PRINCIPLE 4: Efforts to improve cybersecurity must be based on risk management. Why is this important?


Security is not an end state. It is a means of ensuring that the benefits from the digital infrastructure continue to grow. No sector of the economy, whether offline or online, is – or can ever be – 100% secure and without some inherent risk. We will never be completely free from natural disasters, crime, espionage, war, airplane or automobile accidents, project failures, credit risks, threats to public health, or terrorists. However, in all of these scenarios, practitioners use risk management to identify risk, assess risk, and take steps to manage risk to an acceptable level. Strategies to manage risk include avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk. Cybersecurity must be part of an overall risk management framework, incorporating technology, people, and processes.


What are we doing now?


The information technology (IT) industry and governments are continuously developing and utilizing a range of risk management strategies and best practices for cyberspace. Some key examples follow.


• Industry standards such as International Standards Organization / International Electrotechnical Commission (ISO/IEC) 27001 and 27002 and similar international standards establish practices and controls to manage cybersecurity risks.


• National Institute of Standards and Technology (NIST) risk management standards and special publications, created with extensive industry input, are built around risk assessment and risk management.


• The U.S. IT industry contributes to the National Infrastructure Protection Plan (NIPP), a framework announced by the Department of Homeland Security (DHS) in 2006 to help government agencies and their partner organizations protect the nation’s critical infrastructure and other key resources (CIKR) against damage or loss due to terrorist attack, natural disaster, or other catastrophe.


• Major U.S. IT companies build risk management into their ongoing daily operations through legal and contractual agreements, cybersecurity operational controls, adherence to global risk management standards, and a host of other practices.


PAGE 16

