"X-Analytics + CRI Framework" is the place where "C" & "g" meets "R" and "G" in GRC. Anyone can populate and use the CRI framework without X-Analytics. However, X-Analytics provides a unique set of CRI opportunities that you will not find anywhere else.
X-Analytics provides a standard and repeatable way to create and manage your CRI profile, including the ability to share results and invite collaborators.
X-Analytics automatically determines your CRI achievement (or compliance score) for clear reporting and defining compliance actions.
If you are new to CRI, X-Analytics shows you were to focus initial CRI implementations to ensure you achieve the most success.
X-Analytics automatically connects your CRI profile to your exposure and threat profiles to determine your cyber risk condition and benefit of your CRI implementation.
X-Analytics provides a prioritized list of CRI actions to help you best improve your cyber risk condition.
Since cyber risk management is not fixed in time, X-Analytics helps you understand and adapt to all changes in your cyber risk landscape and modify your CRI strategy.
What is the CRI Framework?
The Cyber Risk Institute (CRI) Framework, also known as the Financial Services Cybersecurity Profile, is a comprehensive framework developed to help financial institutions manage and mitigate cyber risks. It was created in collaboration with the financial services industry, regulatory agencies, and other stakeholders to provide a standardized approach to cybersecurity, tailored specifically to the needs of the financial sector.
For more information, please visit here.
How Do I Use the CRI Framework Within X-Analytics?
Using the CRI Framework, within X-Analytics, is super easy. You just need to create a profile, turn on the CRI Framework, enter your responses per diagnostic statement, select save and submit, and then review your unique and valuable CRI-based X-Analytics insights within the X-Analytics Report Center.
The CRI Framework module, within X-Analytics, aligns to the CRI Framework structure.
For more information, please visit here.
Why Should I Use the CRI Framework Within X-Analytics?
In short, because X-Analytics gives you a CRI-informed cyber risk perspective that you will not find anywhere else.
With X-Analytics, you get a standard and repeatable way to create and maintain your CRI profile, and you get an incredible way to understand the value of your CRI profile.
CRI Profile Maintenance: X-Analytics provides you with a standard and repeatable way to create and maintain your CRI profile. You are no longer in the world of spreadsheets. You are in a modern and connected world where more than one person at a time can update their section of the CRI profile, where you can invite collaborators, and where you see how your profile informs your cyber risk condition upon each "save and submit".
CRI Achievement: After completing or updating your CRI profile, X-Analytics automatically determines your CRI achievement (or compliance score). X-Analytics provides a macro CRI achievement score and provides an achievement score per CRI function and category. You can compare these scores to your CRI compliance targets and quickly determine where you can pause and where you need to take action.
New to CRI, Need to Know Where to Focus: Since X-Analytics is a risk management application, you have the ability to see which CRI Framework functions, categories, and sub-categories offer the most risk reducing capability in relation to your inherent risk profile. This prioritized view gives you a starting place with CRI by allow you to focus on the CRI functions, categories, and sub-categories that are most important to your organization.
CRI Risk Benefit: Beyond compliance, X-Analytics takes your CRI profile and combines it with your exposure and threat landscape to determine your cyber risk condition. The delta between your inherent risk and residual risk condition is the benefit of your CRI profile. This benefit is expressed as a monetary value to help you show a CRI return on investment, to help you express a degree of success from your cyber maturity, and to help you compare your CRI benefit with other risk management activities.
CRI Opportunity: After completing your first CRI profile and after any updates, X-Analytics provides a prioritized view of CRI opportunities. The CRI functions and categories are sorted in order of risk reduction. This prioritized view proves that all compliance efforts are not equal in risk reducing value. Additionally, this prioritized view helps you align future actions with the CRI function and categories that would best improve your cyber risk condition.
CRI Trending: Your cyber risk landscape is constantly evolving, and X-Analytics helps you keep up with the changes. As you update your CRI profile, you will see how each update improves your cyber risk condition and trending will show your aggregated progress. As your threat and exposure landscapes change, you will see how these changes either improve or erode the quality of your CRI profile. In all cases, X-Analytics automatically updates your prioritized guidance to ensure you focus on the actions that best align to your targets and that would best improve your cyber risk condition.
X-Analytics + CRI Framework = the place where C" & "g" meets "R" and "G" in GRC.
The Cyber Risk Institute developed the CRI Framework to help financial institutions manage and mitigate cyber risks. However, they did not provide a direct method that connects your CRI profile to your risk profile. Like all other cybersecurity frameworks, this step is left open for interpretation. Without interpretation, most organizations will adopt CRI as a compliance framework, implement all diagnostic statements within their Impact Tier, and assume that all diagnostic statements have an equal risk reducing quality.
Fortunately, X-Analytics solves this problem. X-Analytics automatically connects your CRI profile to your risk profile. Additionally, X-Analytics expands on Govern function to give you a dynamic cyber governance score that helps you better understand the roles, responsibilities, and practices wrapped around your cyber risk strategy.
The table below illustrates how X-Analytics expands on the default capabilities of the CRI Framework.
GRC Category | CRI Framework | X-Analytics + CRI Framework |
Compliance | The CRI Framework provides 318 diagnostic statements that are grouped into sub-categories, categories, and functions. As a compliance effort, organizations can select to implement all diagnostic statements or implement the diagnostic statements within their CRI Impact Tier. | With X-Analytics you don't need to manage spreadsheets. X-Analytics provides a standard and repeatable way to create and manage your CRI framework. You can share results and invite collaborators through the X-Analyics application. |
Risk | The CRI Framework was developed to help organizations manage and mitigate cyber risks. However, the CRI Framework does not provide a way to connect your CRI profile to you risk profile. | X-Analytics automatically connects your CRI profile to your risk profile, giving you the ability to understand the benefit of CRI implementation, where to focus future efforts in order to get the best risk reduction, and how your CRI implementation holds up in a constantly changing risk landscape. Most importantly, X-Analytics shows that all compliance controls are not equal and that certain controls are much better in reducing risk. |
Governance | The CRI Framework includes the Govern function. This function includes a set of diagnostic statements to help you understand your organization's technology and cybersecurity risk management strategy, and expectations, and if you organization's policies are established, communicated, and monitored. | X-Analytics provides a full Governance module that expands the CRI Govern function. This module provides additional Governance inputs, including targets, and combines Governance with Risk and Compliance to determine your dynamic cyber governance score. The dynamic cyber governance score consists of your Govern function implementation, your Governance Rigor, and your Risk Strategy Effectiveness. |
CRI Profile Maintenance.
With X-Analytics, creating and maintaining a CRI profile is super easy. You just need to turn on the CRI Framework module and enter your responses per CRI diagnostic statement. Upon each Save and Submit, you see how our responses change your Current Cyber Exposure value.
You will notice that we followed the exact same structure in the CRI Framework, including the response key.
Since X-Analytics is a cloud-based application, you can invite collaborators into X-Analytics to help answer and update your CRI profile. Additionally, can you share your CRI results through the X-Analytics application without having to mess with power point decks, spreadsheets, or other offline mechanisms that easily get outdated.
CRI Achievement.
After each Save and Submit, X-Analytics automatically determines your CRI Framework achievement (or compliance achievement).
X-Analytics provides a macro CRI achievement score and provides an achievement score per CRI function and category. You can compare these scores to your CRI compliance targets and quickly determine where you can pause and where you need to take action.
New to CRI - Need to know where to start?
Adopting new concepts can be hard. If you are new to CRI and if you are not sure where to start with your implementation, then X-Analytics can give you the focus you need.
Based on your inherent risk profile, X-Analytics determines your Cyber Exposure (without the benefit of a CRI implementation) and provides a view so you can see which CRI functions and categories offer the most risk reducing capabilities. This prioritized view give you the ability to prioritize your CRI Framework implementation.
CRI Risk Benefit
Beyond compliance, X-Analytics takes your CRI profile and combines it with your exposure and threat landscape to determine your cyber risk condition. The delta between your inherent risk and residual risk condition is the benefit of your CRI profile.
This benefit is expressed as a monetary value to help you show a CRI return on investment, to help you express a degree of success from your cyber maturity, and to help you compare your CRI benefit with other risk management activities.
CRI Opportunity
After completing your first CRI profile and after any updates, X-Analytics provides a prioritized view of CRI opportunities. The CRI functions and categories are sorted in order of risk reduction.
This prioritized view proves that all compliance efforts are not equal in risk reducing value. Additionally, this prioritized view helps you align future actions with the CRI function and categories that would best improve your cyber risk condition.
CRI Trending
Your cyber risk landscape is constantly evolving, and X-Analytics helps you keep up with the changes. As you update your CRI profile, you will see how each update improves your cyber risk condition.
Original CRI Diagnostic Responses. Notice that Current Cyber Exposure is $23.4M.
Revised CRI Diagnostic Response on PR.DS-01.02. Notice that Current Cyber Exposure is $23.2M, which is a $0.2M improvement from the original response.
As your threat and exposure landscapes change, you will see how these changes either improve or erode the quality of your CRI profile. In all cases, X-Analytics automatically updates your prioritized guidance to ensure you focus on the actions that best align to your targets and that would best improve your cyber risk condition.
X-Analytics - Putting the "G" in GRC.
X-Analytics provides a full Governance module that expands the CRI Govern function.
This module provides additional Governance inputs, including targets, and combines Governance with Risk and Compliance to determine your dynamic cyber governance score.
The dynamic cyber governance score consists of your Govern function implementation, your Governance Rigor, and your Risk Strategy Effectiveness.
With the X-Analytics Governance Module, you can also tie your CRI profile to your risk transfer mechanism.
Next Steps
Work with your X-Analytics Customer Success Team to best leverage X-Analytics for your CRI use case and to optimize your cyber risk management plan.
Comments