This deck was presented live at the Federal Computer Security Manager’s Forum Offsite on Tuesday, June 20th at NIST Headquarters in Gaithersburg, MD.
Risk management can be done top-down, bottom-up, middle-out, or some combination. Many of our government institutions have insecure systems because they confuse compliance with security when reviewing their enterprise as well as cybersecurity risks.
* Tie cybersecurity risks to enterprise risks
* Understand where compliance ends and where security begins or vice-versa
* Evaluate risk management frameworks from other countries to see where we’re lacking or more advanced