Survey of Risk Management Methods, Frameworks and Capability Maturity Models for the EU Network Information Security Platform

Introduction

The EU Cyber Security Strategy established the NIS Platform (NISP) to provide voluntary guidance on risk management and information sharing, including incident notification, based on the identification of cross-sectorial best practices. NISP comprises three working groups of governments and industry. Each WG is tasked to complete their first contributions in Dec 13 and final contributions by late April 14.

NISP WG1 (Risk Management) has established four sub-groups (SG1 – Risk Management Models; SG2 – Risk Management Metrics; SG3 – Risk Management Frameworks and Capability Maturity Models; SG4 – Education and Awareness). SG1 is tasked to review existing risk management methods and perform a gap analysis. SG3 is tasked to conduct a review of risk management frameworks and capability maturity models to inform the work of the WG and to help identify the few primary frameworks that are likely to endure. This survey is from SGs 1 and 3.

Your response is valuable and valued. Thank you for responding to this survey.

Purpose

The purpose of this survey is to identify and capture key reference documents for cybersecurity risk management, and to gather views of all EU nations and lead industries.

The results will enable NISP WG 1 to develop recommendations on risk management for the NIS Directive.

This survey has been designed to be as simple and flexible as possible.

Assumptions

Having consulted all WG1 members, our analysis approach is to develop a balanced view based on the following assumptions:

Use all the previous work available (including the risk management methods analysis and comparison done by ENISA).
Methods and frameworks must address both internal/enterprise risks and external/supply chain/community /shared risks.
They must address both static and dynamic risks.
They must be adaptable to manage risks presented by new technologies, including mobile and cloud computing.
They must have a structure that enables parameters to be measured and compared for the purpose of analysis and assessment, and also to enable predictable and repeatable results
There will be multiple standards and/or specifications. This is not a competition; the issue is about interoperability and re-use.
Successful national methods or standards should be internationally interoperable.
Analysis will be use-case driven. Communities must understand their primary use cases before selecting any framework.
The requirements of communities, not enterprises, will drive market adoption.
Each method or framework document should be, or plan to become, an international standard via an approved standards body. Where this is not possible, the barriers to its use should be minimised.
Each document should be freely available at no cost or minimal cost. Cost should not be a barrier to widespread adoption.

The anonymised results of the survey will be used only to inform the Risk Management WG. Detailed comments will not be published further without the permission of relevant contributors.

Risk Management Methods

The risk management methods in scope are all those brought into this survey including those listed on the ENISA risk management website[1]:

International
- ISO/IEC 13335-2
- ISO/IEC 27001 – ISO/IEC 31000
- National public or private standards
  - Austrian IT Security Handbook
  - Belgian ISAMM
  - French Ebios
  - French Marion
  - French Mehari
  - German IT-Grundschutz
  - Italian Migra
  - NL A&K Analysis
  - Spanish Magerit
  - UK CRAMM
  - US SP800-30
  - Any other national document yet to be provided or suggested
  - Private sector
    - CORAS
    - DREAD
    - IASME
    - IS
    - ISF Methods
    - ISRAM
    - Octave
    - RiskSafe Assessment
    - VERIS
    - Industrial Controls
      - IEC 62443
      - ISA-99

Risk Mitigation Cyber Controls Frameworks

The frameworks of interest to the survey include risk assessment and associated risk management mitigations, with a special interest on their ability to support automation.

Besides the risk management methods included in previous section, the main risk mitigation frameworks of international interest include the following because they specify cyber controls:

Internationally recognised and significantly interoperable:
- ISO/IEC 27002 and 27006 controls
- Australian Top 35 Mitigations
- US SP800-53 R4
- SANS 20 Critical Controls
- Other national or industry specific risk mitigation frameworks or standard
  - COBIT
  - German BSI 100 series
  - Any other national document yet to be provided or suggested

Risk Management Capability Maturity Models

Capability models are of interest to the survey but it is recognised that such models can embedded in the cyber controls frameworks.

The risk management capability maturity models of interest include:

CERT CC Resilience Maturity Model
COBIT
US Dept of Energy (DoE) Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)
Any other national document yet to be provided or suggested

[1] http://rm-inv.enisa.europa.eu/methods/rm_ra_methods.html

Question details

Please enter your Name (Required)

Please enter your email address: (Required)

Please enter the name of your Company: (Required)

Country (Required)

Describe the nature of your organisation’s business, its number of employees (>5000, <5000, <250, <50, <10) and the nature of its external interactions – e.g. business community or sector, supply chain, partner organisations, government customers (Required)

1. Describe the nature of your organisation’s business, its number of employees (>5000, <5000, <250, <50, <10) and the nature of its external interactions – e.g. business community or sector, supply chain, partner organisations, government customers as well as your role in the organization.

> 5000

< 5000

< 250

< 50

< 10

Describe the strategic nature of the risks faced by your organisation and its primary concerns regarding risk mitigation. (Required)

Describe your risk management approach within the organisation, including risk assessment and risk mitigation, and the risk appetite of the business. (Required)

Describe your risk management approach outside the organisation, including risk assessment and risk mitigation, and the risk appetite of the business. (Required)

In your opinion, what are the key elements that a risk management methodology should include in order to be used for any kind of organization (from critical infrastructure operator to SMEs) ? Please provide them in priority order. (Required)

Regarding critical infrastructure protection, some organizations are switching from risk analysis to impact analysis for taking cyber security decisions. (Required)

Considering that risk analysis addresses both probability of threats and potential impacts in case of occurrence, and impact analysis only focused on potential impacts of threats. Do you think that they are compatible? If so, in what way?

As a predictive technique, risk analysis (on its own) has been shown not to be effective for preventing any incident organizations could suffer (black swans –rare or unexpected events are more difficult to rationalized and treat– or new threats). (Required)

How do you think it could be overcome? Do you think that publicly available information regarding incidents could be useful (for actuarial techniques)?

In your opinion, should risk analysis be complemented with other techniques to improve levels of cyber security? If you think so, which techniques could complement risk analysis to improve cyber security levels ? (Required)

Using different risk management methodologies will normally lead to levels of risk that are difficult to compare. (Required)

Do you think that some kind of criteria should be established to make results comparable between different organizations (for example, for supply chain purposes)? Please, provide suggestions of such criteria.

What recognised standards or frameworks (listed above) does your organisation use to assess and mitigate risks ? (Required)

What is your experience? How effective are these standards/frameworks at assessing and mitigating your internal and external risks ? (Required)

If there was a framework for risk assessment and risk mitigation, what would “good” look like ? (Required)

What gaps exist and what improvements need to be made to these standards/frameworks to address your risks more effectively ? (Required)

Does your organisation use one of the following frameworks or one equally as effective ? If not, how do you mitigate for risks that less effective frameworks do not address ? (Required)

Globalisation is driving greater collaboration and re-use of capabilities. This in turn, drives the requirement for standardisation, particularly for policies, procedures and mechanisms to support trust and interoperability across organisations. US SP800-R4 is one example of a mature cyber controls framework for risk mitigation. It provides a range of controls in 18 families, mapped to three Levels of Assurance (High, Medium, Low), which map to Levels of Assurance 2-4 of ISO 29115. ISO 27002 and 27006, SANS 20 Critical Controls and Australian Top35 controls are similar.

Describe any potential or perceived barriers to the adoption of best practices for risk management, particularly in support of the EU Cyber Security Strategy, which you believe need to be addressed. (Required)

If possible, please provide examples of what you consider effective motivators to conduct risk management.

Does your organisation use a risk management capability maturity model based on standards. If so, which one(s)? If not, what would you require from a capability maturity model to use it for your organisation or community? (Required)

— filed under: NIS Platform

Home

Log in

Survey of Risk Management Methods, Frameworks and Capability Maturity Models for the EU Network Information Security Platform

Introduction

Purpose

Assumptions

Risk Management Methods

Risk Mitigation Cyber Controls Frameworks

Risk Management Capability Maturity Models

Please enter your Name (Required)

Please enter your email address: (Required)

Please enter the name of your Company: (Required)

Country (Required)

Describe the nature of your organisation’s business, its number of employees (>5000, <5000, <250, <50, <10) and the nature of its external interactions – e.g. business community or sector, supply chain, partner organisations, government customers (Required)

Describe the strategic nature of the risks faced by your organisation and its primary concerns regarding risk mitigation. (Required)

Describe your risk management approach within the organisation, including risk assessment and risk mitigation, and the risk appetite of the business. (Required)

Describe your risk management approach outside the organisation, including risk assessment and risk mitigation, and the risk appetite of the business. (Required)

In your opinion, what are the key elements that a risk management methodology should include in order to be used for any kind of organization (from critical infrastructure operator to SMEs) ? Please provide them in priority order. (Required)

Regarding critical infrastructure protection, some organizations are switching from risk analysis to impact analysis for taking cyber security decisions. (Required)

As a predictive technique, risk analysis (on its own) has been shown not to be effective for preventing any incident organizations could suffer (black swans –rare or unexpected events are more difficult to rationalized and treat– or new threats). (Required)

In your opinion, should risk analysis be complemented with other techniques to improve levels of cyber security? If you think so, which techniques could complement risk analysis to improve cyber security levels ? (Required)

Using different risk management methodologies will normally lead to levels of risk that are difficult to compare. (Required)

What recognised standards or frameworks (listed above) does your organisation use to assess and mitigate risks ? (Required)

What is your experience? How effective are these standards/frameworks at assessing and mitigating your internal and external risks ? (Required)

If there was a framework for risk assessment and risk mitigation, what would “good” look like ? (Required)

What gaps exist and what improvements need to be made to these standards/frameworks to address your risks more effectively ? (Required)

Does your organisation use one of the following frameworks or one equally as effective ? If not, how do you mitigate for risks that less effective frameworks do not address ? (Required)

Describe any potential or perceived barriers to the adoption of best practices for risk management, particularly in support of the EU Cyber Security Strategy, which you believe need to be addressed. (Required)

Does your organisation use a risk management capability maturity model based on standards. If so, which one(s)? If not, what would you require from a capability maturity model to use it for your organisation or community? (Required)

Home

Log in

Introduction

Purpose

Assumptions

Risk Management Methods

Risk Mitigation Cyber Controls Frameworks

Risk Management Capability Maturity Models

Please enter your Name (Required)

Please enter your email address: (Required)

Please enter the name of your Company: (Required)

Country (Required)

Describe the nature of your organisation’s business, its number of employees (>5000, <5000, <250, <50, <10) and the nature of its external interactions – e.g. business community or sector, supply chain, partner organisations, government customers (Required)

Describe the strategic nature of the risks faced by your organisation and its primary concerns regarding risk mitigation. (Required)

Describe your risk management approach *within* the organisation, including risk assessment and risk mitigation, and the risk appetite of the business. (Required)

Describe your risk management approach *outside* the organisation, including risk assessment and risk mitigation, and the risk appetite of the business. (Required)

In your opinion, what are the key elements that a risk management methodology should include in order to be used for any kind of organization (from critical infrastructure operator to SMEs) ? Please provide them in priority order. (Required)

Regarding critical infrastructure protection, some organizations are switching from risk analysis to impact analysis for taking cyber security decisions. (Required)

As a predictive technique, risk analysis (on its own) has been shown not to be effective for preventing any incident organizations could suffer (black swans –rare or unexpected events are more difficult to rationalized and treat– or new threats). (Required)

In your opinion, should risk analysis be complemented with other techniques to improve levels of cyber security? If you think so, which techniques could complement risk analysis to improve cyber security levels ? (Required)

Using different risk management methodologies will normally lead to levels of risk that are difficult to compare. (Required)

What recognised standards or frameworks (listed above) does your organisation use to assess and mitigate risks ? (Required)

What is your experience? How effective are these standards/frameworks at assessing and mitigating your internal and external risks ? (Required)

If there was a framework for risk assessment and risk mitigation, what would “good” look like ? (Required)

What gaps exist and what improvements need to be made to these standards/frameworks to address your risks more effectively ? (Required)

Does your organisation use one of the following frameworks or one equally as effective ? If not, how do you mitigate for risks that less effective frameworks do not address ? (Required)

Describe any potential or perceived barriers to the adoption of best practices for risk management, particularly in support of the EU Cyber Security Strategy, which you believe need to be addressed. (Required)

Does your organisation use a risk management capability maturity model based on standards. If so, which one(s)? If not, what would you require from a capability maturity model to use it for your organisation or community? (Required)

Describe your risk management approach within the organisation, including risk assessment and risk mitigation, and the risk appetite of the business. (Required)

Describe your risk management approach outside the organisation, including risk assessment and risk mitigation, and the risk appetite of the business. (Required)