10 Analysis

10.1 Reports and Studies

The reports that appear in figures have so far been standard reports that may be generated automatically, depending on the capabilities of the information security management system or governance, risk, and control system used by the enterprise. There are also standard reports that are generated manually. It is not unusual for a CRO to ask all business units to produce the same information in the same format so that the risk and audit staff can assimilate it easily. This is usually a standard practice in financial reporting. It is especially common in large global organizations where different business units use different systems to manage risk data and financial data. While some business process owners will be able to produce the report automatically, others may have to use a template and fill in the blanks.

What these reports have in common is that they are developed in anticipation of the need for system stakeholders to review and understand cybersecurity risks within their scope of responsibility. Ideally, they are provided proactively and are easy to retrieve when needed to make decisions with respect to cybersecurity risk. Because they contain sensitive information, there may be a designated individual in each department charged with accessing the reports and sharing them, or sections of them, with others who may not need ongoing access to all department risk information (e.g., an event contact or issue owner). There will typically be at least one report that ...
