A Proposed Enterprise Cyber Risk Profile Framework [First Cut]

Does your enterprise have a cyber risk profile? Is it continually updated? Is it a real-time profile?

(Does your enterprise know what a cyber risk profile is or why it might be necessary?)

If yes to any of those questions, do you believe your enterprise cyber risk profile encompasses all, or at least most, of the cyber risks (the assets under potential cyber-attack) which your enterprise faces each second of each day?

You may not be a financial services enterprise, and even if you are, you may not conduct business in New York. Regardless of what industry you are in, you should know the following, because these cyber regulations make sense for every business in every industry (yes, even primarily OT-supported industries):

“New York recently announced amendments to the State Department of Financial Services’ cybersecurity regulations. The changes further solidify the state’s already comprehensive cybersecurity regulatory regime. The amendments were both announced by Gov. Hochul and became effective on November 1, 2023. They apply to DFS regulated entities and aim to strengthen provisions around cyber governance, risk mitigation, incident notification, and training.

New obligations under the amendments include:

  • Senior leadership is now explicitly required to exercise oversight of an entity’s cybersecurity risk management.
  • CISOs must make timely reports to an entity’s senior leadership on material cybersecurity issues, including on cybersecurity events and changes to the entity’s cybersecurity program.
  • Previously required cybersecurity risk assessments must now be conducted annually, or whenever there is a material change to the covered entity’s cyber risk. (I bolded this bullet point.)
  • Entities must now conduct annual cybersecurity awareness training that includes training on how to address social engineering.
  • Incident response plans must now include business continuity and disaster recovery plans. These plans must also be tested annually.
  • Entities must notify DFS within 24 hours after making an extortion payment (i.e. a ransomware payment) and provide a detailed explanation of the reasons for making the payment within 30 days.

The amendments also created additional obligations for larger “Class A companies.” These are companies with a two-year average of (1) at least $20 million in gross revenue (including in-state revenue from affiliates) and (2) 2000 employees or $1 billion in total annual revenue (including all affiliate revenue). Class A companies must design and conduct independent cybersecurity program audits, implement a privileged access management solution that includes specific password requirements, and deploy an endpoint detection and response solution that includes logging and security event alerting.”

Link to NY Announcement: https://www.jdsupra.com/post/contentViewerEmbed.aspx?fid=4f8b0787-e763-45d1-87b1-16a0cfee7088

My question: how would any enterprise know that a material change has happened to its enterprise cyber risk profile? Or, equivalently, does your enterprise know that a material change has happened to the enterprise itself? And does it know what that material change is, specifically to its cyber (or other) assets?

I suggest that an enterprise would know if a material change occurred if it had a cyber risk profile that continually (preferably in real-time) reflected the cyber risks which the enterprise faced.

To create a cyber risk profile, I believe enterprises first need an enterprise cyber risk profile framework. I discuss such a cyber risk profile framework next.

Proposed Enterprise Cyber Risk Profile Framework

I used 11 dimensions or major categories of cyber risk profile elements in the Framework. Much like any taxonomy, there is nothing sacred here. Feel free to move elements within categories or add elements or add categories. Taxonomies are slippery beasts.

However, I’m using the concept of ‘dimensions’ because I believe that the categories really are dimensions: I want to stress that an entity can come from, and use, multiple dimensions to accomplish an objective in the Cyber Age. Moreover, the path through the various dimensions will change depending on the entity’s objectives (knowledge, skills, …) and in so doing create one of many potential paths (perhaps consider the paths as digital, mobile, web-connected, cloud-accessible ‘footprints’) through the enterprise. Another entity, wanting to accomplish the same objectives, may do so by walking a different path.

First Dimension – Web Connected Artifacts:

  • Digital Artifacts connected to the web;
  • Physical Artifacts with embedded telecommunications capabilities and/or digital content connected to the web;
  • Operational processes connected to the web;
  • Decision-making processes connected to the web;
  • Marketing processes connected to the web;
  • Financial processes connected to the web;
  • Enterprise Vehicles (ground / marine / air / space) connected to the web;
  • Logistics participants / Warehouse Shelves / Pallets connected to the web.

Second Dimension – Reach (of web connected artifacts):

  • within enterprise
  • within an enterprise division
  • within an enterprise functional area
  • within an enterprise SBU
  • across enterprise’s ecosystem (across enterprise’s value chains)
  • across enterprise’s (or enterprise’s ecosystem’s or value chains’) marketing channels
  • across social media channels.

Third Dimension – Human Entities:

  • clients w/ smart devices (to access some web-connected part of the enterprise (or of a firm or company of the enterprise))
  • prospective clients w/ smart devices ( to access …)
  • regulators w/ smart devices (to access …)
  • 3rd party advisors w/ smart devices (to access …)
  • current employees w/ smart devices (to access …)
  • ex-employees w/ smart devices (to access …)
  • job applicants w/ smart devices (to access …).

Fourth Dimension – Infrastructure:

  • Telecommunications Infrastructure used (by various entities’ smart devices);
  • Operating Systems Used (by …);
  • DNS used (by …);
  • Browsers used (by …);
  • Cloud deployments used (by …);
  • Types of computing equipment used;
  • Types of data storage equipment used.

Fifth Dimension – External Resources:

  • Technology software / solution firms used (by enterprise, by different parts of the enterprise, by different firms of the enterprise’s ecosystem / value chain, by various external entities);
  • Telecommunications software / solution firms used (by …);
  • Communication platforms used (by …);
  • Social Media platforms used (by …);
  • Technology Hardware Firms used (by …);
  • Password Manager(s) used (by …);
  • Search Engines used (by …). (Added June 18, 2024)

Sixth Dimension – Non-Human Entities:

  • Chatbots / Virtual Assistants created or purchased (by … human entities, by external resources);
  • Use of Robots;
  • Use of Drones.

Seventh Dimension – Enterprise Supporting software / solution processes:

  • purchasing processes;
  • equipment maintenance processes;
  • software patching processes;
  • integration (of software / solution) processes.

Eighth Dimension – Technology / Application:

  • Technologies and their applications used to currently support each enterprise process;
  • Technologies and their applications being experimented with to replace current technologies and their applications for each enterprise process;
  • Data Storage applications used;
  • Cloud applications used.

Ninth Dimension – Data:

  • Data (and what types of data) flowing in to the enterprise or to which parts of the enterprise (and from what sources with what frequency and with what levels of cleanliness);
  • Data (and what types of data) stored in enterprise (and in what business systems or decision systems or financial systems or marketing systems or …);
  • Data (and what types of data) flowing out of the enterprise (or from which parts of the enterprise) to what sources;
  • Data Dictionary used;
  • Data Interoperability standards used.

Tenth Dimension – Protocols & Procedures:

  • Protocols & Procedures to authorize access to various business and/or decision and/or other enterprise systems;
  • Protocols & Procedures to de-authorize access to various business and/or decision and/or other enterprise systems;
  • More work to do here in the 2nd Cut.

Eleventh Dimension – Monitoring & Compliance:

  • Monitoring procedures to remain aware of, and Compliance procedures for, new or changed cyber security / resilience and/or data security and/or data privacy laws / rules / regulations of the industry in which the enterprise conducts commerce;
  • Monitoring procedures to remain aware of, and Compliance procedures for, new or changed cyber security / resilience and/or data security and/or data privacy laws / regulations of each local jurisdiction in which the enterprise conducts commerce;
  • Monitoring procedures to remain aware of, and Compliance procedures for, new or changed cyber security / resilience and/or data security and/or data privacy laws / regulations of each US State in which the enterprise conducts commerce;
  • Monitoring procedures to remain aware of, and Compliance procedures for, new or changed cyber security / resilience and/or data security and/or data privacy laws / regulations of the US Federal Government;
  • Monitoring procedures to remain aware of, and Compliance procedures for, new or changed cyber security / resilience and/or data security and/or data privacy laws / regulations of the International Regulatory Authorities under which the enterprise conducts commerce.
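To make the question of “how would an enterprise know a material change has happened?” concrete, here is an added example (my own illustration, not code from the post or any product) that treats the eleven dimensions above as a structured profile, takes two snapshots of it, and diffs them. The dimension names follow the post; the sample elements, the per-dimension materiality weights and the threshold are constructed assumptions, and in practice the snapshots would be fed by asset discovery, identity and HR systems rather than hand-built.

```python
"""
Toy enterprise cyber risk profile built on the eleven dimensions of the
proposed framework, plus a diff that flags material changes between two
snapshots.  Added example, not the post author's implementation.  Weights,
threshold and sample elements are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Dimension keys taken from the framework (First through Eleventh Dimension).
DIMENSIONS = (
    "web_connected_artifacts", "reach", "human_entities", "infrastructure",
    "external_resources", "non_human_entities", "supporting_processes",
    "technology_application", "data", "protocols_procedures",
    "monitoring_compliance",
)

# ASSUMED: how much one added or removed element in a dimension contributes
# to a materiality score.  An enterprise would calibrate these itself.
WEIGHTS: Dict[str, float] = {
    "web_connected_artifacts": 3.0, "reach": 2.0, "human_entities": 2.0,
    "infrastructure": 2.0, "external_resources": 1.5, "non_human_entities": 1.5,
    "supporting_processes": 1.0, "technology_application": 1.0, "data": 3.0,
    "protocols_procedures": 2.5, "monitoring_compliance": 1.0,
}
MATERIALITY_THRESHOLD = 5.0  # ASSUMED: score at or above this is "material"


@dataclass
class RiskProfile:
    """One point-in-time snapshot: a set of named elements per dimension."""
    elements: Dict[str, Set[str]] = field(
        default_factory=lambda: {d: set() for d in DIMENSIONS}
    )

    def add(self, dimension: str, element: str) -> None:
        if dimension not in DIMENSIONS:
            raise ValueError(f"unknown dimension: {dimension}")
        self.elements[dimension].add(element)

    def remove(self, dimension: str, element: str) -> None:
        self.elements[dimension].discard(element)


# Per dimension: (elements that appeared, elements that disappeared).
Change = Dict[str, Tuple[Set[str], Set[str]]]


def diff_profiles(old: RiskProfile, new: RiskProfile) -> Change:
    """Compare two snapshots and report only the dimensions that changed."""
    changes: Change = {}
    for dim in DIMENSIONS:
        added = new.elements[dim] - old.elements[dim]
        removed = old.elements[dim] - new.elements[dim]
        if added or removed:
            changes[dim] = (added, removed)
    return changes


def materiality_score(changes: Change) -> float:
    """Weighted count of changed elements across all dimensions."""
    return sum(WEIGHTS[dim] * (len(added) + len(removed))
               for dim, (added, removed) in changes.items())


def is_material(changes: Change, threshold: float = MATERIALITY_THRESHOLD) -> bool:
    """The regulatory trigger: has the profile changed materially?"""
    return materiality_score(changes) >= threshold


def build_baseline() -> RiskProfile:
    """Constructed sample: a small enterprise profile at time T0."""
    p = RiskProfile()
    p.add("web_connected_artifacts", "customer-portal")
    p.add("web_connected_artifacts", "warehouse-pallet-tags")
    p.add("reach", "across-ecosystem")
    p.add("human_entities", "employee:alice")
    p.add("human_entities", "employee:bob")
    p.add("infrastructure", "cloud:region-a")
    p.add("external_resources", "password-manager:vendor-x")
    p.add("data", "customer-pii-inbound")
    p.add("protocols_procedures", "access-deauthorization-on-exit")
    return p


def build_next_snapshot() -> RiskProfile:
    """Constructed sample at T1: bob left but still appears with a smart device,
    an unregistered web-connected host showed up in asset discovery, and a new
    cloud region was deployed."""
    p = build_baseline()
    p.remove("human_entities", "employee:bob")
    p.add("human_entities", "ex-employee:bob")
    p.add("web_connected_artifacts", "unregistered-host-1")
    p.add("infrastructure", "cloud:region-b")
    return p


def demo() -> Tuple[Change, float, bool]:
    changes = diff_profiles(build_baseline(), build_next_snapshot())
    return changes, materiality_score(changes), is_material(changes)


if __name__ == "__main__":
    for dim, (added, removed) in demo()[0].items():
        print(f"{dim}: +{sorted(added)} -{sorted(removed)}")
    print("score:", demo()[1], "material:", demo()[2])
```

The point of the diff is that a change an attacker introduces (an unregistered host appearing in the web-connected artifacts) and a change the business introduces (a departed employee who still has a device on the books) surface through the same mechanism: the only way to notice either is to have a current snapshot to compare against. Run continuously, the diff is what turns the profile into the “real-time” profile the post asks about.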

Making Too Much of Discovering Material Changes to an Enterprise’s Cyber Risk Profile ???

I have a hunch some people will say that I’m making too much of what it takes to discover whether an enterprise has made material changes to its cyber risk profile … or whether cyber-hackers, through their cyber-attack, have made material changes to the enterprise’s cyber risk profile.

What do you think?
