Skip to content

Cyber risk: Get on top of your controls and frameworks: Webinar Q&A

In an era of escalating cyber threats, organisations face mounting pressure to ensure their cybersecurity controls are not just compliant but effective in protecting critical assets. With the threat landscape constantly evolving, it's crucial for cyber risk professionals to have confidence that their controls are robust, aligned with industry frameworks, and capable of adapting to new risks.

In Protecht’s Cyber risk: Get on top of your controls and frameworks webinar, we explored practical solutions to common cyber risk challenges.

We had great feedback from our attendees, including the questions answered below. If you missed the webinar live, then you can view it on demand here:

Register now

Questions

1. If we needed to do an IT Governance review, what/where is a good starting point from a checklist
perspective?

2. What frameworks have overall expected control around legacy or end of life IT components such as DBs, OS, apps, etc? Any thoughts team?
3. Do you need to define a risk for every technology system so that you can define the relevant control objectives (or discrete controls), and then record the results for each of those controls in the context of the specific system?
4. With the introduction of the new domain (govern) this year in NIST CSF 2.0. Is there a due date obligation for FIs to comply the newly introduced domain to be included?
5. What is the difference between CSA and RCSA and in its context?
6. Classically a 'framework' relates to the Policies, Processes, Procedures, Training, Monitoring, and Controls (Metric Indicators) which might be employed against a specific risk/regulatory framework. EG Data Privacy Risk, AML Risk, ESG Risk.
7. I'm relatively new to the ERM space so my question is under what circumstances would an
organisation adopt multiple control frameworks?


If we needed to do an IT Governance review, what/where is a good starting point from a checklist perspective?

The most common place to start is with the IT and Cyber related policies. Do you have the Policy designed so that they meet some key requirements:

  •  Do your policies align to your Strategic Business Objectives
  • Have you considered how you meet any Laws and Regulations
  • Do you have the resources to fulfil your business requirements?
  • Do your control frameworks provide full coverage for your business objectives?
  • Are roles and responsibilities clear?

< Back to top

What frameworks have overall expected control around legacy or end of life IT components such as DBs, OS, apps, etc? Any thoughts team?

Several frameworks provide controls for managing legacy or end-of-life IT components:
1. COBIT (Control Objectives for Information and Related Technologies)
2. ITIL (Information Technology Infrastructure Library)
3. ISO/IEC 27001 (Information Security Management)
4. NIST (National Institute of Standards and Technology) Cybersecurity Framework

These frameworks offer guidelines for risk assessment, asset management, lifecycle planning, and security controls to address vulnerabilities in aging systems while ensuring business continuity and compliance

< Back to top

Do you need to define a risk for every technology system so that you can define the relevant control objectives (or discrete controls), and then record the results for each of those controls in the context of the specific system?

The ultimate goal is to effectively manage the risks to your organisation. While it is common to assess or assign a risk level to an information asset, it needs to be captured in business language. For example, ‘risk to information assets’ doesn’t mean anything to Executives, focus on the effect on business objectives. You might identify a single risk in your risk library, and link it to multiple assets where that risk can arise.

There are two approaches to applying the same or similar controls to multiple assets:

  • Document the control once, then link it to multiple assets. When assessing the control, assess its operation against each of the assets where the control is applied.
  • Duplicate the control and like to each asset. When assessing the control, you are discretely showing the effectiveness of each control. 
Neither way is ‘correct’, and you will have to consider what makes sense for your organisation. The former may be more appropriate for General IT controls that should be applied identically across all assets (such as multi-factor authentication), while the latter might be more applicable where the control design or how it operates will differ across the different systems, or where control testing will be conducted by different people or across different timeframes.

< Back to top

With the introduction of the new domain (govern) this year in NIST CSF 2.0. Is there a due date obligation for FIs to comply the newly introduced domain to be included?

To our knowledge, alignment with NIST CSF 2.0 (or the previous version) is not mandatory for financial institutions, and is typically only required for government agencies in the USA. However, many organisations align with this standard as good practice, and to demonstrate how they are meeting cyber and data protection requirements of financial services regulators.

If there is an expectation that you need to abide by the NIST control framework, it may be driven from expectations from third parties or other stakeholders – perhaps contractually. This might have developed over time into an assumption of compliance

< Back to top

What is the difference between CSA and RCSA and in its context?

This is primarily a matter of scope. A control self-assessment just considers whether a set of pre-existing controls are effective, but looking at each control in isolation. I.e. Is it meeting that control's objective.

A risk and control self-assessment (RCSA) considers the set of controls, as well as their overall effect on the risk. This broader scope might identify that, even though the existing controls are effective individually, the overall risk is still too high and requires additional controls or other treatments to modify the risk

< Back to top

Classically a 'framework' relates to the Policies, Processes, Procedures, Training, Monitoring, and Controls (Metric Indicators) which might be employed against a specific risk/regulatory framework. EG Data Privacy Risk, AML Risk, ESG Risk.

The dictionary definition of framework is ‘a supporting structure around which something can be built’. This definition aligns with your description, but can be applied quite broadly. For example, we refer to an ‘Enterprise risk management framework’ to include all of the components that enable enterprise risks to be managed. For some domains, as you’ve highlighted, there might be more specific components.

In the context of our webinar, we were leaning into a common phrase of ‘control frameworks’ to include information security controls standards such as NIST, ISO 27001, and others. These are usually quite structured with hierarchies, taxonomies and standard formatting, which make up the ‘framework’ component. The Frameworks tool we have built in Protecht ERM is flexible and can be used to map other requirements and standards beyond information security. For example, mapping different ESG or corporate sustainability disclosure requirements.

< Back to top

I'm relatively new to the ERM space so my question is under what circumstances would an
organisation adopt multiple control frameworks?

We anticipate that most organisations will have a ‘primary’ control framework to manage information security or cyber risks. Here are some reasons why organisations may comply or align with multiple frameworks:

  • Third parties who want to see you align with a specific framework. Their risk profile or risk appetite may be different than yours, and they want to see a specific standard being met.
  • As an extension to the above, you may want to use this as a competitive advantage. Demonstrating to third parties that you align with multiple frameworks shows commitment to security which might influence strategic engagements
  • Proactive identification of gaps. Even if you adopt a primary framework, you might want to review secondary frameworks as a way to identify additional controls that will further improve your cyber resilience.

Next steps for your organisation

In Protecht’s Cyber risk: Get on top of your controls and frameworks webinar, we explored the pain points in cyber risk management and the pressures to manage cyber risks effectively while aligning with accepted frameworks.

Protecht ERM’s latest controls solution is designed to streamline your IT controls management. Discover how Protecht ERM can simplify control testing, automate reporting, and help you stay compliant with multiple frameworks – without the headache of repetitive tasks. Find out more in our Streamline your IT controls: Simplify cyber compliance with Protecht ERM webinar:

Register now

About the author

Michael is passionate about the field of risk management and related disciplines, with a focus on helping organisations succeed using a ‘decisions eyes wide open’ approach. His experience includes managing risk functions, assurance programs, policy management, corporate insurance, and compliance. He is a Certified Practicing Risk Manager whose curiosity drives his approach to challenge the status quo and look for innovative solutions.