Cyber Security

luckyqloo
W1R1MR.docx

100-word response; no references, no citations.

Do you agree or disagree and WHY?

Enterprise Risk Management (ERM) is described as procedures led and organized by qualified individuals in the planning and designing of a risk strategy, but which also handle risk throughout the entire company to meet the intended goals. ERM is important because it provides a plan to keep security risk at bay. The text describes its importance as encompassing a set of resources, procedures, and actions adapted to organizational characteristics to enable management to keep risks at a reasonable level (Yap et al., 2016).

The National Institute of Standards and Technology (NIST) framework is a mitigation method for managing risk, using a three-part approach. The first is the Framework Core, which presents standards, guidelines, and best practices that are implemented across the entire company, from top-level executives to operational levels. The Core involves five functions: Identify, Protect, Detect, Response, and Recover, with an emphasis on Incident Response. The second is the Framework Implementation Tiers; these tiers represent the process that is set in place for the risk that has been identified. The example provided by the text ranges from Partial (Tier 1) to Adaptive (Tier 4). Finally, the Framework Profile is where all of the guidelines and standards set are positioned to scenarios specific to the organization. These profiles can also be used to compare and adjust the current cybersecurity position.

NIST is important because it can provide self-assessment of a cybersecurity aspect and point out possible changes in current and future risk. NIST also provides a communication channel with stakeholders to represent the needs of critical products and services to stay secure. NIST (2018) states that, according to the Cybersecurity Enhancement Act (CEA) of 2014, NIST must identify:

    A prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls that may be voluntarily adopted by owners and operators of critical infrastructure to help them identify, assess, and manage cyber risks. (p. 1)

ISO 27001 establishes an Information Security Management System (ISMS) with respect to information security risk. This standard covers various entities in a broad range of classifications, e.g. commercial, government, and even nonprofits, to name a few of the most prominent, and it also ranges across sizes and markets to meet the needs of any organization. First, an assessment of the organization's security risk is conducted, aiding the selection process that is right for the organization. ISO 27001 can be combined with ISO 27002 for more specific security controls, although this is not required. The controls set by the 27K standards provide a certification that, due to its high standard, is increasingly required by partners, suppliers, or other organizations, all of whom have high concerns about security risk. There is a list of mandatory requirements for certification, as stated by ISO/IEC (2013), to stay in compliance, providing benefits such as high compliance within information security while demonstrating the importance of information security for the organization.


ISO/IEC (2013). ISO/IEC 27001: Information security management systems – Requirements (2nd ed.). Retrieved from http://www.iso27001security.com/html/27001.html

NIST (2018). Framework for improving critical infrastructure cybersecurity. Cybersecurity Framework, 1(1). Retrieved from https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

Yap Kiew Heong Angeline, & Yap Saw Teng. (2016). Enterprise Risk Management: Evidence from Small-Medium