Invitation to Cybersecurity

5. The Approach to Cybersecurity: Cyber Risk Management    95

in on the details of putting controls in place to manage cyber risks. A control is a measure taken to reduce risk (explained in more detail later in the chapter).

Table 5.2 NIST Risk Management Framework (RMF)²

Both the CSF and the RMF are general in form so that they can apply to any organization. It is up to organizations to determine how to apply the guidance to their unique circumstances.

A cybersecurity audit may be necessary to demonstrate that an organization is in compliance with standards. A cybersecurity audit is an accounting of how an organization's cybersecurity complies with a standard. Standards may need to be met in order for an organization to reduce its liability in the case of an incident. An outside consultancy is typically hired to perform the audit, catalog its findings, and make recommendations. Auditors come onsite and go through a checklist of items. They conduct interviews with key personnel, make observations, and examine evidence. Each item is rated on a scale such as 1 (no awareness) to 5 (fully implemented). This documentation acts as an official record that the organization can use to prove it is in compliance. Table 5.3 shows an example of a small portion of a CSF audit checklist that examines the Asset Management category under the Identify function.

² Source: NIST Risk Management Framework for Information Systems and Organizations