
The Value of an Enterprise Cyber Risk Assessment

By Kumar, DTCC Head of Tech/Cyber Risk | 4 minute read | October 18, 2021

Cyber security is a critical task for any firm. But how can firms assess and understand their cyber risk on a holistic basis? Kumar, DTCC Head of Cyber/Tech Risk, explains how DTCC assesses its risk landscape at the business line level and extends that information across the organization in a holistic risk management approach.

Given the critical nature of cyber security to the overall functioning of an organization, Financial Services Organizations (FSOs) are starting to measure and manage cyber risk as one of the critical risks in their overall risk portfolio. While FSOs are starting to gain an understanding of their cyber risk across the entire business franchise, understanding the cyber risk landscape at the level of an individual Line of Business (LOB) has not advanced at the same rate.

At DTCC, our Enterprise Cyber Risk Assessment (ECRA) enables each DTCC LOB to better understand its unique cyber security risk portfolio. The ECRA is performed to satisfy regulatory requirements from the CFTC and IOSCO, as part of the larger goal of understanding potential cyber risks through empirical data and the mitigating processes that help lower those risks.


Identifying LOB cyber risks includes analyzing prior cyber risk assessments, incidents, issues, Risk Control Self-Assessments (RCSA), vulnerability data and threats across the enterprise, and then deriving the LOB-specific view based on the business context, threat landscape and technology footprint.

This approach includes a bottom-up analysis of data and a top-down validation of the risks within the LOB. Once cyber risk is included in the business risk portfolio, LOBs are able to extend their existing business and operational risk management practices to cyber risk management and take a holistic risk management approach across the entire risk portfolio.

The Value of a Cyber Risk Assessment

While firms may perform a number of security and risk assessments, they can have difficulty bringing the disparate results together into a single report that informs the business of its top cyber risks.

The ECRA informs each LOB of its potential cyber risks and enables a better understanding of those risks, using both quantitative and qualitative methods, and ultimately provides information that allows each LOB to set cyber risk priorities.

The bottom-up analysis of data and the top-down evaluation of a firm's risk levels are done in parallel, in order to gain a comprehensive understanding of the risk and control environment, develop risk scenarios and propose prioritized recommendations.

The bottom-up analysis involves collecting risk data from several empirical sources and then normalizing it. Based on the understanding of this data, overall risks are categorized. The result is a risk catalog that forms the building blocks for informed decisions and next steps. The risk catalog is revised annually, adding risks where necessary and improving clarity to keep up with emerging threats.

Regulatory agencies have honed in on the threats that cyber risk poses to the overall securities industry. To comply with rules and orders, risks are mapped to regulatory requirements, including privacy and third-party risk, and classified on an informed basis.


This is where the top-down assessment begins. Key stakeholders, including business operations leaders and other function heads, prioritize the cyber risk categories that have been identified and refine the language as needed. An informed discussion then follows and the related risks are evaluated. The risk ranking is then finalized based on LOB input. LOBs can always override the stack ranking of risks based on their knowledge of their business. This also serves as a useful exercise for the organization to be involved in the risk assessment and in efforts to mitigate risk.

During the top-down assessment, LOBs can review a threat library, which contains key information about threat actors, their level of sophistication, their potential motivations and their impact on the LOB. This exercise visualizes how different operational and cyber risks come together and how best to manage them. For example, Covid-19 created an opportunity for cyber risk to manifest in many companies. Malicious actors could have been hired because fewer controls were present in the onboarding process due to the sudden switch to a virtual environment. Having a threat library and a scenario-planning exercise is critical for ECRA planning and allows firms to pivot as necessary.

Following the top-down and bottom-up analysis, there is a discussion about inherent risk. Viewing the risks without any controls is a lengthy exercise the first time, but it should be done regularly, because risk is not static. For instance, Covid-19 shifted the workforce from onsite, to at home, to hybrid. The inherent risk changed: the need for additional device capacity and for monitoring of company devices and networks added to the risk, which illustrates the benefit of evaluating inherent risk frequently. The residual risk is then calculated from the inherent risk together with an understanding of the control environment. Understanding the control environment helps in evaluating how investments have lowered the risk to the environment.

Finally, trend analysis is a critical tool for senior management to see individual risks, and each exercise helps stakeholders with future planning and spending prioritization. In sum, the ECRA helps FSOs make more informed decisions about cyber risk management and take a holistic risk management approach across their entire risk portfolio.

Kumar recently spoke at the Global Resilience Federation 2021 Virtual Summit on Security & 第三方风险.

Kumar

DTCC Managing Director and Chief Information Security Officer