Newcomer I

Cyber Risk Library

I am working on an exercise with an internal group to develop a library of common cyber-related risks and map those risks to security controls. Does anyone have any recommendations, or has anyone developed a good approach to documenting common risks (not to be confused with threats)?

Much Appreciated,

Doug

10 Replies
Contributor I

Re: Cyber Risk Library

I have thought about that several times, but it seems like an enormous amount of work and I have never even started it. I have not seen anything like it apart from the NIST control lists, but when you create it I would appreciate it if you could share it. Thanks.

Viewer

Re: Cyber Risk Library

Hi, 

Risk without a threat is not possible. In an absolute sense, it is the threat which, if it causes damage, actually becomes a risk. By collecting data on the most common threats we will have the data for the common risks, which will also detail what vulnerabilities will lead to such risks.

Contributor III

Re: Cyber Risk Library

There are a large number of risk taxonomies, e.g. the ISO 27005 annexes, Software Engineering Institute, SANS Top 25, OWASP, OCTAVE, IS1/IS2 etc. Maybe it'd be best to start by understanding the context of your business and its operations to narrow down your scope.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
Newcomer I

Re: Cyber Risk Library

AmitavaS, could not agree with you more.
Newcomer I

Re: Cyber Risk Library

Steve-Wilme, thank you for your reply. I am making some progress and will share the end results of the work product here in the next few weeks. In short, leveraging existing risk taxonomies such as BASEL, OCTAVE, and FAIR is helping.
Newcomer II

Re: Cyber Risk Library

Wouldn't you need to identify your business processes, assess the appropriate level of risk, and then identify the appropriate security controls to mitigate those risks?

Not sure I understand how having a library of cyber-related risks would add value if those risks are not applicable to your specific IT ecosystem.

Community Champion

Re: Cyber Risk Library

I reference both the NIST docs and this resource to get both. I'm partial to the second resource as it represents the real-world use of the NIST guidelines.

Community Champion

Re: Cyber Risk Library

I found this at auditscripts.com. It is a mapping of all of the different frameworks.

https://www.auditscripts.com/?attachment_id=3805

It maps the critical controls to 43 of the most popular frameworks. It can be used backwards too. If you don't trust links, you can also Google for this:

AuditScripts-Critical-Security-Control-Master-Mappings-v6.1h.xlsx

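The original question asks for a way to map a library of risks to security controls, and the post above describes a control-to-framework mapping spreadsheet that "can be used backwards too". The following is an added example (not code from this thread, from AuditScripts, or from any published mapping) showing the shape such a library can take in code: risks point at the controls that mitigate them, controls point at framework references, and the reverse index is derived rather than maintained by hand. All risk IDs, control IDs and framework references are constructed placeholders.

```python
"""Toy cyber risk library: risks -> mitigating controls -> framework references.

Added example; the IDs and references below are constructed placeholders,
not entries from any real taxonomy or mapping spreadsheet.
"""
from collections import defaultdict

# Constructed sample risk library. Each risk lists the controls that mitigate it.
# R-003 deliberately has no control mapped, so the gap report has something to find.
RISKS = {
    "R-001": {"title": "Unauthorised access via stolen credentials",
              "controls": ["C-05", "C-06"]},
    "R-002": {"title": "Data loss from an unpatched internet-facing service",
              "controls": ["C-03"]},
    "R-003": {"title": "Undetected intrusion because logs are never reviewed",
              "controls": []},
}

# Constructed control -> framework mapping, the direction a master-mapping sheet
# usually provides: control ID -> {framework name: [reference IDs]}.
CONTROL_TO_FRAMEWORKS = {
    "C-03": {"FW-A": ["A.12.6.1"], "FW-B": ["SI-2"]},
    "C-05": {"FW-A": ["A.9.4.3"], "FW-B": ["IA-5"]},
    "C-06": {"FW-B": ["IA-2(1)"]},          # no FW-A reference on purpose
}


def invert_mapping(control_to_frameworks):
    """Build the 'backwards' index: (framework, reference) -> set of control IDs."""
    reverse = defaultdict(set)
    for control, frameworks in control_to_frameworks.items():
        for framework, refs in frameworks.items():
            for ref in refs:
                reverse[(framework, ref)].add(control)
    return dict(reverse)


def controls_for_reference(framework, ref, control_to_frameworks=CONTROL_TO_FRAMEWORKS):
    """Given a framework reference, return the sorted control IDs that satisfy it."""
    return sorted(invert_mapping(control_to_frameworks).get((framework, ref), set()))


def risks_without_controls(risks=RISKS):
    """Gap report: risks in the library that no control currently mitigates."""
    return sorted(rid for rid, entry in risks.items() if not entry["controls"])


def framework_coverage(risk_id, framework,
                       risks=RISKS, control_to_frameworks=CONTROL_TO_FRAMEWORKS):
    """For one risk, return (framework references backing its controls,
    controls that have no reference in that framework)."""
    refs, unmapped = set(), []
    for control in risks[risk_id]["controls"]:
        fw_refs = control_to_frameworks.get(control, {}).get(framework)
        if fw_refs:
            refs.update(fw_refs)
        else:
            unmapped.append(control)
    return sorted(refs), unmapped


if __name__ == "__main__":
    print("Risks with no mitigating control:", risks_without_controls())
    print("Controls satisfying FW-B IA-5:", controls_for_reference("FW-B", "IA-5"))
    for rid in RISKS:
        print(rid, "coverage in FW-A:", framework_coverage(rid, "FW-A"))
```

Keeping only the forward mapping as source data and deriving the reverse index avoids the two drifting apart as controls are added; the two report functions are the checks a reviewer of such a library usually wants first, namely which risks have no control at all and which controls cannot be evidenced against a given framework.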
Newcomer I

Re: Cyber Risk Library

Really very useful security control master list.