Showing results for tags 'Risk Management'.

More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


  • Founder
  • Platinum
  • Gold
  • Silver
  • Partners


  • Framework 101
    • Webseries
    • Tiers
    • Profiles
    • Framework Core
  • General
    • Implementation Guidance
    • Solutions
    • Framework in the News
    • Supply Chain Risk Management
    • Success Stories
    • General Discussion
  • Version 2.0
    • Governance
    • Technical Qualifications
    • Updates and Improvements
  • Workshop
    • Feedback
  • Members
    • Member's Lounge
  • BSI RFI Responses


  • Team CForum
  • Mike Brown's Blog
  • Tom.Conkle's Blog
  • Tony Sager's Blog
  • RonGula's Blog
  • Whitsitt on the NIST Framework
  • Frank Downs' Blog
  • Thoughts from Greg
  • matthew.smith's Blog


  • General
  • BSI RFI Responses
  • Guides
  • Templates
  • Example Profiles
  • Other Resources

Find results in...

Find results that contain...

Date Created

  • Start


Last Updated

  • Start


Filter by number of...


  • Start














Company Name




Found 3 results

  1. On October 1, 2015, NIST initiated a two-day workshop on Cyber Supply Chain Risk Management. The workshop provided an opportunity for industry, academia, and government to discuss challenges and best practices in cyber SCRM. The first day featured two panels that initiated the discussion on cyber SCRM and led to breakout sessions that allowed participants to collaborate on the topics. The first panel provided an overview of how cyber supply chain risks are managed within the panelists' organizations: Johnson & Johnson, Northrop Grumman, Verizon, and Intel Corp. Each panelist provided an overview of how cyber SCRM is addressed in their organization and techniques they have implemented to inform executives of cyber supply chain risks. The second panel discussed Organizational Strategies to SCRM. This panel featured panelists from organizations that have robust, but different, approaches for addressing Cyber SCRM within their organizations. The panelists from Cisco Systems, John Deere, Johnson & Johnson, and Schweitzer Engineering Laboratories (SEL) described their approaches for communicating cybersecurity concerns within the supply chain to their executives as well as their approach for monitoring their suppliers. Many panelists expressed the requirement to audit suppliers to ensure they are operating with similar cybersecurity protections as they expect for their own organization. Deere specifically addressed a need to protect their brand name by ensuring they understand the value chain of their suppliers. This understanding is developed through continuous auditing of suppliers' production, quality, and cybersecurity capabilities. After the two panels, workshop attendees were provided an opportunity to discuss these topics in breakout sessions. The breakout sessions provided attendees an opportunity to comment on their organizations' approach to SCRM, identify additional best practices, and confirm current gaps in SCRM.
     The breakout sessions identified several gaps within SCRM. The gaps included a general lack of education and awareness of SCRM risks within their organization, the perception that cyber is an IT risk and not a supply chain risk, and a general lack of participation at the executive and board level of organizations. NIST also identified several SCRM case studies that they completed. The case studies are available at the NIST SCRM site at: http://www.nist.gov/itl/csd/best-practices-in-cyber-supply-chain-risk-management-october-1-2-2015.cfm. The case studies identify the current SCRM practices within ~20 leading companies. They provide organizations an understanding of what others are doing and provide a sample for how SCRM can be implemented within their organization. NIST will also provide a summary of the workshop and additional guidance to industry based on the information obtained during the workshop to further help organizations get started or improve their SCRM processes. What are your thoughts from the workshop?
  2. matthew.smith

     Risk Management Through the Framework

     Version 1.0

     By combining a business risk portfolio (BRP) approach and the Cybersecurity Framework (CSF), organizations can effectively manage cybersecurity risk.
  3. As a follow-up to my blog post here in December, I wanted to mention a class I'll be offering in different U.S. throughout this year that helps define cybersecurity as a problem space, as a discipline, and which attempts to fill in some of the larger gaps in the framework: Risk Management, Metrics, Communicating about Cybersecurity, etc. Hopefully some of you will see value in attending; I think it is relatively unique content with an unusual perspective.

     Overview: This 2-day class – one of several throughout the U.S. in 2015 – is intended for those leaders, decision makers, and technologists who feel that they are lacking a usable bridge between the technology and business aspects of cybersecurity and wish to do more than simply build a standard security program and hope for the best.

     Value: The instructor will use two common security frameworks (NIST and C2M2) alongside custom material (developed over 9 years and unavailable elsewhere) to provide students with the necessary cybersecurity, framework, and communication theory required to make practical improvements to their cybersecurity environments, including, potentially:
       • More effective management of the organizational behaviors outside of the CISO shop that lead to increased cybersecurity risk
       • Enhancement of the functioning and efficacy of security-specific programs and organizations
       • Development of appropriate, actionable metrics for all organizational levels, including the executive
       • Increased assurance that critical business success criteria are met despite ongoing cyber risk
       • More comprehensive plans to defend against specific external threats
       • Improved management of Perception, Communication, Scale, and Uncertainty risks associated with cybersecurity
       • Improved partnership and collaboration within and across organizations, public and private
       • Reduced gap between “Compliance” and “Security”
       • Easier, more effective development of custom formal and informal frameworks to bridge gaps between disciplines

     Audience: The target audience for this class includes executives, security leaders, technology practitioners, architects, policymakers, lawyers, and other individuals interested in moving beyond industry and media hype to develop a broader understanding of both the problem space and discipline of “Cybersecurity” as it applies to their specific roles. Class will be tailored, within the constraints of the topic areas, to the backgrounds and needs of attendees. The first day will focus on theory presentation and the second day will apply that theory to practical problems – some as requested by students – in a workshop environment. Students should also be aware that, despite some use of jargon, no technical experience or security expertise is assumed and each class will be tailored to the experience levels of those in attendance wherever possible.

     Dates:
       • Phoenix, April 14-15
       • Minneapolis, June 16-17
       • Portland, August 11-12
       • Dallas, October 13-14
       • Nashville, November 10-11
       • Custom Dates and Locations Available

     http://www.energysec.org/upcoming-live-events/