Relevant Standards for Cybersecurity Risk Management

In the section on Cyber Security Risk Management, we introduced two important concepts:

  • A formal process for the assessment and management of risk, with well-defined steps;
  • Best practices and technologies for mitigation of cyber security risk.

We also mentioned the fact that it is important to have a consistent approach, both to the categorization of risk factors and to their evaluation, in order to avoid comparing apples to oranges. This is where a harmonized set of standards has an important role to play. 

Of course, many organizations already implement standards mainly as a requirement for compliance (for example, Data protection Risk assessment / impact assessment as prescribed by EU 679/2016 ISO 9001). But that is not the only, or even the best reason for implementing standards. Several national and international standards organizations have published standards both for risk management and for cybersecurity best practices. The advantage of such standards is that they have been elaborated with the broad consensus of organizations in such a way as to guarantee a consistency of approach and terminology. By adopting such standards whenever possible, you are not only ensuring the highest possible quality of your methodology, but also facilitating ease of communication with others.

 

Standards for Risk Assessment and Management

Perhaps the best-known standard for overall management of information security is ISO 27000 – actually a family of standards (well over forty in total). ISO 27001:2013 in particular is a risk-based standard approach for the information security management system. It adopts a global vision of business, process, people and technology risks, and top management is actively involved in the entire risk mitigation process. In that sense, it provides an excellent framework for the implementation of an integrated Enterprise Risk Management system. Effectively implemented, it can provide:

  • Stakeholders with substantiated and consistent opinions over the current state of risk throughout the enterprise;
  • Guidance on how to manage risk to levels within the enterprise’s risk appetite;
  • Guidance on how to set up the appropriate risk culture for the enterprise;
  • Wherever possible, quantitative risk assessments enabling stakeholders to consider the cost of mitigation and the required resources against the loss exposure;
  • A more accurate view of significant current and near-future risk throughout the enterprise—and the impact (both negative and positive) of this risk on the enterprise;
  • Opportunities for integration of IT risk management with the overall risk and compliance structures within the enterprise;
  • Promotion of risk responsibility and its acceptance throughout the enterprise.

The main message here is: you don’t have to go it alone. You don’t have to reinvent the wheel. Enterprise Risk Management, and in particular cyber security risk management, have been codified into standards that have broad international acceptance by all kinds of organizations.

 

Risk Management for Small-to-Medium Enterprises

One particular initiative is of special interest to smaller organizations. “A simplified approach to Risk Management for SMEs” is an initiative begun in 2007 and promoted by the European Agency for the Security of Networks and Information (ENISA). As indicated in the title of the initiative, ENISA decided to equip management staff who are not expert in matters of security with a simple tool to perform a guided and modular risk self-evaluation. In this regard, security aspects have been simplified and acceptable target security levels have been established, identifying a target risk profile.

Another example of an initiative targeting SMEs is the U.S. National Institute of Standards and Technology (NIST) initiative “Small Business Information Security: The Fundamentals” (publication NISTIR 7621, Revision 1). Like its ENISA counterpart, this initiative also aims to give small businesses a more lightweight, yet effective approach to understanding and managing its risks, safeguarding its information, and working safely and securely in a smaller context that than of very large organizations.

 

Standards for Cyber Security Best Practices

Recall that an important step is the identification of measures to mitigate the identified risk (see the dedicated section on Risk Mitigation). Recall also that there are two principal categories: technological measures (like state-of-the-art equipment) and best practices followed within the organization.

What are “best practices” for cybersecurity risk mitigation? Do we have to develop our own? Here, too, standards based upon the collective experience of organizations around the world provide us with best practices that have been proven in the field and are being constantly updated to reflect new knowledge. 

In the dedicated section on Risk Management, we encountered the NIST Cybersecurity Framework, which provides recommendations and requirements in many formats (spreadsheet, PDF, etc.) which may be customized for the organization. Examples of best practices you can find here are:

  • Asset Management – external information systems are catalogued;
  • Business environment – the organization’s role in the supply chain is identified and communicated;
  • Governance – Information security roles & responsibilities are coordinated and aligned with internal roles and external partners;
  • Access Control – identities and credentials are managed for authorized devices and users;
  • Information Protection Processes and Procedures – Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.

Note that these are organized according to categories, with each category containing specific recommendations.

Here, too, the message is: you don’t have to go it alone. There are standards and initiatives worldwide that provide sets of best practices that you can implement for credible cybersecurity risk mitigation as part of your overall cybersecurity risk management process. This is an important prelude to the successive step of residual cyber risk management, which is where the evaluation of cyber risk insurance enters into the picture.

 

Brief Standards Overview

Here is an overview of just some of the relevant standards for an organization implementing cybersecurity risk management and best practices.

 

Regulation/Standard

Title

Regulation (EU) N° 910/2014

Electronic Identification and Trust Services for Electronic Transactions in the Internal Market (eIDAS Regulation)

Regulation (EU) 2016/679 

 

General Data Protection Regulation (GDPR)

 

 

Directive on privacy and electronic communications (e-privacy directive)

Implementing Regulation (EU) N° 2016/68

Commission Implementing Regulation on common procedures and specifications necessary for the interconnection of electronic registers of driver cards

ISO/IEC 15408:2009

Security techniques -- Evaluation criteria for IT security

ISO/IEC 17030:2003

Conformity assessment – General requirements for third-party marks of conformity

ISO/IEC 17065:2012

Conformity assessment -- Requirements for bodies certifying products, processes and services

 

ISO/IEC 18045:2005

Security techniques -- Methodology for IT security evaluation

ISO/IEC 27000:2016

Security techniques -- Information security management systems -- Overview and vocabulary

ISO/IEC 27001:2013

Security techniques -- Information security management systems – Requirements

ISO/IEC 29100:2011

Security techniques -- Privacy framework

ISO/IEC 29190:2015

Security techniques -- Privacy capability assessment model

ISO/IEC 40500:2012

(W3C) Information technology -- W3C Web Content Accessibility Guidelines (WCAG)

ITU-T X1208 (01/2014)

A cybersecurity indicator of risk to enhance confidence and security in the use of telecommunication/information and communication technologies

ITU-T Y2060 (06/2012)

Overview of the Internet of things

ITU-T Y3051 (03/2017)

The basic principles of trusted environment in information and communication technology infrastructure

ITU-T Y3052 (03/2017)

Overview of trust provisioning for information and communication technology infrastructures and services

ITU-T Y4050 (07/2012)

Terms and definitions for the Internet of things

ITU-T Y4100 (06/2014)

Common requirements of the Internet of Things

ETSI TR 103 304

CYBER; Personally Identifiable Information (PII) Protection in mobile and cloud services

ETSI TR 103 305

CYBER; Critical Security Controls for Effective Cyber Defence

NIST SP 800-53 R4

Security and Privacy Controls for Federal Information Systems and Organizations

NIST SP 800-122

Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

 

Swiss Federal Act on Data Protection (FADP)

 

Swiss Ordinance on Data Protection Certification

 

Code for drug use on humans

 

News

UNICORN’s Validation Contest now open for participation!

UNICORN project is looking for SMEs and start-ups to test and validate the UNICORN platform by developing their own software or use-cases. The selected participants will receive 10.000€ funding each (find here a template for the contract)

Events

17/01/2019
Reinforcing Cyber Security in the EU: Building Coordinated Security, Confidence and Capability in the Cyber Domain

With 315 million Europeans using the internet each day, the provision of critical services and the functioning of a modern economy are now entirely dependent upon the robustness and safety of cyberspace and its infrastructure. Cyber security attacks are a growing source of threat and concern, while also representing a growing economic opportunity for Europe, with the market predicted to be worth over $100 Billion by 2018 (European Commission). Moreover, cyber attacks in the EU are constantly growing in both their frequency (quintuplicate between 2013 and 2017) and sophistication.