According to ISO 31000, the family of standards relating to risk management codified by the International Organization for Standardization, risk can be defined as the effect of uncertainty on objectives. Taking into consideration the constant rise in the number and complexity of security threats, there is far more uncertainty in the landscape than security specialists would like to admit.
Reducing the undesirable effects of uncertainty to acceptable levels is what risk management is all about. Using a risk-based approach for cybersecurity issues is one of the best strategies a company can embrace, but one question comes to mind: From the many standards and frameworks currently available, what is the most suitable option? That is a very important consideration, as using an inadequate option can lead to unexpected results and failure to protect corporate data or comply with mandatory regulation.
Here are four simple suggestions to help any security professional understand how to select and implement risk management standards and frameworks.
- Understand Risk Management Standards
This step may sound simplistic; however, it is essential. Many risk management implementations fail due to a lack of understanding of standards and frameworks, and of how they work in practice. Definitions of standards and frameworks are provided below:
- Standards: At its core, a standard is an acceptable way of doing something. It contains clearly defined and measurable rules and requirements that must be met to consider something compliant.
Standards are the condensed knowledge of professionals and organizations, with expertise in specific subject matter, who know the needs of the organizations they represent. They are often influenced or set by manufacturers, sellers, buyers, customers, trade associations, users or regulators.
- Frameworks: A framework is an outline of interlinked items used to achieve a specific objective. Contrary to a standard, frameworks are usually not compulsory. Instead, their purpose is to offer a working guide that can be adapted as required, or adjusted in accordance with an organization’s needs.
In other words, frameworks function as guidelines on a specific subject. They outline what to do, but not necessarily how to do it.
By these definitions, a risk management standard would be a systematic approach to identifying, assessing and prioritizing risks, followed by coordinated efforts to minimize, monitor and control the probability or impact of undesired events.
There are several risk management standards available, including publications by the Project Management Institute, the National Institute of Standards and Technology (NIST), actuarial societies and ISO standards.
- Recognize the Diverse Types of Risk Management Standards
Different agencies from all around the world are responsible for the creation and development of risk management standards. What these organizations have in common is the goal of devising a systematic and efficient approach for carrying out a high-quality risk management process. In essence, this means enabling a common view on frameworks, processes and practices that are set by recognized international standards bodies or industry groups.
It is important to understand that, even with a common goal, many of these agencies tend to think and work independently. This results in diverse types of risk management standards.
However, this should not be seen as a problem; quite the contrary. Putting aside the many cases where a particular standard is enforced by regulators or by contract, having several options means each organization can decide which standard is most appropriate for its context.
IT risk management is only a part of the wider, corporate risk management effort. ISACA defines risk management as “the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level.” Each risk management standard must be analyzed in terms of its adequacy and its value to the company, but that requires context, which leads to the next step.
- Define What Criteria Should Be Used When Selecting a Standard
Not every standard will work for every organization. In reality, the defining criteria for choosing a standard should be entirely based on the organization’s context, taking into consideration several factors, such as the company’s size, nature, culture and the demands from stakeholders such as regulators or shareholders.
In general terms, risk management’s prime motivator is maximizing the likelihood that an organization will achieve its objectives. So, the key criterion for selecting a standard is making sure it will align with the organization’s strategic objectives, especially the needs of the stakeholders. For example, a client may require that a private company obtain an ISO 27001 certification; in this case ISO 27005 would be the most suitable risk management standard. For U.S. government agencies seeking compliance with the Federal Information Security Management Act (FISMA), the Risk Management Framework (RMF) process defined in NIST 800-37 and the DoD Information Assurance Certification and Accreditation Process (DIACAP) would be the right choice.
- Know How to Use the Risk Management Framework
For U.S. federal government organizations and their contractors, the RMF is a common information security framework. It is an integral part of the implementation of FISMA, and is based on publications of the National Institute of Standards and Technology (NIST) and the Committee on National Security Systems (CNSS).
RMF goals include improving information security, strengthening the risk management processes and encouraging reciprocity amongst federal agencies. The framework can be used to manage security and privacy risks to information systems, organizations and individuals. Although the RMF was initially developed with government agencies in mind, its practical approach can be adapted and used by any type of business.
The RMF is commonly associated with NIST’s SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. This has been available for FISMA compliance since 2004. It describes a six-step process that must be followed to secure, authorize and manage IT systems of U.S. federal government agencies and their contractors.
RMF’s six-step process for risk management:
- Categorization of information systems: This step requires an impact analysis categorization of the system and any information that it processes, stores and transmits.
- Selection of security controls: Setting the initial baseline of security controls for each system must be based on the categorization completed in the first step. Note that this security control baseline also needs to reflect the organization’s risk assessment and local conditions.
- Implementation of security controls: Once the baseline is defined, the next step is implementing the selected security controls, and documenting how the controls are deployed within the system and environment of operation.
- Assessment of security controls: The RMF requires the evaluation of security controls in order to determine if they are correctly implemented, operating as intended and producing the desired outcome with respect to meeting the security requirements for the system.
- Authorization of information systems: A system’s operation can only be authorized if its risk to organizational operations and assets, individuals, other organizations and the Nation is considered acceptable.
- Monitoring of security controls: This step focuses on making sure security controls are continuously monitored and assessed to ensure their ongoing effectiveness, and that changes to the system or environment of operation are documented. This also requires conducting security impact analyses of the associated changes, and reporting the security state of the system to appropriate organizational officials.
Tips for Implementing Risk Management Standards & Frameworks
As mentioned before, risk management’s prime motivator is maximizing the likelihood that an organization will achieve its objectives. To be effective, risk management needs a systematic approach, using an adequate framework and processes, but also taking into consideration necessary cultural changes.
Follow these tips to successfully implement risk management standards:
- Make it meaningful: The required behavior change for risk management will not happen unless it is perceived as meaningful for the organization. This includes gaining support from executive level by aligning risk management with corporate strategy.
- Define what standards and frameworks will be used before starting to manage risk: Without a systematic approach, any risk management effort may turn out to be a waste of time and resources. Choosing a standard adequate to the company’s context is one of the first steps a risk manager should take.
- Identify assets and risk owners early on: Depending on the selected standard, there may be differences in how risks are identified and categorized. A good strategy is to assign each risk to an owner. This role must have sufficient authority, ability, budget and resources to define how the risk will be treated.
- Risk management standards, Institute of Risk Management
- What is RMF?, BAI Risk Management Framework Resource Center
- ISO/IEC 27005:2011, ISO
- What is a standard? & What does it do?, BSI Group