ORX to create cyber control and indicator libraries
- 27 November 2019
This month, ORX has taken a major step forward in supporting operational risk teams with cyber and information security risk management. As part of our wider cyber and information security risk management programme, we’ve gathered key controls and indicators from over 20 financial institutions based around the world. This information will allow us to create libraries of controls and indicators used for managing and monitoring cyber and information security risk.
We asked participating firms to review and assess their controls against a suite of 98 taken from the industry-standard NIST framework. We wanted to understand how aligned to NIST the controls are, and where and how often they deviate. This information will allow ORX to provide a view of which are the most commonly used key controls. We also collected information on controls aligned with other frameworks and asked participants to provide their key risk indicators used to support the management of CISR – in total we received more than 170 indicators.
Supporting good practice in cyber and information security risk management
This data was collected through a survey, which we designed in collaboration with our expert cyber and information security risk management working group. The survey collected information on the controls and indicators, including:
- How frequently they are used
- How many of them are automated
- What primary risks do they manage
- The balance of leading and lagging indicators
- Whether they are dependent on a third-party
In addition to this, we asked participants to assess their level of maturity against set criteria created by our advisory group.
This information means ORX can create libraries which will help improve the controls and indicators used to support good practice in cyber and information security risk management. Crucially, these libraries will give institutions (not necessarily just financial ones) the ability to do peer comparisons across controls and indicators for this material risk. A summary of the results and initial findings from the survey will be available in the new year.