Risk Management

In document Federal Cloud Computing (Page 192-195)

170 CHAPTER 6 Risk Management

Organizations5 operate in highly complex, interconnected environments using both state-of-the-art and legacy information systems [1]. Recognizing this makes the application of the risk management process more important, because it ensures that responsibility for information security risk management exists as an organization-wide activity. This organization-wide activity extends from those responsible for strategic planning to those who operate the information systems in support of the mission and business operations. In Chapter 5, risk management was discussed from the perspective of the information system through the NIST Risk Management Framework (RMF),6 which integrates risk management activities into the NIST system development lifecycle (SDLC).7 This chapter examines risk management from a broader perspective. By discussing risk management as a holistic process that can include multiple perspectives (i.e., organization, mission and business process, and information system), we can obtain an understanding of how it would be applied across the entire organization or across multiple organizations.

Enterprise Risk Management (ERM)8 is facilitated through the organization’s risk management processes9 to ensure the management of risk is applied consistently across the enterprise. An ERM program is integrated across the organization through a comprehensive set of processes and practices that focus on managing organizational risk.10 For risk management to be effective in managing security risks, it is essential that those with the responsibility for executing the mission and business operations have a clear understanding of their associated roles and responsibilities within the information security program.

5From Joint Task Force Transformation Initiative Interagency Working Group. NIST Special Publication (SP) 800-39, Managing Information Security Risk: Organization, Mission, and Information System View. Maryland: National Institute of Standards and Technology; 2011. The term organization describes an entity of any size, complexity, or positioning within an organizational structure (e.g. a federal agency or, as appropriate, any of its operational elements) that is charged with carrying out assigned mission/business processes and that uses information systems in support of those processes.

6From Joint Task Force Transformation Initiative Interagency Working Group. NIST Special Publication (SP) 800-39, Managing Information Security Risk: Organization, Mission, and Information System View. Maryland: National Institute of Standards and Technology; 2011. The Risk Management Framework (RMF) provides a structured process that integrates risk management activities into the system development life cycle. The RMF operates primarily at tier 3 but also interacts with tier 1 and tier 2 (e.g. providing feedback from authorization decisions to the risk executive (function), disseminating updated risk information to authorizing officials, common control providers, and information system owners).

7The NIST SDLC process includes five phases: initiation, development/acquisition, implementation, operation/maintenance, and disposal.

8From Flaherty, J., Rittenberg, L., Anderson, A., Jessup, J., Cyprus, N., Minter, F., et al. Enterprise Risk Management—Integrated Framework: Executive Summary. Washington, DC: Committee of Sponsoring Organizations of the Treadway Commission; 2011. “Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

9From Joint Task Force Transformation Initiative Interagency Working Group. NIST Special Publication (SP) 800-39, Managing Information Security Risk: Organization, Mission, and Information System View. Maryland: National Institute of Standards and Technology; 2011. “The NIST risk management process is complementary to and should be used as part of a more comprehensive Enterprise Risk Management (ERM) program.”

An effective risk management program is driven from a “top-down” approach, where commitment and support for the program are demonstrated through the prioritization and allocation of the resources it needs. In addition to resourcing risk management, the risk management strategy needs to be developed and communicated by the organization’s senior management to ensure the risk management processes and practices are supported by the governance structure that links information system security risks to organizational impacts.11 The organization’s senior management/executives play a critical role in ensuring that information security risks are considered from an organizational perspective. Their role includes [1]:

• Assigning risk management responsibilities;

• Recognition and understanding that management of information security risks is an ongoing activity;

• Establishing and communicating the risk tolerance12 throughout the organization; and

• Ensuring accountability for risk management decisions and effective, organization-wide risk management programs.

10From Joint Task Force Transformation Initiative Interagency Working Group. NIST Special Publication (SP) 800-39, Managing Information Security Risk: Organization, Mission, and Information System View. Maryland: National Institute of Standards and Technology; 2011. “Organizational risk can include many types of risk (e.g. program management risk, investment risk, budgetary risk, legal liability risk, safety risk, inventory risk, supply chain risk, and security risk).”

11From Joint Task Force Transformation Initiative Interagency Working Group. NIST Special Publication (SP) 800-39, Managing Information Security Risk: Organization, Mission, and Information System View. Maryland: National Institute of Standards and Technology; 2011. “Information systems are subject to serious threats that can have adverse effects on organizational operations (i.e. missions, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation by exploiting both known and unknown vulnerabilities to compromise the confidentiality, integrity, or availability of the information being processed, stored, or transmitted by those systems.”

12From Joint Task Force Transformation Initiative Interagency Working Group. NIST Special Publication (SP) 800-39, Managing Information Security Risk: Organization, Mission, and Information System View. Maryland: National Institute of Standards and Technology; 2011. Risk tolerance is the level of risk or degree of uncertainty that is acceptable to organizations and is a key element of the organizational risk frame.

FEDERAL INFORMATION SECURITY RISK MANAGEMENT