
Effective Risk Management: The Importance of Risk Assessment and Risk Analysis


Today’s organizations find themselves conducting business in an increasingly complex threat environment, confronting risks from innumerable directions that can disrupt continuity of operations and adversely affect financial stability, cybersecurity effectiveness/assurance, and regulatory compliance. Disruptions to normal operations are extremely costly, not only in terms of downtime and lost revenue, but also in terms of corporate image, customer and general public perception, and increased regulatory intervention and oversight. In this new threat ecosystem, with complex interconnectivity between networks, systems, and applications, it is no longer sufficient to simply try to maintain an active awareness of the threat landscape. Companies must adopt risk management methodologies and processes to identify corporate risks and determine the appropriate response in terms of reducing, accepting, or transferring risk.


Risk management has evolved past the practice of relying upon individual business units within an organization to identify and quantify risk within their own areas of operation. Enterprise Risk Management (ERM) systems have become a key element in the risk management practice. By consolidating risk management practices into a corporate-wide repository, ERM systems provide the insights and tools necessary to identify, manage, minimize, and maintain a constant state of understanding about the risks that threaten your organization.


Risk Management is not a standalone process. It is embedded in many regulatory requirements and is key to other business processes such as Business Continuity/Disaster Recovery (especially in the Business Impact Assessment process) and Vulnerability and Patch Management (by providing a quantitative approach to identifying critical resources and aiding in the patch management decision process). Furthermore, by providing key information for the development of a Risk Register, it supplies critical input for budgeting and funding purposes, helping leadership determine how to allocate monetary and human resources for maximum effectiveness.


Risk Assessment and Analysis

A key element within any ERM process is conducting a periodic risk assessment/risk analysis of the organization to identify and qualify/quantify risks that may adversely affect the organization as a whole or one or more of its component parts. The risk assessment process consists of both the assessment and analysis components, and is designed to:


  1. Identify risk (Risk Assessment): Risks can be cyber-related, environmental, natural, or other threats that can disrupt normal operations.

  2. Qualify/quantify risk (Risk Analysis): Once a risk has been identified, it must be evaluated to determine the potential effect it may have on the organization, as well as the likelihood of its occurrence. This process may be a “qualified evaluation”, in terms of high, medium, or low threat/effect, which typically also classifies threats as internal or external to the organization. Alternatively, it may be a “quantified evaluation”, utilizing statistical methods, actuarial tables, and other tools to produce a specific estimate of the possible financial loss. Many companies choose to take a “qualified assessment” approach, which can usually be completed more quickly than the “quantified approach”. Qualified assessments rely more on each business unit’s interpretation of how it perceives the threats within its own infrastructure; in many cases this can be an acceptable level of evaluation. As an organization matures its risk program, however, the shift to a quantified assessment approach can provide additional levels of detail that give executive team members more insight into how best to approach risk management efforts. Both processes are useful in that they provide insight into the risk environment, albeit from somewhat different points of view.
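As an added illustration of the two evaluation styles described above (example code written for this edit, not part of the original article), the following Python risk register scores the same constructed risks both ways: a likelihood-times-impact ordinal score for the qualitative view and annualized loss expectancy (SLE x ARO) for the quantitative view, showing that the two produce different priority orders. The risk names, ratings, loss figures, the three-level scale and the risk-appetite threshold are all assumptions.

```python
# Toy risk register comparing qualitative and quantitative risk analysis.
# Added example, not from the original article; every risk, rating and
# dollar figure is constructed for illustration only.
from dataclasses import dataclass

# Ordinal scale for high/medium/low ratings (an assumption of this example).
LEVEL = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Risk:
    name: str
    origin: str        # "internal" or "external" to the organization
    likelihood: str    # qualitative rating: low / medium / high
    impact: str        # qualitative rating: low / medium / high
    sle: float         # single loss expectancy: dollars lost per occurrence
    aro: float         # annualized rate of occurrence: expected events/year

    def qualitative_score(self) -> int:
        """Likelihood x impact on the ordinal scale (range 1..9)."""
        return LEVEL[self.likelihood] * LEVEL[self.impact]

    def annualized_loss(self) -> float:
        """Annualized loss expectancy, ALE = SLE x ARO (dollars per year)."""
        return self.sle * self.aro

def rank_qualitative(register: list[Risk]) -> list[str]:
    """Highest qualitative score first; ties broken by name."""
    return [r.name for r in sorted(register, key=lambda r: (-r.qualitative_score(), r.name))]

def rank_quantitative(register: list[Risk]) -> list[str]:
    """Highest annualized loss first; ties broken by name."""
    return [r.name for r in sorted(register, key=lambda r: (-r.annualized_loss(), r.name))]

def above_appetite(register: list[Risk], max_ale: float) -> list[str]:
    """Risks whose ALE exceeds the acceptable annual loss: candidates for
    reduction or transfer rather than acceptance."""
    return [r.name for r in register if r.annualized_loss() > max_ale]

# Constructed sample register (illustrative values, not real data).
REGISTER = [
    Risk("ransomware on file servers", "external", "medium", "high", 500_000, 0.25),
    Risk("insider data leak", "internal", "low", "high", 2_000_000, 0.05),
    Risk("phishing credential theft", "external", "high", "medium", 40_000, 3.0),
    Risk("unpatched web server exploit", "external", "medium", "medium", 150_000, 1.0),
    Risk("data center flood", "external", "low", "high", 3_000_000, 0.01),
]
if __name__ == "__main__":
    print("qualitative ranking :", rank_qualitative(REGISTER))
    print("quantitative ranking:", rank_quantitative(REGISTER))
    print("above appetite      :", above_appetite(REGISTER, 110_000))
```

Note that the low-likelihood, high-impact "insider data leak" sits at the bottom of the qualitative list but ranks above "ransomware on file servers" in expected annual loss once a per-event figure is attached, which is the kind of detail a quantified approach surfaces.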


Available Risk Management Standards and Guidelines

Several standards and guidelines exist to assist with the risk management process and can help you perform a risk assessment.


ISO 27005: Information Security Risk Management

ISO 27005 is a standard from the International Organization for Standardization (ISO) that provides a framework for risk management. It outlines what a risk assessment should contain but does not provide a specific approach or process for conducting one. Instead, it provides guidelines for defining how risk management relates to organizational business processes. It defines how to establish the criteria and deliverables for information security risk management, including identification of specific risks and their effect, estimation of acceptable risk levels, and determination of an organization’s overall management objectives for risk management.


NIST SP800-30 R1: Risk Management Guide for Information Technology Systems

The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30 (currently Revision 1) identifies specific steps in the risk assessment process and provides information about risk evaluation and mitigation processes.


SP 800-30 R1 establishes a framework for conducting a risk assessment: preparation for the assessment, performing the assessment, and maintaining the risk assessment report upon completion of the assessment. It also provides insights into complementary processes that exist in other regulatory areas such as HIPAA, PCI DSS, NERC, and others.


NIST SP 800-39: Managing Information Security Risk: Organization, Mission, and Information System View


SP800-39 addresses information security risk in particular, and seeks to broaden the narrow view that information security is only a technical matter or stovepipe independent of organizational risk by providing concepts that:


  • Establish a relationship between aggregated risk from information systems and mission/business success;

  • Encourage senior leaders to recognize the importance of managing information security risk within the organization;

  • Foster a culture where risk from systems is automatically considered in the context of the enterprise architecture (EA) and at all phases of the system development life cycle (SDLC);

  • Help those with system-level security responsibilities understand how system-level issues affect the organization/mission as a whole.


NIST Risk Management Framework (RMF)

The Risk Management Framework (RMF) defines a process to integrate security, privacy, and cyber supply chain risk management activities into an overall risk management ecosystem. Selection and specification of controls utilizes a risk-based approach that considers effectiveness, efficiency, and constraints posed by applicable laws, directives, Executive Orders, policies, standards, or regulations. As such, the RMF approach can be applied to new and legacy systems, any type of system or technology, and any type of organization regardless of size or sector. The RMF is described in NIST SP 800-37 R2, Risk Management Framework for Information Systems and Organizations.


Summary

While a full ERM is an extremely valuable tool for the overall management of risk within an organization, much of its value is driven by having a current and accurate measurement of risk and an approach that effectively addresses prioritization and management of identified risks. This is particularly important in today’s environment, due to the constantly changing threat landscape as well as the rapid development and deployment of new technologies and applications, which further serve to create an expanding and changing threat model.


Conducting regular risk assessments provides significant advantages to any organization in identifying the threats that can adversely affect its continuity of operations, cause potentially significant financial impact, and do equally significant damage to its image in the minds of its suppliers, business partners, and customers.

