How will you ensure that your Risk Assessment adapts to changing business operations and Cybersecurity threats and adequately informs your Cybersecurity Program?
Risk Assessment is not a static process and organizations must update Risk Assessments to address changes to Information Systems, Nonpublic Information, or business operations.
The NYC500 requires that an organization's Risk Assessment be able to respond to technological advancements and evolving threats, while taking into account the particular risks of its business operations as they pertain to Cybersecurity, the Nonpublic Information it collects or stores, and its Information Systems.
The Risk Assessment must be carried out in accordance with written policies and procedures and must be documented.
These policies and procedures must include:
1. Criteria for evaluation and categorization of Cybersecurity risks or threats facing the Covered Entity
2. Criteria for assessment of confidentiality, integrity, security and availability of Information Systems and Nonpublic Information, including the adequacy of existing controls as they pertain to identified risks
3. Requirements describing how identified risks will be mitigated or accepted based on the Risk Assessment and how the Cybersecurity Program will address these risks
By determining Cybersecurity-related activities that are important to your business strategy and critical service delivery, your organization will be able to prioritize investments in managing Cybersecurity risks.
Understanding how best to enable your workforce, customers, suppliers, partners, and collaborators to be risk conscious and security aware will lead to fulfillment of Cybersecurity roles and responsibilities across the Cyber Risk Chain.
Assessing the effectiveness and efficiency of your Cybersecurity policies and procedures will allow your organization to measure the Cybersecurity results it achieves and ultimately identify opportunities and priorities for improvement. Once these are identified, it will be up to each organization to determine how its Cybersecurity risks will be accepted or mitigated.
Some questions that each organization subject to NYC500 should consider when approaching and designing a Risk Assessment:
- How will my organization evaluate the three main categories of Cybersecurity Risk: Outside Attackers, Insider Threats and Third Party Incidents?
- What criteria will my organization use to assess the confidentiality, integrity, security and availability of Information Systems and Nonpublic Information?
- Once I have addressed these Cybersecurity Risks, how will I respond to them, how will I recover from them, and how will I report them?
The NYC500 Risk Assessment may seem vague. This is entirely intentional.
The goal of the program is the implementation of custom security procedures. This can only be done by providing a wide berth for evaluation based on every Covered Entity's current structure.