The first component of the risk management process defined in NIST SP 800-39 is risk framing. During risk framing, the organization makes the high-level decisions about how it will approach and perform risk management: the assumptions, constraints, risk tolerance and priorities that bound everything that follows.
Because the risk environment changes continually, the process allows feedback to the risk framing step from each of the other steps (assessment, response and monitoring), so the frame itself is revised as conditions change.
Threat Sources and Threat Events
Consequences and Impact
The execution of the risk management process can be constrained in various ways; some constraints are direct and obvious, while others are indirect. Typical constraints include:
Risk Assessment Methodologies (dependent on governance, organizational structure, culture and how much business functions differ across the company)
Degree of Rigor
Form of Results (possibly leaving the choice of specific risk assessment methods to the business owners)
Information systems are used to support the business goals and functions of your business. Those same vital information systems can expose you to serious threats that can compromise the confidentiality, integrity, and availability of the information that you process, transmit, and store. Successful attacks on your business can damage your operations, assets, reputation, staff, and/or partners. If an attack happens because you failed to comply with regulatory requirements, you (and your executive team) could face legal liability, fines, and jail. So what is a business owner to do?
Just as you would manage the many other business risks that you face, you should also assess and manage the risks to your information systems at all levels of your company. After conducting a risk assessment and determining the level of information security risk that you face, you must then decide how you will handle (and reduce) that risk consistent with the goals, objectives, and priorities of your business. Budgetary constraints will also impact your choices.
Although managing information security risk can seem complex and daunting, recognizing that the entire organization must be involved will point you in the right direction. When risk management is integrated into every aspect of your business, you are more likely to correctly identify the threats you face, consider security at the beginning of the acquisition process rather than after deployment, and make informed, risk-based decisions that protect your business and allocate budget where it best serves your goals.
NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, provides guidance on a holistic, three-tiered approach to risk management. Tier 1 is the executive-level, strategic view of the organization; Tier 2 examines the mission and business processes and the information flows within them; and Tier 3 drills down to the individual information systems and the environments in which they operate.
Tier 1 addresses risk from a business-wide perspective. The tasks that happen at Tier 1 include:
Tier 2 addresses risk from a mission and business process perspective. Tier 2 activities are guided by the risk decisions made at Tier 1, are closely associated with enterprise architecture, and include:
Tier 3 addresses risk from an information system perspective. Tier 3 activities are guided by the risk decisions made at Tiers 1 and 2. Tier 3 tasks carry out the six steps of the NIST Risk Management Framework (RMF). See NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, and NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems (system security plans).
Taken together, the three tiers cover the organization from the very top (the information security program) down through the system security plans for individual systems and the security measures taken to mitigate and continuously monitor risk.
To help your company manage information security risk at the system level, NIST developed the Risk Management Framework (RMF). The RMF promotes the idea of real-time risk management and ongoing system authorization by using a continuous monitoring process.
The six steps that comprise the Risk Management Framework (as defined in NIST SP 800-37 Rev. 1; Rev. 2 later added a preparatory step ahead of these six) are:
In the first step (Categorize), you categorize the system in question and the information it processes, stores, and transmits, based on an impact analysis of the potential loss of confidentiality, integrity, and availability. Guidance on security categorization is in FIPS 199 and NIST SP 800-60.
In the second step (Select), you select an initial set of baseline security controls for the system from NIST SP 800-53, based on the security categorization. You then tailor and supplement the baseline as needed for the environment the system operates in and the results of your company's risk assessment.
In the third step, you implement the security controls that you selected. You also document how the controls are used within the system and its environment of operation. There are a number of NIST publications that provide detailed information on security control implementation. These publications are available at the NIST Computer Security Resource Center website.
In the fourth step (Assess), you use appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to the security requirements for the system. NIST SP 800-53A provides guidelines for developing assessment methods and procedures to determine security control effectiveness in federal systems.
In the fifth step (Authorize), based on the results of a complete and thorough security assessment indicating that the system operates at an acceptable level of risk, a designated official formally authorizes the system to operate (or to continue operating), explicitly accepting the residual risk on behalf of the organization.
The sixth step of the RMF is to continuously monitor the security controls in the system to ensure that they are effective over time as changes occur to the system and in the environment of operation. Your company will monitor the security controls in the system on an ongoing basis, including assessing control effectiveness, documenting changes to the system or operating environment, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated company officials. See NIST SP 800-137 for specific guidance on continuous monitoring.
Risk management is the process of identifying, assessing, and responding to risks to company operations, assets, individuals, and other organizations. With respect to information security, NIST SP 800-39 identifies four components (steps) of managing risk.
Risk framing describes how the company establishes a risk context for the environment in which it operates and makes risk-based decisions. The purpose of the risk framing component is to produce a risk management strategy that addresses how the company plans to assess, respond to, and monitor risk. The risk perceptions that drive investment and operational decisions are explicitly stated and included in the strategy.
Risk assessment describes how the company analyzes risk within the context of the risk frame established in step 1. The purpose of a risk assessment is to identify the following:
The risk response step addresses how the company will respond to the risk found during the risk assessment step. The purpose of the risk response component is to provide a consistent, company-wide response to risk that is in line with the company’s risk frame by doing the following:
Risk monitoring addresses how the company will monitor risk over time. The purpose of this step is to:
Information security policy is defined by NIST 800-12 Rev. 1 as “an aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information.” In crafting and implementing security policies, managers face difficult choices regarding competing objectives, resource allocation, employee behavior, and organizational strategy.
Managerial decisions regarding information security issues vary greatly but result in three different types of policy:
Program policy (issued by a senior manager or management team) is used to create an organization's information security program. A program policy sets the strategic direction for security and assigns resources to implement security within the organization. This high-level policy defines the purpose of the information security program and its scope within the organization, addresses any compliance issues, and assigns responsibility for direct program implementation to the security organization as well as other related responsibilities.
Basic Elements of a Program Policy address a number of items including:
Issue-Specific policies provide specific guidance and instructions on the proper use of systems. Issue-specific policies address current technologies in use in the organization and expected employee behavior around those technologies. Because technologies change so frequently, issue-specific policies must be reviewed on a regular basis to ensure that they are current. New technologies and the discovery of new threats often require the creation of an issue-specific policy. Some examples of issue-specific policies include:
Basic Elements of an Issue-Specific Policy address a number of items including:
While program and issue-specific policies are broad, high-level and written to cover the entire organization, system-specific policies relate to specific technologies and give direction on the specific actions that are permitted on a given system. System-specific policies dictate the required security configurations to the people responsible for implementing the security controls needed to meet the organization's information security needs. After management determines the security objectives for a specific system, the rules for managing and operating that system can be identified and documented. A decision must be made about the level of detail to include in the policy and the degree of formality with which the system-specific policy is documented.
Technology (especially access controls) plays an important role in implementing and enforcing system-specific policies. Management controls also play an important role in policy enforcement. Additionally, the occasional need for deviations from a policy must be anticipated and prepared for.
System-specific policies must be reviewed frequently to ensure that they conform to the most current security procedures.
Information security policies are often extensions of organizational policies in other forms. For example, an organization’s email policy would likely support its broader policy on privacy as well as policies regarding the appropriate use of equipment and facilities.
The cost of securing information and systems is unavoidable. Costs are incurred in the policy development process itself: administrative and management activities are required for drafting, reviewing, coordinating, disseminating, and publicizing policies. In many organizations, successful policy implementation may also require additional staff and training.
The objective is to ensure that the security protections implemented are commensurate with risk by striking a balance between the protections required to meet the security objectives of the organization and the cost of those protections.
Note: Policy controls are addressed by the -1 controls of every security control family in NIST SP 800-53 (for example, AC-1 for Access Control). The -1 controls establish the policy and procedures for implementing the individual security controls and control enhancements in that family.
In order to protect your information system from attack and implement cost-effective, risk-commensurate security measures, you need to know and understand the vulnerabilities of your system along with the threat sources that could exploit those vulnerabilities.
Vulnerabilities leave your systems open to a range of activities that can result in losses to your organization, clients, and business partners. A vulnerability can be anything from a single damaged file on a laptop, to weak physical access control in your facilities, to a poor password policy. With the right tools and knowledge, a threat source can exploit a system vulnerability and gain access to the information stored on the system.
A threat source is any person or event with the potential to cause harm to your organization's operations, assets, individuals, or other organizations. Threat sources give rise to threat events. A threat event is an incident or situation that has the potential to negatively impact your organization; an example is an attacker installing a keystroke logger on a workstation. A threat source can be either adversarial or non-adversarial.
Adversarial threat sources are individuals or groups that seek to exploit your organization's dependency on cyber resources. They are not only outsiders: employees, privileged users, and trusted users can all be adversarial threat sources, misusing their access to defraud or damage your IT systems.
Adversarial Threat Sources and Events
Non-Adversarial Threat Sources and Events
Non-adversarial threat sources do not intend to cause harm but have the potential to do so. They include natural disasters, fire, flood, civil unrest, social media, strikes, and errors committed by individuals in the course of performing their everyday job duties. Some examples of non-adversarial threat sources and events include: