The National Institute of Standards and Technology has issued two new special publications designed to help decision makers incorporate information and communication technology, or ICT, risks into the enterprise risk management programs of their respective organizations.
The first publication — NIST Special Publication 800-221, Enterprise Impact of Information and Communications Technology Risk: Governing and Managing ICT Risk Programs Within an Enterprise Risk Portfolio — aims to help readers understand the relationship between ERM and ICT risk management, NIST said Friday.
The second publication — NIST Special Publication 800-221A, Information and Communications Technology Risk Outcomes: Integrating ICT Risk Management Programs with the Enterprise Risk Portfolio — complements the first document and offers a “framework of outcomes” applicable to all ICT risk types.
NIST SP 800-221 says it endorses an approach to ERM that treats ICT and its associated risks as an interconnected portfolio rather than a set of disparate programs, because ICT comprises a system of systems.
The document also endorses the practice of ICT risk information aggregation and normalization, which would help identify and communicate risk scenarios to decision makers.