dougjaworski
Newcomer I

Cyber Risk Library

I am working on an exercise with an internal group to develop a library of common cyber-related risks and map those risks to security controls. Does anyone have any recommendations, or has anyone developed a good approach to documenting common risks (not to be confused with threats)?

Much Appreciated,

Doug

10 Replies
Deyan
Contributor I

I have thought about that several times, but it seems like an enormous amount of work and I have never even started it. I have not seen anything like it apart from the NIST control lists, but when you create it I would appreciate it if you could share it. Thanks.

AmitavaS
Viewer

Hi, 

Risk without a threat is not possible. In the absolute sense, it's the threat which, if it causes damage, actually becomes a risk. By collecting data on the most common threats we will have the data for the common risks, which will also detail what vulnerabilities lead to such risks.

Steve-Wilme
Advocate II

There are a large number of risk taxonomies, e.g. the ISO 27005 annexes, Software Engineering Institute, SANS Top 25, OWASP, OCTAVE, IS1/IS2, etc. Maybe it'd be best to start by understanding the context of your business and its operations to narrow down your scope.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
dougjaworski
Newcomer I

AmitavaS , could not agree with you more.
dougjaworski
Newcomer I

Steve-Wilme, thank you for your reply. I am making some progress and will share the end-results of the work product here in the next few weeks. In short, leveraging existing risk taxonomies such as BASEL, OCTAVE, and FAIR are helping.
clyoneer
Newcomer II

Wouldn't you need to identify your business processes, assess the appropriate level of risk and then identify the appropriate security controls to mitigate those risks?

Not sure I understand how having a library of cyber-related risks would add value if those risks are not applicable to your specific IT ecosystem.

Flyslinger2
Community Champion

I reference both the NIST docs and this resource to get both. I'm partial to the second resource, as it represents the real-world use of the NIST guidelines.

CISOScott
Community Champion

I found this at auditscripts.com. It is a mapping of all of the different frameworks.

https://www.auditscripts.com/?attachment_id=3805

It maps the critical controls to 43 of the most popular frameworks. It can be used backwards too. If you don't trust links you can also google for this:

AuditScripts-Critical-Security-Control-Master-Mappings-v6.1h.xlsx

jj30
Newcomer I

Really very useful security control master list.