The National Institute of Standards and Technology (NIST) has issued a comprehensive library of Special Publications related to cyber security, risk, and its own Risk Management Framework. The framework is compulsory for Federal systems but is also gaining popularity in commercial enterprises, because the publications are free, ubiquitous, and often necessary for doing business with government entities anyway. However, the sheer volume of this body of work can be daunting. While thoroughness and precision can be an asset, they can also make it difficult to see the forest for the trees.
This presentation will define the foundational elements of any meaningful cyber security risk management program using the NIST Special Publications (SP) as a guide, with an emphasis on what they mean for the internal auditor. It will cover the more common documents, such as SP 800-37 and SP 800-53, as well as less familiar ones such as SP 800-18, SP 800-60 vol. I & II, and related documents not published by NIST. It will conclude with tips and techniques for any cyber security risk management audit program, regardless of the actual framework in use.