The Risk Management Framework, Cybersecurity Framework profiles and U.S., EU and cyber regulator compliance
To comply with U.S. and EU cybersecurity risk management regulations, organizations will be required to provide assurance that they have implemented a cybersecurity Risk Management Framework (RMF), with cybersecurity practices in line with the organization's risk profile. This demonstrates appropriate oversight, assurance and attestation of cybersecurity risk through the organization's governance processes. Boards may also be required to inform regulators of their cybersecurity risk management experience and knowledge, and to engage external cybersecurity expertise where that knowledge is lacking.
As an example, the Securities and Exchange Commission (SEC) cybersecurity risk management proposal, the EU NIS 2.0 Directive and the Digital Operational Resilience Act (DORA) each require organizations to implement some form of RMF that acts as the foundation of the cybersecurity risk management program. Boards are going to be held accountable and responsible for cybersecurity risk management, which requires implementing appropriate processes to Frame, Assess, Respond to and Monitor cyber risk. Cyber risk management needs to be integrated into all strategic, leadership and governance processes. Together, these actions demonstrate to regulators that an appropriate RMF has been implemented and that cybersecurity risk oversight, assurance and attestation are taking place through the organization's governance processes.
The risk management process and the RMF rely upon a cybersecurity standard to mitigate cyber risk: the standard's controls are what reduce the organization's inherent risk down to an acceptable residual level. The Cybersecurity Framework (CSF) profile acts as a 'bucket' into which a cybersecurity standard can be placed and then tailored to the specific organizational risks identified through the risk assessment process and defined through the RMF. Various U.S. Federal Agencies have adopted the CSF profile, and various sectors have adopted it as the means by which cybersecurity practices are baselined according to risk. These include profiles for the maritime sector, energy and nuclear energy, chemical production, manufacturing, transportation, dam infrastructure, water and wastewater, small business, and health and human services. This is an indication that cybersecurity standards have been set for these sectors and could be adopted by industry more broadly.