Example Cyber Security Risk Management Framework Template RMF

This document outlines a cybersecurity risk management framework and methodology. It discusses risk management principles, fundamentals, and processes at the enterprise, initiative, and asset levels. Key aspects covered include identifying and analyzing risks, prioritizing risks, treating risks, monitoring risks, and documenting risk findings. Impact and likelihood are defined to assess risk levels, with categories ranging from insignificant to catastrophic. The framework is intended to help organizations manage cybersecurity risks.

CYBERSECURITY

RISK MANAGEMENT PROGRAM

ACME Business Consulting, Inc.


Table of Contents
FOREWORD 5
CYBERSECURITY RISK MANAGEMENT FRAMEWORK OVERVIEW 6
WHAT IS RISK? 6
WHAT IS MEANT BY MANAGING RISK? 6
RISK MANAGEMENT ACTIVITIES 6
RISK MANAGEMENT BENEFITS 6
CORPORATE GOVERNANCE 7
WHEN SHOULD RISK BE MANAGED? 7
WHO HAS THE AUTHORITY TO MANAGE RISK? 8
BUSINESS UNIT 8
INFORMATION TECHNOLOGY 8
CYBERSECURITY 8
HOW ARE RISK MANAGEMENT DECISIONS ESCALATED? 8
TIER 1 – LINE MANAGEMENT 8
TIER 2 – SENIOR MANAGEMENT 8
TIER 3 – EXECUTIVE MANAGEMENT 8
TIER 4 – BOARD OF DIRECTORS 9
HOW DO WE CATEGORIZE RISK? 10
LOW RISK 10
MEDIUM RISK 10
HIGH RISK 10
SEVERE RISK 10
EXTREME RISK 10
RISK MANAGEMENT PRINCIPLES 11
PRINCIPLE #1 – CORPORATE GOVERNANCE & RISK MANAGEMENT 11
PRINCIPLE #2 – MANAGEMENT COMMITMENT 11
PRINCIPLE #3 – BUILD A RISK-AWARE CULTURE 12
PRINCIPLE #4 – MAINTAIN SITUATIONAL AWARENESS (REVIEW & MONITOR) 12
PRINCIPLE #5 – APPLY RISK TOLERANCE CONSISTENTLY 12
PRINCIPLE #6 – SEEK OPPORTUNITIES 12
RISK MANAGEMENT FUNDAMENTALS 13
CONTEXT OF RISK MANAGEMENT 13
RISK MANAGEMENT MATURITY LEVELS 13
RISK MANAGEMENT MODEL (RMM) 13
TARGET MATURITY LEVEL 13
DEFINING THE RISK APPETITE 14
SITUATIONAL AWARENESS 14
IDENTIFYING RISKS 14
KEY QUESTIONS IN IDENTIFYING RISK 15
POSSIBLE METHODS OF IDENTIFYING RISK 15
ANALYZING RISKS 15
RISK ASSESSMENT METHODS 15
ASSESSING CYBERSECURITY CONTROLS 16
CONSEQUENCE ANALYSIS 16
EVALUATING & PRIORITIZING RISKS 17
SCREENING RISKS 17
PRIORITIZATION DECISIONS 17
RISK TREATMENT 18
UNDERSTANDING OPTIONS TO TREAT RISKS 18
RISK TREATMENT OPTIONS 18
MONITORING & REPORTING RISK 19
DEALING WITH UNCERTAINTIES 19
METHODS OF ONGOING REVIEW 19
KEY QUESTIONS IN RISK MONITORING & REVIEW 20
BUSINESS VALUE FROM ONGOING RISK MANAGEMENT 20

Cybersecurity Risk Management Framework (RMP) - Version 2017.1 Page 2 of 57


DOCUMENTING RISK & REPORTING FINDINGS 20
CYBERSECURITY RISK MANAGEMENT METHODOLOGY 21
MAINTAINING FLEXIBILITY – HYBRID APPROACH TO RISK MANAGEMENT 21
COSO / COBIT – STRATEGIC APPROACH TO RISK MANAGEMENT 21
ISO – OPERATIONAL APPROACH TO RISK MANAGEMENT 21
NIST – TACTICAL APPROACH TO RISK MANAGEMENT 21
ENTERPRISE LEVEL – STRATEGIC APPROACH TO RISK MANAGEMENT 22
RISK ASSESSMENTS FOR THE ENTERPRISE 24
CYBERSECURITY CONTROL SELECTION FOR THE ENTERPRISE 24
IMPLEMENTING COSO THROUGH CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY (COBIT) 24
INITIATIVE / PROGRAM LEVEL – OPERATIONAL APPROACH TO RISK MANAGEMENT 26
ISO 31010 RISK MANAGEMENT FRAMEWORK 26
RISK ASSESSMENTS FOR INITIATIVES / PROGRAMS 27
CYBERSECURITY CONTROL SELECTION FOR INITIATIVES / PROGRAMS 27
ASSET / PROJECT-LEVEL – TACTICAL APPROACH TO RISK MANAGEMENT 28
NIST 800-37 RISK MANAGEMENT FRAMEWORK – SECURITY LIFE CYCLE 28
RISK ASSESSMENTS FOR ASSETS / PROJECTS 29
CYBERSECURITY CONTROL SELECTION FOR PROJECTS / ASSETS 29
RISK ASSESSMENT LAYERS 30
THREAT & RISK ASSESSMENT METHODOLOGY 32
DEFINING POTENTIAL IMPACT 32
INSIGNIFICANT 32
MINOR 32
MODERATE 32
MAJOR 32
CRITICAL 32
CATASTROPHIC 32
DEFINING POTENTIAL LIKELIHOOD 33
CATEGORIES OF POTENTIAL LIKELIHOOD 33
ESTIMATING PROBABILITY 34
DEFINING CRITICALITY LEVELS (CL) FOR ASSETS / SYSTEMS / DATA 35
MISSION CRITICAL (CL1) 35
BUSINESS ESSENTIAL (CL2) 35
BUSINESS CORE (CL3) 35
BUSINESS SUPPORTING (CL4) 36
DEFINING RISK LEVELS 36
APPENDICES 37
APPENDIX A – SOURCES OF RISK 37
NATURAL THREATS 37
MAN-MADE THREATS 38
INFORMATION & TECHNOLOGY RISKS 39
EXAMPLES 39
APPENDIX B – RISK ROLES & RESPONSIBILITIES 41
CHIEF RISK OFFICER (CRO) 41
CHIEF INFORMATION SECURITY OFFICER (CISO) 41
EXECUTIVE AND SENIOR MANAGEMENT 41
LINE MANAGEMENT 41
ALL EMPLOYEES 42
RISK OWNER 42
AUDIT, COMPLIANCE AND RISK COMMITTEE 42
INTERNAL AUDIT 42
APPENDIX C – RISK MATURITY MODEL 43
LEVEL 0 – NONEXISTENT 43
LEVEL 1 – AD HOC 43
LEVEL 2 – INITIAL 44
LEVEL 3 – REPEATABLE 44
LEVEL 4 – MANAGED 45



LEVEL 5 – LEADERSHIP 46
APPENDIX D – RISK ASSESSMENT TECHNIQUES 48
LOOK UP METHODS 48
CONTROLS ASSESSMENT 49
STATISTICAL METHODS 50
SCENARIO ANALYSIS 51
FUNCTION ANALYSIS 53
OTHER METHODS 54
GLOSSARY: ACRONYMS & DEFINITIONS 56
ACRONYMS 56
DEFINITIONS 56
RECORD OF CHANGES 57



CYBERSECURITY RISK MANAGEMENT FRAMEWORK OVERVIEW

The Cybersecurity Risk Management Program (RMP) framework provides definitive information on the prescribed measures used to manage cybersecurity-related risk at ACME Business Consulting, Inc. (ACME).

ACME is committed to protecting its employees, partners, clients and the company itself from damaging acts, whether intentional or unintentional. An effective cybersecurity program is a team effort involving the participation and support of every ACME user who interacts with data and systems. Therefore, it is the responsibility of every user to conduct their activities in a way that reduces risk across the enterprise.

Protecting company data and the systems that collect, process, and maintain this information is of critical importance. Consequently,
the security of systems must include controls and safeguards to offset possible threats, as well as controls to ensure accountability,
availability, integrity, and confidentiality of the data:

• Confidentiality – Preserving restrictions on information access and disclosure so that access is limited to authorized users and services only.
• Integrity – Ensuring that sensitive data has not been modified or deleted in an unauthorized and undetected manner.
• Availability – Ensuring timely and reliable access to and use of information.

Security measures must be taken to guard against unauthorized access to, alteration, disclosure or destruction of data and systems.
This also includes protecting data and systems from accidental loss or destruction.

WHAT IS RISK?
One important concept to understand is that risk is variable: it can be changed and is not static. This is important to keep in mind, since a “risk rating” is subject to change as the risk environment changes.

Risk represents exposure to harm or loss. This is commonly quantified as a combination of potential impact, likelihood and control effectiveness. Appendix A – Types of Information & Technology Risk provides examples of specific types of risk associated with information and technology.

WHAT IS MEANT BY MANAGING RISK?


Risk management consists of the coordinated activities that optimize the management of potential opportunities and adverse effects. The alternative to risk management is crisis management. Risk management provides a way of realizing potential opportunities without exposing ACME to unnecessary peril.

RISK MANAGEMENT ACTIVITIES


Risk management activities are logical and systematic processes that can be used when making decisions to improve the effectiveness and efficiency of performance. These activities:
• Should be integrated into everyday work;
• Identify and help prepare for what might happen;
• Involve taking action to avoid or reduce unwanted exposures;
• Involve taking action to maximize identified opportunities;
• Encourage proactive rather than reactive management; and
• Identify opportunities to improve performance.

RISK MANAGEMENT BENEFITS


The benefits of comprehensive risk management include:
• Improved transparency in decision making, because criteria are made explicit;
• Fewer costly surprises, since undesirable risks are identified and managed;
• A more rigorous basis for strategic planning, as a result of structured consideration of the key elements of risk;
• Better identification and exploitation of opportunities; and
• Improved effectiveness and efficiency in complying with applicable statutory, regulatory and contractual requirements.



CORPORATE GOVERNANCE
Corporate governance refers to the way in which ACME is directed and controlled in order to achieve its strategic goals and operational
objectives. It involves governance of ACME to ensure the control environment makes the organization reliable in achieving its goals
and objectives within an acceptable degree of risk.

Essential to corporate governance and compliance are management and staff knowledge of:
• Statutory, regulatory and contractual requirements;
• ACME’s internal policies, standards and procedures;
• Impact of changes; and
• Consequences of non-compliance.

WHEN SHOULD RISK BE MANAGED?


Risk should be managed continuously. All business decisions involve the management of some kind of risk. That is true whether the
decisions affect everyday operations (e.g., deciding work priorities, making budget or staffing decisions) or decisions about policies,
strategies or projects.

It is desirable to develop a mindset of a conscious approach to managing the risks inherent in every decision. Many decisions have to
be made quickly and are often based on intuition, but it is nevertheless important to think about the risks involved. The formal step-
by-step process is to be applied to decision making at all levels throughout ACME. The risk management process involves establishing
the context, identification, analysis, evaluation, treatment, monitoring and review of risks. Effective communication and consultation
with stakeholders is required throughout the risk management process, as well.

Risks can arise from both internal and external sources. While it is not possible to have a totally risk-free environment, it may be
possible to treat risk by avoiding, reducing, transferring, or accepting the risks.

[Figure 1 diagram: asset owners value assets and wish to minimize risk, so they impose countermeasures to reduce risk; threat agents give rise to threats that increase risk to assets, which threat agents wish to abuse and/or may damage.]

Figure 1: Understanding the connected nature of managing risk.



WHO HAS THE AUTHORITY TO MANAGE RISK?
Determining how to handle risk is always a management decision. Appendix B – Risk Roles & Responsibilities provides more granular
guidance on risk-related roles and responsibilities.

It is important to keep in mind that risk management is far more than a “technology issue,” and it requires the direct involvement of
business process owners, IT personnel, and cybersecurity. Each has a role to play in risk management operations:

BUSINESS UNIT
• The Business Unit (BU) that requires the technology to be in place and function ultimately “owns” the risk associated with ongoing operation of systems.
• Business Process Owners (BPOs) are individuals within BUs who are the central point of contact for IT and cybersecurity to work with on risk management decisions.

INFORMATION TECHNOLOGY
• IT has a shared responsibility with the BUs to securely operate and maintain systems.
• IT executes vulnerability management tasks.

CYBERSECURITY
• Cybersecurity operates as a facilitator of vulnerability and patch management decisions.
• Cybersecurity focuses on providing expert guidance and support to both IT and the Business Unit.

Figure 2: Risk governance model.

HOW ARE RISK MANAGEMENT DECISIONS ESCALATED?


To empower management at the lowest level, four (4) tiers are established that allow for escalation. These tiers provide ACME with
the appropriate level of management oversight, based on the level of risk:

TIER 1 – LINE MANAGEMENT


Line Management is authorized to decide on risk treatment options for LOW risks and:
• May decide on a risk treatment plan or decide to accept the risk.
• Should develop a plan to incorporate remediation actions within a reasonable period of time.

TIER 2 – SENIOR MANAGEMENT


Senior Management is authorized to decide on risk treatment options for MEDIUM risks and:
• May decide on a risk treatment plan or decide to accept the risk.
• Should develop a plan to incorporate remediation actions within a reasonable period of time.

TIER 3 – EXECUTIVE MANAGEMENT


Executive Management is authorized to decide on risk treatment options for HIGH risks and:
• May decide on a risk treatment plan or decide to accept up to HIGH risk.
• Must develop a plan to incorporate remediation actions within a reasonable period of time.



HOW DO WE CATEGORIZE RISK?
The following five (5) categories establish the risk taxonomy for ACME. These categories range from “low” to “extreme” risk and allow
for a more granular understanding of risk. The intent of standardizing risk terminology for categories is so that all ACME personnel can
speak the same “risk language” across the enterprise. Categorization also allows management to compare and prioritize risks.

Based on the degree of exposure, these risk categories help enable ACME’s leadership to have informed decisions at the appropriate
level of management oversight. See the Threat & Risk Assessment (TRA) Methodology section for more details on calculating risk
categories.

LOW RISK
Insignificant damage could occur from a low risk:
• Financial impact is negligible (less than $[MODERATE RISK VALUE]).
• Impact would not be damaging to ACME's reputation or impede business operations.
• There are no violations of contractual, statutory or regulatory requirements.

MEDIUM RISK
Minimal damage could occur from a medium risk:
• Financial impact is potentially between $[MODERATE RISK VALUE] and $[MAJOR RISK VALUE].
• Impact would not be damaging to ACME's reputation or impede business operations.
• Impact could impede Business Core (CL3) or Business Supporting (CL4) systems or business operations.
• This may involve a violation of contractual requirements.
• There are no violations of statutory or regulatory requirements.

HIGH RISK
Moderate damage could occur from a high risk:
• Impact could include damage to ACME's reputation.
• Impact could impede Business Essential (CL2) systems or business operations.
• This may involve a violation of contractual, statutory and/or regulatory requirements.
• Financial impact is potentially between $[MAJOR RISK VALUE] and $[CRITICAL RISK VALUE].
• ACME's stock price could be negatively affected (<5% negative deviation).

SEVERE RISK
Significant financial and brand damage could occur from a severe risk:
• Impact could include significant damage to ACME's reputation.
• Impact could impede Mission Critical (CL1), and below, systems or business operations.
• Impact could negatively affect ACME's short-term competitive position.
• This may involve a violation of contractual, statutory and/or regulatory requirements.
• Financial impact is potentially between $[CRITICAL RISK VALUE] and $[CATASTROPHIC RISK VALUE].
• ACME's stock price could be moderately affected (>5% negative deviation).

EXTREME RISK
Extensive financial and long-term brand damage could occur from an extreme risk:
• Impact could include extensive damage to ACME's reputation.
• Impact could impede Mission Critical (CL1) systems or business operations.
• Impact could negatively affect ACME's long-term competitive position.
• Risk scenarios involving potential physical harm or fatality are included in this category.
• Financial impact is potentially over $[CATASTROPHIC RISK VALUE].
• ACME's stock price could be significantly affected (>10% negative deviation).



RISK MANAGEMENT PRINCIPLES

ACME is committed to establishing an organizational culture that ensures risk management is an integral part of all activities. The core function of risk management is to support the achievement of ACME’s objectives and ACME’s strategic direction.

Risk management is focused on identifying, evaluating, controlling and managing risks - it is not a negative or constraining concept. It
allows ACME to seek and take advantage of opportunities to achieve improved outcomes and outputs by ensuring that any risk taken
is based on informed decision-making, realistic and measurable objectives, and sound analysis of possible outcomes. The process can
be applied at all levels of ACME.

Sound risk management not only contributes to good governance; it also provides protection for managers in the event of adverse
outcomes. Provided risks have been managed in accordance with ACME’s guidelines, protection occurs on two levels:
• Firstly, the adverse outcome may not be as severe as it might otherwise have been.
• Secondly, those accountable can, in their defense, demonstrate that they have exercised a proper level of diligence.

The goal is for ACME to optimize its risk taking.

Figure 4: Optimizing risk model.

PRINCIPLE #1 – CORPORATE GOVERNANCE & RISK MANAGEMENT


Managing risk is an integral component of effective corporate governance and builds upon transparent and accountable processes,
consistent with sound business practice. Risk management is applied to the development and implementation of policy, plans and
future directions of ACME.

PRINCIPLE #2 – MANAGEMENT COMMITMENT


All levels of ACME are committed to the proactive management of risk in a systematic way to enhance our operation as “one company”
rather than as a group of individual entities. The risk management process makes a significant contribution towards establishing the
priorities in the allocation of resources. Managers at all levels are accountable and responsible for the management of risk within their
area of control.

The accountability and responsibility for ACME’s risk management practice rests with management at three different levels:
• Executive Management;
• Senior Management; and
• Line Management.

Executive and senior management, who are ultimately accountable for managing the risks that may affect their operations, are responsible for reviewing the risk management documentation prepared by their line managers.



RISK MANAGEMENT FUNDAMENTALS

CONTEXT OF RISK MANAGEMENT


Managers need to identify their role in contributing to ACME’s wider goals, objectives, values, policies and strategies when making
decisions about risk. This assists with defining the criteria by which it is decided whether a risk is tolerable or not, and forms the basis
of controls and management options.

Questions to clarify context include, but are not limited to:


• What are ACME’s strengths and weaknesses?
• What are the major outcomes expected?
• What are the major threats and opportunities presented?
• What are the significant factors that impact ACME’s internal and external environment?
• What is the policy, program, process or activity to which the risk management process is being applied?
• What problems were identified in previous reviews?
• What risk criteria should be established?
• Who are the stakeholders?

RISK MANAGEMENT MATURITY LEVELS


The Risk Maturity Model (RMM) provides standardized criteria by which organizations can benchmark risk management strategies to
identify program maturity levels, strengths and weaknesses, and next steps in the evolution of an Enterprise Risk Management (ERM)
program.1 Appendix C – Risk Maturity Model provides additional information on this topic, with specifics about which characteristics
exist for each maturity level.

The RMM maturity levels are organized progressively from “ad hoc” to “leadership” and depict corresponding levels of risk
management competency. The seven drivers for the systematic progression of levels are termed as "Attributes" and include variables
such as Process Management, Risk Appetite Management, Uncovering Risks, and Business Resiliency and Sustainability.

The RMM helps the leadership team define a roadmap to the successful adoption of an ERM. An ERM should be designed to view risks
across all areas of the business to identify strategic opportunities and reduce uncertainty. A unique feature of the RMM is its
applicability regardless of the specialized frameworks and standards that an organization is using, whether it is COSO ERM, COBIT,
Standard & Poor’s ERM or Sarbanes-Oxley.

RISK MANAGEMENT MODEL (RMM)


There are six (6) distinct levels of the RMM:

Figure 5: Risk maturity levels.

TARGET MATURITY LEVEL


As part of ACME’s multi-year strategy to reduce risk, the target is to achieve at least a Level 3 (Repeatable) maturity level.

1 Risk Management Society - https://www.rims.org/resources/ERM/Pages/RiskMaturityModelFAQ.aspx



CYBERSECURITY RISK MANAGEMENT METHODOLOGY

MAINTAINING FLEXIBILITY – HYBRID APPROACH TO RISK MANAGEMENT


There is no single “best practice” to managing risk, and risk assessments may require a multidisciplinary approach since risks may
cover a wide range of causes and consequences. Therefore, ACME is adopting a “best of breed” or hybrid approach to implementing
its risk management methodology. This will allow ACME to be flexible in how it assesses risk.

Since every organization is managed by different people, who have unique skills and experiences that drive their professional
judgments, one organization’s accepted method for internal control will not equally apply to other organizations. As it pertains to
ACME, while the COSO framework provides principles and points of focus that direct ACME towards well-designed control activities,
COSO was not intended to dictate the specific controls that should be implemented. Therefore, ACME must also rely upon additional
frameworks to provide granularity in evaluating risks in order for ACME to be secure, vigilant, and resilient.

ACME will use guidance from the following best practice frameworks to manage risk, according to which framework is most applicable:

COSO / COBIT – STRATEGIC APPROACH TO RISK MANAGEMENT


• The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative dedicated to providing thought leadership through the development of frameworks and guidance on Enterprise Risk Management (ERM), internal control and fraud deterrence.
• The 2013 version of the COSO framework establishes the enterprise-level model used to manage risk.2
• Control Objectives for Information and Related Technology (COBIT) establishes a control base to help implement COSO.

ISO – OPERATIONAL APPROACH TO RISK MANAGEMENT


• The International Organization for Standardization (ISO) 31010 establishes a framework for managing risk that builds on existing ISO standards, guidelines, and practices to guide organizations to reduce the potential impacts of cyber risks.3
• ISO 31010 guidance establishes the initiative/program-level model used to manage risk, since it provides a higher-level model for evaluating and managing risk.

NIST – TACTICAL APPROACH TO RISK MANAGEMENT


• The National Institute of Standards and Technology (NIST) of the U.S. Department of Commerce publishes information security guidance for the public and private sectors.
• NIST Special Publication 800-37 establishes a framework for managing risk that builds on existing NIST standards, guidelines, and practices to guide organizations to reduce the potential impacts of cyber risks.4
• NIST SP 800-37 guidance establishes the asset/project-level model used to manage risk, since it provides a granular model for evaluating and managing risk throughout the lifecycle of an asset or project.

Figure 6: Hierarchical risk frameworks.

2 COSO - http://www.coso.org/
3 ISO 31010 - http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=51073
4 NIST 800-37 - http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf



ENTERPRISE LEVEL – STRATEGIC APPROACH TO RISK MANAGEMENT
When a company manages cyber risk through a COSO lens, it enables the board of directors and senior executives to better
communicate their business objectives, their definition of critical information systems, and related risk tolerance levels. This enables
others within the organization, including IT personnel, to perform a detailed cyber risk analysis by evaluating the information systems
that are most likely to be targeted by attackers, the likely attack methods, and the points of intended exploitation. In turn, appropriate
control activities can be put into place to address such risks.

Ultimately, ACME needs to identify its information systems, determine their value, and protect them against cyber-attacks. This is
accomplished through the deployment of control activities that are commensurate with the value of the information systems. To
achieve these results, business and IT stakeholders must initially arrive at a common understanding of the structure of the business,
including outsourced service providers, and the related business objectives and sub-objectives that are important to ACME. While this
concept is easy to grasp, it is important to formally document this approach. Documenting the business structure will help ensure that
processes and controls can be executed consistently with relevant, quality information, in a manner that allows continuous refinement
as people, process, and technology evolve along with ACME’s objectives.

In order to manage cyber risks, ACME needs to view its cyber risk profile through the components of internal control. This includes,
but is not limited to:

• Control Environment
  ◦ Does the board of directors understand ACME’s cyber risk profile, and is it informed of how the organization is managing the evolving cyber risks management faces?
• Risk Assessment
  ◦ Have ACME and its critical stakeholders evaluated its operations, reporting, and compliance objectives and gathered information to understand how cyber risk could impact such objectives?
• Control Activities
  ◦ Has ACME developed control activities, including general control activities over technology, that enable ACME to manage cyber risk within the level of tolerance acceptable to the organization?
  ◦ Have such control activities been deployed through formalized policies and procedures?
• Information and Communication
  ◦ Has ACME identified the information requirements needed to manage internal control over cyber risk?
  ◦ Has ACME defined internal and external communication channels and protocols that support the functioning of internal control?
  ◦ How will ACME respond to, manage, and communicate a cyber risk event?
• Monitoring Activities
  ◦ How will ACME select, develop, and perform evaluations to ascertain the design and operating effectiveness of internal controls that address cyber risks?
  ◦ When deficiencies are identified, how are they communicated and prioritized for corrective action?
  ◦ What is ACME doing to monitor its cyber risk profile?

COSO 2013 INTERNAL CONTROL COMPONENTS


Principles 6 through 9 of the COSO 2013 framework focus on risk assessment.

Figure 7: COSO 2013 risk management components.



ASSET / PROJECT-LEVEL – TACTICAL APPROACH TO RISK MANAGEMENT
Risk management requires finding security equilibrium between vulnerabilities and acceptable security controls. This equilibrium can
be thought of as acceptable risk – it changes as vulnerabilities and controls change.

NIST’s Risk Management Framework (RMF) is specified in NIST Special Publication 800-37 - Guide for Applying the Risk Management Framework to Federal Information Systems.11 This framework is the TACTICAL approach that ACME will utilize for specific projects.

NIST 800-37 RISK MANAGEMENT FRAMEWORK – SECURITY LIFE CYCLE


At a project level, from a systems perspective, the components used to determine acceptable risk cover the entire Defense-in-Depth
(DiD) breadth. If one component is weakened, another component must be strengthened to maintain the same level of security
assurance. Risk management activities can be applied to both new and legacy information systems.

Figure 9: NIST 800-37 Risk Management Framework (RMF) Security Life Cycle

CATEGORIZE
ACME shall assign a potential security impact value for all information systems, including the information being processed, stored, and
transmitted by the system, based on the potential impact to ACME (see Threat & Risk Assessment (TRA) Methodology section).

SELECT
An appropriate set of security controls is selected for the information system after categorizing it and determining the minimum security requirements.

ACME will meet the minimum security requirements by selecting an appropriately tailored set of baseline security controls based on an assessment of risk and local conditions, including ACME’s specific security requirements, threat information, cost-benefit analyses, or special circumstances.

IMPLEMENT
Security controls must be properly installed and configured in the information system. Checklists of security settings are useful tools
that have been developed to guide IT administrators and security personnel in selecting effective security settings that will reduce the
risks and protect systems from attacks.

11 NIST 800-37 - http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf



THREAT & RISK ASSESSMENT METHODOLOGY

DEFINING POTENTIAL IMPACT


The categories of potential impact are listed below and include a non-exhaustive list of criteria to help in the decision-making process.

The six (6) categories of potential impact are:

INSIGNIFICANT
There is little-to-no impact to business operations:
• Financial impact is less than $[MINOR RISK VALUE].
• Performance or availability of up to Business Essential (CL2) systems is minimally impacted.
• Isolated staff dissatisfaction.

MINOR
There are moderate impacts to business operations:
• Financial impact is less than $[MODERATE RISK VALUE].
• Performance or availability of up to Business Essential (CL2) systems is moderately impacted.
• Local, short-term, negative media coverage.
• Department-level staff morale problems.

MODERATE
There are serious impacts to business operations:
• Financial impact is less than $[MAJOR RISK VALUE].
• Performance or availability of Mission Critical (CL1) systems is minimally impacted.
• Performance or availability of up to Business Essential (CL2) systems is significantly impacted.
• A contractual, statutory and/or regulatory requirement is violated.
• National, short-term, negative media coverage.
• Widespread staff morale problems and an increase in turnover.

MAJOR
There are major impacts to business operations:
• Financial impact is less than $[CRITICAL RISK VALUE].
• Performance or availability of Mission Critical (CL1) systems is moderately impacted.
• Performance or availability of up to Business Essential (CL2) systems is impacted to the point of being unusable.
• A contractual, statutory and/or regulatory requirement would be violated, where no punitive action would be an expected outcome.
• Widespread management morale problems, and multiple senior leaders leave.
• International, short-term, negative media coverage.

CRITICAL
There are critical impacts to business operations:
• Financial impact could exceed $[CRITICAL RISK VALUE].
• ACME’s reputation and/or competitive position would be damaged.
• Performance or availability of Mission Critical (CL1) systems is significantly impacted.
• Performance or availability of up to Business Essential (CL2) systems is impacted to the point of being unusable.
• A contractual, statutory and/or regulatory requirement would be violated, where some level of punitive action would be an expected outcome.
• International, long-term, negative media coverage with noticeable loss of market share.

CATASTROPHIC
There are catastrophic impacts to business operations:
• Financial impact could exceed $[CATASTROPHIC RISK VALUE].
• ACME’s reputation and/or competitive position would be severely damaged.
• Performance or availability of up to Mission Critical (CL1) systems is impacted to the point of being unusable.
• Key technologies will not be available and there are no alternatives.
• A contractual, statutory and/or regulatory requirement would be violated, where significant punitive action would be an expected outcome.
• International, long-term, negative media coverage with game-changing loss of market share.

For the most part, assessing the potential impact of an event involves making an “educated guess” based on the available facts of the
situation. With or without clear facts to justify potential impact, assessors need to document the justification for the value that was
determined, including the facts and assumptions used in the decision-making process.

DEFINING POTENTIAL LIKELIHOOD


Assumptions about likelihood may come from various internal and external sources, depending on the specific circumstances. As
with potential impact, assessors need to document the justification for the value that was determined, including the facts and
assumptions used in the decision-making process.

CATEGORIES OF POTENTIAL LIKELIHOOD


The six (6) categories of potential likelihood are:

REMOTE POSSIBILITY
The likelihood of a “remote possibility” event occurring can be quantified as less than a 1% chance of occurrence.

Examples of a remote possibility event occurrence:


• Negative impact from downstream fallout of a volcanic eruption.
• Impact from space debris.

HIGHLY UNLIKELY
The likelihood of a “highly unlikely” event occurring can be quantified as between a 1% and 10% chance of occurrence.

Examples of a highly unlikely event occurrence:

• Pandemic impacts a portion of the global workforce.
• Widespread damage to the electrical grid from solar flares.

UNLIKELY
The likelihood of an “unlikely” event occurring can be quantified as between a 10% and 25% chance of occurrence.

Examples of an unlikely event occurrence:

• Hot site experiences an outage at the same time as the primary site.
• Multiple important system administrators quit at the same time.

POSSIBLE
The likelihood of a “possible” event occurring can be quantified as between a 25% and 70% chance of occurrence.

Examples of a possible event occurrence:

• Unauthorized change to a production application prevents the company from processing credit cards.
• A server that is 5+ years old will experience a catastrophic hard drive failure.

LIKELY
The likelihood of a “likely” event occurring can be quantified as between a 70% and 99% chance of occurrence.

Examples of a likely event occurrence:

• Users will open phishing emails and infect their workstations with malware.
• A team working on a project will overwrite data and require files to be restored from backup.

ALMOST CERTAIN
The likelihood of an “almost certain” event occurring can be quantified as greater than a 99% chance of occurrence.

Examples of an almost certain event occurrence:


• A user will have a laptop or smart phone lost or stolen.
• The company’s external web presence will be probed/attacked by hackers.

ESTIMATING PROBABILITY
Three (3) general approaches are commonly employed to estimate probability:
• Relevant historical data;
• Probability forecasts; and
• Expert opinion.

These approaches may be used individually or jointly.

RELEVANT HISTORICAL DATA


Relevant historical data identifying events or situations that have occurred in the past can be extrapolated to estimate the
probability of their occurrence in the future.
• The data used should be relevant to the type of system, facility, organization or activity being considered and to the
operational standards of the organization involved.
• If historically there is a very low frequency of occurrence, then any estimate of probability will be very uncertain.
• This applies especially for zero occurrences, when one cannot assume the event, situation or circumstance will not occur in
the future.
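An added example (not part of the framework) of the caveat above: estimating an annual probability from a short incident history and mapping the resulting uncertainty onto this framework's likelihood categories. The Wilson score interval is an assumed choice of method, since the framework does not prescribe one, and the incident counts are constructed.

```python
import math

# Likelihood bands from this framework (chance of occurrence per period):
# each tuple is the exclusive upper bound of the band and its name.
LIKELIHOOD_BANDS = [
    (0.01, "Remote Possibility"),
    (0.10, "Highly Unlikely"),
    (0.25, "Unlikely"),
    (0.70, "Possible"),
    (0.99, "Likely"),
]

def likelihood_category(p):
    """Map a probability to the framework's likelihood category."""
    for upper, name in LIKELIHOOD_BANDS:
        if p < upper:
            return name
    return "Almost Certain"   # greater than 99%

def historical_estimate(events, periods, z=1.96):
    """Estimate the per-period probability of an event from a count of past
    occurrences, with a 95% Wilson score interval (assumed method).  Returns the
    point estimate, the interval, and the categories the interval spans."""
    if periods <= 0 or events < 0 or events > periods:
        raise ValueError("need 0 <= events <= periods and periods > 0")
    n, p = periods, events / periods
    z2 = z * z
    denom = 1 + z2 / n
    centre = (p + z2 / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z2 / (4 * n * n)) / denom
    low, high = max(0.0, centre - half), min(1.0, centre + half)
    return {
        "point": p,
        "low": low,
        "high": high,
        "category": likelihood_category(p),
        # zero occurrences give a point estimate of 0 but a wide interval
        "spans": (likelihood_category(low), likelihood_category(high)),
    }

if __name__ == "__main__":
    # Constructed inputs: zero incidents in 5 years vs. 2 incidents in 20 years.
    for events, years in ((0, 5), (2, 20)):
        est = historical_estimate(events, years)
        print(f"{events} events in {years} years: point={est['point']:.3f} "
              f"95% interval=[{est['low']:.3f}, {est['high']:.3f}] "
              f"spans {est['spans'][0]} .. {est['spans'][1]}")
```

With zero incidents in five years the point estimate lands in "Remote Possibility" while the interval reaches "Possible", which is the reason the framework warns against reading zero occurrences as zero probability.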

PROBABILITY FORECASTS
Probability forecasts use predictive techniques such as fault tree analysis and event tree analysis. When historical data are unavailable
or inadequate, it is necessary to derive probability by analysis of the system, activity, equipment or organization and its associated
failure or success states. Numerical data for equipment, personnel, organizations and systems from operational experience, or
published data sources are then combined to produce an estimate of the probability of the top event.
• When using predictive techniques, it is important to ensure that due allowance has been made in the analysis for the
possibility of common mode failures involving the coincidental failure of multiple different parts or components within the
system arising from the same cause.
• Simulation techniques may be required to generate probability of equipment and structural failures due to ageing and other
degradation processes.
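An added example (not from the framework) of the common mode failure allowance above: a small fault tree evaluator and a redundant pair of units modelled first as independent and then with a shared cause. The beta-factor split of each unit's failure probability is an assumed modelling choice, and the probabilities are constructed.

```python
import math
from dataclasses import dataclass
from typing import List, Union

@dataclass
class BasicEvent:
    name: str
    p: float          # probability of the basic event over the analysis period

@dataclass
class Gate:
    kind: str         # "AND" (all inputs must occur) or "OR" (any input occurs)
    inputs: List[Union["BasicEvent", "Gate"]]

Node = Union[BasicEvent, Gate]

def top_event_probability(node: Node) -> float:
    """Evaluate a fault tree bottom-up, treating the inputs of each gate as
    independent.  Common causes must therefore be modelled explicitly."""
    if isinstance(node, BasicEvent):
        return node.p
    ps = [top_event_probability(i) for i in node.inputs]
    if node.kind == "AND":
        return math.prod(ps)
    if node.kind == "OR":
        return 1.0 - math.prod(1.0 - q for q in ps)
    raise ValueError(f"unknown gate kind {node.kind!r}")

def redundant_pair(p: float, beta: float = 0.0) -> Gate:
    """Top event: both of two redundant units fail, each with probability p.
    With beta > 0, a fraction beta of each unit's failures is assumed to come
    from a shared cause (beta-factor model, an assumption), so one common-cause
    event can take out both units at once."""
    independent = Gate("AND", [
        BasicEvent("unit A fails independently", (1 - beta) * p),
        BasicEvent("unit B fails independently", (1 - beta) * p),
    ])
    if beta == 0.0:
        return independent
    return Gate("OR", [independent,
                       BasicEvent("common cause fails both units", beta * p)])

if __name__ == "__main__":
    p = 0.01   # constructed: 1% chance per year that a single unit fails
    print("independent units:", top_event_probability(redundant_pair(p)))
    print("10% common cause: ", top_event_probability(redundant_pair(p, 0.10)))
```

Even a 10% common-cause share raises the top event probability by roughly an order of magnitude over the independent estimate, which is why the allowance matters.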

EXPERT OPINION
Expert opinion can be used in a systematic and structured process to estimate probability.
• Expert judgements should draw upon all relevant available information including historical, system-specific, organization-specific,
experimental, design, etc.
• There are several formal methods for eliciting expert judgement which provide an aid to the formulation of appropriate
questions.
• The methods available include the Delphi approach, paired comparisons, category rating, and absolute probability judgments.

BUSINESS SUPPORTING (CL4)
Business Supporting systems are the least important category of systems and handle information that is used in the conduct of routine,
day-to-day business. CL4 systems are not mission-critical in the short or long term.

The impact of a CL4 system, or its data, being unavailable includes, but is not limited to:
• Localized employee productivity degradation;
• Localized delays or degradation of services or routine activities;
• No revenue impact; and
• No impact on customer satisfaction.

Examples of CL4 systems include, but are not limited to:


• Team-level metrics reporting
• Team-level productivity or reporting tools

DEFINING RISK LEVELS


ACME’s five (5) levels of risk categorization are:
• Low;
• Medium;
• High;
• Severe; and
• Extreme.

See the How Do We Categorize Risk? section for more information on ACME’s risk levels.

Figure 11: Risk matrix.

APPENDIX B – RISK ROLES & RESPONSIBILITIES

Executive and senior management, who are ultimately accountable for managing the risks that may affect their operations, are
responsible for reviewing the risk management documentation prepared by their line managers.

CHIEF RISK OFFICER (CRO)


The Chief Risk Officer (CRO) is accountable to ACME’s executive management for the development and implementation of the risk
management program.

The CRO’s responsibilities include, but are not limited to:


• Protecting ACME from unacceptable risk or losses associated with operations; and
• Developing and implementing mechanisms for effectively managing the risks that may affect the achievement of ACME
objectives and operational outcomes.

CHIEF INFORMATION SECURITY OFFICER (CISO)


The CISO is accountable to ACME’s executive management for the development and implementation of the information security
program. The CISO will be the central point of contact for setting the day-to-day direction of the information security program and its
overall goals, objectives, responsibilities, and priorities.

The CISO’s responsibilities include, but are not limited to:


• Oversee and approve the company’s information security program to govern the behavior of the employees, contractors and
vendors who safeguard the company’s systems and data, as well as prescribe the physical security precautions for employees
and visitors;
• Ensure an appropriate level of protection for the company’s information resources, whether retained in-house or under the
control of outsourced contractors;
• Issue information security policies, standards and guidance that establish a framework for an Information Security
Management System (ISMS);
• Identify protection goals, objectives and metrics consistent with the corporate strategic plan;
• Ensure appropriate procedures are in place for Security Testing & Evaluation (ST&E) for all systems; and
• Monitor, evaluate, and report to company management on the status of IT security within the corporate computing
environment.

EXECUTIVE AND SENIOR MANAGEMENT


The effectiveness of risk management is unavoidably linked to management competence, commitment and integrity, all of which
form the basis of sound corporate governance. Corporate governance provides a systematic framework within which the executive
management group can discharge their duties in managing ACME.

Executive and Senior Management responsibilities include, but are not limited to:
• Considering and documenting new and existing risks and their impact on proposed plans as part of the annual planning cycle.
    o Risk records must be maintained up-to-date on an on-going basis to reflect any changes which may occur;
• Providing direction and guidance within their areas of accountability so that staff best utilize their abilities in the preservation
of ACME’s resources;
• Successfully promoting, sponsoring and coordinating the development of a risk management culture throughout ACME;
• Guiding the inclusion of risk management in all strategic and operational decision making;
• Possessing a clear profile of major risks within their area of control incorporating both opportunity and negative risks;
• Maintaining a framework to manage, monitor and report risk;
• Managing risks to meet ACME objectives, goals and vision; and
• Improving corporate governance.

LINE MANAGEMENT
Line managers at all levels are responsible for the adoption of risk management practices and are directly responsible for the results
of risk management activities relevant to their area of responsibility.

APPENDIX D – RISK ASSESSMENT TECHNIQUES

The techniques listed below have unique attributes, which make selecting the correct technique for a specific risk assessment very important. While a simple matrix can work for
most simple risk assessments, other methods are needed for more complex assessments.

LOOK UP METHODS

Each technique is rated on the factors to consider (Quantitative solution?, Useful for risk identification?, Degree of complexity,
Degree of uncertainty, Skills required) and on its risk analysis strengths (Consequence, Probability, Level of risk, Strength in
evaluating risk), using the ratings Great Choice, OK and Weak.

CONSEQUENCE & PROBABILITY MATRIX
Technique description: The consequence/probability matrix is a means of combining qualitative or semi-quantitative ratings of
consequence and probability to produce a level of risk or risk rating. The format of the matrix and the definitions applied to it
depend on the context in which it is used, and it is important that an appropriate design is used for the circumstances.
Factors to consider: Quantitative solution? No; Useful for risk identification? Great Choice; Degree of complexity: Low; Degree of
uncertainty: Low; Skills required: Low.
Risk analysis strengths: Consequence: Great Choice; Probability: Great Choice; Level of risk: Great Choice; Strength in evaluating
risk: OK.

MULTI-CRITERIA DECISION ANALYSIS (MCDA)
Technique description: The objective is to use a range of criteria to objectively and transparently assess the overall worthiness of a
set of risk treatment options. In general, the overall goal is to produce a preference order between the available options. The
analysis involves the development of a matrix of options and criteria which are ranked and aggregated to provide an overall score
for each option.
Factors to consider: Quantitative solution? No; Useful for risk identification? OK; Degree of complexity: Medium; Degree of
uncertainty: Medium; Skills required: Medium.
Risk analysis strengths: Consequence: Great Choice; Probability: OK; Level of risk: Great Choice; Strength in evaluating risk: OK.

CHECK LISTS
Technique description: A simple form of risk identification. A technique which provides a listing of typical uncertainties which need
to be considered. Users refer to a previously developed list, codes or standards.
Factors to consider: Quantitative solution? No; Useful for risk identification? Great Choice; Degree of complexity: Low; Degree of
uncertainty: Low; Skills required: Low.
Risk analysis strengths: Consequence: Weak; Probability: Weak; Level of risk: Weak; Strength in evaluating risk: Weak.
