In an era of escalating cyber threats, organisations face mounting pressure to ensure their cybersecurity controls are not just compliant but effective in protecting critical assets. With the threat landscape constantly evolving, it's crucial for cyber risk professionals to have confidence that their controls are robust, aligned with industry frameworks, and capable of adapting to new risks.
In Protecht’s Cyber risk: Get on top of your controls and frameworks webinar, we explored practical solutions to common cyber risk challenges.
We had great feedback from our attendees, including the questions answered below. If you missed the webinar live, then you can view it on demand here:
Questions
1. If we needed to do an IT Governance review, what/where is a good starting point from a checklist perspective?
2. What frameworks have overall expected control around legacy or end of life IT components such as DBs, OS, apps, etc? Any thoughts team?
3. Do you need to define a risk for every technology system so that you can define the relevant control objectives (or discrete controls), and then record the results for each of those controls in the context of the specific system?
4. With the introduction of the new Govern domain in NIST CSF 2.0 this year, is there a due date obligation for FIs to comply with the newly introduced domain?
5. What is the difference between CSA and RCSA and in its context?
6. Classically a 'framework' relates to the Policies, Processes, Procedures, Training, Monitoring, and Controls (Metric Indicators) which might be employed against a specific risk/regulatory framework, e.g. Data Privacy Risk, AML Risk, ESG Risk.
7. I'm relatively new to the ERM space so my question is under what circumstances would an organisation adopt multiple control frameworks?
If we needed to do an IT Governance review, what/where is a good starting point from a checklist perspective?
The most common place to start is with the IT and cyber related policies. Are your policies designed so that they meet some key requirements:
- Do your policies align with your strategic business objectives?
- Have you considered how you meet applicable laws and regulations?
- Do you have the resources to fulfil your business requirements?
- Do your control frameworks provide full coverage for your business objectives?
- Are roles and responsibilities clear?
What frameworks have overall expected control around legacy or end of life IT components such as DBs, OS, apps, etc? Any thoughts team?
Several frameworks provide controls for managing legacy or end-of-life IT components:
1. COBIT (Control Objectives for Information and Related Technologies)
2. ITIL (Information Technology Infrastructure Library)
3. ISO/IEC 27001 (Information Security Management)
4. NIST (National Institute of Standards and Technology) Cybersecurity Framework
These frameworks offer guidelines for risk assessment, asset management, lifecycle planning, and security controls to address vulnerabilities in aging systems while ensuring business continuity and compliance. None of them sets end-of-support dates; those come from each vendor's lifecycle announcements. In practice the control is an asset inventory that records the support status of every component, plus a documented treatment (upgrade, isolate, or compensating controls) for anything past vendor support.
Do you need to define a risk for every technology system so that you can define the relevant control objectives (or discrete controls), and then record the results for each of those controls in the context of the specific system?
The ultimate goal is to effectively manage the risks to your organisation. While it is common to assess or assign a risk level to an information asset, it needs to be captured in business language. For example, ‘risk to information assets’ doesn’t mean anything to executives; focus instead on the effect on business objectives. You might identify a single risk in your risk library and link it to multiple assets where that risk can arise.
There are two approaches to applying the same or similar controls to multiple assets:
- Document the control once, then link it to multiple assets. When assessing the control, assess its operation against each of the assets where the control is applied, and roll those results up to the control.
- Duplicate the control and link a copy to each asset. When assessing, you are discretely showing the effectiveness of each copy, at the cost of maintaining several records for what is really one control design.
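The two approaches above, as an added Python example that is not part of the original post and not Protecht ERM code. The data model (a control record, the assets it is linked to, one assessment result per control/asset pair) and the sample patching control are assumptions constructed for illustration. The point it makes that the text does not spell out: a shared control record needs an explicit roll-up rule, and the safe one is weakest link, so that one unpatched legacy asset is not averaged away behind several well-run ones.

```python
"""Linking one control to many assets: shared record vs one copy per asset.

Hypothetical control-register model (constructed for this example).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum


class Rating(IntEnum):
    """Assessment outcome, ordered so min() yields the weakest result."""
    INEFFECTIVE = 0
    PARTIALLY_EFFECTIVE = 1
    EFFECTIVE = 2


@dataclass
class Control:
    control_id: str
    objective: str
    assets: list[str] = field(default_factory=list)
    # Approach 1 keeps one result per linked asset on the single record.
    results: dict[str, Rating] = field(default_factory=dict)


def assess(control: Control, asset: str, rating: Rating) -> None:
    """Record how the control operates on one specific asset."""
    if asset not in control.assets:
        raise ValueError(f"{control.control_id} is not linked to {asset}")
    control.results[asset] = rating


def rollup(control: Control) -> Rating:
    """Approach 1: rate the shared control by its weakest linked asset.

    Refuses to rate until every linked asset has a result, so an
    unassessed asset cannot silently count as effective.
    """
    missing = [a for a in control.assets if a not in control.results]
    if missing:
        raise ValueError(f"{control.control_id} not assessed on {missing}")
    return min(control.results[a] for a in control.assets)


def duplicate_per_asset(template: Control) -> list[Control]:
    """Approach 2: one control record per asset, each assessed on its own."""
    return [
        Control(control_id=f"{template.control_id}-{asset}",
                objective=template.objective, assets=[asset])
        for asset in template.assets
    ]


def build_sample() -> Control:
    """Constructed sample: one patching control applied to three assets."""
    return Control(
        control_id="CTL-PATCH-01",
        objective="Critical patches applied within 14 days of release",
        assets=["crm-db", "payroll-app", "legacy-fileserver"],
    )


# Constructed assessment findings; the file server runs an end-of-life OS
# for which the vendor no longer ships patches.
FINDINGS = {
    "crm-db": Rating.EFFECTIVE,
    "payroll-app": Rating.EFFECTIVE,
    "legacy-fileserver": Rating.INEFFECTIVE,
}


def shared_control_view() -> tuple[dict[str, Rating], Rating]:
    """Approach 1: per-asset detail plus a single roll-up rating."""
    control = build_sample()
    for asset, rating in FINDINGS.items():
        assess(control, asset, rating)
    return dict(control.results), rollup(control)


def duplicated_control_view() -> dict[str, Rating]:
    """Approach 2: three independent control records, each rated alone."""
    copies = duplicate_per_asset(build_sample())
    ratings: dict[str, Rating] = {}
    for copy in copies:
        (asset,) = copy.assets
        assess(copy, asset, FINDINGS[asset])
        ratings[copy.control_id] = rollup(copy)
    return ratings


if __name__ == "__main__":
    per_asset, overall = shared_control_view()
    print("shared:", {a: r.name for a, r in per_asset.items()}, "->", overall.name)
    print("duplicated:", {c: r.name for c, r in duplicated_control_view().items()})
```

Either approach preserves the per-asset result; the difference is where it lives. With the shared record, anything that reports at control level (a dashboard, a risk roll-up) sees only the `rollup()` value, so the choice of weakest-link rather than average is what keeps the legacy asset visible.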
With the introduction of the new Govern domain in NIST CSF 2.0 this year, is there a due date obligation for FIs to comply with the newly introduced domain?
To our knowledge, alignment with NIST CSF 2.0 (or the previous version) is not mandatory for financial institutions, and is typically only required for government agencies in the USA. However, many organisations align with this standard as good practice, and to demonstrate how they are meeting cyber and data protection requirements of financial services regulators.
If there is an expectation that you need to abide by the NIST control framework, it is more likely driven by third parties or other stakeholders, perhaps contractually, than by regulation. Over time this can harden into an assumption of compliance, so it is worth tracing the expectation back to its source before treating it as an obligation.
What is the difference between CSA and RCSA and in its context?
This is primarily a matter of scope. A control self-assessment (CSA) considers only whether a set of pre-existing controls are effective, looking at each control in isolation: is it meeting that control's objective?
A risk and control self-assessment (RCSA) considers the set of controls together with their overall effect on the risk. This broader scope might identify that, even though the existing controls are effective individually, the residual risk is still too high and requires additional controls or other treatments to modify it.
Classically a 'framework' relates to the Policies, Processes, Procedures, Training, Monitoring, and Controls (Metric Indicators) which might be employed against a specific risk/regulatory framework, e.g. Data Privacy Risk, AML Risk, ESG Risk.
The dictionary definition of framework is ‘a supporting structure around which something can be built’. This definition aligns with your description, but can be applied quite broadly. For example, we refer to an ‘Enterprise risk management framework’ to include all of the components that enable enterprise risks to be managed. For some domains, as you’ve highlighted, there might be more specific components.
In the context of our webinar, we were leaning into a common phrase of ‘control frameworks’ to include information security controls standards such as NIST, ISO 27001, and others. These are usually quite structured with hierarchies, taxonomies and standard formatting, which make up the ‘framework’ component. The Frameworks tool we have built in Protecht ERM is flexible and can be used to map other requirements and standards beyond information security. For example, mapping different ESG or corporate sustainability disclosure requirements.
I'm relatively new to the ERM space so my question is under what circumstances would an organisation adopt multiple control frameworks?
We anticipate that most organisations will have a ‘primary’ control framework to manage information security or cyber risks. Here are some reasons why organisations may comply or align with multiple frameworks:
- Third parties who want to see you align with a specific framework. Their risk profile or risk appetite may differ from yours, and they want to see a specific standard being met.
- As an extension of the above, you may want to use this as a competitive advantage. Demonstrating to third parties that you align with multiple frameworks shows commitment to security, which might influence strategic engagements.
- Proactive identification of gaps. Even if you adopt a primary framework, you might review secondary frameworks as a way to identify additional controls that will further improve your cyber resilience.
Next steps for your organisation
In Protecht’s Cyber risk: Get on top of your controls and frameworks webinar, we explored the pain points in cyber risk management and the pressures to manage cyber risks effectively while aligning with accepted frameworks.
Protecht ERM’s latest controls solution is designed to streamline your IT controls management. Discover how Protecht ERM can simplify control testing, automate reporting, and help you stay compliant with multiple frameworks – without the headache of repetitive tasks. Find out more in our Streamline your IT controls: Simplify cyber compliance with Protecht ERM webinar: