If you’ve been reading our articles you will have read about vulnerabilities. Don’t worry, our series on Risk Assessments isn’t a duplicate of our vulnerability article; it takes a different view of cybersecurity altogether. Vulnerabilities are the technological entry points attackers use; risks sit a level higher and are expressed as If/Then statements. For instance: IF our web server is compromised, THEN our reputation will be damaged. Risk statements feed a risk formula that gives you priorities for funding and resource allocation. The formula combines the probability (likelihood) of the risk coming to fruition with its impact on your business. It can be a complex formula that yields a score from 1 to 10, or a simple 5×5 chart with likelihood on one axis and impact on the other. When you are dealing with a multitude of risks it is best to use a formula, base your priorities on the scores, and work to mitigate the high-risk areas before turning to the lower ones. Keep in mind that the more complex the formula, the fewer risks it will fit cleanly.
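To make the likelihood × impact idea concrete, here is a small risk register scored on a 5×5 chart and sorted so the highest-scoring risks come first. This is an added example for this article, not code or data from the article or from NIST; the risks, their ratings and the band thresholds (Low/Medium/High/Critical) are constructed assumptions, and a real programme would calibrate both the rating scales and the thresholds to its own risk tolerance.

```python
"""Added example (not from the original article): a minimal 5x5 risk register.

Each risk is an If/Then statement with a likelihood and an impact rated 1-5.
Score = likelihood x impact (1-25), which the 5x5 chart bands into
Low / Medium / High / Critical. The register is then sorted so the
highest-scoring risks are treated first, as the article recommends.
The risks, ratings and band thresholds below are constructed assumptions
for illustration, not values from the article or from NIST SP 800-39.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    condition: str    # the "If" clause
    consequence: str  # the "Then" clause
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)


def score(likelihood: int, impact: int) -> int:
    """Likelihood x impact on a 5x5 chart; rejects out-of-range ratings."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be 1..5, got {value}")
    return likelihood * impact


def band(s: int) -> str:
    """Map a 1-25 score to a band. Thresholds are an assumed convention."""
    if s >= 15:
        return "Critical"
    if s >= 10:
        return "High"
    if s >= 5:
        return "Medium"
    return "Low"


def prioritize(register):
    """Return (score, band, risk) tuples, highest risk first.

    Ties break on impact: a high-impact/low-likelihood risk usually deserves
    attention before a low-impact/high-likelihood one with the same score.
    """
    rows = []
    for r in register:
        s = score(r.likelihood, r.impact)
        rows.append((s, band(s), r))
    return sorted(rows, key=lambda row: (row[0], row[2].impact), reverse=True)


# Constructed sample register (assumed ratings, for illustration only).
REGISTER = [
    Risk("our public web server is compromised", "our reputation is damaged", 3, 4),
    Risk("a developer laptop is stolen", "source code is exposed", 2, 3),
    Risk("backups are never tested", "a ransomware event becomes unrecoverable", 4, 5),
    Risk("the office printer is defaced", "we suffer minor embarrassment", 5, 1),
]

if __name__ == "__main__":
    for s, b, r in prioritize(REGISTER):
        print(f"{s:2d} {b:8s} If {r.condition}, then {r.consequence}.")
```

Running the script lists the untested-backups risk first (score 20, Critical) and the defaced printer last (score 5, Medium) even though the printer problem is the most likely of the four; that is the point of scoring rather than reacting to whatever is loudest.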
Risk management is best defined in NIST SP 800-39 (Managing Information Security Risk); the passages below are excerpted from that document.
“Tier 1 addresses risk from an organizational perspective by establishing and implementing governance structures that are consistent with the strategic goals and objectives of organizations and the requirements defined by federal laws, directives, policies, regulations, standards, and missions/business functions. Governance structures provide oversight for the risk management activities conducted by organizations and include: (i) the establishment and implementation of a risk executive (function); (ii) the establishment of the organization’s risk management strategy including the determination of risk tolerance; and (iii) the development and execution of organization-wide investment strategies for information resources and information security.”
“Tier 2 addresses risk from a mission/business process perspective by designing, developing, and implementing mission/business processes that support the missions/business functions defined at Tier 1. Organizational mission/business processes guide and inform the development of an enterprise architecture that provides a disciplined and structured methodology for managing the complexity of the organization’s information technology infrastructure. A key component of the enterprise architecture is the embedded information security architecture that provides a roadmap to ensure that mission/business process-driven information security requirements and protection needs are defined and allocated to appropriate organizational information systems and the environments in which those systems operate.”
“All information systems, including operational systems, systems under development, and systems undergoing modification, are in some phase of the system development life cycle. In addition to the risk management activities carried out at Tier 1 and Tier 2 (e.g., reflecting the organization’s risk management strategy within the enterprise architecture and embedded information security architecture), risk management activities are also integrated into the system development life cycle of organizational information systems at Tier 3. The risk management activities at Tier 3 reflect the organization’s risk management strategy and any risk related to the cost, schedule, and performance requirements for individual information systems supporting the mission/business functions of organizations. Risk management activities take place at every phase in the system development life cycle with the outputs at each phase having an effect on subsequent phases.”