In this assignment, students will review the NIST cybersecurity framework and ISO 27001 certification process. In a visual format (such as table, diagram, or graphic) briefly explain the differences,

Running Head: RISK MANAGEMENT

Risk Management

Sean “Yogi” Stephen

Grand Canyon University

CYB 515 Luis Pina

January 12, 2021

The steps of the NIST Risk Management Framework (RMF) are as follows:

STEP 1: CATEGORIZATION OF THE INFORMATION SYSTEM

The information system and the information it processes are categorized by impact level (low, moderate, or high) using the standards NIST has already defined (FIPS 199 and SP 800-60). The resulting category drives every later step.

STEP 2: SELECTION

Security controls are selected from the baseline that matches the system's impact category and tailored to the risks identified. The selected controls become the security requirements the business must meet.


STEP 3: IMPLEMENTATION

The selected security controls are put in place, and how each control is implemented is documented so it can be assessed and referenced later.

STEP 4: ASSESSMENT

The implemented controls are assessed to determine whether they are in place, operating as intended, and producing the desired outcome. Any deficiencies are recorded.


STEP 5: AUTHORIZATION

After identified gaps are corrected or accepted, a senior official reviews the assessment results and the residual risk and decides whether to authorize the system to operate.

STEP 6: MONITORING

Controls and the threat environment are monitored on an ongoing basis so that new risks are factored into the security measures. Changes and any new security measures are recorded and reported to management.

Risk management identifies the strengths and weaknesses of the business processes. Companies hire experts to create, evaluate, and analyze a risk management framework (Suprin et al., 2019). The framework must correspond with the business needs so that each threat or potential threat is identified and mitigation methods are put in place. If a danger cannot be avoided, minimizing the resulting losses becomes the priority.

Controls and Sub-controls

The controls in the Risk Management Framework are selected according to the needs of the organization, and they are put in place to manage the risks identified. Internal controls help the organization’s system meet the set standard. They consist of several components and sub-controls that operate together to meet the set strategy (Suprin et al., 2019). The control environment includes the policies that regulate ethics and values in the business. Risk assessment controls help identify the needs of the system. Control activities include educating and training employees to use encryption and passwords effectively.

Risk-Based Approach

A risk-based approach has several components that must be identified for it to be effective. The first is the identification of risk, which involves risk assessment procedures that audit the operating environment (Kiełbus and Karpisz, 2019). In the second part, each risk identified is analyzed and mapped to the business processes it threatens; documentation is vital during this stage. The third component is the ranking of risks as high, medium, or low, which allows a holistic evaluation of the risks in the organization.

The next step is the treatment of the risks, where the mitigation strategies identified are applied. Any experts needed work in collaboration with internal employees to ensure all gaps are covered (Kiełbus and Karpisz, 2019). The last step is continuous monitoring and evaluation: since not all identified risks can be eliminated at once, business processes must be reviewed regularly to keep mitigating them.

Advantages to Organizations

Organizations should base their strategies on a risk-based approach to support decision making. Informed decisions help guarantee business continuity. Where business intelligence technologies such as cloud computing are needed, they can be adopted with their risks understood. Resources are allocated according to the risks identified (Gordon et al., 2020), which ensures optimal use of the available resources.

Businesses will more easily set goals and objectives that are Specific, Measurable, and Time-bound. This reduces uncertainties that may increase operational costs, reducing profit and productivity. The approach also enhances teamwork and synergy as teams find collaborative techniques that save them time.

Organizations will also classify their intellectual property. The most sensitive information identified is stored in tightly controlled databases, and encryption and access controls, including on cloud platforms, restrict who can read it. This prevents sabotage and unauthorized access, which are high risks to the business (Gordon et al., 2020). The resulting security gives management time to focus on the core objectives of the company.

The business can also meet the compliance requirements set by authorities. In some countries or regions, frameworks including risk management are required before operations are authorized. Certification ensures that business continuity is not interrupted by legal challenges.

Differences Between Risk Management and Enterprise Risk Management

Risk management occurs when management identifies the threats that would limit operational activities and identifies methods to curb their influence, so the business can increase its productivity and reduce operating costs. The cost of controlling each identified risk must be compared with the benefit (Gordon et al., 2020); if the benefit is minimal compared to the cost, the control is not adopted. Traditional risk management tends to cover only risks that can be mitigated by insurance, while ERM evaluates risks beyond insurable ones.

Risk management assessment covers a smaller area of the business than ERM, which is multi-dimensional. Risks are also evaluated separately in risk management, whereas ERM finds the relationships between risks and considers their patterns and trends together (Klučka and Grünbichler, 2020). Risk management is more reactive and often takes place after a risk has materialized; ERM is proactive, covering risks that have yet to occur.

Enterprise risk management identifies the risks associated with each business process and operates at a broader scale than risk management. Risk coverage is assessed and aligned with business strategies (Klučka and Grünbichler, 2020). The ERM assessment is more holistic, covering every department and process, whereas risk management covers a smaller organizational unit. ERM defines and analyzes the organization’s risk appetite, which traditional risk management does not. Culture, policies, and regulatory strategies are used to strengthen the foundation and framework of ERM.

Good job on this assignment. You did great at explaining ERM vs traditional risk management. However, you did not answer the first question per the instructions. I did not see the count of controls and sub-controls. Please ensure you are reading the instructions carefully and answering them in your work.

References

Gordon, L. A., Loeb, M. P., & Zhou, L. (2020). Integrating cost-benefit analysis into the NIST Cybersecurity Framework via the Gordon–Loeb Model. Journal of Cybersecurity, 6(1), tyaa005.

Kiełbus, A., & Karpisz, D. (2019). Risk management as a process security tool. System Safety: Human - Technical Facility - Environment, 1(1), 234-239.

Klučka, J., & Grünbichler, R. (2020). Enterprise Risk Management – Approaches Determining Its Application and Relation to Business Performance. Quality Innovation Prosperity, 24(2), 51-58.

Suprin, M., Chow, A., Pillwein, M., Rowe, J., Ryan, M., Rygiel-Zbikowska, B., ... & Tomlin, I. (2019). Quality risk management framework: guidance for successful implementation of risk management in clinical development. Therapeutic Innovation & Regulatory Science, 53(1), 36-44.