10 | Managing Cyber Risk in a Digital Age
PERFORMANCE

Principle                       Description
10. Identifies Risk             The organization identifies risk that impacts the performance of strategy and business objectives.
11. Assesses Severity of Risk   The organization assesses the severity of risk.
12. Prioritizes Risk            The organization prioritizes risks as a basis for selecting responses to risks.
13. Implements Risk Responses   The organization identifies and selects risk responses.
14. Develops Portfolio View     The organization develops and evaluates a portfolio view of risk.
Every organization faces a variety of cyber risks from external and internal sources. Cyber risks are evaluated against the possibility that an event will occur and adversely affect the achievement of the organization’s objectives. Malicious actors, especially those motivated by financial gain, tend to operate on a cost/reward basis. The perpetrators of cyber attacks, and the motivations behind their attacks, generally fall into the following broad categories:

• Nation-states and spies: Hostile foreign nations who seek intellectual property and trade secrets for military and competitive advantage (e.g., those that seek to steal national security secrets or intellectual property).
• Organized criminals: Perpetrators that use sophisticated tools to steal money or private and sensitive information about an entity’s consumers (e.g., identity theft).
• Terrorists: Rogue groups or individuals who look to use the Internet to launch cyber attacks against critical infrastructure, including financial institutions.
• Hacktivists: Individuals or groups that want to make a social or political statement by stealing or publishing an organization’s sensitive information.
• Insiders: Trusted individuals inside the organization who sell or share the organization’s sensitive information.

While the results of the risk assessment should ultimately drive the allocation of the entity’s resources toward risk management responses designed to prevent, detect, and manage cyber risk, investments must also be directed at the risk assessment process itself. An organization has finite resources, and its decisions to invest in these responses must be based on relevant, quality information that prioritizes funding to the information systems that are the most critical to the entity.

[Figure: Organization’s Cyber Risk Assessment Program. Elements shown: Assumptions; Risk Profile; Risk Appetite; Risk Aware Decision Making; Business Context; Culture; Strategy. Copyright © 2019, Deloitte Development, LLC.]

An organization’s cyber risk assessment should begin by understanding what information and systems are valuable to the organization. The value should be measured against the potential impact to the entity’s objectives (including the potential impact of failed legal or regulatory compliance, which can have an indirect effect on accomplishing business objectives). For example, companies in various industries (e.g., financial services, technology, healthcare) may be a prime target for cyber crime given their assets and the highly automated nature of business transactions, processes, and systems.
coso.org