Survey of Risk Management Methods, Frameworks and Capability Maturity Models for the EU Network Information Security Platform

Introduction

The EU Cyber Security Strategy established the NIS Platform (NISP) to provide voluntary guidance on risk management and information sharing, including incident notification, based on the identification of cross-sectorial best practices. NISP comprises three working groups of governments and industry.  Each WG is tasked to complete their first contributions in Dec 13 and final contributions by late April 14.

NISP WG1 (Risk Management) has established four sub-groups (SG1 – Risk Management Models; SG2 – Risk Management Metrics; SG3 – Risk Management Frameworks and Capability Maturity Models; SG4 – Education and Awareness).  SG1 is tasked to review existing risk management methods and perform a gap analysis.  SG3 is tasked to conduct a review of risk management frameworks and capability maturity models to inform the work of the WG and to help identify the few primary frameworks that are likely to endure.  This survey is from SGs 1 and 3.

Your response is valuable and valued.  Thank you for responding to this survey. 

Purpose

The purpose of this survey is to identify and capture key reference documents for cybersecurity risk management, and to gather views of all EU nations and lead industries.

The results will enable NISP WG 1 to develop recommendations on risk management for the NIS Directive.

This survey has been designed to be as simple and flexible as possible.

Assumptions

Having consulted all WG1 members, we have adopted an analysis approach that develops a balanced view based on the following assumptions:

  • Use all the previous work available (including the risk management methods analysis and comparison done by ENISA).
  • Methods and frameworks must address both internal/enterprise risks and external/supply chain/community/shared risks.
  • They must address both static and dynamic risks.
  • They must be adaptable to manage risks presented by new technologies, including mobile and cloud computing.
  • They must have a structure that enables parameters to be measured and compared for the purpose of analysis and assessment, and also to enable predictable and repeatable results.
  • There will be multiple standards and/or specifications. This is not a competition; the issue is about interoperability and re-use. 
  • Successful national methods or standards should be internationally interoperable.
  • Analysis will be use-case driven.  Communities must understand their primary use cases before selecting any framework.
  • The requirements of communities, not enterprises, will drive market adoption.
  • Each method or framework document should be, or plan to become, an international standard via an approved standards body.  Where this is not possible, the barriers to its use should be minimised.
  • Each document should be freely available at no cost or minimal cost.  Cost should not be a barrier to widespread adoption.

The anonymised results of the survey will be used only to inform the Risk Management WG.   Detailed comments will not be published further without the permission of relevant contributors.

Risk Management Methods

The risk management methods in scope are all those brought into this survey, including those listed on the ENISA risk management website[1]:

  • International
    • ISO/IEC 13335-2
    • ISO/IEC 27001 – ISO/IEC 31000
  • National public or private standards
    • Austrian IT Security Handbook
    • Belgian ISAMM
    • French Ebios
    • French Marion
    • French Mehari
    • German IT-Grundschutz
    • Italian Migra
    • NL A&K Analysis
    • Spanish Magerit
    • UK CRAMM
    • US SP800-30
    • Any other national document yet to be provided or suggested
  • Private sector
    • CORAS
    • DREAD
    • IASME
    • IS
    • ISF Methods
    • ISRAM
    • Octave
    • RiskSafe Assessment
    • VERIS
  • Industrial Controls
    • IEC 62443
    • ISA-99

Risk Mitigation Cyber Controls Frameworks

The frameworks of interest to the survey include risk assessment and associated risk management mitigations, with a special interest in their ability to support automation.

Besides the risk management methods included in the previous section, the main risk mitigation frameworks of international interest include the following, because they specify cyber controls:

  • Internationally recognised and significantly interoperable:
    • ISO/IEC 27002 and 27006 controls
    • Australian Top 35 Mitigations
    • US SP800-53 R4
    • SANS 20 Critical Controls
  • Other national or industry-specific risk mitigation frameworks or standards:
    • COBIT
    • German BSI 100 series
    • Any other national document yet to be provided or suggested

Risk Management Capability Maturity Models

Capability models are of interest to the survey, but it is recognised that such models can be embedded in the cyber controls frameworks.

The risk management capability maturity models of interest include:

  • CERT CC Resilience Maturity Model
  • COBIT
  • US Dept of Energy (DoE) Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)
  • Any other national document yet to be provided or suggested


[1] http://rm-inv.enisa.europa.eu/methods/rm_ra_methods.html

Question details


1. Describe the nature of your organisation’s business, its number of employees (>5000, <5000, <250, <50, <10) and the nature of its external interactions – e.g. business community or sector, supply chain, partner organisations, government customers as well as your role in the organization.


Considering that risk analysis addresses both the probability of threats and their potential impacts in case of occurrence, while impact analysis focuses only on the potential impacts of threats, do you think that they are compatible? If so, in what way?


How do you think it could be overcome? Do you think that publicly available information regarding incidents could be useful (for actuarial techniques)?


Do you think that some kind of criteria should be established to make results comparable between different organisations (for example, for supply chain purposes)? Please provide suggestions of such criteria.


Globalisation is driving greater collaboration and re-use of capabilities. This, in turn, drives the requirement for standardisation, particularly for policies, procedures and mechanisms to support trust and interoperability across organisations. US SP800-53 R4 is one example of a mature cyber controls framework for risk mitigation. It provides a range of controls in 18 families, mapped to three Levels of Assurance (High, Medium, Low), which map to Levels of Assurance 2-4 of ISO 29115. ISO 27002 and 27006, SANS 20 Critical Controls and Australian Top 35 controls are similar.


If possible, please provide examples of what you consider effective motivators to conduct risk management.
