Managing Cyber Risk in a Digital Age | 11
Because the cyber risk assessment informs management's decisions about how to deploy risk responses toward information systems that support an entity's objectives, it is important that senior management and other critical stakeholders drive the risk assessment process to identify what must be protected in alignment with the entity's objectives. Many organizations do not spend enough time gaining an understanding of what information systems are truly critical to the organization; they also may have difficulty understanding where and how the information is stored. This can lead to attempts to protect everything, which may result in overprotecting certain information systems and underprotecting others.

Placing a value on information systems requires a high degree of collaboration between business and IT stakeholders. Because organizations are not able to act on all risks, given the limited time, budget, and resources available, management should also determine the levels of risk tolerance acceptable to the organization and focus its efforts to protect the most critical information systems.

[Figure: Risk Assessment Prioritization. A chart plotting Severity (Low to High) against Likelihood of Occurrence (Low to High), with the high-severity, high-likelihood region labelled "Risk Prioritization".]
Copyright © 2019, Deloitte Development, LLC.

As an output of Principles 10 and 11, an organization should have a clear understanding of the information systems critical to the achievement of its objectives. Then, applying Principle 12, risk assessment is taken deeper as the organization assesses and prioritizes risks in relation to the severity and likelihood of cyber risk events and outcomes. When led by senior management, through collaboration with business and IT stakeholders, an organization is positioned to evaluate the risks that could impact the achievement of its objectives across the entity.

During this stage of the risk assessment process, it is also important to apply an industry lens to cyber risks rather than just looking broadly at cyber risks. The perpetrators of cyber attacks have unique objectives that differ between industry sectors. For example, in the retail sector, organized criminals are the most likely attackers, focused primarily on exploiting vulnerabilities in systems that contain information that can be used for profit (e.g., credit card data or Personally Identifiable Information (PII)). Alternatively, the oil and gas industry might be targeted by nation-states with a motive to steal strategic data about future exploration sites. Chemical companies may find themselves targeted by hacktivists because of perceived environmental issues around their products.

Through careful evaluation of the motives and likely attack methods and the techniques, tools, and processes the attackers may use, the organization can better anticipate what might occur and be in a position to design controls and other risk responses that are highly effective in minimizing the disruption of potential cyber attacks and keeping highly valued assets secure.

The portfolio view of risks should be updated on a continuous basis to reflect changes that could impact an organization's deployment of cyber risk management activities to protect its most critical information systems. As information is generated from the vigilant monitoring of the changing threat landscape and the risk assessment process, senior executives and other stakeholders must share and discuss this information to make informed decisions on how best to protect the organization against exposure to cyber risks.