Page 120 - COSO Guidance Book
4 | Managing Cyber Risk in a Digital Age

As a result, the reality is that cyber risk is not something that can be avoided; instead, it must be managed. Organizations should ensure they have an understanding of all data that is collected, how it is collected, where that data is stored, and then focus on their most important data to deploy the appropriate security controls and other risk mitigation techniques to protect the organization's informational assets, brand and reputation, supply chains, etc.

Organizations may view their cyber risk profile through the following components of risk management as per the COSO ERM Framework¹:

[Figure: COSO Infographic with Principles. Title: "Risk Management Components" / "Enterprise Risk Management". The diagram shows the five ERM components running across the business life cycle: Mission, Vision & Core Values; Strategy Development; Business Objective Formulation; Implementation & Performance; Enhanced Value. Source: COSO.]

Governance & Culture
1. Exercises Board Risk Oversight
2. Establishes Operating Structures
3. Defines Desired Culture
4. Demonstrates Commitment to Core Values
5. Attracts, Develops, and Retains Capable Individuals

Strategy & Objective-Setting
6. Analyzes Business Context
7. Defines Risk Appetite
8. Evaluates Alternative Strategies
9. Formulates Business Objectives

Performance
10. Identifies Risk
11. Assesses Severity of Risk
12. Prioritizes Risks
13. Implements Risk Responses
14. Develops Portfolio View

Review & Revision
15. Assesses Substantial Change
16. Reviews Risk and Performance
17. Pursues Improvement in Enterprise Risk Management

Information, Communication, & Reporting
18. Leverages Information and Technology
19. Communicates Risk Information
20. Reports on Risk, Culture, and Performance

• Governance and Culture: Governance and culture together form a basis for all other components of ERM. Governance sets the entity's tone, reinforcing the importance of cyber vigilance and establishing oversight responsibilities for the entity.

• Strategy and Objective-Setting: Cyber risk management is integrated into the entity's strategic plan through the process of setting strategy and business objectives. With an understanding of business context, the organization can gain insight into internal and external factors and their effect on risk. An organization sets its cyber risk appetite in conjunction with strategy-setting. The business objectives allow strategy to be put into practice and shape the entity's day-to-day operations and priorities.

• Performance: An organization identifies and assesses risks that may affect an entity's ability to achieve its strategy and business objectives. As part of that pursuit, the organization identifies and assesses cyber risks that may affect the achievement of that strategy and business objectives. It prioritizes risks according to their severity and considering the entity's cyber risk appetite. The organization then selects risk responses and monitors performance for change. In this way, it develops a portfolio view of the amount of risk the entity has assumed in the pursuit of its strategy and entity-level business objectives.

• Review and Revision: By reviewing cyber risk management capabilities and practices, and the entity's performance relative to its targets, an organization can consider how well the cyber risk management capabilities and practices have increased value over time and will continue to drive value in light of substantial changes.

• Information, Communication, and Reporting: Communication is the continual, iterative process of obtaining information and sharing it throughout the entity. Management uses relevant information from both internal and external sources to support cyber risk management. The organization leverages information systems to capture, process, and manage data and information. By using information that applies to all components, the organization reports on risk, culture, and performance.

While organizations should customize their approach to managing cyber risks based on their unique business context, the ERM Framework provides a foundation for designing such an approach. The ERM Framework's 20 principles are described below, with discussion tailored to how these principles can address the inherent exposure to cyber risks.