How You Can Identify Your Cyber Risks

U.S. President Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” on February 12, 2013. In enacting this policy, the Executive Order calls for the development of a voluntary risk-based Cybersecurity Framework – a set of industry standards and best practices to help organizations manage cybersecurity risks.
The Framework Core, which is outlined by the National Institute of Standards and Technology (NIST), consists of five concurrent and continuous Functions: Identify, Protect, Detect, Respond, Recover. When considered together, these Functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk.
In this blog I outline the first of these functions: Identify, which is described by NIST as follows – “Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.”
Identifying cyber risks is the stage of the NIST cyber security framework that helps an organisation understand the risks it is facing, what it wants to protect itself against and the assets it wants to protect. Looking first at assets, there are many different types, of which financial assets are the most obvious.
It’s important to note in passing, however, that while NIST deals with cyber (and therefore digital assets), using NIST as a risk management system - or the foundations of such a system - also allows organisations to protect themselves more widely against risk irrespective of the threat that they face. So, for example, an organisation could apply the methodology to assess the threat and risk to its building against damage, flooding or vandalism. The framework applies to risks that insurance companies - or companies buying insurance - are always thinking about or managing.
Where NIST applies predominantly to digital assets - information that people hack into, steal, put on a USB thumb drive, print out or photograph off a screen - the framework attempts to identify how sensitive the information is, or what type of information it is, that organisations are looking to protect. In my next blog in this series I will outline the Intellectual Property risk.

Darren Wray