Part 2

Good Practices for Cyber Risk Management

To manage cyber risk and to assess the cybersecurity preparedness of its critical operations, core business lines and other operations, services and functions, an organisation may choose to use standardised tools that are aligned with common industry standards and best practices. Our preference is the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). Others exist, including the Center for Internet Security (CIS) Critical Security Controls.

The table below sets out good practices for cyber risk management, organised by the NIST CSF functions (Identify, Protect, Detect, Respond and Recover) and augmented with two further categories, Governance and Third-party risk management, to give those areas the emphasis they warrant. (NIST CSF 2.0, published in 2024, has since added Govern as a sixth core function, so the governance practices listed here map directly onto it.)

Governance
  The organisation’s risk appetite and tolerance for disruption reflect the scope and level of cyber risk the organisation is willing to accept or avoid for its critical operations and core business lines.
  The organisation establishes, implements and manages cyber risk management processes for its critical operations and core business lines, and integrates them into its operational risk management processes.
  The organisation has established cybersecurity processes that support operating within its risk appetite and tolerance for disruption.
  The organisation has designated roles and responsibilities for cyber risk management, including a named individual accountable for cybersecurity across the organisation.
  The organisation’s independent risk management function and its independent internal (or external) audit function provide appropriate oversight of the cybersecurity program.
  The organisation has a cybersecurity program that implements, monitors and updates its processes; the program itself is continually monitored and improved.
Identification
  The organisation identifies and manages the data, personnel, devices, systems, third parties and facilities that enable its critical operations and core business lines.
  The organisation understands the cybersecurity risks to its critical operations and core business lines, and to the data, personnel, devices, systems, third parties and facilities that underpin them.
  The organisation’s operational risk appetite statements are discussed in the governance section of the operational resilience good practices.
Protection
  The organisation limits access to the physical and logical assets, and related facilities, of its critical operations and core business lines to authorised users, processes and devices, and manages that access in proportion to the assessed risk of unauthorised access to activities and transactions that require authorisation.
  The organisation provides cybersecurity awareness education, especially to personnel engaged in critical operations and core business lines (including third-party personnel), and trains them adequately to perform their information security duties and responsibilities consistent with the relevant processes and agreements.
  The organisation manages information and data consistent with its risk appetite and tolerance for disruption, so as to protect the confidentiality, integrity and availability of data and systems.
  The organisation maintains security processes that address purpose, scope, roles, responsibilities, management commitment and coordination among organisational entities, and uses them to manage the protection of information systems and assets.
  The organisation encrypts data used in the delivery of critical operations and core business lines, protecting data at rest and in transit commensurate with the criticality and sensitivity of the information.
  The organisation creates backups of critical data and regularly tests those backups for completeness and reliability, including restore tests.
  The organisation disposes of critical assets securely so that sensitive information cannot be recovered from them.
  The organisation manages configuration baselines that incorporate its information systems resilience requirements, and manages configuration changes so that they cause minimal disruption to the delivery of critical operations and core business lines.
  The organisation maintains and repairs industrial control and information system components consistent with its policies and procedures.
  The organisation’s information systems architecture for critical operations and core business lines incorporates its cyber resilience requirements and is secure by design; it also accounts for interdependency, interconnectivity, scale and complexity risks.
  The organisation has, and enforces, defined processes for technology acquisition, development, testing and integration that incorporate its resilience requirements throughout their lifecycles.
  The organisation upgrades or replaces information system components before technical support from the developer, vendor or manufacturer ends.
  Technical security solutions are used to manage the security and resilience of systems and assets, consistent with the related policies, procedures and agreements.
Detection
  Anomalous activity is detected in a timely manner, and the potential impact (including financial impact) of anomalous events is analysed and understood.
  Information systems and assets are monitored, continuously where practicable and otherwise at defined intervals, to identify cybersecurity events and to verify the effectiveness of protective measures.
  Detection processes and procedures are maintained and tested to ensure timely action in response to anomalous events.
Response
  Response processes and procedures are executed and maintained to ensure timely response to detected cybersecurity incidents.
  The organisation coordinates response activities with internal and external stakeholders as appropriate, including seeking external support from regulatory and law enforcement agencies.
  The organisation conducts analysis to ensure effective response and to support recovery activities.
  The organisation performs activities to contain a disruption, mitigate its effects and resolve the incident.
  The organisation improves its response activities by incorporating lessons learned from current and previous detection and response activities.
Recovery
  The organisation executes and maintains business continuity and disaster recovery plans, processes and procedures to support timely restoration of systems or assets affected by cybersecurity incidents.
  The organisation improves its recovery plans and processes by incorporating lessons learned into future activities.
  The organisation coordinates restoration activities with internal and external parties such as internet service providers, owners of compromised systems, other incident response teams and vendors.
Third-party risk management
  The organisation manages the risks to its critical operations and core business lines, and monitors the effectiveness of the associated controls, regardless of whether it performs the activity internally or through a third party.
  The organisation engages in robust planning and due diligence to identify risks related to third parties, and establishes processes to measure, monitor and control those risks. Risk identification and the monitoring of control effectiveness may include testing or auditing the third party’s security controls.
  Contracts between the organisation and third parties clearly define which party is responsible for configuring and managing system access rights, configuration capabilities, and the deployment of services and information assets.
  The organisation has processes for validating that third-party systems used to deliver critical operations and core business lines will remain operational during disruptions, or can return to operation within the organisation’s tolerance for disruption.
  Relationships with third parties include sound risk management practices to identify and mitigate hazards. The organisation employs controls to verify that the third party has resilient operational processes in place that are consistent with the organisation’s internal standards.
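Of the practices above, the one most often asserted but least often evidenced is the Protection item on backups: "regularly tests those backups for completeness and reliability". The following is an added illustration of what such a test looks like in code; it is not part of the original guidance and not any organisation's tooling. It takes a SHA-256 manifest of the source data at backup time and checks a restored copy against it, so that a missing file (incomplete backup), an unexpected file, or a silently truncated file (unreliable backup) is reported rather than discovered during a real incident. All file names and contents are constructed in a temporary directory for the demonstration.

```python
"""Backup completeness and reliability check (added example).

A manifest of SHA-256 digests is taken from the source tree when the backup
is made. After a test restore, the restored tree is compared against that
manifest: completeness means every manifest entry is present and nothing
unexpected appeared; reliability means every present file hashes to the
digest recorded at backup time.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 65536) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest taken at backup time."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "extra": sorted(set(actual) - set(manifest)),
        "corrupted": sorted(
            name for name, digest in manifest.items()
            if name in actual and actual[name] != digest
        ),
    }


def restore_is_good(report: dict) -> bool:
    """A restore passes only if no category of problem was found."""
    return not any(report.values())


def demo() -> tuple:
    """Constructed scenario (hypothetical file names and contents): back up
    three files, then check one clean restore and one restore in which a file
    was truncated, one was never written, and a stray file appeared."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "source")
        src.mkdir()
        (src / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (src / "config").mkdir()
        (src / "config" / "app.ini").write_text("[db]\nhost=db01\n")
        (src / "keys.txt").write_text("kid=7\n")
        manifest = build_manifest(src)

        good = Path(tmp, "restore_good")
        shutil.copytree(src, good)
        ok_report = verify_restore(manifest, good)

        bad = Path(tmp, "restore_bad")
        shutil.copytree(src, bad)
        (bad / "ledger.csv").write_text("id,amount\n1,100\n")  # truncated copy
        (bad / "keys.txt").unlink()                            # never restored
        (bad / "stray.tmp").write_text("x")                    # unexpected file
        bad_report = verify_restore(manifest, bad)
        return ok_report, bad_report


if __name__ == "__main__":
    ok, bad = demo()
    print("clean restore passes:", restore_is_good(ok))
    print("damaged restore report:", bad)
```

The manifest should be stored separately from the backup media it describes (and ideally signed), otherwise an attacker or a faulty backup job that alters the data can alter the evidence with it. Running the check against a restore into an isolated environment, rather than against the backup archive in place, is what turns "we have backups" into the tested practice the table calls for.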