Asset management is most commonly associated with cybersecurity hygiene, which is associated with patching, anti-virus, access control, and other asset-specific protections. However, there are three NIST CSF sub-categories that I want to bring to your attention and how they align with a mission-based cybersecurity risk program.
ID.AM-1: Physical devices and systems within the organization are inventoried.
ID.AM-2: Software platforms and applications within the organization are inventoried.
ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value.
These three sub-categories are the foundation of your organization's cybersecurity program, specifically, your cybersecurity risk program.
Some factors to keep in mind when developing a priority methodology:
There are two types of third-party risk: product vendors and service providers. Product vendors outsource software, platform, and infrastructure, known as SaaS, PaaS, and IaaS. According to some estimates, only 40% of applications are hosted on-premises.
The service providers are consulting third-party vendors, such as management consultants, IT consultants, Cybersecurity consultants, and managed service consultants. However, regardless of the type of third-party vendor, these are the five focus areas your third-party risk management program should focus on:
Pursuing perfection takes a lot of resources, financially and people. In Cybersecurity risk management, there are two key questions:
The answer to these questions will be your risk tolerance. Chasing perfection has challenges and may not get you where you want to be. Chasing perfection may also risk missing the big picture, leaving security gaps in other areas of your organization, and burning out your staff.
A holistic and mission-driven approach to cybersecurity, with reasonable and measurable goals, will help secure your organization. To get you started, keep in mind three questions:
There is a three-point framework to keep in mind when preparing a report to the Board, especially if you are a small to medium-size business with annual revenue between $100M to $700M with [potentially] no CISO in your organization.
One key factor to remember is to be prepared to answer how your organization compares to others in the industry. I suggest discussing with other organizations in the same industry and of similar size.
Author: Dr. Bill Souza | Jul 8,...
NIST has developed a cybersecurity risk management framework that addresses the issue as a comprehensive process that requires organizations to:
These four pillars must be addressed by all small and midsize businesses. A small and midsize business (SMB) is a business that, due to its size, has different IT requirements — and often faces different IT challenges — than do large enterprises, and whose IT resources (usually budget and staff) are often highly constrained.
Author: Dr. Bill Souza | Jul 6, 2022