cyris360-framework

Getting started

This guide is dedicated to target organizations that are interested in managing cyber risks efficiently. The use of the CRF is highly customizable and can be implemented in an incremental way. If you need to demonstrate to relevant stakeholders that your organization manages cyber risks in a consistent manner, there will be additional steps to do so via an external (independent) party.

1. Process

1.1. Scope and Context

The first step in risk assessment is to define the scope from multiple perspectives. You may take the freedom not to answer all questions, but that inevitably impacts the completeness of the assessment.

The effort required for this activity can be estimated at between 1 and 5 man-days. The size of the organization usually has no direct impact on the effort needed for this step.

1.2. Gap and risk assessment

Based on the outcome of the previous step, you can perform the threat assessment on the relevant threat scenarios (See: Catalogue of threat scenarios).

The gap assessment can be executed by internal or external parties (See: Gap assessments). The main criteria for choosing who can perform a specific assessment are: qualification and independence. Other criteria might also influence the choice to a certain degree, such as cost and trust. If the assessment is performed internally, conflicts of interest should be prevented (for example, by performing peer review).

The assessment shall identify all (potential) gaps where risks might arise. These can be risks related to compliance, security, privacy, safety, operation, etc. Specific properties can be identified to help quantify the risks more accurately.

Risks from former assessments, or assessments of similar organizations, may be used to help identify relevant risks and their likelihood of occurrence. Please note that the assessment should not be perceived as a one-time activity, and keep in mind that the first iteration will strongly influence all subsequent steps. So even if the budget is limited, it is still recommended to have a comprehensive assessment.

1.3. Management review and Action plan

After gathering all relevant data about potential risks and gaps, these need to be formally reported to senior management (or the management board). This is when the CISO can make a difference and have a real impact on the risk posture. The risks shall be associated with a brief description of recommended actions and an estimate of the associated costs. Senior management does not need to hear technical and operational details. However, they need to be able to approve an action plan that can be adjusted further if needed.

The action plan should be scheduled for a specific period of time. Success criteria shall be defined, and, if applicable, relevant KPI milestone projections should be mentioned in the action plan. It is also important to illustrate the Return on Investment (ROI) for a reasonable range of budgets. This will make it easy for senior management to adjust the budget if needed, depending on their risk appetite.

Hint: You might find the following webcast helpful: How to Present Cyber Security Risk to Senior Leadership
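As an added illustration (not part of the CRF guide, and not the CRF's own scoring method), the following Python sketch shows one way to turn the outputs of steps 1.2 and 1.3 into the numbers senior management is asked to approve: each risk carries an annual likelihood and an impact, each recommended action carries a cost and the fraction of that risk it removes, and the ROI is then projected over a range of budgets. All risk names, probabilities, costs and reduction factors are constructed sample values, and the model assumes one action per risk with a simple greedy selection under budget.

```python
"""Quantified risk register and action-plan ROI projection (illustrative model)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float  # assumed annual probability of occurrence, 0..1
    impact: float      # assumed loss per occurrence, in currency units

    def annual_loss(self) -> float:
        # Annualized loss expectancy (ALE) = likelihood * impact
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Action:
    name: str
    risk: str        # name of the risk this action treats (one action per risk assumed)
    cost: float      # one-off plus first-year running cost
    reduction: float  # fraction of the risk's annual loss removed, 0..1


# Constructed sample register: values are placeholders, not measurements.
RISKS = {
    r.name: r
    for r in [
        Risk("Phishing leading to account takeover", 0.6, 50_000),
        Risk("Unpatched internet-facing service", 0.3, 200_000),
        Risk("Laptop loss with unencrypted data", 0.2, 40_000),
        Risk("Backups never restore-tested", 0.1, 300_000),
    ]
}

# Constructed sample action plan candidates, each mapped to one risk above.
ACTIONS = [
    Action("Enforce MFA on all remote access", "Phishing leading to account takeover", 10_000, 0.8),
    Action("Patch management process", "Unpatched internet-facing service", 25_000, 0.7),
    Action("Full-disk encryption on laptops", "Laptop loss with unencrypted data", 4_000, 0.9),
    Action("Backup restore testing", "Backups never restore-tested", 8_000, 0.6),
]


def total_annual_loss(risks=RISKS) -> float:
    """Sum of ALE over the register: the untreated exposure to report."""
    return sum(r.annual_loss() for r in risks.values())


def risk_reduction(action: Action, risks=RISKS) -> float:
    """Annual loss removed by an action (ALE of its risk times the reduction fraction)."""
    return risks[action.risk].annual_loss() * action.reduction


def roi(action: Action, risks=RISKS) -> float:
    """Return on investment of a single action: (loss avoided - cost) / cost."""
    gain = risk_reduction(action, risks)
    return (gain - action.cost) / action.cost


def plan_for_budget(budget: float, actions=ACTIONS, risks=RISKS):
    """Greedy knapsack heuristic: take actions by loss avoided per unit cost
    while they fit in the budget. Returns (chosen actions, amount spent)."""
    ranked = sorted(actions, key=lambda a: risk_reduction(a, risks) / a.cost, reverse=True)
    chosen, spent = [], 0.0
    for a in ranked:
        if spent + a.cost <= budget:
            chosen.append(a)
            spent += a.cost
    return chosen, spent


def roi_curve(budgets, actions=ACTIONS, risks=RISKS):
    """For each budget level, the plan's spend and the annual loss it avoids:
    the 'ROI for a range of budgets' view that management adjusts against."""
    curve = []
    for b in budgets:
        chosen, spent = plan_for_budget(b, actions, risks)
        avoided = sum(risk_reduction(a, risks) for a in chosen)
        curve.append((b, spent, avoided))
    return curve


if __name__ == "__main__":
    print(f"Untreated annual exposure: {total_annual_loss():,.0f}")
    for a in ACTIONS:
        print(f"{a.name:40s} cost {a.cost:>8,.0f}  avoids {risk_reduction(a):>8,.0f}  ROI {roi(a):.2f}")
    for budget, spent, avoided in roi_curve([5_000, 20_000, 50_000]):
        print(f"budget {budget:>7,.0f}: spend {spent:>7,.0f}, avoid {avoided:>8,.0f}/year")
```

The greedy ranking by loss avoided per unit cost is deliberately simple; it skips an action that does not fit and keeps going, which is good enough for a management slide but not an optimal knapsack solution. Real assessments would also need to model actions that treat the same risk, where reductions combine multiplicatively rather than additively.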

1.4. Execution and Continual Reporting

Execution depends on the nature of the planned actions. This might be one or multiple actions such as: the acquisition and integration of an external tool, hiring dedicated staff or an external service provider, or implementing a technical change or solution in house. It is important to communicate progress to the relevant stakeholders. Items that are overdue or below target shall be analyzed and justified.

1.5. Retrospective and Improvements

While it is not easy to manage cyber risks, small and consistent steps can quickly add up and help you build a highly resilient system. The scope of threat actors usually includes any possible path to compromise your assets. Thus you might need to expand the scope to the entire value chain if this was deliberately omitted. Certain incidents might seem nearly impossible to prevent. However, each failure (no matter how small) should be perceived as an opportunity to improve the whole process and to take the relevant measures to limit the risk of such events recurring.

2. Q&A

The following section includes questions and answers related to the Cyris360 Risk Framework (CRF) and the cyber domain in general.

  1. How is the CRF related to other frameworks and standards such as NIST CSF and ISO/IEC 27001? The CRF can be used to help you identify and choose the right solution(s) to manage cyber risks. This may be one or a combination of multiple standards, depending on your context.

  2. What are the prerequisites to start using CRF for my organization? The CRF is designed such that the barrier to entry is virtually non-existent. You can use it for nearly any type of organisation regardless of its industry sector, geographic location, or size. Please note that the use of CRF is at your own risk. See LICENSE for more details.

  3. What are the costs associated with the use of CRF? None! CRF is a community-driven solution initiated by Cyris360 BV to help organizations learn from each other and improve the common knowledge around cyber risks. Of course you still need to invest time when adopting CRF (or a custom version of it), and when you do, we encourage you to give back to the community. See details in the contributing section.

  4. What kind of risks can CRF help me manage? CRF is mainly focused on risks from the cyber environment. This includes online services and applications, as well as products that run in a dedicated host environment (device or equipment) with or without internet connectivity. A list of risk categories will be indexed, released, and maintained in the future.