Mature Your Cyber Program with a Cybersecurity Risk Register


September 2023

by Julia Winer

Risk-based cybersecurity management is the process of identifying, tracking and mitigating the risks to your organization. By tracking those risks in a cybersecurity risk register, a central record of the risks facing your organization, you can protect your data proactively, addressing the most critical risks first and ensuring that your actions have the maximum possible impact.

This blog will follow a single risk, “Lack of a Security-Minded Workforce,” through the risk register to demonstrate how you can track and mitigate risk with the right platform. 

1. Identify and catalog risks within the risk register 

First, you’ll want to identify the risk and catalog it with a description in the risk register. In this case, the description would be: “The workforce lacks user-level understanding about security and privacy principles.” By entering risks into your register, you enable stronger prioritization in your mitigation efforts and more agile decision making. 

2. Perform periodic risk assessments

Once you’ve identified the risk, you should schedule periodic assessments to evaluate the likelihood of an event and the impact the event would have if it occurred. In your register, you’ll record both factors, along with the planned review schedule. In this case, it’s appropriate to assess the risk on a quarterly basis. While the impact of this event would be major, such an event is ultimately unlikely. By assessing both likelihood and impact of an event, you can more accurately determine how urgently action is needed and prioritize your efforts on that basis.  

3. Map mitigating controls to risks  

Each risk in your register should have specific controls in place to mitigate both the likelihood of an event and the impact were it to happen. In this case, the controls would be “SAT-01 – Security & Privacy Minded Workforce,” “SAT-02 – Security and Privacy Awareness,” and “SAT-03 – Role-Based Security & Privacy Training.”  

4. Identify and catalog controls in control library 

Once you’ve determined which controls correspond to the risk you’re tracking, it’s time to catalog those controls within your control library along with a description. In this case, the control “SAT-02 – Security & Privacy Awareness” could be described in these terms: “Mechanisms exist to provide all employees and contractors appropriate awareness education and training that is relevant for their job function.”

5. Assess control effectiveness and maturity 

Just as it’s necessary to assess the risks facing your organization, you must also assign an owner to each control and schedule regular control assessments to determine the control’s maturity and effectiveness. In the case of security and privacy awareness training, an annual assessment schedule would be enough.

6. Automate evidence collection using software 

Once you’ve determined your assessment schedule, your control owner should automate the distribution and collection of evidence requests. For this control, you’ll request both “documented evidence of initial user training for cybersecurity and/or privacy topics” and “documented evidence of practical user training exercises for cybersecurity and/or privacy topics.” These requests will be sent to different business units within the organization, which will respond with screenshots of systems or specific documentation to demonstrate that the appropriate controls are in place.

7. Relate policies to controls 

At this stage, it’s also worth using a cybersecurity risk management platform to relate the policies you have in place to the controls they enforce. For “SAT-02 – Security & Privacy Training,” the corresponding policy is “Security Awareness Training Policy,” and the listed intent is to help “minimize risk thus preventing the loss of PII, IP, money or brand reputation.” By linking these policies, which are sent to your organization’s end users, to your controls, you demonstrate a commitment to keeping your data safe both internally and externally.

8. Conduct policy reviews 

To keep your controls in good shape, assign each policy an owner who reviews it on a regular schedule to determine whether it should be updated, retired or kept as it is. In this case, the appropriate review cadence is quarterly. Sometimes a policy is doing what it’s supposed to but must be adjusted to meet new regulatory requirements or controls. Other times, you will review a policy and find that it is no longer relevant to your organization due to a change in controls, and that it should be retired.

9. Align controls with the relevant standards 

Next, you must identify the industry standards relevant to your organization and align your controls with the appropriate provisions. In the case of “SAT-02 – Security & Privacy Awareness,” it is relevant to the ISO 27001 provision “ISO – 6.4: Communication,” which demands that organizations “determine the need for internal and external communications relevant to the information security management system.”  

10. Demonstrate regulatory alignment 

Additionally, you should ensure alignment with the relevant regulations. In this case, the Payment Card Industry Data Security Standard (PCI DSS) requires that organizations implement a “formal security awareness program to make personnel aware of the entity’s information security policy and procedures.” This can be related to the control “SAT-01 – Security & Privacy-Minded Workforce” to demonstrate coverage.
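To show how the ten steps fit together as data, here is an added example (not ProcessUnity code, and not part of the original post) that models a minimal register holding the blog’s example risk and its SAT controls, ranks risks by likelihood × impact, and flags overdue assessments and controls with no evidence, policy or standard linked. The three-level scales, the review-cadence day counts, the dates and SAT-03’s gaps are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Ordinal scales for likelihood and impact (assumed three-level scales) and review cadences.
LEVELS = {"unlikely": 1, "possible": 2, "likely": 3, "minor": 1, "moderate": 2, "major": 3}
CADENCE_DAYS = {"quarterly": 91, "annual": 365}

@dataclass
class Control:
    ident: str                                     # e.g. "SAT-02"
    cadence: str                                   # assessment schedule (step 5)
    last_assessed: date
    evidence: list = field(default_factory=list)   # collected evidence (step 6)
    policies: list = field(default_factory=list)   # related policies (step 7)
    standards: list = field(default_factory=list)  # standards and regulations (steps 9, 10)

@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    cadence: str                                   # assessment schedule (step 2)
    last_assessed: date
    controls: list = field(default_factory=list)   # mitigating controls (step 3)

    def score(self) -> int:
        return LEVELS[self.likelihood] * LEVELS[self.impact]

def overdue(cadence, last, today):
    return today > last + timedelta(days=CADENCE_DAYS[cadence])

def register_findings(risks, today):
    """Rank risks by score; flag stale assessments and controls lacking evidence, policy or standard."""
    ranked = sorted(risks, key=lambda r: r.score(), reverse=True)
    findings = []
    for r in ranked:
        if overdue(r.cadence, r.last_assessed, today):
            findings.append(f"{r.name}: risk assessment overdue")
        if not r.controls:
            findings.append(f"{r.name}: no mitigating control mapped")
        for c in r.controls:
            if overdue(c.cadence, c.last_assessed, today):
                findings.append(f"{c.ident}: control assessment overdue")
            for attr in ("evidence", "policies", "standards"):
                if not getattr(c, attr):
                    findings.append(f"{c.ident}: no {attr} linked")
    return [r.name for r in ranked], findings

# Constructed sample: the blog's example risk and its SAT controls; SAT-03's gaps and all dates are made up.
SAT = [Control("SAT-01", "annual", date(2023, 1, 15), ["training roster"], ["Security Awareness Training Policy"], ["PCI DSS security awareness program"]),
       Control("SAT-02", "annual", date(2023, 2, 1), ["initial user training", "practical exercises"], ["Security Awareness Training Policy"], ["ISO 27001 6.4 Communication"]),
       Control("SAT-03", "annual", date(2022, 6, 1))]
RISKS = [Risk("Lack of a Security-Minded Workforce", "unlikely", "major", "quarterly", date(2023, 7, 1), SAT)]
TODAY = date(2023, 9, 1)  # constructed "now" for the review-due check
```

Running `register_findings(RISKS, TODAY)` reports SAT-03 as overdue for assessment and as having no evidence, policy or standard linked, while the risk itself (assessed in July on a quarterly cadence) is not yet due.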

Once you’ve identified and tracked your risks, controls and policies within a cybersecurity risk management platform, you can continue to evaluate and enhance your controls, improving program maturity and keeping your organization safe. This process is made easier by software like ProcessUnity for Cybersecurity Risk Management, which enables risk tracking and the prioritization of mitigation efforts with its industry-leading risk register. With the help of a powerful program like ProcessUnity, you can mature your program from compliant to exceptional. 
