NIST 800-39 Managing Information Security Risk Publication Overview

This blog will provide an overview of NIST SP 800-39, Managing Information Security Risk, with its risk management process broken down across the three risk management tiers (organization, mission/business processes, and information systems) that the publication defines.

Link: https://csrc.nist.gov/publications/detail/sp/800-39/final

The current iteration of NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information Systems View, was published in March 2011. This publication places information security into the broader organizational context of achieving mission/business success. Its objectives are to:

§  Ensure that senior leaders/executives recognize the importance of managing information security risk and establish appropriate governance structures for managing such risk;

§  Ensure that the organization’s risk management process is being effectively conducted across the three tiers of organization, mission/business processes, and information systems;

§  Foster an organizational climate where information security risk is considered within the context of the design of mission/business processes, the definition of an overarching enterprise architecture, and system development life cycle processes; and

§  Help individuals with responsibilities for information system implementation or operation better understand how information security risk associated with their systems translates into organization-wide risk that may ultimately affect the mission/business success.

To successfully execute organizational missions and business functions with information system dependent processes, senior leaders/executives must be committed to making risk management a fundamental mission/business requirement. This top-level, executive commitment ensures that sufficient resources are available to develop and implement effective, organization-wide risk management programs. Understanding and addressing risk is a strategic capability and an enabler of missions and business functions across organizations.

Effectively managing information security risk organization-wide requires the following key elements:

§  Assignment of risk management responsibilities to senior leaders/executives;

§  Ongoing recognition and understanding by senior leaders/executives of the information security risks to organizational operations and assets, individuals, other organizations, and the Nation arising from the operation and use of information systems;

§  Establishing the organizational tolerance for risk and communicating the risk tolerance throughout the organization including guidance on how risk tolerance impacts ongoing decision-making activities; and

§  Accountability by senior leaders/executives for their risk management decisions and for the implementation of effective, organization-wide risk management programs.

The four steps in the risk management process (frame, assess, respond, and monitor) are not inherently sequential in nature. The steps are performed in different ways, depending on the particular tier where the step is applied and on prior activities related to each of the steps. What is consistent is that the outputs or post-conditions from a particular risk management step directly impact one or more of the other steps in the process. Organizations have significant flexibility in how the risk management steps are performed (e.g., sequence, degree of rigor, formality, and thoroughness of application) and in how the results of each step are captured and shared, both internally and externally. Ultimately, the objective of applying the risk management process and associated risk-related concepts is to develop a better understanding of information security risk in the context of the broader actions and decisions of organizations and, in particular, with respect to organizational operations and assets, individuals, other organizations, and the Nation.

Risk Management Applied Across Tiers

The Risk Management Framework (RMF, described in NIST SP 800-37) is the primary means for addressing risk at Tier 3, the information system tier (Tier 1 being the organization and Tier 2 the mission/business processes). The RMF addresses concerns specific to the design, development, implementation, operation, and disposal of organizational information systems and the environments in which those systems operate. The risk frame can be adapted at Tier 3 based on the current phase of the system development life cycle, which further constrains the potential risk responses. However, implementing the RMF at Tier 3 alone, without the context established at Tier 1 and Tier 2, can be highly detrimental to the organization and its consumers.

Most organizational risk frameworks do not follow a tiered approach. In the absence of explicit risk frames (describing assumptions, constraints, risk tolerance, and priorities/trade-offs), mission/business owners can have divergent perspectives on risk or on how to manage it. This impedes a common understanding at Tier 1 of how information security risk contributes to organizational risk, and at Tier 2 of how risk accepted for one mission or business function potentially affects risk with respect to other missions/business functions.

This blog will summarize how each step of the risk management process functions when its key components are applied across the tiers, with an emphasis on Tier 1 and Tier 2, which is the CyberAdeptness focus prior to implementing risk management at Tier 3.


FRAME

Risk framing establishes the context and provides a common perspective on how organizations manage risk. Risk framing, as its principal output, produces a risk management strategy that addresses how organizations intend to assess risk, respond to risk, and monitor risk. The risk management strategy makes explicit the specific assumptions, constraints, risk tolerances, and priorities/trade-offs used within organizations for making investment and operational decisions. The risk management strategy also includes any strategic-level decisions and considerations on how risk to organizational operations and assets, individuals, other organizations, and the Nation, is to be managed by senior leaders/executives.

§  At Tier 1, senior leaders/executives, in consultation and collaboration with the risk executive (function), define the organizational risk frame including the types of risk decisions (e.g., risk responses) supported, how and under what conditions risk is assessed to support those risk decisions, and how risk is monitored (e.g., to what level of detail, in what form, and with what frequency).

§  At Tier 2, mission/business owners apply their understanding of the organizational risk frame to address concerns specific to the organization’s missions/business functions (e.g., additional assumptions, constraints, priorities, and trade-offs).

§  At Tier 3, program managers, information system owners, and common control providers apply their understanding of the organizational risk frame based on how decision makers at Tiers 1 and 2 choose to manage risk.

ASSESS

Organizations benefit significantly from conducting risk assessments as part of an organization-wide risk management process. However, once risk assessments are complete, it is prudent for organizations to invest some time in keeping the assessments current. Maintaining currency of risk assessments requires support from the risk monitoring step (e.g., observing changes in organizational information systems and environments of operation, or analyzing monitoring results to maintain awareness of the risk). Keeping risk assessments up to date provides many potential benefits, such as timely, relevant information that enables senior leaders/executives to perform near real-time risk management. Maintaining risk assessments also reduces future assessment costs and supports ongoing risk monitoring efforts.

Risk assessments conducted at Tier 1 or Tier 2 focus on organizational operations, assets, and individuals; they may be comprehensive across all mission/business lines or limited to the concerns that cut across a particular mission/business line.

Organization-wide assessments of risk can be based solely on the assumptions, constraints, risk tolerances, priorities, and trade-offs established in the risk framing step (derived primarily from Tier 1 activities) or can be based on risk assessments conducted across multiple mission/business lines (derived primarily from Tier 2 activities).

Risk assessments conducted at one tier can be used to refine/enhance threat, vulnerability, likelihood, and impact information used in assessments conducted in other tiers. The degree that information from risk assessments can be reused is shaped by the similarity of missions/business functions and the degree of autonomy that organizational entities or subcomponents have with respect to parent organizations. Organizations that are decentralized can expect to conduct more risk assessment activities at Tier 2 and, as a result, may have a greater need to communicate within Tier 2 to identify cross-cutting threats and vulnerabilities. Decentralized organizations can still benefit from Tier 1 risk assessments and, in particular, the identification of an initial set of threat and vulnerability sources. Organization-wide risk assessments provide some initial prioritization of risks for decision makers to consider when entering the risk response step.

RESPOND

Risk response identifies, evaluates, decides on, and implements appropriate courses of action to accept, avoid, mitigate, share, or transfer risk to organizational operations and assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.

Identifying and analyzing alternative courses of action typically occurs at Tier 1 or Tier 2. This is due to the fact that alternative courses of action (i.e., potential risk responses) are evaluated in terms of anticipated organization-wide impacts and the ability of organizations to continue to successfully carry out organizational missions and business functions. Decisions to employ risk response measures organization-wide are typically made at Tier 1, although the decisions are informed by risk-related information from the lower tiers.

At Tier 2, alternative courses of action are evaluated in terms of anticipated impacts on organizational missions/business functions, the associated mission/business processes supporting the missions/business functions, and resource requirements.

At Tier 3, alternative courses of action tend to be evaluated in terms of the system development life cycle or the maximum amount of time available for implementing the selected course(s) of action. The breadth of potential risk responses is a major factor for whether the activity is carried out at Tier 1, Tier 2, or Tier 3. Risk decisions are influenced by organizational risk tolerance developed as part of risk framing activities at Tier 1. Organizations can implement risk decisions at any of the risk management tiers with different objectives and utility of information produced.

MONITOR

Risk monitoring provides organizations with the means to:

i.   verify compliance;

ii.  determine the ongoing effectiveness of risk response measures; and

iii. identify risk-impacting changes to organizational information systems and environments of operation.

Analyzing monitoring results gives organizations the capability to maintain awareness of the risk being incurred, highlight the need to revisit other steps in the risk management process, and initiate process improvement activities as needed. Organizations employ risk monitoring tools, techniques, and procedures to increase risk awareness, helping senior leaders/executives develop a better understanding of the ongoing risk to organizational operations and assets, individuals, other organizations, and the Nation. Organizations can implement risk monitoring at any of the risk management tiers with different objectives and utility of information produced.

§  Tier 1 monitoring activities might include ongoing threat assessments and how changes in the threat space may affect Tier 2 and Tier 3 activities, including enterprise architectures (with embedded information security architectures) and organizational information systems.

§  Tier 2 monitoring activities might include, for example, analyses of new or current technologies either in use or considered for future use by organizations to identify exploitable weaknesses and/or deficiencies in those technologies that may affect mission/business success.

§  Tier 3 monitoring activities focus on information systems and might include, for example, automated monitoring of standard configuration settings for information technology products, vulnerability scanning, and ongoing assessments of security controls.

In addition to deciding on appropriate monitoring activities across the risk management tiers, organizations also decide how monitoring is to be conducted (e.g., automated or manual approaches) and the frequency of monitoring activities based on, for example, the frequency with which deployed security controls change, critical items on plans of action and milestones, and risk tolerance.
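The Tier 3 monitoring bullet above names automated checking of standard configuration settings, and the paragraph above ties monitoring frequency to control changes, critical POA&M items, and risk tolerance. The following is an added example, not code from NIST SP 800-39 or from CyberAdeptness, showing what such a check looks like in practice: a constructed configuration baseline is compared against an observed set of settings, any drift is reported as a finding tied to the control it affects, drift on a control flagged as a critical POA&M item is marked for escalation to Tier 2, and a hypothetical frequency policy tightens the next monitoring interval accordingly. The setting names, control identifiers, POA&M flags and interval values are all assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed baseline (hypothetical settings, control IDs and POA&M flags):
# the standard configuration expected on a product, each setting tied to the
# security control it supports and whether that control is a critical
# plan-of-action-and-milestones (POA&M) item.
BASELINE: Dict[str, dict] = {
    "ssh.PermitRootLogin":        {"expected": "no",  "control": "AC-6", "poam_critical": True},
    "ssh.PasswordAuthentication": {"expected": "no",  "control": "IA-5", "poam_critical": False},
    "audit.enabled":              {"expected": "yes", "control": "AU-2", "poam_critical": True},
    "tls.min_version":            {"expected": "1.2", "control": "SC-8", "poam_critical": False},
}

# Constructed observation from one system: root login has been re-enabled and
# the audit setting is absent entirely (a collector that failed to read it, or
# a product where it was removed). Absence must count as drift, not as a pass.
OBSERVED: Dict[str, str] = {
    "ssh.PermitRootLogin": "yes",
    "ssh.PasswordAuthentication": "no",
    "tls.min_version": "1.2",
}


@dataclass(frozen=True)
class Finding:
    setting: str
    expected: str
    observed: Optional[str]   # None when the setting could not be observed
    control: str
    escalate: bool            # drift on a critical POA&M control goes to Tier 2


def check_drift(baseline: Dict[str, dict], observed: Dict[str, str]) -> List[Finding]:
    """Compare observed settings to the baseline; a missing setting is drift."""
    findings: List[Finding] = []
    for setting, spec in baseline.items():
        value = observed.get(setting)        # None if the setting was not observed
        if value != spec["expected"]:
            findings.append(Finding(setting, spec["expected"], value,
                                    spec["control"], spec["poam_critical"]))
    return findings


def next_check_days(findings: List[Finding], baseline_days: int = 30) -> int:
    """Hypothetical frequency policy (assumed values): tighten the monitoring
    interval when drift is found. Drift on a critical POA&M item means a daily
    re-check; any other drift halves the baseline interval; no drift keeps it."""
    if any(f.escalate for f in findings):
        return 1
    if findings:
        return max(1, baseline_days // 2)
    return baseline_days


if __name__ == "__main__":
    findings = check_drift(BASELINE, OBSERVED)
    for f in findings:
        tag = "ESCALATE" if f.escalate else "track"
        print(f"{tag:8} {f.setting}: expected {f.expected!r}, "
              f"observed {f.observed!r} ({f.control})")
    print("next check in", next_check_days(findings), "day(s)")
```

On the constructed input the check reports two findings, both on critical POA&M controls, so the next monitoring interval collapses to one day and the findings are marked for escalation beyond the system owner; a clean observation would leave the interval at its baseline. In a real deployment the baseline would come from the organization's configuration standard and the observation from a scanner or configuration management tool, and the escalation flag would feed the Tier 2 risk assessment rather than a print statement.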


CONCLUSION

As noted throughout this blog, an enterprise-wide risk assessment is essential. Organizations that are serious about limiting cyber-attacks, protecting their data, and avoiding hefty regulatory fines should undergo a Tier 1 and Tier 2 risk assessment to determine the state of their current security program and which steps should be prioritized. When an organization-wide assessment is performed, risk can be tracked consistently and the appropriate resources and funding prioritized accordingly.

CyberAdeptness has a set methodology to address Tier 1 and Tier 2 risk assessments in order to identify and prioritize organizational resources and lower cost across the board. If your organization is interested in learning more, use our Contact Us form to submit a request for a 30-minute consultation.

By Karen Baez | on Tuesday, February 18, 2020 4:09