Risk management is an organization-wide strategy for reducing the risk of harm occurring against an organization and preventing them from fulfilling their mission or functions. In the context of cyber security, risk management must be included as part of the larger risk management strategy for the organization including business risk, financial risk, competitor risk, etc. Cyber security risk management addresses reducing the risk to the organization from adverse conditions which affect information and information systems. This is done in a similar fashion to other risk management strategies by planning and defining an organizational strategy, identifying specific threats, selecting controls to minimize threats, implementing those controls, assessing their effectiveness, and continuing to measure and adjust controls.
There is a level of risk which an organisation is willing to accept with regard to the costs required to implement controls which is known as the risk-appetite. The risk-appetite is defined during the planning phase of the risk management process. However, it is important that an organization's risk appetite be ethically devised, and that it does not ignore laws, regulations, statutes, or decency in the pursuit of profits. Unethical risk appetites ignore the harm organizations can cause to their customers, citizens, and employees and violate cyber security professional's ethics and standards.
There are numerous frameworks for managing cyber security risk. Two of the most popular frameworks include the National Institute of Standards and Technology's (NIST) Risk Management Framework (RMF) and the International Solutions Organization (ISO) 27005:2018 Information Security Risk Management standard. I have used both frameworks in my career, however, I find the NIST solution to be more robust, familiar, and it is provided free of charge by the United States Department of Commerce. For these reasons, we often use the NIST RMF for framing, assessing, and implementing controls for risk management.
References
There is a level of risk which an organisation is willing to accept with regard to the costs required to implement controls which is known as the risk-appetite. The risk-appetite is defined during the planning phase of the risk management process. However, it is important that an organization's risk appetite be ethically devised, and that it does not ignore laws, regulations, statutes, or decency in the pursuit of profits. Unethical risk appetites ignore the harm organizations can cause to their customers, citizens, and employees and violate cyber security professional's ethics and standards.
There are numerous frameworks for managing cyber security risk. Two of the most popular frameworks include the National Institute of Standards and Technology's (NIST) Risk Management Framework (RMF) and the International Solutions Organization (ISO) 27005:2018 Information Security Risk Management standard. I have used both frameworks in my career, however, I find the NIST solution to be more robust, familiar, and it is provided free of charge by the United States Department of Commerce. For these reasons, we often use the NIST RMF for framing, assessing, and implementing controls for risk management.
References
- ISO/IEC. (2018, July 9). ISO/IEC 27005:2018. Retrieved from https://www.iso.org/standard/75281.html?browse=tc
- Joint Task Force Transformation Initiative. SP 800-39, Managing Info Security Risk: Organization, Mission, & Info Sys, SP 800-39, Managing Info Security Risk: Organization, Mission, & Info Sys (2011). Retrieved from https://doi.org/10.6028/NIST.SP.800-39
The National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)
A methodology and process developed by NIST exists for managing risk while operating information systems. This process is the Risk Management Framework (RMF). It is a seven step process which works in tandem with numerous other NIST documents as shown in Figure 1. Here is a list of the general break down of the steps:
- Prepare: The organization prepares by creating a framework and deciding what level of risk is appropriate and how to classify those levels of risk.
- Categorize System: The organization categorizes the information systems and data types the organization manages to determine which risk profiles from step one are appropriate for protecting information systems and data.
- Select Controls: The organization selects controls which are appropriate for managing the risk of categorized information systems and data and tailor them for the information systems.
- Implement Controls: The organization operators implement the controls and document specific details regarding their implementation.
- Assess Controls: The implemented controls are assessed to determine if they are operating as expected and reducing risk.
- Authorize System: The system owners and senior managers review details regarding the assessment and sign off on approving their use if the risk is accepted and appropriate or describe what needs to be done to bring systems into compliance.
- Monitor Controls: The organization continuously monitors the security controls to ensure they are compliant, and they manage changes to the environment and systems.
References
- Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, & Department of Commerce. (2016, November 30). Risk Management Framework (RMF) Overview - Risk Management. Retrieved July 26, 2019, from https://csrc.nist.gov/Projects/Risk-Management/rmf-overview
- Joint Task Force. (2011, March 01). Managing Information Security Risk: Organization, Mission, and Information System View. Retrieved July 13, 2019, from https://csrc.nist.gov/publications/detail/sp/800-39/final
- Joint Task Force. (2012, September). Guide for Conducting Risk Assessments, NIST Special Publication 800-30 Revision 1. Retrieved August 11, 2019, from https://doi.org/10.6028/NIST.SP.800-30r1
- Joint Task Force. (2014, December). Assessing Security and Privacy Controls in Federal Information Systems and Organizations, NIST Special Publication 800-53A Revision 4. Retrieved August 10, 2019 from https://doi.org/10.6028/NIST.SP.800-53Ar4.
- Joint Task Force. (2018, December). Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, Special Publication 800-37 Revision 2. Retrieved August 1, 2019, from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf
- Joint Task Force, & National Institute of Standards and Technology. (2017, August). Initial Public Draft (IPD), Special Publication 800-53 ... Retrieved July 26, 2019, from https://csrc.nist.gov/csrc/media/publications/sp/800-53/rev-5/draft/documents/sp800-53r5-draft.pdf
- National Institute of Standards and Technology. (2004, February). FIPS 199, Standards for Security Categorization of Federal ... Retrieved July 22, 2019, from https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf
- Stine, K., Kissel, R., Barker, W. C., Fahlsing, J., & Gulick, J. (2008, August). NIST SP 800-60 Volume 1 Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories (United States, National Institute of Standards and Technology, Department of Commerce). Retrieved July 22, 2019, from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf
- Stine, Kevin, Kissel, Richard, Barker, William, L., . . . Jim. (2008, August 01). NIST SP 800-60 Volume 2 Revision 1. Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. Retrieved July 22, 2019, from https://csrc.nist.gov/publications/detail/sp/800-60/vol-2-rev-1/final