Better Together

How Integrating Enterprise Risk Management Can Strengthen Federal Cybersecurity

The Partnership for Public Service is a nonpartisan, nonprofit organization that works to revitalize the federal government by inspiring a new generation to serve and by transforming the way government works. The Partnership teams up with federal agencies and other stakeholders to make our government more effective and efficient.

Deloitte provides industry-leading audit, consulting, tax and advisory services to many of the world’s most admired brands, including nearly 90% of the Fortune 500® and more than 5,000 private and middle market companies. Our people work across the industry sectors that drive and shape today’s marketplace — delivering measurable and lasting results that help reinforce public trust in our capital markets, inspire clients to see challenges as opportunities to transform and thrive, and help lead the way toward a stronger economy and a healthy society. Deloitte is proud to be part of the largest global professional services network serving our clients in the markets that are most important to them. Now celebrating 175 years of service, our network of member firms spans more than 150 countries and territories. Learn how Deloitte’s more than 312,000 people worldwide make an impact that matters at www.deloitte.com.

Introduction

Every day, federal agencies handle huge volumes of sensitive information—from the personal data of those who receive government benefits to national security information analyzed by the intelligence community. Digital systems store, manage and process much of this data, making critical government operations vulnerable to cyberattacks.

Since 1997, however, the Government Accountability Office’s biannual High-Risk List has identified cybersecurity as a crucial area requiring more attention from federal agencies.1 And as agencies continue to modernize their digital operations, new cybersecurity challenges compound existing ones, posing even greater risk to effective government operations. For example, in 2020, the widespread SolarWinds attack affected multiple federal agencies and highlighted the need for government to prioritize cybersecurity.2

It is critical that federal agencies strengthen their cybersecurity risk management. To do so, federal cybersecurity programs can work with their agencies’ enterprise risk management functions, an approach highlighted in recent guidance from both the National Institute of Standards and Technology and the Office of Management and Budget. Enterprise risk management, or ERM, is a practice used to methodically identify, prioritize, address and monitor all risks, including cybersecurity risks that threaten the success of an organization’s mission. In our 2020 report, “Mastering Risk,” the Partnership and Deloitte detailed the recent progress of federal ERM and called on agencies to integrate ERM more frequently and more actively with other risk functions, such as cyber risk management.

In the spring of 2021, the Partnership and Deloitte convened a working session for experts and practitioners in ERM and cybersecurity. Participants discussed how agencies can use ERM programs and principles to improve the effectiveness of cybersecurity initiatives, noting in particular how ERM can help evaluate cybersecurity risks with a strategic lens and bring those risks to the attention of agency leaders. This issue brief summarizes these discussions and highlights several leading practices used by agencies that work at the intersection of ERM and cybersecurity.

Why Federal Agencies Should Integrate Cybersecurity and ERM

Many agencies have strong cybersecurity programs, overseen by chief information officers and chief information security officers. Agencies can build on this solid foundation by better coordinating their cybersecurity programs and ERM activities. In turn, agency leaders can be better positioned to fully assess, monitor and make decisions about cybersecurity risks. Discussions in our working session revealed several ways that this increased coordination can help ensure effective and secure federal operations, thus enabling government to better carry out its mission.

Bridge communication gaps between agency leadership, staff and technical experts

During our working session, federal cybersecurity practitioners discussed the challenge of communicating complex information about threats and vulnerabilities to agency leaders who may not have in-depth technical knowledge. This communication gap can have serious consequences—if leaders don’t understand the information presented to them and the risks associated with that information, they may not make the decisions or investments needed to protect the agency’s cybersecurity. Federal ERM programs have the tools and expertise to help agencies build a comprehensive risk register. A good risk register can clearly articulate the full picture of an agency’s cybersecurity risks and serve as a resource to help agency leaders understand, prioritize and address those risks.

Increase understanding of cyber-related risk

Integrating cybersecurity with enterprise risk management can also help ERM professionals better understand an agency’s cyber risks. ERM programs can work with cybersecurity professionals to connect information on cyber risks and vulnerabilities to information about other agency programs and strategic priorities. These efforts enable ERM professionals to better understand and monitor cybersecurity risks in relation to other elements of an organization’s risk profile. As a result, ERM practitioners gain a more complete grasp of the agency’s overall risk. At the same time, the urgent nature of cybersecurity work means that practitioners must constantly focus on addressing immediate threats and often lack the time to step back and assess the full scope of cybersecurity risks. By connecting cyber risk to other agency priorities, ERM can help cybersecurity practitioners think more strategically about how to manage these risks.

Bring risks to the attention of agency leaders

Once ERM practitioners have analyzed cybersecurity risks in relation to other agency programs and strategic priorities, they can work with cybersecurity experts to elevate key issues and areas to agency leadership. This coordination can help agency leaders respond more efficiently and effectively to rapidly evolving cybersecurity threats. For example, during the working session, officials from the State Department shared that the agency’s Office of Global IT Risk uses ERM principles to frame technical information about cybersecurity risks for agency leaders and then relays their decisions about risk tolerance back to technical staff as it evaluates specific programs and systems. “If we’re going to have a conversation at the organizational level, we need to put it in the context of how leaders approach everyday decisions,” said Peter Gouldmann, director of the Office of Global IT Risk. “We have to look at the strategic implications.” ERM programs, with their broad view of risk, can also help leaders assess trade-offs and make decisions about how to manage cybersecurity risks while also addressing the other risks an agency faces.

Although relatively new, the idea of closer collaboration between federal ERM and cybersecurity programs is gaining traction across government. For example, in October 2020, the National Institute of Standards and Technology released “Integrating Cybersecurity and Enterprise Risk Management,” an overview of how agencies can integrate the two disciplines. “[Agencies] have generally treated these areas as separate and created some silos…this document talks about how [ERM and cybersecurity] can work in concert,” said Stephen Quinn, senior computer scientist at NIST and one of the document’s authors.

The document shows that NIST recognizes the critical relationship between cybersecurity and ERM, and details how an integrated approach can help agencies better identify, assess and manage cybersecurity risks. Quinn also noted that NIST is currently developing further guidance to help agencies align their cybersecurity and ERM programs.

Leading Practices for Aligning Cybersecurity and ERM

Cybersecurity threats and vulnerabilities remain a top concern for leaders across government. To better manage these risks, federal ERM practitioners should closely coordinate with cybersecurity programs. This type of integration is critical to both an agency’s ERM and cybersecurity functions.

The good news is that many agencies have already started this integration. As this process continues, ERM, cybersecurity and digital transformation practitioners should keep in mind several leading practices generated by our working sessions:

Use common terminology. To collaborate effectively, ERM and cybersecurity teams should build a common terminology to identify, prioritize and communicate cyber risks. This terminology should be useful to technical experts and also accessible to organizational leaders.

Make information actionable. Agencies should go beyond using ERM to generate knowledge about cybersecurity risks—they must make this information actionable. Risk information should be analyzed and then distributed to the leaders who work every day to manage cybersecurity efforts.

Connect risk governance and align leadership. ERM and cyber risk management processes should be interconnected, with the leaders of each group working together and meeting jointly to promote information sharing and collaboration. Risk owners and those who manage risks day to day should also collaborate.

Incorporate risk appetite and risk tolerance. These ERM concepts refer to how much risk an agency is willing to accept in pursuit of its strategic objectives. Using these concepts in relation to cybersecurity risk can help agencies prioritize and monitor top cybersecurity risks and identify which cyber events and activities agency leaders are willing to accept.

Connect cybersecurity and enterprise risk registers. Standardized risk registers at the organizational level can help agencies incorporate cybersecurity risk activities into overall decision-making about risk.

Examine risks at the organizational level. Agencies should have a comprehensive understanding of their cybersecurity risks, including risks at the enterprise level as well as those facing subcomponents and major offices. In July 2019, GAO reported that 11 of the 23 Chief Financial Officers Act agencies it reviewed had not fully established a process for assessing agencywide cybersecurity risks by compiling system-level risks.3 This gap prevents agencies from getting a full picture of the risks they face.

By developing regular coordination between their cybersecurity and ERM functions, agencies can better understand their cybersecurity risks and manage them more effectively. These efforts will in turn enable agencies to better carry out their missions.

Additional Areas for Exploration

The ideas generated in our working session provide a starting point to help agencies more effectively coordinate and integrate their ERM and cybersecurity efforts. These sessions also brought up several questions that merit additional exploration. Further research could explore:

  • Ways ERM can help support the development of a risk-based cybersecurity strategy.
  • Ways ERM and cybersecurity programs might use data to further understand cybersecurity risks.
  • Common terminology that practitioners in both disciplines can use to communicate effectively.
  • Organizational capabilities that ERM and cybersecurity programs should build to coordinate successfully.

Footnotes

  • 1. Government Accountability Office, “Ensuring the cybersecurity of the nation.” Retrieved from bit.ly/3eixehl.
  • 2. Government Accountability Office, “SolarWinds Cyberattack Demands Significant Federal and Private-Sector Response.” April 22, 2021. Retrieved from bit.ly/3hrwmxc.
  • 3. Government Accountability Office, “Cybersecurity: Agencies Need to Fully Establish Risk Management Programs and Address Challenges.” July 25, 2019. Retrieved from bit.ly/38dwv2p.
Appendix I: Methodology

From April to July 2021, the Partnership and Deloitte hosted a working session for enterprise risk management and cybersecurity professionals to discuss the intersection of these disciplines and examine how ERM principles and concepts can support federal cybersecurity. In addition, we solicited input from experts at the Government Accountability Office to hear their recommendations on these issues.

Appendix II: Acknowledgements

The individuals listed below generously offered their input on this issue brief. We greatly appreciate their time and counsel. However, the content of this issue brief may not reflect the views of the participating federal employees. In addition, the views of participating federal officials do not necessarily reflect positions or policies of the federal government or its agencies.

Peter Gouldmann
Director, Global IT Risk
Department of State

Nick Marinos
Director, Information Technology and Cybersecurity
Government Accountability Office

Stephen Quinn
Senior Computer Scientist and Program Manager
National Institute of Standards and Technology, Department of Commerce

Appendix III: Project Team

Partnership for Public Service

Elizabeth Byers
Associate Manager, Research, Analysis and Evaluation

Loren DeJonge Schulman
Vice President, Research, Analysis and Evaluation

Samantha Donaldson
Vice President, Communications

Barry Goldberg
Editor

Lindsay Laferriere
Senior Manager

Katie Malague
Vice President, Government Effectiveness

Andrew Parco
Digital Design Associate

Jessica Reynoso
Associate

Deloitte Government & Public Services

Cynthia Vitters
Managing Director, Enterprise Risk Management Practice Leader
Deloitte & Touche LLP

John Bass
Senior Manager, Enterprise Risk Management
Deloitte & Touche LLP

Dave Mader
Chief Strategy Officer, Deloitte Consulting Civilian Sector
Deloitte Consulting LLP

Ryan Murphy
Manager, Enterprise Risk Management
Deloitte & Touche LLP

Greg Stavrou
Senior Consultant, Enterprise Risk Management
Deloitte & Touche LLP

Mark Stofanak
Analyst, Enterprise Risk Management
Deloitte & Touche LLP