I am working on an exercise with an internal group to develop a library of common cyber related risk and mapping those risk to secuirty controls. Does anyone have any recomendations, or developed a good approach to documenting common risks (not to be confused with threats)?
I have thought about that several times but seems like an enormous amount of work and have never even started it - have not seen anything like it apart of the NIST control lists but when you create that I would appreciate if you could share it - thanks
Risk without a threat is not possible. In absolute meaning its the threat which if causes damage actually becomes a risk. By collecting data on the most common threats we will have the data for the common risks which will also details on what vulnerabilities will lead to such risks.
There are a large number of risk taxonomies; e.g. ISO 27005 annexes, Software Engineering Institute, SAN top 25, OWASP, Octave, IS1/IS2 etc. Maybe it'd be best to start be understanding the context of you business and it's operations to narrow down your scope.
Wouldn't you need to identify your business processes, assess the appropriate level of risk and then identify the appropriate security controls to mitigate those risks?
Not sure I understand how having a library of cyber related risks would add value if those risks are not applicable to your specific IT ecosystem.
I reference both the NIST docs and this resource to get both. I'm partial to the second resource as it represents the real world use of the NIST guidelines.
I found this at auditscripts.com. It is a mapping of all of the different frameworks.
It maps the critical controls to 43 of the most popular frameworks. It can be used backwards too. If you don't trust links you can also google for this:
Really very useful security control master list.