Agent: Getting to Yes

NCCoE TRUSTED CLOUD: A SECURE SOLUTION

External Supplier Control Obligations. Cyber Security

HITRUST CSF Roadmap for 2018 and Beyond HITRUST Alliance.

Assurance through the ISO27002 Standard and the US NIST Cybersecurity Framework. Keith Price Principal Consultant

IT Service Quality amidst a World Gone Cloud. June 2012 V: 2.0

Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13

Critical Infrastructure Resilience

Presenter: Ian Musweu FCCA, FZICA, CRA. Head of Risk and Assurance Professional Insurance

Top Five Secrets to Successfully Jumpstarting Your Cyber-Risk Program

U.S. FLEET CYBER COMMAND U.S. TENTH FLEET Managing Cybersecurity Risk

What is IT Governance and Why is it Important?

Les joies et les peines de la transformation numérique

Cyber Resilience. Think18. Felicity March IBM Corporation

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

Transcription:

Enterprise Risk Management (ERM) and Cybersecurity Na9onal Science Founda9on March 14, 2018

Agenda Guiding Principles for Implementing ERM at NSF (Based on COSO) NSF s ERM Framework ERM Cybersecurity Risk Profile Cybersecurity Risk Management Philosophy Governance, Risk Management and Communication Risk Tolerance NIST Risk Frameworks IT Risk Management Documents 2

Guiding Principles for Implementing ERM at NSF (Based on COSO) 1. Support from the Top is a Necessity 2. Build ERM using Incremental Steps 3. Focus initially on a Small Number of Top Risks 4. Leverage Existing Resources 5. Build on Existing Risk Management Activities 6. Embed ERM into the Decision Making Practices of the Organization 7. Provide Ongoing ERM Updates and Continuing Education for Leadership and Senior Management

NSF s ERM Framework NSF s Strategic Plan embraces enterprise risk management Encourages use of methodical risk analysis for resilience Maintain a risk profile of significant risks and opportunities NSF established an Enterprise Risk Management approach Developed a maturity based ERM strategy and process Developed an initial" risk profile Cybersecurity is a profile About 12 agency level risks identified Monitor Risks Act on Risks Iden9fy Risks Iden9fied risks collec9vely form a Risk Profile Evaluate Risks Assess Risks 4

ERM Cybersecurity Risk Profile Risk appetite is the type and amount of risk an organization is prepared to accept (on a broad level); statement reflects the culture Qualitative statement low, high appetite, e.g. low appetite for major cybersecurity breaches Quantitative measures, e.g. 10% of the budget is allocated to innovation Risk tolerance - Once the risk appetite has been defined, risk tolerance defines boundaries of acceptable variation Risk profile allows management to determine resource allocation NSF aligned cybersecurity with the NSF Strategic Plan, goal and objec9ve NSF Strategic Plan Mission, Vision Statement Strategy Review Mee9ngs Align strategy with risk appe9te Strategic Plan Goal and Objec9ve Business Objec9ve Major Business Applica9ons Tools & Technology Cybersecurity Risk Profile Risk of a Major Breach Cybersecurity Risk Mgmt. IT Risk Mgmt. Strategy (NIST RMF & Cyber Framework) NSF Strategic Plan sets forth long term goals and objec9ve per the Government Performance and Results Act (GPRA). 5

Cybersecurity Risk Management Philosophy Risk-Based - Risks are assessed, analyzed, understood and appropriately mitigated Balance of operational and economic costs of protective measures with the gains in mission capability Considers cost/benefit, risk analysis, assessment, oversight Defense in Depth - Layered approach to cybersecurity Layers of security controls assure major systems and assets are protected with the most extensive controls Implement management, operational, technical controls Risk management philosophy documented in the NSF Information Security (InfoSec) Handbook 6

Governance, Risk Management and Communication Risk management is a coordinated activity to communicate, direct and control challenges to agency goals and objectives ERM risk profiles capture A-123 risk and control objective assessments FISMA and Financial Statement audit evaluations IG management challenges Cybersecurity risk management documented in: Framework Implementation Summary IT Risk Management Strategy InfoSec Handbook 7

Risk Tolerance NSF s risk tolerance, e.g., levels of risk, types of risk, and degree of risk uncertainty that are acceptable depend on the type of event and its impact on the organization Priorities and trade-offs, e.g., the relative importance of missions/business functions, trade-offs among different types of risk, time frames to address risk, and any factors of uncertainty to consider in risk responses form NSF s tolerance for risk NSF considers reputational risk, business disruption, financial loss, and loss of privacy as a few of the factors that affect risk tolerance Risk tolerance is articulated in NSF policies, procedures and InfoSec Handbook and IT Security Risk Management Strategy 8

NIST Risk Frameworks NIST Frameworks are linked through the NIST controls Risk Mgmt. Framework Supports an informed risk-based decision to authorize a system to operate Risk Management Framework 6 Step Process Categorize Select Implement Assess Authorize Monitor Security Assessment Report NIST 800-137 Guide for Applying the Risk Management Framework to Federal Informa9on Systems NIST 800-53 Moderate Baseline Controls Cybersecurity Framework 5 Func9ons Iden9fy Protect Detect Respond Recover Risk Profile and Risk Tier* E.O. Strengthening the Cybersecurity of Federal Networks and Cri9cal Infrastructure, May 11, 2017 Cybersecurity Framework Risk 9ers provide context on an organiza9on s view of cybersecurity risk and the processes to manage risk *Risk Tiers Tier 1 Par9al Tier 2 Risk Informed Tier 3 Repeatable Tier 4 Adap9ve 9

IT Risk Management Documents NSF Strategic Plan Describes NSF s long-term goals and objectives and performance goals Cybersecurity Profile for Enterprise Risk Management Compliance objective for cybersecurity NSF Information Security Handbook Supports moderate baseline NIST controls IT Security Risk Management Strategy Addresses NIST Risk Management Framework and Cybersecurity Framework NSF Cybersecurity Framework Implementation Summary Describes how NSF s IT security program aligns with the Cybersecurity Framework Information Security Continuous Monitoring Describes the program and operational monitoring activities Ongoing Authorization Plan Describes NSF s ongoing authorization approach 10

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback