In risk management, it is unrealistic to remove every single threat or vulnerability. A more reasonable approach in resolving that issue, whether high or low, is to apply the “assess, mitigate, and evaluate” procedure in order to reduce risk, and to operate safely and securely.
Hi Christopher, you made a great point in your post about it being unrealistic to remove all threats and vulnerabilities. Since threats, especially in IT, are so dynamic, setting a goal to remove all threats is impossible. Like you said, the best thing a company can do is to find ways to reduce risk.
Risk Management forms a core part of an entity’s information system security, and since it is impossible to eliminate all risks, this process – by way of risk assessment, risk evaluation, and risk mitigation – helps establish an acceptable information system security risk. That is, the risk an entity is willing to undertake in achieving its objectives.
Hi Lakshmi, I agree that risk management is not designed to eliminate all risks. By its own nature some risks can have a low probability of occurrence or a low impact, so it would not be advisable from an economic point of view to expend resources eliminating these risks. Risk management also involves forecasting and evaluating the potential risks associated with day-to-day operations, while actively identifying ways to reduce them or minimize their impact on the business.
Risk management should be considered when designing a system in the systems development life cycle (SDLC) by understanding what type of hardware, software, and data are going to be included in the system. Using this and additional information, the system can be used to establish the scope of a risk assessment and ultimately to determine whether any potential risks are acceptable or unacceptable and need to be mitigated. Lastly, the mitigations put in place can be used to determine any remaining residual risk.
In NIST SP 800-100, Chapter 10 “Risk Management”, risk management has been broken down into three phases and various steps:
Phase 1: Risk Assessment
  Step 1: System Characterization
  Step 2: Threat Identification
  Step 3: Vulnerability Identification
  Step 4: Risk Analysis
    Control Analysis
    Likelihood Determination
    Impact Analysis
    Risk Determination
  Step 5: Control Recommendations
  Step 6: Result Documentation
Phase 2: Risk Mitigation
Phase 3: Evaluation and Assessment
What’s particularly helpful to organizations is the risk management in the system security life cycle. In today’s security landscape, the three-phase process serves as a guideline for organizations that have to comply with regulatory compliance requirements. These three phases are easy to understand and easy to follow. This should be the foundation for any organization that wishes to protect the confidentiality, integrity and availability of data.
Hi Xiduo, I’d like to expand on a concept you briefly touched on, which was that the three-phase structure of risk management provides an “easy to understand and easy to follow” structure. I think this is an especially important fact to highlight, as risk management processes should be as simple and intuitive as possible for those executing them. The more the professionals engaging in risk management processes understand the concepts, the greater the benefit the organization yields.
One of the key takeaways I had from this reading is that it helped to link together a lot of the key federal government resources I was already familiar with, such as FIPS 199, NIST 800-53, and NIST 800-30. I was familiar with these resources from my other classes but this was the first time they were linked together to show just how each serves as guidance for an important component of risk management and how they are dependent on each other. It made it clear how the criticality ranking affects the assessment of risk, and then the analysis of controls.
I agree, Megan – this particular chapter of NIST SP 800-100 pulled the major points from various documents we rely on and created more of a big picture of risk management. I think it’s valuable to have an overview like this – it makes the overall risk management process easier to understand, and more palatable for management.
Risk management is broken down into three parts: risk assessment, risk mitigation, and evaluation and assessment. Just doing one or two of these processes does not constitute proper risk management. Risk assessments should be as in-depth as is needed depending on how critical or sensitive the system is. NIST 800-30 defines a 9-step process, but the goal is always to identify and analyze the risks in an environment. Risk mitigation is about prioritizing, evaluating, and implementing proper controls in line with the outcomes of the risk assessment process. It is impossible and infeasible to eliminate all risk. Because systems and threats are constantly changing, risks and controls need to be monitored. Evaluation and assessment involves tracking and measuring your evolving risks and controls so that your risk mitigation stays effective.
The ultimate goal of risk management is the preservation of the assets of the organization for the successful continuation of its operation. It consists of three parts: (1) Risk Assessment – evaluates an organization’s exposure to uncertain events that could impact its daily operation and estimates the damage those events could have on the organization’s revenue and reputation. (2) Risk Mitigation – a process to reduce those risks to an acceptable level if it is impossible to eliminate them from the system. (3) Evaluation and Assessment – examines the results of the risk analysis and compares them to established risk criteria to decide where additional controls may be needed.
What stood out to me in this reading is the relationship/interdependencies between the risk assessment process, Plans of Actions and Milestones, the System Security Plan, and a system’s security certification and accreditation. My takeaway is that it might be a best practice to perform these assessments in a coordinated effort where possible to make efficient use of resources and of the best information available at that point in time (comparing apples to apples versus apples to oranges), and to align the results.
It struck me that the implementation of security controls makes up a small fraction of the entire Information Security Risk Management process as defined by NIST SP 800-100. While the implementation of controls is probably the process the average person imagines when they hear “cybersecurity”, many more steps are required to successfully manage information security risk. Without the risk assessment process and associated subprocesses, implementing security controls would be wasted effort, because an organization wouldn’t know which risks need to be mitigated. Without evaluation and assessment after implementation, they would also never know if the controls were even doing their jobs. Even within the risk mitigation process, implementing controls is the culmination of many other activities that are necessary to determine which controls would be effective.
A risk management process should include three parts, which are risk assessment, risk mitigation, and evaluation and assessment. After the risk assessment process comes risk mitigation, as it is impractical to eliminate all the risk from the system. It prioritizes actions, evaluates recommended control options, conducts cost-benefit analyses, selects controls, assigns responsibility, develops a safeguard implementation plan, and implements selected controls. There are different implementation options to reduce risks: risk assumption, risk avoidance, risk limitation, risk planning, research and acknowledgment, and risk transference. Some residual risk remains after all these actions, which should be at an acceptable level. If not, the risk management cycle should repeat to reduce the residual risk to an allowable level.
Hi there To-Yin! I agree with you that risk management must be a continuous cycle, especially since technology is always evolving and changing the dynamics of the threat landscape. I think that chapter 10 does a great job in providing an overview of the dynamics of the IT risk management process. For someone learning how to conduct an IT Audit, this chapter might be very useful in identifying, assessing, and mitigating risk.
One key takeaway I had from this reading is the admission that not all risk can be mitigated, and that residual risk will always be present. It may appear in a different line of the business, but every decision a business makes has some sort of tradeoff, whether it be monetary or avoidance of risk. An organization needs to consider the cost-benefit of a risk management program, and the level of residual risk. These expectations are very important, as they help companies make the more appropriate decisions when it comes to their risk. If the level of residual risk is too high, it gives leaders a good point of improvement.
Charlie, this is a key point to remember. Residual risk will always be present. Thank you for mentioning this. Your statement is valuable because you are right, not all risk can be mitigated.
I’m not trying to argue semantics here, but I think all risk can be mitigated. Mitigation involves treating a risk and (ideally) reducing it to an acceptable level. Part of the mitigation process is risk avoidance, risk transference, risk limitation, risk acceptance, etc. Mitigation is its own phase of the Risk Management process.
I think what you meant is that all risk cannot be eliminated. I completely agree with that. My only thought is that individual risks can be eliminated by avoiding the activity. But of course all risk that an organization faces cannot be eliminated unless it just ceases to exist.
Risk management is defined as the process of identifying, monitoring, and managing potential risks in order to minimize the negative impact they may have on an organization. It can then be further broken down into three components, which are risk assessment, risk mitigation, and risk evaluation/assessment. According to NIST, the main objective is to consistently identify and analyze the different types of risks. In Chapter 10 of NIST SP 800-100, a key point was that risk may never be fully removed since technology is consistently changing each day. Therefore, since technology is always evolving, risk controls must also be reevaluated and adjusted.
Great point Elias! The threat landscape is so dynamic that risk management must be an ongoing process; threats faced by an entity today may not be the same threats they face in the future, and the opposite is also true. New technology, processes, business models, etc., have the potential to change an entity’s information security risks in the blink of an eye and therefore should always be evaluated and modified, as you noted.
One of the key points from the NIST SP 800-100, Chapter 10 “Risk Management” that stuck out to me was the second phase of the risk management process, risk mitigation. I particularly like this phase because I am interested in how we are supposed to reduce risk. Once the risks are determined to be addressed in the risk mitigation process, a seven-step approach is used to guide the selection of security controls:
1. Prioritize actions;
2. Evaluate recommended control options;
3. Conduct cost-benefit analyses;
4. Select controls;
5. Assign responsibility;
6. Develop a safeguard implementation plan; and
7. Implement selected control(s).
FIPS 199 provides the basis for selecting controls to mitigate risks to an acceptable level. The security categorization is used in two ways: (1) it determines which minimum baseline security controls are selected from NIST SP 800-53, and (2) it aids in estimating the level of risk posed by a threat/vulnerability.
The key point that stood out for me was evaluation and assessment, the third process of risk management. While each process is important and necessary for a successful risk management program, I like to emphasize the importance of an ongoing evaluation and assessment of the risk management program with clients. The reading states, “The art of risk management in today’s dynamic and constantly changing information technology (IT) environments must be ongoing and continuously evolving. Systems are upgraded and expanded, components are improved, and architectures are constantly evolving.” This tells us that we cannot perform a risk assessment one time and never look at it again, as this will open the door to numerous threats and vulnerabilities in the systems. While the technical functions of organizations usually understand this piece, the business functions sometimes have a harder time adjusting, so during audits, I personally like to ensure each stakeholder is participating in risk evaluation and assessment.
It was interesting to see that Risk Evaluation, Risk Analysis, Mitigation and Assessment are also used on the business, not IT, side of the business. It is valuable to have a strong risk environment on both the operations and IT sides of the organization. The risk evaluation of a system, whether it be a new implementation or an upgrade, could potentially be compared with changing a process, such as deciding that your business will do curbside pickup and not force the customer inside the store. Each of the examples provided can go through the Risk Management process, with evaluation, analysis, mitigation and assessment.
One key point I took away from this reading was the steps within the second phase of the risk management process: risk mitigation. Risk mitigation emphasizes controls that reduce risk rather than eliminate it, as that would be impractical. Using a standard risk mitigation strategy, risk is classified as unacceptable if the attacker’s cost is greater than gain and if the anticipated loss exceeds the set threshold. Once unacceptable risks are identified, a seven-step approach is used to select the appropriate security controls. These steps are as follows: prioritize actions, evaluate recommended control options, conduct cost-benefit analyses, select controls, assign responsibility, develop a safeguard implementation plan, and implement selected controls. The text emphasized that, despite following this process, there will still be residual risk. This risk must be analyzed to determine if it is at an acceptable level. If the residual risk is not acceptable, the risk management cycle is to be repeated.
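A worked model of the cycle the thread keeps returning to: risk determination from likelihood and impact (assessment step 4), cost-benefit selection of controls (mitigation steps 2 to 4), and repeating the cycle while residual risk stays above the acceptable level. This is an added illustration, not code from NIST SP 800-100 or from any poster; the scales are modelled on the NIST SP 800-30 risk-level matrix, and the sample risk, the candidate controls, their costs and the budget are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Scales modelled on the NIST SP 800-30 (2002) risk-level matrix:
# risk score = likelihood x impact; >50 is High, >10 is Medium, otherwise Low.
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}
LEVELS = ["Low", "Medium", "High"]

@dataclass(frozen=True)
class Control:
    name: str
    cost: int      # constructed cost in arbitrary units
    reduces: str   # "likelihood" or "impact"; a control lowers that factor one level

@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)   # controls selected so far

def risk_score(likelihood: str, impact: str) -> float:
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def risk_level(likelihood: str, impact: str) -> str:
    """Assessment step 4, risk determination: map likelihood x impact to a level."""
    score = risk_score(likelihood, impact)
    return "High" if score > 50 else "Medium" if score > 10 else "Low"

def lower(level: str) -> str:
    return LEVELS[max(0, LEVELS.index(level) - 1)]

def residual_factors(risk: Risk, trial: Optional[Control] = None) -> tuple:
    """Likelihood and impact after the selected controls (plus one trial control)."""
    like, imp = risk.likelihood, risk.impact
    for c in risk.controls + ([trial] if trial else []):
        like, imp = (lower(like), imp) if c.reduces == "likelihood" else (like, lower(imp))
    return like, imp

def residual_level(risk: Risk) -> str:
    return risk_level(*residual_factors(risk))

def select_control(risk: Risk, candidates: list, budget: int) -> Optional[Control]:
    """Mitigation steps 2-4: evaluate options, cost-benefit analysis, select a control.
    Benefit is the drop in risk score; choose the best benefit per unit of cost among
    affordable, not-yet-selected controls. None means nothing affordable helps."""
    before = risk_score(*residual_factors(risk))
    best, best_ratio = None, 0.0
    for c in candidates:
        if c in risk.controls or c.cost > budget:
            continue
        ratio = (before - risk_score(*residual_factors(risk, c))) / c.cost
        if ratio > best_ratio:
            best, best_ratio = c, ratio
    return best

def manage_risk(risk: Risk, candidates: list, budget: int,
                acceptable: str = "Low", max_cycles: int = 5) -> dict:
    """Assess, mitigate, evaluate; repeat while residual risk exceeds the acceptable
    level. Stops when acceptable, when no affordable control helps, or at max_cycles."""
    history = []
    for cycle in range(1, max_cycles + 1):
        level = residual_level(risk)                        # assess
        if LEVELS.index(level) <= LEVELS.index(acceptable):
            break
        chosen = select_control(risk, candidates, budget)   # mitigate
        if chosen is None:                                  # leftover risk is assumed or escalated
            break
        risk.controls.append(chosen)
        budget -= chosen.cost
        history.append((cycle, level, chosen.name))         # result documentation
    final = residual_level(risk)                            # evaluate
    return {"residual": final, "accepted": LEVELS.index(final) <= LEVELS.index(acceptable),
            "controls": [c.name for c in risk.controls], "budget_left": budget,
            "history": history}

# Constructed sample: an internet-facing server running unpatched software.
CANDIDATES = [
    Control("patch management", cost=20, reduces="likelihood"),
    Control("network segmentation", cost=40, reduces="impact"),
    Control("web application firewall", cost=60, reduces="likelihood"),
]

def demo(budget: int) -> dict:
    """Run the cycle on the sample risk with the given mitigation budget."""
    return manage_risk(Risk("unpatched web server", "High", "High"), CANDIDATES, budget)
```

With a budget of 100 the cycle runs twice and reaches Low residual risk; with a budget of 50 it stalls at Medium, which is exactly the situation where the residual risk has to be formally accepted or escalated rather than ignored.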