Date Published: July 20, 2022
Comments Due:
Email Questions to:
Author(s)
Stephen Quinn (NIST), Nahla Ivy (NIST), Julie Chua (U.S. Department of Health and Human Services), Karen Scarfone (Scarfone Cybersecurity), Matthew Barrett (CyberESI Consulting Group), Larry Feldman (Huntington Ingalls Industries), Daniel Topper (Huntington Ingalls Industries), Gregory Witte (Huntington Ingalls Industries), Robert Gardner (New World Technology Partners)
Announcement
NIST is posting two draft Special Publications (SP) on the Enterprise Impact of Information and Communications Technology (ICT) Risk, with a public comment period open through September 6, 2022.
The increasing dependency on ICT means that all enterprises must ensure ICT risks receive the appropriate attention along with other risk disciplines –legal, financial, etc. – within their enterprise risk management (ERM) programs. These documents and resources are intended to help ICT risk practitioners at all levels of the enterprise, in private and public sectors, to better understand and practice ICT risk management (ICTRM) within the context of ERM. Using organizing constructs, such as risk appetite and tolerance statements, business impact analysis (BIA), risk registers, and key risk indicators, enterprises, can better identify, assess, communicate, monitor, and manage their ICT risks in the context of their stated mission and business objectives using language and constructs already familiar to senior leaders.
- NIST Special Publication 800-221 ipd (initial public draft), Enterprise Impact of Information and Communications Technology Risk: Governing and Managing ICT Risk Programs Within an Enterprise Risk Portfolio, promotes a greater understanding of the relationship between ICT risk management and ERM, and the benefits of integrating those approaches.
- NIST Special Publication 800-221A ipd, Information and Communications Technology (ICT) Risk Outcomes: Integrating ICT Risk Management Programs with the Enterprise Risk Portfolio, provides a set of desired outcomes and applicable references that are common across all types of ICT risk. It provides a common language for understanding, managing, and expressing ICT risk to internal and external stakeholders. It can be used to help identify and prioritize actions for reducing ICT risk, and it is a tool for aligning policy, business, and technological approaches to managing that risk. Using this approach for each type of ICT risk will help organizations improve the quality and consistency of ICT risk information they provide as inputs to their ERM programs. That, in turn, will help organizations address all forms of ICT risk more effectively in their ERM. This publication complements SP 800-221 as the ICTRM catalog of outcomes. SP 800-221A can be browsed and downloaded in standardized JSON and Excel formats.
The public comment period for both drafts is open through September 6, 2022.
NOTE: A call for patent claims is included in each draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.
The increasing frequency, creativity, and severity of technology attacks means that all enterprises should ensure that information and communication technology (ICT) risk is receiving appropriate attention within their enterprise risk management (ERM) programs. Specific types of ICT risk include, but are not limited to, cybersecurity, privacy, supply chain, and artificial intelligence risk. This document provides a framework of outcomes that applies to all types of ICT risk. It complements NIST Special Publication (SP) 800-221, Enterprise Impact of Information and Communication Technology Risk, which focuses on the use of risk registers to communicate and manage ICT risk.
The increasing frequency, creativity, and severity of technology attacks means that all enterprises should ensure that information and communication technology (ICT) risk is receiving appropriate attention within their enterprise risk management (ERM) programs. Specific types of ICT risk include,...
See full abstract
The increasing frequency, creativity, and severity of technology attacks means that all enterprises should ensure that information and communication technology (ICT) risk is receiving appropriate attention within their enterprise risk management (ERM) programs. Specific types of ICT risk include, but are not limited to, cybersecurity, privacy, supply chain, and artificial intelligence risk. This document provides a framework of outcomes that applies to all types of ICT risk. It complements NIST Special Publication (SP) 800-221,
Enterprise Impact of Information and Communication Technology Risk, which focuses on the use of risk registers to communicate and manage ICT risk.
Hide full abstract
Keywords
enterprise risk management (ERM); enterprise risk profile (ERP); enterprise risk register (ERR); information and communication technology (ICT); ICT risk; ICT risk management (ICTRM); ICT risk measurement; ICT Risk Outcomes Framework (ICT ROF); risk appetite; risk register; risk tolerance
Control Families
None selected