Risk Response Standards, Policies, and Procedures
Blog #9 of ~15 in ECRM Framework & Strategy Series
If you are starting this ECRM Framework & Strategy Series here, with Blog #9, you may wish to review some previous posts:
(For the complete list of all posts in this ECRM Framework & Strategy Series, please see Introduction – Overseeing the Development of Your ECRM Framework and Strategy.)
In each post in the series, I cover one or more aspects of developing your Enterprise Cyber Risk Management (ECRM) Framework and Strategy and associated sections of the Table of Contents of an ECRM Framework and Strategy document.
This series aims to explain what content is needed in each area and provide a good head start on developing and documenting your ECRM Framework and Strategy. More specifically, this information may help you meet one of the new SEC requirements in Disclosure of a Registrant’s Risk Management, Strategy, and Governance Regarding Cybersecurity Risks.
Introduction
The topic of the ECRM Framework and Strategy and related documentation covered in this post is:
17. Risk Response Standards, Policies, and Procedures
(For the complete Table of Contents, please see Introduction – Overseeing the Development of Your ECRM Framework and Strategy.)
In Selecting and Adopting an ECRM Framework, Process, and Maturity Model, I discussed the cyber risk management process based on Managing Information Security Risk (NIST Special Publication 800-39)[1] and the four basic steps, each of which informs the other steps in the process. To summarize, they are:
In the four posts—framing, assessing, responding, and monitoring—including this post, I discuss the importance of documenting respective standards, policies, and procedures for each of these four process steps. Completing the recommendations in these posts will create the core of your cyber risk management strategy.
Basis of this Post
This post and the other three draw heavily on Managing Information Security Risk (NIST Special Publication 800-39)[2] but avoid repeating that which is already well documented and readily accessible.
As a reminder, I recommend leveraging all the standards and guidance from NIST applicable to your environment and requirements. In Chapter 10 of Stop the Cyber Bleeding[3], I explain why a NIST-based ECRM program may be a terrific choice for your organization. Also, you may wish to view my short video "Why You Should Base Your Program on NIST | Putting ECRM Into Action" for more information.
Risk Response
As I discussed in Risk Assessment Standards, Policies, and Procedures, once your organization has identified all the possible ways in which there can be a compromise to the confidentiality, integrity, or availability of your assets, you need to rate each risk by considering the likelihood and impact of each risk scenario.
The rating of each risk scenario ultimately produces your risk register. Risks rated below your risk appetite are risks that you will typically accept. For risks at or above your risk appetite, you must determine whether you will avoid, mitigate, or transfer that risk.
Content of Risk Response Standards, Policies, and Procedures
Your Risk Response Standards, Policies, and Procedures should spell out how to conduct risk response, when risk response work is conducted, by whom it will be conducted, and what methodology will be used.
For example, decide and document that your organization will use NIST or ISO as its standard for risk response, referencing relevant documents as resources.
Your risk response policy should indicate what you plan to do, why you plan to do so, and what is expected of members of your workforce regarding treating or responding to risk. If, for example, you operate in an industry subject to a specific regulatory requirement, you should mention that your organization complies with all applicable mandates, laws, and regulations related to privacy, security, and cyber risk management.
The HIPAA Security Rule has an explicit risk management (a.k.a. risk response) requirement for healthcare covered entities and business associates.
Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).[4]
Your risk response procedures must detail the steps to conduct risk response. For example, the risk response process documented in Managing Information Security Risk (NIST Special Publication 800-39)[5] is:
You should expand and elaborate on these elements and steps such that a workforce member will successfully conduct risk response if they follow all your process steps in your documented procedures. Appendix H, RISK RESPONSE STRATEGIES FROM BOUNDARY PROTECTION TO AGILE DEFENSES, in NIST Special Publication 800-39[6], provides greater detail about risk response strategies and steps that may be included in your procedures.
Your Risk Response Decision-Making
In another recent post, Getting Started with Enterprise Cyber Risk Management (ECRM) | Overseeing the Development of Your ECRM Framework and Strategy, I discussed the importance of establishing strong governance over ECRM. At the risk of grossly oversimplifying it, in practice I’ve come to define governance as a set of interrelated questions: Who makes what decisions? How and when do they make those decisions? And what data and facts do they use to make those decisions?
Clarifying risk response decision-making is vital to your risk response policies and procedures. The four risk response choices—accept, avoid, mitigate, or transfer—are standard in treating risk and are discussed further here.
Risk Acceptance
Risk acceptance is the appropriate risk response when the identified risk is within the organizational risk appetite. For example, an organization may accept the risk of bring-your-own-devices (BYOD) if they require owners of these devices to install and use the organization’s mobile device management solution.
Risk Avoidance
Risk avoidance involves taking specific actions to eliminate the activities or technologies that are the basis for the risk … to avoid the potential for unacceptable risk. Continuing to use BYOD as an example, some organizations do not allow access to their organization's information assets by any non-organization-deployed device, thereby avoiding any risks associated with BYOD.
Risk Mitigation
Risk mitigation, or risk reduction, is the appropriate risk response for that portion of risk that cannot be accepted, avoided, shared, or transferred. Implementing a technical control such as encryption on all mobile devices would be considered risk mitigation.
Risk Transfer
Risk transfer shifts the risk liability from one organization to another organization. Using cyber liability insurance transfers risk from particular organizations to insurance companies.
Ultimately, a risk response decision aims to reduce the likelihood of a threat exploiting a vulnerability or reduce the impact were that exploitation to occur. Each identified risk requires a response; not every risk requires mitigation. Typically, your organization will accept risks rated below your risk appetite. Risks rated at or above the risk appetite will normally be treated by either avoiding, mitigating, or transferring them.
In the pro forma risk register below, if an organization had set its risk appetite at 20, you would typically accept the three risks at the bottom of the risk register and make avoid, mitigate, or transfer decisions for the three risks at the top of the risk register.
Pro Forma Risk Register with Accepted Risks Indicated
(see Table at original post at Risk Response Standards, Policies, and Procedures)
Source: Bob Chaput, Executive Chairman, Clearwater.
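The risk-appetite rule described above, worked through in code. This is an added example, not code from the original post or from Clearwater. It assumes a 1–5 likelihood scale, a 1–5 impact scale, a rating computed as likelihood × impact, and a risk appetite of 20 (the threshold used in the post's example); the six risk rows are constructed sample data. The helper names (Risk, build_register, build_poam, validate) are hypothetical.

```python
"""Pro forma risk register with appetite-based response decisions.

Added example, not from the original post. Assumed: 1-5 likelihood and
impact scales, rating = likelihood * impact, and a risk appetite of 20.
Rows in SAMPLE_RISKS are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional

RISK_APPETITE = 20                      # assumed appetite, matching the post's example
TREATMENTS = {"avoid", "mitigate", "transfer"}   # allowed at/above appetite
RESPONSES = TREATMENTS | {"accept"}


@dataclass
class Risk:
    asset: str
    scenario: str
    likelihood: int                     # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                         # 1 (negligible) .. 5 (severe), assumed scale
    proposed_response: Optional[str] = None   # chosen by the risk owner, if any

    @property
    def rating(self) -> int:
        # Assumed rating model: likelihood x impact, range 1..25.
        return self.likelihood * self.impact


def validate(risks: List[Risk], appetite: int) -> List[str]:
    """Return policy violations: every risk needs a response, and a risk at or
    above appetite cannot simply be accepted; it must be avoided, mitigated or
    transferred."""
    problems = []
    for r in risks:
        if r.proposed_response is not None and r.proposed_response not in RESPONSES:
            problems.append(f"{r.asset}: unknown response '{r.proposed_response}'")
        elif r.rating >= appetite and r.proposed_response not in TREATMENTS:
            problems.append(f"{r.asset}: rating {r.rating} is at or above appetite "
                            f"{appetite}; 'accept' is not permitted")
    return problems


def decide_response(risk: Risk, appetite: int) -> str:
    """Below appetite the default is 'accept' (an owner may still choose to treat);
    at or above appetite the owner's avoid/mitigate/transfer choice is required."""
    if risk.rating < appetite:
        return risk.proposed_response or "accept"
    if risk.proposed_response not in TREATMENTS:
        raise ValueError(f"{risk.asset}: rating {risk.rating} >= appetite {appetite}; "
                         "owner must choose avoid, mitigate or transfer")
    return risk.proposed_response


def build_register(risks: List[Risk], appetite: int) -> List[dict]:
    """Risk register sorted highest rating first, with the decided response."""
    ordered = sorted(risks, key=lambda r: r.rating, reverse=True)   # stable sort
    return [{"asset": r.asset, "scenario": r.scenario, "rating": r.rating,
             "response": decide_response(r, appetite)} for r in ordered]


def build_poam(register: List[dict]) -> List[dict]:
    """Plan of action and milestones: one entry per risk that is not accepted."""
    return [{"asset": row["asset"], "action": row["response"], "rating": row["rating"],
             "milestone": "owner to set target date"}
            for row in register if row["response"] != "accept"]


# Constructed sample rows: three at/above appetite 20, three below.
SAMPLE_RISKS = [
    Risk("EHR database", "ransomware encrypts production records", 5, 5, "mitigate"),
    Risk("BYOD phones", "lost personal device holding ePHI", 4, 5, "avoid"),
    Risk("Billing vendor", "breach at vendor exposes claims data", 4, 5, "transfer"),
    Risk("Public website", "defacement of marketing pages", 3, 2),
    Risk("Test lab", "outage of non-production servers", 2, 3),
    Risk("Guest Wi-Fi", "misuse of guest network bandwidth", 4, 1),
]

if __name__ == "__main__":
    for problem in validate(SAMPLE_RISKS, RISK_APPETITE):
        print("POLICY VIOLATION:", problem)
    register = build_register(SAMPLE_RISKS, RISK_APPETITE)
    print(f"{'Asset':<16}{'Rating':>7}  Response")
    for row in register:
        print(f"{row['asset']:<16}{row['rating']:>7}  {row['response']}")
    print("\nPOAM entries:", build_poam(register))
```

The validate step is the governance check: it turns the policy sentence "each identified risk requires a response, but only risks at or above appetite must be treated" into something a reviewer can run against the register before the POAM is produced.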
A key point throughout the NIST guidance is that it is flexible and not one-size-fits-all.
Outputs from the risk response step are inputs to the other three steps in the overall process—risk assessment, framing, and monitoring—and are discussed in Managing Information Security Risk (NIST Special Publication 800-39)[7]. However, the most critical output of the risk response step is a plan of action and milestones (POAM) or risk response plan.
Just as most organizations would not consider developing their own enterprise resource planning (ERP) software, ECRM is an instance where using specialized software can make the NIST 4-step process easier to implement, easier to execute, easier to document, and easier to maintain. In Stop the Cyber Bleeding[8], I provide more detail about the value of using specialized software in Appendix B, Enterprise Cyber Risk Management Software (ECRMS).
As you develop and document your Risk Response Standards, Policies, and Procedures, the following are several risk response fundamentals to consider:
Summary
It is essential to include a section in your ECRM Framework and Strategy document that covers the risk response elements above and how you will conduct your risk response.
The chief output of the risk response step is a plan of action and milestones (POAM), along with implementing various courses of action to bring risks outside the organization’s risk appetite under that threshold.
In Disclosure of a Registrant’s Risk Management, Strategy, and Governance Regarding Cybersecurity Risks, I discuss the SEC proposed rulemaking requiring registrants to provide more consistent and informative disclosure regarding their cybersecurity risk management and strategy. The content produced in this section of your ECRM Framework and Strategy will help meet this disclosure requirement.
You can visit my Stop the Cyber Bleeding | Putting ECRM Into Action YouTube channel, which includes brief video clips covering many of the topics in this series. It may help guide the development of your ECRM Framework and Strategy and can be accessed and subscribed to at https://www.youtube.com/@stopthecyberbleeding/videos.
In the next post in this ECRM Framework & Strategy Series, I will discuss Risk Monitoring Standards, Policies, and Procedures <<future hotlink>>, an essential input into making informed risk treatment decisions.
Questions Management and Board Should Ask and Discuss
Endnotes
[1] Managing Information Security Risk. NIST Special Publication 800-39. National Institute of Standards and Technology (NIST). March 2011. Available at https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf
[2] Managing Information Security Risk. NIST Special Publication 800-39. National Institute of Standards and Technology (NIST). March 2011. Available at https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf
[3] Chaput, Bob. “Stop The Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management (ECRM).” 2021. Clearwater. Available at https://amzn.to/33qr17n
[4] Risk Management Implementation Specification. 45 CFR §164.308(a)(1)(ii)(B). (Security Standards for the Protection of Electronic Protected Health Information, Administrative Safeguards), available at https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308
[5] Managing Information Security Risk. NIST Special Publication 800-39. National Institute of Standards and Technology (NIST). March 2011. Available at https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf
[6] Managing Information Security Risk. NIST Special Publication 800-39. National Institute of Standards and Technology (NIST). March 2011. Available at https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf
[7] Managing Information Security Risk. NIST Special Publication 800-39. National Institute of Standards and Technology (NIST). March 2011. Available at https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf
[8] Chaput, Bob. “Stop The Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management (ECRM).” 2021. Clearwater. Available at https://amzn.to/33qr17n