Cyber and information security risk programme
- 1 July 2019
What is the ORX CISR programme?
We're trialling how we can support firms with their day-to-day cyber and information security risk (CISR) management. Cyber presents a significant problem to operational risk managers. Cyber and digital are both considered to be strong emerging risks, as shown in our recent Operational Risk Horizon study. And there is pressure from boards, regulators and senior management to show that these risks are being effectively managed.
The challenge operational risk professionals face is how to manage cyber and information security risks when there is a lack of data and information. This makes it difficult to understand your experiences and exposure, and compare them with your peers. It also means you are unable to see if you are taking the right risk management actions.
This is where we think ORX can help, by supporting firms to:
- Understand their risk exposure for cyber and information risk
- Improve how they respond to and actively manage the risk
A global community of experts
To help us work out how we can best support the industry, we've created a working group of cyber and information security experts from among a variety of our member firms. This community has identified the key activities that we are currently exploring:
- Information sharing
Current working group
Join the ORX CISR programme
Your firm can take part in this programme, even if you're not currently a member of ORX. To find out how you can get involved, please contact us.
How are we doing it?
We are currently focusing on two primary areas of the overall project, which are running simultaneously:
- Information sharing
- Governance and management practice standards
Within each of these are a number of smaller workstreams concentrating on specific aspects of the cyber and information security challenge.
(Timings and priorities may change as the project progresses)
The information sharing part of the programme has been split into three smaller deliverables:
- Definition development – completed, find out more about the definitions
- Sharing key controls, indicators and frameworks (May-September 2019)
- Incident data sharing (timings and details tbc)
Governance and practice standards
This part of the programme is looking at:
- Operating models, roles, responsibilities and budgets (May-July 2019)
- Regulatory drivers and priorities (timings and details tbc)
- Reporting (timings and details tbc)
- Risk management practices (timings and details tbc)
- Practice standards (timings and details tbc)