Washington, DC, U.S.A. --- (METERING.COM) --- May 30, 2012 - The U.S. Department of Energy has release cybersecurity risk management guidelines aimed at enabling organizations to apply effective and efficient risk management processes and tailor them to meet their organizational requirements.

Developed by the DOE in collaboration with the National Institute of Standards and Technology (NIST) and the North American Electric Reliability Corporation (NERC), the guidelines may be used to implement a new cybersecurity program within an organization or to build upon existing internal cybersecurity policies, standard guidelines, and procedures.

The risk management model presented uses a three-tiered structure to provide a comprehensive view of an electricity subsector organization:

  • Tier 1: Organization
  • Tier 2: Mission and business processes
  • Tier 3: Information technology and industrial control systems.

This model represents the organization’s strategic focus in Tier 1, the mission and business processes focus in Tier 2, and tactical focus in Tier 3.

Tier 1 activities may include:

  • Establishing and implementing a structure for risk management and governance
  • Identifying and prioritizing mission and business processes with respect to strategic goals and objectives
  • Establishing the recovery order for critical mission and business processes
  • Establishing the organization’s risk tolerance
  • Defining techniques and methodologies for assessing cybersecurity risk
  • Defining risk management constraints and requirements
  • Establishing the organization’s cybersecurity risk management strategy

Tier 2 activities may include:

  • Identifying and prioritizing assets necessary to support the mission and business processes of an organization defined in Tier 1
  • Identifying cybersecurity processes needed to successfully execute mission and business processes
  • Mapping cybersecurity requirements against mission and business processes
  • Developing a disciplined and structured approach for managing IT and ICS assets that
  • support mission and business processes
  • Providing a clear and concise roadmap.

Tier 3 activities may include:

  • Categorizing IT and ICS into levels by risk and value to mission and business processes
  • Allocating cybersecurity controls to systems and the environments in which they operate
  • Managing the selection, implementation, assessment, and monitoring of cybersecurity controls
  • Establishing a process to routinely reassess a system’s cybersecurity posture based on new threat information, vulnerabilities, or system changes.

The risk management cycle is an iterative and continuous process. The output is a strategy addressing how the organization intends to frame, assess, respond to, and monitor risk. The strategy makes explicit and transparent the risk perceptions that the organization routinely uses to make investment and operational decisions.