The formalized risk management process consists of risk assessment, risk mitigation, and evaluation and assessment. Step 1 is system characterization. Interviews, questionnaires, documentation reviews, and scanning tools can help collect the information needed to characterize hardware, software, data, and external tools. Step 2 is threat identification. We need to identify what weaknesses are in the system. What controls do they not have in place? What can they implement to strengthen those weaknesses? Can we prevent these threats by having more training?
Step 3 is vulnerability identification. This can be a flaw or weakness in the system security procedures, design, implementation, or internal controls. For example, there is a new vulnerability, Log4j.
Step 4 is Risk Analysis. As stated in Chapter 10, “the risk analysis is a determination or estimation of the risk to the system, an analysis that requires the consideration of closely interwoven factors, such as the security controls in place for the system under review, likelihood that those controls will be either insufficient or ineffective protection of the system, and the impact of that failure.”
One takeaway from this reading was the categorization of the three groups of security controls: management controls (which are implemented by management, such as the decision for a company to undergo a BCDR test), operational controls (which are security controls implemented by personnel, such as FOB/badge access to a building), and technical controls (which are security measures implemented by technology, such as automated logging and monitoring). Understanding the differences in these controls is important when developing an organizational security plan, and comprehending the overall company security posture.
One key point that I took from NIST SP 800-100, Chapter 10 “Risk Management” is that all organizations have some inherent amount of risk.
Although companies with information systems that contain intellectual property and government organizations face the most external threats, even organizations that seem like they would have no external threats face some level of risk due to natural and environmental threats. Natural threats, e.g. floods and earthquakes, exist at least to a small degree everywhere in the world. For this reason, organizations with seemingly less important business processes and information systems still face the risk of property unavailability (IT, physical, or both), personnel loss, reputation loss due to poor response, and more. In some cases, natural disasters shut down areas of the world for weeks to even months, and there are very few companies or groups who could do without their core locations, business processes, and/or information systems for that long a period of time.
Another key point that I took from this reading is that there are many helpful government resources when it comes to identifying potential threats and vulnerabilities. Examples of these sources include, but are not limited to, the FBI’s National Infrastructure Protection Center, the US Computer Emergency Readiness Team (or US-CERT), the NIST National Vulnerability Database, and other mass media and web-based resources.
The reading walks through some common challenges. It talks about how there are many different governing bodies a company has to answer to. This includes the federal government, all the state governments in which they do business, and any international governing bodies if they do business overseas. If you are in any contracts, then the company you’re contracting with may also require you to attain a certain basic level of cybersecurity as well as cyber insurance.
Another challenge it talks about is prioritizing funding. Funding is often limited so you need to invest in the controls that will provide the largest benefit for the smallest cost.
NIST Special Publication 800-100, Information Security Handbook: This is a set of recommendations of the National Institute of Standards and Technology on managing information security in your company. It is written for managers.
Chapter 10 clarifies that to implement the risk management process, it would be essential first to define risk assessment leading to the risk mitigation process. It also stated the implementation and steps of the Risk Management Framework, which starts with categorization, followed by selection, implementation, assessment, authorization, and monitoring of processes, with the overall goal of risk management.
NIST SP 800-100 establishes the process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all to manage risk. It provides managerial guidance for establishing and implementing an information security program across thirteen areas of information security management, and it provides specific monitoring activities for each task. Tasks should be done on an ongoing basis.
Kelly Sharadin says
For an organization to truly develop an actionable risk assessment, it is critical to accurately define the scope during Step 1 – system characterization. As noted by NIST, failing to account for this step will result in diminished returns later on in the assessment. Improper or incomplete system characterization can lead to blind spots within an organization’s attack surface and can increase the potential for system compromise by an attacker. Furthermore, failing to determine which assets house mission-critical components may also result in weak security controls. Lastly, the recommended best practice of revisiting the risk assessment every 3 years can also assist with the increasing scope of a company’s assets and even help reduce the growth of shadow IT that is inevitable within any organization.
Dan Xu says
Hi Kelly,
I agree with you that the first step is important for developing an actionable risk assessment. Failure to clearly define the scope of the system characterization period will result in reduced valuation gains. Early preparation is very important. For security controls, the inclusion of mission-critical components requiring validation is also decisive. I also believe that an effective risk management process is an essential part of a successful information security program, and that these are also operations that require periodic revisiting of risk assessments.
Lauren Deinhardt says
Hi Kelly, great emphasis on the importance of making risk assessments a regular task for a company. I personally disagree with the reading in that 3 years is the right frequency for risk assessments, however. Between emerging threats and newfound vulnerabilities, I feel that annual risk assessments are the best course of action for any organization. In fact, ISO 27001:2013 mandates annual risk assessments in order to maintain compliance: https://www.itgovernance.co.uk/blog/7-steps-to-a-successful-iso-27001-risk-assessment#:~:text=ISO%2027001%20requires%20your%20organisation,and%20the%20changing%20threat%20environment.
Dhaval Patel says
My overall takeaway from this reading is that to successfully conduct risk management you have to define the risk assessment process and the risk mitigation process. System characterization is generally stated as the most important step in the risk assessment phase and I would have to agree, without proper identification of the organization’s assets, systems could be left vulnerable. The end goal is to have a risk level matrix designed to help management make risk-based decisions, such as what assets need to go through the risk mitigation phase. Once at the risk mitigation phase the goal here is to see if the risk is worth the cost and if or what controls should be applied.
Kelly Sharadin says
Hi Dhaval,
Excellent concise statement on how to develop a successful risk management program: identify the risks and then mitigate the risks. You are absolutely correct here. What is the value of conducting a risk assessment if there is no follow-through regarding mitigation, assuming enough unacceptable risks have been identified? I find breaking something as daunting as risk management into planned phases helps ensure objectives are met. Thanks for a thoughtful post!
Kelly
Antonio Cozza says
Dhaval,
Excellent summary of the chapter, and I would have to agree regarding your statement on risk management; the risks which an organization faces may only be managed after a well-executed risk assessment process is completed, which may then be used to allot resources to mitigate the risks of the highest precedence and choose other options for lower-level risks. For system characterization, this is of utmost precedence because if this step is poorly executed, it will likely result in far greater risks which may be extremely difficult to mitigate, and mitigation will be far more costly where possible for the organization.
Dan Xu says
By reading chapter 10, I have the following insights: Effective risk management processes are an important part of a successful information security program. The three processes are risk assessment, risk mitigation, and evaluation and assessment. The objective of the risk assessment process is to identify and evaluate the risks of a given environment. On the other hand, the seven-step approach is commonly used to guide the selection of security controls in the risk response (risk mitigation) process: 1. prioritize actions; 2. evaluate recommended control options; 3. conduct a cost-benefit analysis; 4. select controls; 5. assign responsibilities; 6. develop assurance implementation plans; and 7. implement selected controls. By mitigating the level of risk through this method, the creation of uncontrollable risks can be effectively avoided.
The process of managing risk extends throughout the system development lifecycle, from the early stages of project initiation to decommissioning the system and its data. From the beginning, organizations consider possible threats and risks to the system so that they are better prepared to operate safely and effectively in their intended environment, keeping the risks within manageable limits.
zijian ou says
Hi Dan,
I endorse your focus on the seven steps of security control. This provides a detailed analysis of effectively avoiding risks that cannot be controlled and experiencing the importance of risk management.
zijian ou says
Threat identification is the second of the six steps in the risk assessment process. Threat identification develops a “threat statement” or a comprehensive list of potential threat sources. The threat identification process examines IT vulnerabilities and determines their ability to compromise your systems. It is a crucial element of your organization’s risk management program. Identifying threats allows your organization to take pre-emptive action.
Dhaval Patel says
Hi zijian ou,
You make a great point. The threat identification process is a crucial step in the risk management process. Having an understanding of how certain vulnerabilities can impact your systems gives the organization a head start if they are breached.
Antonio Cozza says
Upon revisiting this risk management process in NIST SP 800-100, the 6-step process characterizes how to define and assess relevant risks, evaluate the probability of a vulnerability being exploited by a threat and acting upon a risk, characterize systems, test against realized risks, observe, analyze, and document risk findings. The third step in the risk management process defined, vulnerability identification, is the most interesting to me as a penetration tester. The publication defines a vulnerability essentially as a weakness that has the capacity to be exploited, resulting in either a security breach or violation of a security policy. Outside of the standard previously completed risk assessments, an organization can assess risk as well through sources like NIST’s National Vulnerability Database, for example. Next, vulnerability scanners and penetration testing are common methods of assessing and detecting vulnerabilities in systems. Lastly, a security requirements assessment can be made in comparison with the security requirements as defined in the design phase of the system in order to evaluate compliance for a given system; noncompliance may point to a vulnerability.
Vraj Patel says
The risk assessment is a 6-step process: Step 1 – System Characterization, Step 2 – Threat Identification, Step 3 – Vulnerability Identification, Step 4 – Risk Analysis, Step 5 – Control Recommendations, and Step 6 – Results Documentation.
Step 1, System Characterization, determines the system’s criticality using the FIPS 199 system categorization. Step 2, Threat Identification, determines the threats and weaknesses of the system. Step 3, Vulnerability Identification, identifies the flaws and the weaknesses within the system. Step 4, Risk Analysis, identifies the risks that the system has, including the risk of any security controls that could fail or be ineffective against any threats. The goal of Step 5, Control Recommendations, is to identify the controls that would help lower the risk of the information system. Step 6, Results Documentation, is the reporting mechanism that is used to report the risk assessment activities.
kofi bonsu says
Hello Patel,
I agree with you in regard to your explanation about the chapter, and it is in line with my reasoning. The fact of the matter is the purpose of risk management is to identify potential problems before they occur so that risk-handling activities may be planned and invoked as needed across the life of the product or project to mitigate adverse impacts on achieving objectives. Risk management is a continuous, forward-looking process that is an important part of business and technical management processes. Risk management should address issues that could endanger achievement of critical objectives. A continuous risk management approach is applied to effectively anticipate and mitigate the risks that have critical impact on the project.
Kyuande Johnson says
The third step in the contingency planning process is to identify preventive controls. Implementing preventive controls might mitigate outage impacts identified by the BIA. Preventive controls are measures that detect, deter, and/or reduce impacts to the system. Detection controls are designed to detect errors and irregularities that have already occurred and to assure their prompt correction. An example of a detection control is an intrusion detection system. Preventative controls are designed to keep errors or irregularities from occurring in the first place. Examples of preventative controls are encryption and intrusion prevention systems. Corrective controls include any measures taken to repair damage or restore resources and capabilities to their prior state following an unauthorized or unwanted activity. Examples of corrective controls are creating a backup and quarantining a computer virus.
Kelly Sharadin says
Hi Kyuande,
Great callout; preventative controls tied to a business impact analysis can help identify vulnerable areas that require minimal financial investment to protect but have high ROI on prevention. As you have identified, if the organization is dealing with sensitive information we can enable encryption capabilities, enforce multi-factor authentication, enable anti-virus, and configure firewalls to prevent outbound traffic from sensitive intranets. Nice post!
Kelly
Patrick Jurgelewicz says
This chapter was greatly helpful in understanding the formalized Risk Management process:
1. Risk Assessment [System Characterization, Threat Identification, Vulnerability Identification, Risk Analysis (Control Analysis, Likelihood Determination, Impact Analysis, Risk Determination), Control Recommendations, Results Documentation]
2. Risk Mitigation
3. Evaluation and Assessment
One key takeaway I had was that the goal of this process is to protect the organization’s mission, not just its information assets. As security professionals, we often want to focus on protecting data confidentiality even at the expense of its availability. We need to be able to balance these characteristics in a way that protects the data but still allows the business to function.
The Risk Mitigation Strategy diagram shows that sometimes risk can be accepted, such as in times where the attacker’s cost is greater than their gain or our anticipated loss is less than our acceptable amount. These guidelines can help a business function in an efficient way while protecting its most important assets.
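The risk-level matrix that Dhaval's post refers to and the accept-or-mitigate decision points Patrick describes, worked through in code as an added example that is not part of any post here or of NIST's publication. The likelihood weights (1.0/0.5/0.1), impact weights (100/50/10) and High/Medium/Low bands are the values of the NIST risk-level matrix in SP 800-30 as reproduced in SP 800-100; the `RiskItem` fields, the loss threshold and the register entries are constructed assumptions for the demonstration.

```python
"""Risk-level matrix and risk-mitigation decision points (NIST SP 800-30,
as reproduced in SP 800-100 chapter 10).

Added example for this discussion thread, not code from any post or from
NIST. Matrix weights and bands follow NIST; the register rows, the
attacker cost/gain estimates and the loss threshold are constructed.
"""
from dataclasses import dataclass

# Likelihood and impact weights from the NIST risk-level matrix.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass
class RiskItem:
    """One row of a risk register (constructed fields, not from the page)."""
    name: str
    likelihood: str           # "High" | "Medium" | "Low"
    impact: str               # "High" | "Medium" | "Low"
    attacker_cost: float      # estimated cost for an attacker to exploit
    attacker_gain: float      # estimated gain for the attacker
    anticipated_loss: float   # expected loss to the organization if exploited


def risk_score(likelihood: str, impact: str) -> float:
    """Risk = likelihood weight x impact weight, as in the NIST matrix."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """NIST risk scale: High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def mitigation_decision(item: RiskItem, loss_threshold: float) -> str:
    """Decision points from the NIST risk-mitigation strategy flowchart.

    A risk is accepted when exploiting it costs the attacker more than they
    gain, or when the anticipated loss is within the organization's acceptable
    amount; otherwise it is flagged as unacceptable and must be mitigated.
    """
    if item.attacker_cost >= item.attacker_gain:
        return "accept: attacker cost exceeds gain"
    if item.anticipated_loss <= loss_threshold:
        return "accept: loss within acceptable amount"
    return "mitigate: unacceptable risk"


def assess(register, loss_threshold):
    """Score each item, attach the matrix level and decision, rank by score."""
    rows = []
    for item in register:
        score = risk_score(item.likelihood, item.impact)
        rows.append({
            "name": item.name,
            "score": score,
            "level": risk_level(score),
            "decision": mitigation_decision(item, loss_threshold),
        })
    # Risk mitigation step 1, "prioritize actions": highest score first.
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


# Constructed sample register for the demonstration (not real findings).
SAMPLE_REGISTER = [
    RiskItem("Unpatched internet-facing web server", "High", "High",
             5_000, 250_000, 400_000),
    RiskItem("Shared admin password on backup host", "Medium", "High",
             2_000, 50_000, 120_000),
    RiskItem("Outdated printer firmware on guest VLAN", "Low", "Low",
             20_000, 500, 2_000),
    RiskItem("Missing rate limit on internal wiki login", "Medium", "Low",
             1_000, 3_000, 4_000),
]


if __name__ == "__main__":
    # Management view: score, matrix level, and accept/mitigate decision.
    for row in assess(SAMPLE_REGISTER, loss_threshold=10_000):
        print(f"{row['score']:>6.1f}  {row['level']:<6}  "
              f"{row['name']}: {row['decision']}")
```

Changing `loss_threshold` shows how the organization's acceptable loss, not the matrix score alone, decides whether a Low or Medium item is accepted or sent into the mitigation phase.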
Dan Xu says
Hi Patrick,
I agree with you that the goal of the risk management process is to protect the mission of the organization and not just its information assets. While protecting data, we can also ensure that we improve the confidentiality of information. In the process of risk management, we can reduce high risk to medium risk, and try our best to control vulnerabilities and threats within a controllable range. This is a good operation for both social and business development.
Lauren Deinhardt says
Hi Patrick, thanks for the post. I like your point regarding protection of information assets as well as an organization’s mission. This is important to consider when weighing the effects of a breach, which can be impactful in terms of loss of life, finances, and reputational damage.
Lauren Deinhardt says
Overall, my biggest takeaway from this reading was the integration between developing an effective information security program and the importance of IT auditing. Throughout the entire risk management process (from risk assessment to final evaluation), NIST stresses the criticality of making risk management a continual process; risk management is not a “one and done” ordeal. It is key to constantly evaluate and audit information systems, and transform organizations into having an SDLC mindset with enterprise risk management. This same concept is seen with ISO 27001 standards mandating a continually-improving ISMS (information security management system).
Madalyn Stiverson says
Hi Lauren,
I agree; in a field where the threat environment is constantly changing, we need to readily adapt and overcome these challenges. The best way to do that is to stay agile by continually updating frameworks and incident response plans. We should be testing and updating these plans regularly.
Kofi Bonsu says
After reading the chapter, I was able to learn that the purpose of risk management is to ensure that the company's operations are effective, that financial and other information is reliable, and that the company complies with the relevant regulations and operating principles. In that regard, a robust risk management process is widely regarded as essential to protect an organization's information assets from being hacked or destroyed. Security professionals must work in tandem with their business partners to gain sufficient information about an asset and understand the resultant repercussions on confidentiality, integrity, and availability if the asset is breached. They must also understand that the effective implementation of any security measure within an organization pivots on protecting the integrity, confidentiality, and availability of all information assets. I was also able to learn from the chapter that categorizing assets as high, medium, or low certainly assists in the prioritization of risks, thereby making sure that adequate risk controls are in place to reduce any harmful risks to an acceptable or optimum level, in order to ensure continuity in business operations.
Dhaval Patel says
Hi Kofi,
Great points. I agree the goal of risk management is really to make sure the assets of the company are accounted for and that CIA is taken into consideration, and if they were to experience a breach they would be ready and know how to respond.
Vraj Patel says
Hello Kofi,
That's a great post. Risk management does ensure that companies' operations are effective. It also helps companies identify threats within their network and helps identify the criticality level of each threat, which could allow companies to put appropriate safeguards in place to mitigate that threat.
Victoria Zak says
The formalized Risk Management process consists of risk assessment, risk mitigation, and evaluation and assessment. Step 1 is system characterization. Interviews, questionnaires, documentation reviews, and scanning tools can help collect the information needed to characterize hardware, software, data, and external tools. Step 2 is threat identification. We need to identify what weaknesses are in the system. What controls do they not have in place? What can they implement to strengthen those weaknesses? Can we prevent these threats by having more training?
Step 3 is Vulnerability Identification. This can be a flaw or weakness in the system security procedures, design, implementation, or internal controls. For example, there is a new vulnerability: Log4j.
Step 4 is Risk Analysis. As stated in Chapter 10, “the risk analysis is a determination or estimation of the risk to the system, an analysis that requires the consideration of closely interwoven factors, such as the security controls in place for the system under review, likelihood that those controls will be either insufficient or ineffective protection of the system, and the impact of that failure.”
Lauren Deinhardt says
One takeaway from this reading was the categorization of the three groups of security controls: management controls (which are implemented by management, such as the decision for a company to undergo a BCDR test), operational controls (which are security controls implemented by personnel, such as FOB/badge access to a building), and technical controls (which are security measures implemented by technology, such as automated logging and monitoring). Understanding the differences in these controls is important when developing an organizational security plan, and comprehending the overall company security posture.
Michael Jordan says
One key point that I took from NIST SP 800-100, Chapter 10 “Risk Management” is that all organizations have some inherent amount of risk.
Although companies with information systems that contain intellectual property and government organizations face the most external threats, even organizations that seem like they would have no external threats face some level of risk due to natural and environmental threats. Natural threats, e.g. floods and earthquakes, exist at least to a small degree everywhere in the world. For this reason, organizations with seemingly less important business processes and information systems still face the risk of property unavailability (IT, physical, or both), personnel loss, reputation loss due to poor response, and more. In some cases, natural disasters shut down areas of the world for weeks to even months, and there are very few companies or groups who could do without their core locations, business processes, and/or information systems for that long a period of time.
Another key point that I took from this reading is that there are many helpful government resources when it comes to identifying potential threats and vulnerabilities. Examples of these sources include, but are not limited to: the FBI's National Infrastructure Protection Center, the US Computer Emergency Readiness Team (US-CERT), the NIST National Vulnerability Database, and other mass media and web-based resources.
Madalyn Stiverson says
The reading walks through some common challenges. It talks about how there are many different governing bodies a company has to answer to. This includes the federal government, all the state governments in which they do business, and any international governing bodies if they do business overseas. If you are party to any contracts, then the company you are contracting with may also require you to attain a certain basic level of cybersecurity as well as cyber insurance.
Another challenge it talks about is prioritizing funding. Funding is often limited so you need to invest in the controls that will provide the largest benefit for the smallest cost.
Olayinka Lucas says
NIST Special Publication 800-100, Information Security Handbook: This is a set of recommendations of the National Institute of Standards and Technology on managing information security in your company. It is written for managers.
Chapter 10 clarifies that to implement the risk management process, it is essential first to define risk assessment, which leads into the risk mitigation process. It also states the implementation and steps of the Risk Management Framework, which starts with categorization, followed by selection, implementation, assessment, authorization, and monitoring of processes, with the overall goal of risk management.
Bernard Antwi says
NIST SP 800-100 establishes the process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all to manage risk. It provides managerial guidance for establishing and implementing an information security program, covers thirteen areas of information security management, and provides specific monitoring activities for each task. Tasks should be done on an ongoing basis.