My thoughtful read on this topic is that risk management is a never-ending cycle. Three processes make up this cycle: 1) Risk Assessment, which includes system characterization, threat and vulnerability identification, and risk analysis, amongst others. 2) Risk Mitigation, which involves prioritizing control actions, appointing control owners, and developing and implementing the control plan. 3) Risk Evaluation and Assessment: controls are analyzed and appraised to determine whether there are any threats and if the controls are still effective for the risks they were designed to address.
I really like that you pointed out the risk assessment is a never-ending cycle. I think that is an important item to note and be aware of, in order to be able to manage risk within an organization. The risks are constantly changing based on the environment.
I agree that risk management is a never-ending cycle. Threats are not static, nor is the value of data or systems or the mechanisms for addressing risks. What is the highest priority risk today may not be in a few years. We have to constantly evaluate the risks and the ways that a risk is addressed to determine which risks are the most important to address and the best ways to address them.
Hi David! A contribution to your submission is that software and hardware solutions have the potential to become obsolete. Hence, apart from regular updates and/or upgrades, they need to be continuously monitored to verify that their configurations are effectively preventing threats.
I would like to discuss the risk mitigation process and its importance. While planning a risk mitigation process within the organization, it is very important to understand the key factors that might affect the process, such as the fact that not all risks can be eliminated, timelines to implement controls, resource planning, and budgeting. To simplify, NIST SP 800-100 has listed a seven-step approach used to guide the selection of security controls for risk mitigation:
1. Prioritize actions
2. Evaluate recommended control options
3. Conduct cost-benefit analyses
4. Select controls
5. Assign responsibility
6. Develop a safeguard implementation plan
7. Implement selected control
Well summarized, Aayush! In addition to understanding the key factors involved, it is also important to know more about an asset and comprehend the effects on confidentiality, integrity, and availability if the asset is compromised. Security experts must collaborate with business partners to aid in prioritizing risks and ensure that sufficient risk controls are implemented to minimize risks to an acceptable level.
Risk Mitigation: The second phase of the risk management process. After the risk assessment, the organization needs to check the cost-effectiveness of addressing those assessed risks and, based on that, determine whether to accept the risk or to deal with it. Figure 10-4, Risk Mitigation Strategy, shows the conditions for when to accept a risk and when the risk is unacceptable. Once the organization decides which risks should go through the risk mitigation process, it is better to use the seven-step approach for the selection of security controls, which includes action prioritization, evaluation of recommended control options, cost-benefit analysis (CBA), control selection, assignment of responsibility, development of a safeguard implementation plan, and implementation of the selected control(s). Once the organization selects and implements the control for the unacceptable risk, it should evaluate and assess it, which is the final phase of the risk management process.
I think your comment about cost-effectiveness is an important key point. It’s important to know that just because a control can mitigate risk doesn’t mean it’s cost-effective and should be implemented. For example, you wouldn’t want to recommend a control that costs $100 to implement just to save the company $10. That does, however, depend on whether the control is related to compliance, where there is no choice but to implement it.
Risk management should be tightly woven into the system development life cycle (SDLC) as a fundamental management function of the organization. The three processes of risk management are risk assessment, risk mitigation, and evaluation and assessment. Among them, risk assessment aims to identify and assess the risks of a given environment. Risk assessment helps organizations maximize their resources and not waste time and effort in low-risk areas. NIST SP 800-100 mentions that the risk assessment process includes system assessment, threat identification, vulnerability identification, risk analysis, control recommendations, and results documentation. The difference between threats and vulnerabilities is that most threats come from external or man-made sources, such as natural disasters and environmental factors. A vulnerability is a weakness in the system that can be attacked, arising from design, operation, and other reasons.
It is indeed important to achieve close integration of risk management with the system development life cycle (SDLC). The security department should identify potential risks and assess their likelihood and impact, and this information can then be used to inform system security plan development and resource allocation. Security should be built into the system from the beginning in accordance with established security standards and best practices (e.g., NIST). In addition, I think it would be a good idea to use threat modeling to identify potential threats to the system and design countermeasures.
Risk management is a process that involves assessing, mitigating and evaluating risks to information systems, as outlined in federal laws and guidelines such as FISMA, OMB Circular A-130, and NIST SP 800-30. It aims to provide appropriate security protections and integrate them with government agency planning processes.
Risk Assessment:
The risk assessment process identifies and assesses risks to a given environment by evaluating the likelihood of a threat exploiting a vulnerability and the potential impact on confidentiality, integrity, and availability. It follows a six-step process as outlined in NIST SP 800-30 and OMB Circular A-130, and is typically repeated every three years for federal agencies, but should be integrated as a good practice in the systems development life cycle.
Risk Mitigation:
Options to reduce risk include assuming it, avoiding it, limiting it, planning and researching it, and transferring it.
A seven-step approach is used to guide the selection of security controls:
1. Prioritize actions;
2. Evaluate recommended control options;
3. Conduct cost-benefit analyses;
4. Select controls;
5. Assign responsibility;
6. Develop a safeguard implementation plan; and
7. Implement selected control(s).
Evaluation and Assessment:
The evaluation and assessment phase of risk management is ongoing, as IT environments are constantly changing. The Security Certification Phase provides input to finalize the risk assessment and is used to make a risk-based decision on whether to authorize the operation of the information system. It’s important to have a strong configuration management program and to track findings from security control assessment to address and prevent new risks. The process of managing risk is integrated throughout the Systems Development Life Cycle.
Hi Pranavi,
It’s important to note that risk management should be integrated into the systems development life cycle and not just done as a one-time event. The seven-step approach for risk mitigation is very informative, and the fundamental step of risk mitigation is to prioritize actions; without it, organizations won’t be able to put proper controls in place. Your emphasis on the importance of ongoing evaluation and assessment is also very important.
One key point I took from the risk management process is that risk management should not be treated primarily as a technical function carried out by the information security experts who operate and manage the information security system, but as an essential management function of the organization that is tightly woven into the system development life cycle (SDLC).
Risk management is a combination of three processes that have their roots in several federal laws, regulations, and guidelines, including the Computer Security Act of 1987. It is believed that if these rules are applied well they will provide “information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of…information…and…information systems” collected by and used by the federal government.
The three processes are:
-risk assessment
-risk mitigation
-evaluation and assessment
I agree with you that risk management should not be treated as a technical function and left only to the information security department; rather, it should be a joint management effort that aligns risk policies with business objectives.
To your point that the risk management process should never be treated primarily as a technical function: it is true for many reasons. Risk is not only IT related, because it can be found anywhere. Undertrained people can be a risk to a business, considering that they are the ones operating the computers. So, organizations must ensure that there is that clarity for a smooth workflow.
Risk management is one of the major areas in which every organization spends an enormous amount of time implementing a plan or structure to protect the organization and its ability to perform its mission, not just its information assets. Hence, there has to be a strategic connection between the overall business and IT.
There are three major processes included in the risk management plan, in order: Risk Assessment, Risk Mitigation, and Evaluation and Assessment. According to NIST, “their roots are drawn from several federal laws, regulations, and guidelines such as FISMA, NIST, and OMB.” To me, I honestly believe that Risk Assessment, which happens to be the first stage of the risk management process, is very critical. This is the stage whereby a risk is identified and assessed. However, in order to understand the risk assessment process, it is key to define the term risk. NIST SP 800-30 defines risk as “a function of the likelihood of a given threat source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization”. With that in mind, it becomes much easier to take proper countermeasures to mitigate the risk, because you now know how big of an impact can be caused by the risk, what systems and assets are involved, the value of the data stored in various platforms, and its sensitivity. To add, NIST SP 800-30 has a six-step process that may be followed during the risk assessment process:
-System Characterization
-Threat Identification
-Vulnerability Identification
-Control Analysis
-Control Recommendations
-Results Documentation
Hi Shepherd, you raised a good point about the six-step process that may be followed during a risk assessment process, and I think when followed well it will become easier to take proper countermeasures to mitigate the risk.
Hi Shepherd,
By following the risk assessment process, organizations can better understand the potential impact of risks and take appropriate countermeasures to mitigate them. Overall, risk management is an essential part of any organization’s strategy to protect its ability to perform its mission and safeguard its information assets.
Hey Shepherd, great input there. Risk management is one of the major areas in which every organization spends an enormous amount of time implementing a plan or structure to protect the organization.
In addition to that, Risk assessment is one of the major components of a risk analysis. Risk analysis is a process with multiple steps that intends to identify and analyze all of the potential risks and issues that are detrimental to the business. This is an ongoing process that gets updated when necessary. These concepts are interconnected and can be used individually.
A key takeaway for me is that risk management is a continuous process involving risk assessment, risk mitigation and risk evaluation and assessment. Risk cannot be eliminated so it is impractical to treat every risk. Therefore, risks are rated on their impact potential and the risks that have the highest impact potential need to be prioritized for treatment. Organizations may choose to accept risks with low impact as the cost of treating those risks may not be justified.
Nishant, the point you highlighted, “risks that have the highest impact potential need to be prioritized for treatment”, is, I believe, of utmost importance in the risk management lifecycle. Organizations do realize the need to prioritize, not only because of the high impact but due to resource and budget constraints as well. Therefore, NIST SP 800-100 recommends a seven-step approach used to guide the selection of security controls for risk mitigation.
I mentioned something similar to this, which was how risk cannot be eliminated but mitigated. I think your point about impact ratings is great because it is a crucial step in mitigating risks and implementing controls. I agree with you that the costs of treating low-impact risks may not be justified, as the higher-impact ones are more important to attack first.
An interesting fact to me was that I was surprised that the OMB Circular A-130 mandate is for the risk assessment process to be repeated at least every three years for federal agencies. With changes in technology moving at such a fast pace, I would expect the mandate to be annual. Many things in relation to the risk profile in an environment can change within 3 years. If only required to assess every 3 years, there is a chance that new risks arise that don’t have mitigating controls.
Great question, Jill! I did not see that requirement in the revised OMB A-130. Regarding the continuous monitoring to support agency risk management decisions, the revised version says “The terms continuous and ongoing in this context mean that security controls and agency risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions to adequately protect agency information.”
So, what I understand is that an organization may conduct an annual risk assessment if they determine it to be an appropriate frequency.
The process of detecting, monitoring, and managing possible risks in order to reduce any negative effects they may have on a company is known as risk management. Additionally, it can be divided into three parts: risk assessment, risk mitigation, and risk evaluation/assessment. The primary goal, according to NIST, is to systematically identify and analyze the various risk classes. A fundamental theme in Chapter 10 of NIST SP 800-100 was that risk might never be completely eliminated because technology is always evolving. Since technology is always changing, risk controls must also be evaluated and modified.
Hi Samuel,
Risk management is an important part of the system development life cycle. As you said, risks cannot be completely eliminated. Whether it is the change of social environment or industry standards, risks are always changeable. Therefore, it is necessary to evaluate and revise risk management regularly.
The interesting key point I took out of this reading is actually a website. While the risk identification, mitigation, and analysis were all very interesting components, the reading mentions leveraging NVD, formerly known as I-CAT, via https://cve.mitre.org for vulnerability lists, audit reports, and previous risk assessments. The only resource I was ever aware of for vulnerabilities was CVE via https://cve.mitre.org. I had to look up the difference between the two, and while they are noted as two separate programs, I was surprised to find they work in tandem. Per NVD’s website:
“The National Vulnerability Database (NVD) is tasked with analyzing each CVE once it has been published to the CVE List, after which it is typically available in the NVD within an hour. Once a CVE is in the NVD, analysts can begin the analysis process. The processing time can vary depending on the CVE, the information available, and the quantity of CVEs published within a given timeframe. NVD analysts use the reference information provided with the CVE and any publicly available information at the time of analysis to associate Reference Tags, Common Vulnerability Scoring System (CVSS) v3.1, CWE, and CPE Applicability statements.”
A key point I took from this article is the need for risk management. I thought it was interesting how they stated that risk cannot be eliminated entirely; the risk management process allows information security program managers to balance the operational and economic costs of protective measures and achieve gains in mission capability. This stood out to me because I think people forget that risks can never be fully solved and prevented, but they can always be taken care of and reduced.
Great point, Asha, I quite agree with you. Risk management is a cycle. That means that it is not something that gets checked off a to-do list. Rather, it is a continuous activity. Having a risk management process means that your organization knows and understands the risks to which you are exposed. It also means that your organization has deliberately evaluated the risks and has strategies in place to remove the risk altogether, reduce the likelihood of the risk happening, or minimize harm if something happens.
NIST SP 800-100, Chapter 10 “Risk Management” explains the importance of risk management and processes. The risk management process includes risk assessment, mitigation, and evaluation. The primary goal of a company or organization’s risk management process is to protect the company or organization and its ability to carry out its mission.
The second stage of the risk management process is risk mitigation, which involves monitoring the achievement of core objectives and strategies. System and organization managers can reduce the risk to the system through risk assumption; risk avoidance; risk limitation; risk planning, research, and acknowledgment; and risk transference. When the external environment changes, the overall risk mitigation strategy is allowed to adjust appropriately. In this step, the company or organization will create a risk mitigation strategy, and the company or organization adds risk treatment measures for the highest-level or most severe risks to the company or organization’s project risk record. In addition, NIST SP 800-100 provides guidance to organizations on how to conduct safety controls: Prioritize actions; Evaluate recommended control options; Conduct cost-benefit analyses; Select controls; Assign responsibility; Develop a safeguard implementation plan; and Implement selected control(s).
Hi Mengqi,
I like the fact that you included that organizations should conduct cost-benefit analyses. Without a cost-benefit analysis, it will be difficult for them to know whether they should accept the risk, transfer it, or completely avoid it.
An interesting point I took from the reading is that the risk management process should not be seen as a technical function carried out by the information security team; rather, it is an essential management function of the organization. Even after controls have been put in place, residual risk still exists; therefore, information security managers and management should continue to analyze residual risk to ensure that it is at an acceptable level. If the residual risk has not been reduced to an acceptable level, the risk management cycle must be repeated to identify a way of lowering the residual risk to an acceptable level.
Great point, Abayomi. It’s not just an operational task, but requires all sorts of planning, understanding of the business requirements, and decision making. Hence the need for frequent involvement of management.
This NIST document addresses two of the biggest misconceptions that I see from both inexperienced IT and InfoSec practitioners as well as senior and top management:
1 – Risk cannot be completely eliminated or “solved”.
2 – Risk must be continuously or regularly re-evaluated and re-assessed.
The first point: risk cannot be completely removed from a system. In order for a system to function, there will always be threats. The only risk-free system is a system that is powered down and devoid of data. The way to approach risk is to identify the most important risks, those with the biggest threats and most problematic losses, and address those until the cost and effort of addressing the risk exceeds the value and threat of that risk.
The second point: risk must be continuously evaluated; today’s risks will not be the same risks as next year or 5 years from now. Over time, risks will change. Threats will change based on new systems, data, connections, software, etc. The ways risks can be addressed will change based on technologies, resources, and environments. Compare the risks to a system in the early 2000s with those today; it is almost incomparable because so much has changed.
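One way to make the thread's recurring points concrete: risk as a function of likelihood and impact (the NIST SP 800-30 definition quoted earlier), prioritizing the highest-rated risks first, and the cost-benefit gate with its compliance exception (the "$100 to save $10" reply). This is an added example, not code from the discussion or from NIST; it uses the qualitative weights of the 2002 edition of SP 800-30 (likelihood 1.0/0.5/0.1, impact 100/50/10, risk level High above 50, Medium above 10, else Low) over a constructed risk register whose entries, loss figures and control costs are made up.

```python
"""Rank a constructed risk register and apply a cost-benefit gate.

Added illustration (not from the thread or NIST). Likelihood/impact
weights follow the qualitative matrix in the 2002 edition of NIST SP
800-30; every register entry below is constructed for the example.
"""
from dataclasses import dataclass

# Qualitative weights from the SP 800-30 (2002) risk-level matrix.
LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}
IMPACT = {"high": 100, "medium": 50, "low": 10}


def risk_score(likelihood: str, impact: str) -> float:
    """Risk = f(likelihood, impact): the matrix product of the two weights."""
    return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]


def risk_level(score: float) -> str:
    """Map a matrix score onto the High / Medium / Low scale."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    annual_loss_exposure: float   # expected yearly loss if left untreated (constructed)
    control: str
    control_annual_cost: float    # yearly cost of the proposed control (constructed)
    control_reduction: float      # fraction of the exposure the control removes, 0..1
    compliance_mandated: bool = False  # no choice but to implement (compliance case)


def decide(r: Risk) -> dict:
    """Steps 1 and 3 of the seven-step approach: score the risk, then gate on cost-benefit."""
    score = risk_score(r.likelihood, r.impact)
    benefit = r.annual_loss_exposure * r.control_reduction
    net_benefit = benefit - r.control_annual_cost
    if r.compliance_mandated:
        decision = "implement (compliance mandated)"
    elif net_benefit > 0:
        decision = "implement"
    else:
        decision = "accept risk (control not cost-effective)"
    return {
        "name": r.name,
        "score": score,
        "level": risk_level(score),
        "net_benefit": net_benefit,
        "decision": decision,
    }


def prioritize(register: list[Risk]) -> list[dict]:
    """Highest matrix score first; ties broken by the larger net benefit."""
    return sorted((decide(r) for r in register),
                  key=lambda d: (-d["score"], -d["net_benefit"]))


# Constructed sample register; names, exposures and costs are invented.
SAMPLE_REGISTER = [
    Risk("Unpatched internet-facing web server", "high", "high",
         80_000, "patch management", 15_000, 0.8),
    Risk("Phishing of finance staff", "high", "medium",
         40_000, "MFA plus awareness training", 10_000, 0.6),
    Risk("Laptop theft (disks already encrypted)", "medium", "low",
         2_000, "device tracking service", 5_000, 0.5),
    Risk("Audit log retention gap", "low", "medium",
         1_000, "central log archive", 8_000, 1.0, compliance_mandated=True),
]

if __name__ == "__main__":
    for d in prioritize(SAMPLE_REGISTER):
        print(f'{d["level"]:6} {d["score"]:6.1f} {d["net_benefit"]:9,.0f}  '
              f'{d["name"]}: {d["decision"]}')
```

The laptop entry is the "$100 to save $10" case and is accepted, while the log-retention entry has the same matrix score and an even worse net benefit but is still implemented because it is compliance-mandated.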
Chapter 10 talks about the risk management process which involves three processes namely risk assessment, risk mitigation, and evaluation and assessment. My take is on the approach that system and organizational managers have adopted to reduce the risk to a system. The options are risk assumption; risk avoidance; risk limitation; risk planning, research, and acknowledgment; and risk transference.
Chapter 10 of NIST SP 800-100 discusses risk management, when organizations identify and deal with potential risks. One key point from this chapter is the importance of risk assessment, which is figuring out what risks an organization might face and how severe they could be. There are two methods of risk assessment: qualitative and quantitative. Qualitative risk assessment is a subjective approach that involves asking experts for their opinions on the most critical risks. Quantitative risk assessment is more objective and uses data and statistical analysis to measure the likelihood and impact of different risks. The main takeaway from this chapter is that risk assessment is crucial for organizations to identify and prioritize risks, allocate resources effectively, and comply with regulations. Therefore, organizations must establish a risk assessment process that aligns with their goals, risk tolerance, and available resources. For perspective, my company’s risk department is huge compared to the relative size of other business units. We even have a risk team dedicated to cybersecurity.
It is definitely important to know there are two types of risk assessment, and that one approach involves asking experts when it comes to the most sensitive risks. It is important to dedicate one team to cybersecurity; I think that is very important for the long term.
One key takeaway I had from chapter 10 is risk mitigation and how important it is to follow a strategy. It is impossible to drive risk down to zero. Therefore, there needs to be a plan in place to reduce risk to a system. You would want to start out by assessing whether risk mitigation action is necessary; then it is important to understand which risk to target. After the decision, there is a seven-step process: prioritize actions, evaluate recommended control options, do a cost-benefit analysis, select controls, assign responsibility, and develop a safeguard implementation plan. The company has to decide what risk is acceptable and make sure to determine which minimum baseline security controls are selected.
My thoughtful read on this topic is that risk management is a never ending cycle. Three processes make up this cycle; 1) Risk Assessment which includes system characterization, threat and vulnerability identification, risk analysis amongst others. 2) Risk Mitigation which involves prioritizing control actions, appointing control owners, developing and implementation of the control plan. 3) Risk Evaluation and Assessment- controls are analyzed and appraised to determine whether there are any threats and if the controls are still effective for the risks they were designed to address.
I really like that you pointed out the risk assessment is a never-ending cycle. I think that is an important item to note and be aware of, in order to be able to manage risk within an organization. The risks are constantly changing based on the environment.
I agree that risk management is a never ending cycle. Threats are not static, nor is the value of data or systems or the mechanisms for addressing risks. What is the highest priority risk today may not be in a few years. We have to constantly evaluate the risks and the ways that a risk is addressed to determine what risks are the most important to address and the best ways to address them.
Hi David! A contribution to your submission is software and hardware solutions have the potential to become obsolete. Hence, apart from regular updates and/or upgrades, they need to be continuously monitored to verify that their configurations are effectively preventing threats.
I would like to discuss about the risk mitigation process and its importance. While planning a risk mitigation process within the organization it is very important to understand the key factors that might affect the process like all risks cannot be eliminated, timelines to implement controls, resource planning and budgeting. To simply, NIST SP 800-100 has listed a seven-step approach used to guide the selection of security controls for risk mitigation:
1. Prioritize actions
2. Evaluate recommended control options
3. Conduct cost-benefit analyses
4. Select controls
5. Assign responsibility
6. Develop a safeguard implementation plan
7. Implement selected control
Well Summarized Aayush! In addition to understanding the key factors involved it is also important to know more about an asset and comprehend the effects on confidentiality, integrity, and availability if the asset is compromised, security experts must collaborate with business partners to aid prioritizing risks and ensuring that sufficient risk controls are implemented to minimize risks to an acceptable level.
Risk Mitigation: The second phase of risk management process. After the risk assessment, organization need to check the cost effectiveness of those assessed risk and based on it they should determine whether to accept the risk or to deal with it. In the figure 10-4: Risk Mitigation Strategy, figure shows the conditions of when to accept the risk and when the risk will be unacceptable. Once the organization makes the decision of which risk should be go through the risk mitigation process, it will be better to use the seven-step approach for the selection of security controls that includes action prioritization, evaluation of recommended control options, Cost benefit analysis (CBA), control selection, assign responsibility, development of safeguard implementation plan and implementation of selected control(s). When the organization select and implement the control for the unacceptable risk then they should evaluate and assess it which is the final phase of the risk management process.
I think your comment about cost effectiveness is an important key point. It’s important to know that just because a control can’t mitigate risk, doesn’t mean it’s cost effective and should be implemented. For example, you wouldn’t want to recommend a control that costs $100 to implement, just to save the company $10. That does however depend on if the control is related to compliance where there is no choice to implement.
Risk management should be tightly woven into the system development life cycle (SDLC) as a fundamental management function of the organization. The three processes of risk management are risk assessment, risk mitigation, and evaluation and assessment. Among them, risk assessment aims to identify and assess the risks of a given environment. Risk assessment helps organizations maximize their resources and not waste time and effort in low-risk areas. NIST SP 800-100 mentions that the risk assessment process includes system assessment, threat identification, vulnerability identification, risk analysis, control recommendations, and results documentation. The difference between threats and vulnerabilities is that most threats come from external or man-made sources, such as natural disasters and environmental factors. Vulnerability is the weakness that can be attacked in the system due to the design, operation, and other reasons.
Hi Wei,
It is indeed important to achieve close integration of risk management with the system development life cycle (SDLC). The security department should identify potential risks and assesses their likelihood and impact, and this information can then be used to inform system security plan development and resource allocation. Build security into the system from the beginning in accordance with established security standards and best practices (e.g., NIST). In addition, I think it would be a good idea to use threat modeling to identify potential threats to the system and design countermeasures.
Risk management is a process that involves assessing, mitigating and evaluating risks to information systems, as outlined in federal laws and guidelines such as FISMA, OMB Circular A-130, and NIST SP 800-30. It aims to provide appropriate security protections and integrate them with government agency planning processes.
Risk Assessment
The risk assessment process identifies and assesses risks to a given environment by evaluating the likelihood of a threat exploiting a vulnerability and the potential impact on confidentiality, integrity, and availability. It follows a six-step process as outlined in NIST SP 800-30 and OMB Circular A-130, and is typically repeated every three years for federal agencies, but should be integrated as a good practice in the systems development life cycle.
Risk Mitigation:
Options to reduce risk include assuming it, avoiding it, limiting it, planning and researching it, and transferring it.
seven-step approach is used to guide the selection of security
controls:
1. Prioritize actions;
2. Evaluate recommended control options;
3. Conduct cost-benefit analyses;
4. Select controls;
5. Assign responsibility;
6. Develop a safeguard implementation plan; and
7. Implement selected control(s).
Evaluation and Assessment:
The evaluation and assessment phase of risk management is ongoing, as IT environments are constantly changing. The Security Certification Phase provides input to finalize the risk assessment and is used to make a risk-based decision on whether to authorize the operation of the information system. It’s important to have a strong configuration management program and to track findings from security control assessment to address and prevent new risks. The process of managing risk is integrated throughout the Systems Development Life Cycle.
Hi Pranavi,
It’s important to note that risk management should be integrated into the systems development life cycle and not just done as a one-time event. The seven step approach for risk mitigation is very informative. and the fundamental step of risk mitigation is to prioritize actions without it organization’s won’t be able to implement proper controls in place. Your emphasis on the importance of ongoing evaluation and assessment is also very important.
One key point I took from the risk management process is that risk management should not be treated primarily as a technical function carried out by the information security experts who operate and manage the information security system, but as an essential management function of the organization that is tightly woven into the system development life cycle (SDLC).
Risk management is a combination of three processes that have their roots in several federal laws, regulations, and guidelines, including the Computer Security Act of 1987. It is believed that if these rules are applied well they will “provide information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of…information…and…information systems” collected by and used by the federal government.
The three processes are: risk assessment, risk mitigation, and evaluation and assessment.
Hi Frank,
I agree with you that risk management should not be treated as a technical function and left only to the information security department; rather, it should be a joint management effort that aligns risk policies with business objectives.
Hello Frank,
To your point that the risk management process should never be treated primarily as a technical function: it is true for many reasons. Risk is not only IT related, because it can be found anywhere. Undertrained people can be a risk to a business, considering that they are the ones operating the computers. So, organizations must ensure that there is that clarity for a smooth workflow.
Risk Management is one of the major areas in which every organization spends an enormous amount of time implementing a plan or structure to protect the organization and its ability to perform its mission, not just its information assets. Hence, there has to be a strategic connection between the overall business and IT.
There are three major processes included in the Risk Management plan, which are, in order: Risk Assessment, Risk Mitigation, and Evaluation and Assessment. According to NIST, “their roots are drawn from several federal laws, regulations, and guidelines such as FISMA, NIST, and OMB.” To me, I honestly believe that Risk Assessment, which happens to be the first stage of the risk management process, is very critical. This is the stage in which a risk is identified and assessed. However, in order to understand the risk assessment process, it is key to define the term risk. NIST SP 800-30 defines risk as “a function of the likelihood of a given threat source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization”. With that in mind, it becomes much easier to take proper countermeasures to mitigate the risk, because you now know how big an impact can be caused by the risk, what systems and assets are affected, the value of the data stored in various platforms, and its sensitivity. To add, NIST SP 800-30 has a six-step process that may be followed during the Risk Assessment process, which is:
-System Characterization
-Threat Identification
-Vulnerability Identification
-Control Analysis
-Control Recommendations
-Results Documentation
Hi Shepherd, you raised a good point about the six-step process that may be followed during a risk assessment process, and I think when it is followed well it will become easier to take proper countermeasures to mitigate the risk.
Hi Shepherd,
By following the Risk Assessment process, organizations can better understand the potential impact of risks and take appropriate countermeasures to mitigate them. Overall, risk management is an essential part of any organization’s strategy to protect its ability to perform its mission and safeguard its information assets.
Hey Shepherd, great input there. Risk Management is one of the major areas in which every organization spends an enormous amount of time implementing a plan or structure to protect the organization.
In addition to that, Risk assessment is one of the major components of a risk analysis. Risk analysis is a process with multiple steps that intends to identify and analyze all of the potential risks and issues that are detrimental to the business. This is an ongoing process that gets updated when necessary. These concepts are interconnected and can be used individually.
A key takeaway for me is that risk management is a continuous process involving risk assessment, risk mitigation and risk evaluation and assessment. Risk cannot be eliminated so it is impractical to treat every risk. Therefore, risks are rated on their impact potential and the risks that have the highest impact potential need to be prioritized for treatment. Organizations may choose to accept risks with low impact as the cost of treating those risks may not be justified.
Nishant, the point you highlighted, “risks that have the highest impact potential need to be prioritized for treatment”, is, I believe, of utmost importance in the risk management lifecycle. Organizations do realize the need to prioritize not only because of the high impact but due to resource and budget constraints as well. Therefore, NIST SP 800-100 recommends a seven-step approach used to guide the selection of security controls for risk mitigation.
Hi Nishant,
I mentioned something similar to this, which was how risk cannot be eliminated but mitigated. I think your point about impact ratings is great because it is a crucial step in mitigating risks and implementing controls. I agree with you that the costs of treating low-impact risks may not be justified, as the higher-impact ones are more important to attack first.
An interesting fact to me was that I was surprised that the OMB Circular A-130 mandate is for the risk assessment process to be repeated at least every three years for federal agencies. With changes in technology moving at such a fast pace, I would expect the mandate to be annual. Many things in relation to the risk profile in an environment can change within 3 years. If only required to assess every 3 years, there is a chance that new risks arise that don’t have mitigating controls.
Great question, Jill! I did not see that requirement in the revised OMB A-130. Regarding the continuous monitoring to support agency risk management decisions, the revised version says “The terms continuous and ongoing in this context mean that security controls and agency risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions to adequately protect agency information.”
So, what I understand is that an organization may conduct an annual risk assessment if they determine it to be an appropriate frequency.
https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf
The process of detecting, monitoring, and managing possible risks in order to reduce any negative effects they may have on a company is known as risk management. Additionally, it can be divided into three parts: risk assessment, risk mitigation, and risk evaluation/assessment. The primary goal, according to NIST, is to systematically identify and analyze the various risk classes. A fundamental theme in Chapter 10 of NIST SP 800-100 was that risk might never be completely eliminated because technology is always evolving. Since technology is always changing, risk controls must also be evaluated and modified.
Hi Samuel,
Risk management is an important part of the system development life cycle. As you said, risks cannot be completely eliminated. Whether it is a change in the social environment or in industry standards, risks are always changing. Therefore, it is necessary to evaluate and revise risk management regularly.
The interesting key point I took out of this reading is actually a website, although the risk identification, mitigation, and analysis were all very interesting components. The reading mentions leveraging NVD, formerly known as I-CAT, via https://cve.mitre.org for vulnerability lists, audit reports, and previous risk assessments. The only resource I was ever aware of for vulnerabilities was CVE via https://cve.mitre.org. I had to look up the difference between the two, and while they are noted as two separate programs, I was surprised to find they work in tandem. Per NVD’s website:
“The National Vulnerability Database (NVD) is tasked with analyzing each CVE once it has been published to the CVE List, after which it is typically available in the NVD within an hour. Once a CVE is in the NVD, analysts can begin the analysis process. The processing time can vary depending on the CVE, the information available, and the quantity of CVEs published within a given timeframe. NVD analysts use the reference information provided with the CVE and any publicly available information at the time of analysis to associate Reference Tags, Common Vulnerability Scoring System (CVSS) v3.1, CWE, and CPE Applicability statements.”
Reference: https://nvd.nist.gov/general/cve-process
A key point I took from this article is the need for Risk Management. I thought it was interesting how they stated that risk management cannot be eliminated entirely; this risk management process allows information security program managers to balance the operational and economic costs of protective measures and achieve gains in mission capability. This stood out to me because I think people fail to forget that risks can never be fully solved and prevented, but they can always be taken care of and reduced.
Great point Asha, I quite agree with you. Risk Management is a cycle. That means that it is not something that gets checked off a to-do list. Rather, it is a continuous activity. Having a risk management process means that your organization knows and understands the risks to which you are exposed. It also means that your organization has deliberately evaluated the risks and strategies in place to remove the risk altogether, reduce the likelihood of the risk happening, or minimize harm if something happens.
NIST SP 800-100, Chapter 10 “Risk Management” explains the importance of risk management and processes. The risk management process includes risk assessment, mitigation, and evaluation. The primary goal of a company or organization’s risk management process is to protect the company or organization and its ability to carry out its mission.
The second stage of the risk management process is risk mitigation, which involves monitoring the achievement of core objectives and strategies. System and organization managers can reduce the risk of the system through risk assumption; risk avoidance; risk limitation; risk planning, research, and acknowledgment; and risk transference. When the external environment changes, the overall risk mitigation strategy is allowed to adjust appropriately. In this step, the company or organization will create a risk mitigation strategy. And the company or organization adds risk treatment measures for the highest level or most severe risks to the company or organization’s project risk record. In addition, NIST SP 800-100 provides guidance to organizations on how to conduct safety controls: Prioritize actions; Evaluate recommended control options; Conduct cost-benefit analyses; Select controls; Assign responsibility; Develop a safeguard implementation plan; and Implement selected control(s).
Hi Mengqi,
I like the fact that you included that organizations should conduct cost-benefit analyses. Without a cost-benefit analysis it will be difficult for them to know if they should accept the risk, transfer it, or completely avoid it.
An interesting point I took from the reading is that the risk management process should not be seen as a technical function carried out by the information security team; rather, it’s an essential management function of the organization. Even after controls have been put in place there still exists residual risk; therefore, information security managers and management should continue to analyze residual risk to ensure that it is at an acceptable level. If the residual risk has not been reduced to an acceptable level, the risk management cycle must be repeated to identify a way of lowering the residual risk to an acceptable level.
Great point Abayomi. It’s not just an operational task, but requires all sorts of planning, understanding of the business requirements, and decision making. Hence the need for frequent involvement of management.
This NIST document addresses two of the biggest misconceptions that I see from both inexperienced IT and InfoSec practitioners as well as senior and top management:
1 – Risk cannot be completely eliminated or “solved”.
2 – Risk must be continuously or regularly re-evaluated and re-assessed.
The first point: risk cannot be completely removed from a system. In order for a system to function, there will always be threats. The only risk-free system is a system that is powered down and devoid of data. The way to approach risk is to identify the most important risks, those with the biggest threats and most problematic losses, and address those until the cost and effort of addressing the risk exceeds the value and threat of that risk.
The second point: risk must be continuously evaluated; today’s risks will not be the same risks as next year or 5 years from now. Over time, risks will change. Threats will change based on new systems, data, connections, software, etc. The ways risks can be addressed will change based on technologies, resources, and environments. Compare the risks to a system in the early 2000s to one today; it is almost incomparable because so much has changed.
Chapter 10 talks about the risk management process which involves three processes namely risk assessment, risk mitigation, and evaluation and assessment. My take is on the approach that system and organizational managers have adopted to reduce the risk to a system. The options are risk assumption; risk avoidance; risk limitation; risk planning, research, and acknowledgment; and risk transference.
Chapter 10 of NIST SP 800-100 discusses risk management, when organizations identify and deal with potential risks. One key point from this chapter is the importance of risk assessment, which is figuring out what risks an organization might face and how severe they could be. There are two methods of risk assessment: qualitative and quantitative. Qualitative risk assessment is a subjective approach that involves asking experts for their opinions on the most critical risks. Quantitative risk assessment is more objective and uses data and statistical analysis to measure the likelihood and impact of different risks. The main takeaway from this chapter is that risk assessment is crucial for organizations to identify and prioritize risks, allocate resources effectively, and comply with regulations. Therefore, organizations must establish a risk assessment process that aligns with their goals, risk tolerance, and available resources. For perspective, my company’s risk department is huge compared to the relative size of other business units. We even have a risk team dedicated to cybersecurity.
Hey Kelly,
It is definitely important to know there are two types of risk assessment, and one of them involves the approach of asking experts when it comes to the most sensitive risks. It is important to dedicate one team to cybersecurity; I think that is very important for the long term.
One key takeaway I had from chapter 10 is risk mitigation and how important it is to follow a strategy. It is impossible to drive risk down to zero. Therefore, there needs to be a plan in place to reduce risk to a system. You would want to start out by assessing if risk mitigation action is necessary, then it is important to understand which risk to target. After the decision there is a seven-step process: prioritize actions, evaluate recommended control options, do a cost-benefit analysis, select controls, assign responsibility, develop a safeguard implementation plan. The company has to decide what risk is acceptable and make sure to determine which minimum baseline security controls are selected.