How NIST & FISMA Improve ERM
Damon Levine, CFA, ARM, MA
Experienced Risk, ERM, and Operational Risk leader. Specialized experience in Open FAIR, TPRM, model risk, BC/DR, and strategic risk management.
Enterprise Risk Management (ERM), in its true form, manages all risk types, including cyber and information security risk. Information security professionals are almost universally familiar with the National Institute of Standards and Technology (NIST) and its Cybersecurity Framework (NIST CSF).
The Federal Information Security Management Act of 2002 (FISMA) requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the agency's operations and assets, including those provided or managed by contractors and other outside sources. FISMA implementation relies heavily on NIST standards and guidance (for example the FIPS 199/200 categorization and minimum-security standards, the SP 800-53 control catalog, and the SP 800-37 Risk Management Framework).
Taken together, these frameworks contain a voluminous body of asset identification, risk assessment, and risk response methods and techniques. For this short piece I am focusing on the process flow below, which has been adapted from one in FISMA and the Risk Management Framework*. It can be used to embed a recurring process (e.g. quarterly) that links risk identification and risk assessment/quantification to risk tolerance, and to remediation planning once a tolerance is breached.
*Gantz, S. D., and Philpott, D. R., FISMA and the Risk Management Framework, 2013, Fig. 12-5, p. 318.