Mature Your Cyber Program with a Cybersecurity Risk Register
4 minute read
Risk-based cybersecurity risk management is the process of identifying, tracking and mitigating the risks to your organization. By tracking your risks in a cybersecurity risk register, or a central record of the risks facing your organization, you can proactively protect your data, addressing the most critical risks first and ensuring that your actions have the maximum possible impact.
This blog will follow a single risk, “Lack of a Security-Minded Workforce,” through the risk register to demonstrate how you can track and mitigate risk with the right platform.
1. Identify and catalog risks within the risk register
First, you’ll want to identify the risk and catalog it with a description in the risk register. In this case, the description would be: “The workforce lacks user-level understanding about security and privacy principles.” By entering risks into your register, you enable stronger prioritization in your mitigation efforts and more agile decision making.
2. Perform periodic risk assessments
Once you’ve identified the risk, you should schedule periodic assessments to evaluate the likelihood of an event and the impact the event would have if it occurred. In your register, you’ll record both factors, along with the planned review schedule. In this case, it’s appropriate to assess the risk on a quarterly basis. While the impact of this event would be major, such an event is ultimately unlikely. By assessing both likelihood and impact of an event, you can more accurately determine how urgently action is needed and prioritize your efforts on that basis.
3. Map mitigating controls to risks
Each risk in your register should have specific controls in place to mitigate both the likelihood of an event and the impact were it to happen. In this case, the controls would be “SAT-01 – Security & Privacy Minded Workforce,” “SAT-02 – Security and Privacy Awareness,” and “SAT-03 – Role-Based Security & Privacy Training.”
4. Identify and catalog controls in control library
Once you’ve determined which controls correspond to the risk you’re tracking, it’s time to catalog those controls within your risk library along with a description. In this case, the control “SAT-02 – Security & Privacy Awareness” could be described in these terms: “Mechanisms exist to provide all employees and contractors appropriate awareness education and training that is relevant for their job function.”
5. Assess control effectiveness and maturity
Just as it’s necessary to assess the risks facing your organization, you must also assign owners and schedule regular control assessments to determine their maturity and effectiveness. In the case of security and privacy awareness training, an annual assessment schedule would be enough.
6. Automate evidence collection using software
Once you’ve determined your assessment schedule, your control owner should automate the distribution and collection of evidence requests. For this control, you’ll request both “documented evidence of initial user training for cybersecurity and/or privacy topics” and “documented evidence of practical user training exercises for cybersecurity and/or privacy topics.” These requests will be sent to different business units within the organization, who will respond with screenshots of systems or specific documentation to demonstrate that the appropriate controls are in place.
7. Relate policies to controls
At this stage, it’s also worth using a cybersecurity risk management platform to relate the policies you have in place to enforce their appropriate controls. For “SAT-02 – Security & Privacy Training,” the corresponding policy is “Security Awareness Training Policy,” and the listed intent is to help “minimize risk thus preventing the loss of PII, IP, money or brand reputation.” By linking these policies, which are sent to your organization’s end users, to your controls, you demonstrate a commitment to keeping your data safe both internally and externally.
8. Conduct policy reviews
To keep your controls in good shape, policies should be assigned owners who conduct reviews on a regular schedule to determine whether they should be updated, retired or used as they are. In this case, the appropriate review cadence is quarterly. Sometimes, a policy is doing what it’s supposed to, but must be adjusted to meet new regulatory requirements or controls. Sometimes, you will review a policy and find that it is no longer relevant to your organization due to a change in controls, and that it should be retired.
9. Align controls with the relevant standards
Next, you must identify the industry standards relevant to your organization and align your controls with the appropriate provisions. In the case of “SAT-02 – Security & Privacy Awareness,” it is relevant to the ISO 27001 provision “ISO – 6.4: Communication,” which demands that organizations “determine the need for internal and external communications relevant to the information security management system.”
10. Demonstrate regulatory alignment
Additionally, you should also ensure alignment with the relevant regulations. In this case, the Payment Card Industry Data Security Standard (PCI DSS) requires that organizations implement a “formal security awareness program to make personnel aware of the entity’s information security policy and procedures.” This can be related to the control “SAT-01 – Security & Privacy-Minded Workforce” to demonstrate coverage.
Once you’ve identified and tracked your risks, controls and policies within a cybersecurity risk management platform, you can continue to evaluate and enhance your controls, improving program maturity and keeping your organization safe. This process is made easier by software like ProcessUnity for Cybersecurity Risk Management, which enables risk tracking and the prioritization of mitigation efforts with its industry-leading risk register. With the help of a powerful program like ProcessUnity, you can mature your program from compliant to exceptional.
Controls-Based Versus Risk-Based Cybersecurity Programs
In the face of an escalating regulatory burden and increasingly common data breaches, many teams..Learn More
Manage Cybersecurity Risk with the SCF...
The Secure Controls Framework (SCF) Risk Management Model can be a powerful tool for teams..Learn More
3 Takeaways from Retail Cybersecurity Breaches
Retail businesses process large quantities of transactions and customer data, making them common targets for..Learn More
ProcessUnity is a leading provider of cloud-based applications for risk and compliance management. The company’s software as a service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. ProcessUnity’s flagship solution, ProcessUnity Vendor Risk Management, protects companies and their brands by reducing risks from third-party vendors and suppliers. ProcessUnity helps customers effectively and efficiently assess and monitor both new and existing vendors – from initial due diligence and onboarding through termination. Headquartered outside of Boston, Massachusetts, ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. For more information, visit www.processunity.com.