Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
dougjaworski
Newcomer I
‎04-20-2018 03:52 PM
‎04-20-2018 03:52 PM

Cyber Risk Library

I am working on an exercise with an internal group to develop a library of common cyber related risk and mapping those risk to secuirty controls. Does anyone have any recomendations, or developed a good approach to documenting common risks (not to be confused with threats)?

 

Much Appreciated,

Doug

Reply
0 Kudos
11 Replies
Deyan
Contributor I
‎04-23-2018 02:13 AM
‎04-23-2018 02:13 AM

I have thought about that several times but seems like an enormous amount of work and have never even started it - have not seen anything like it apart of the NIST control lists but when you create that I would appreciate if you could share it - thanks

Reply
0 Kudos
AmitavaS
Viewer
‎04-23-2018 07:01 AM
‎04-23-2018 07:01 AM

Hi, 

Risk without a threat is not possible. In absolute meaning its the threat which if causes damage actually becomes a risk. By collecting data on the most common threats we will have the data for the common risks which will also details on what vulnerabilities will lead to such risks.

Reply
Steve-Wilme
Advocate II
‎04-23-2018 10:38 AM
‎04-23-2018 10:38 AM

There are a large number of risk taxonomies; e.g. ISO 27005 annexes, Software Engineering Institute, SAN top 25, OWASP, Octave, IS1/IS2 etc.   Maybe it'd be best to start be understanding the context of you business and it's operations to narrow down your scope.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
Reply
dougjaworski
Newcomer I
‎04-24-2018 10:16 AM
‎04-24-2018 10:16 AM

AmitavaS , could not agree with you more.
Reply
0 Kudos
dougjaworski
Newcomer I
‎04-24-2018 10:18 AM
‎04-24-2018 10:18 AM

Steve-Wilme, thank you for your reply. I am making some progress and will share the end-results of the work product here in the next few weeks. In short, leveraging existing risk taxonomies such as BASEL, OCTAVE, and FAIR are helping.
Reply
0 Kudos
clyoneer
Newcomer II
‎07-22-2018 10:21 AM
‎07-22-2018 10:21 AM

Wouldn't you need to identify your business processes, assess the appropriate level of risk and then identify the appropriate security controls to mitigate those risks? 

 

Not sure I understand how having a library of cyber related risks would add value if those risks are not applicable to your specific IT ecosystem.  

Reply
0 Kudos
Flyslinger2
Community Champion
‎07-30-2018 10:39 AM
‎07-30-2018 10:39 AM

I reference both the NIST docs and this resource to get both.  I'm partial to the second resource as it represents the real world use of the NIST guidelines.

Reply
CISOScott
Community Champion
‎07-31-2018 10:08 AM
‎07-31-2018 10:08 AM

I found this at auditscripts.com. It is a mapping of all of the different frameworks.

https://www.auditscripts.com/?attachment_id=3805

It maps the critical controls to 43 of the most popular frameworks. It can be used backwards too. If you don't trust links you can also google for this:

AuditScripts-Critical-Security-Control-Master-Mappings-v6.1h.xlsx

 

Reply
jj30
Newcomer I
‎07-31-2018 12:05 PM
‎07-31-2018 12:05 PM

Really very useful security control master list.

 

 

 

Reply
0 Kudos