Once the framework team has finished designing the RM program (framework and process), it begins implementing the program. As with any major project, this involves specifying the project manager for the process and laying out the detailed implementation methodology. The RM process, which is specified in the right half of Figure 4-1, provides general steps to follow in the conduct of risk evaluation and remediation and is designed to be intentionally vague so it can be adapted to any one of the methodologies available.
The implementation of the RM plan, specifically including the RM process, could be based on several traditional IT implementation methods and is likely to be influenced by the organization’s risk appetite:
The organization may distribute the plan to all mid- to upper-level managers for a desk check prior to deployment.
The organization could pilot-test the plan in a small area to gauge initial issues and success prior to deployment across the entire organization.
The organization may use a phased approach in which only a portion of the RM program is initially implemented, such as initial meetings with key managers or initial inventory of information assets.
The bold organization with a larger risk appetite may simply choose a direct cutover (also known as a cold-turkey conversion) in which the new RM project is launched in totality across the entire organization.
Whatever rollout method is selected, it is important for the RM framework team to carefully monitor, communicate, and review the implementation so it can detect and address issues before they become threatening to the viability of the program, as discussed in the next section.
After the initial implementation and as the RM effort proceeds, the framework team continues to monitor the conduct of the RM process while simultaneously reviewing the utility and relative success of the framework planning function itself. In the first few iterations, the framework team will examine how successful it was in designing and implementing the RM framework, plan, and RM process, and what issues required adjustments of the plan. The framework itself only exists as a methodology to design and implement the process, so once the framework is documented in the RM plan, the success of the process becomes the greatest concern. Success or failure in the framework’s planning process may be relatively simple to resolve if addressed early, but issues downstream in the actual RM process may require redesign all the way back up to the framework and then modification of the RM plan. Performance measures, which are described in detail in Module 12, are often used to collect data about the RM process and determine its relative success or failure. The results of these assessments are used in the continuous improvement stage, which is described next.
Once the RM process is implemented and operating, the framework team is primarily concerned with the monitoring and review of the RM process cycle. However, until the framework and plan are implemented and operational, the framework team is also concerned with oversight of the RM framework and plan. The governance group also expects regular feedback on the entire RM program, including information about the relative success and progress of both the framework and process activities.
During the implementation phase of the RM framework, the RM plan guides the implementation of the RM process, in which risk evaluation and remediation of key assets are conducted. The three communities of interest must work together to address every level of risk, ranging from full-scale disasters (whether natural or human-made) to the smallest mistake made by an employee. To do so, representatives from each community collaborate to be actively involved in RM process activities. This process uses the specific knowledge and perspective of the team to complete the following tasks:
Establishing the context, which includes understanding both the organization’s internal and external operating environments and other factors that could impact the RM process.
Identifying risk, which includes the following:
- Creating an inventory of information assets
- Classifying and organizing those assets meaningfully
- Assigning a value to each information asset
- Identifying threats to the cataloged assets
- Pinpointing vulnerable assets by tying specific threats to specific assets
Analyzing risk, which includes the following:
- Determining the likelihood that vulnerable systems will be attacked by specific threats
- Assessing the relative risk facing the organization’s information assets so that risk management and control activities can focus on assets that require the most urgent and immediate attention
- Calculating the risks to which assets are exposed in their current setting
- Looking in a general way at controls that might come into play for identified vulnerabilities and ways to control the risks that the assets face.
- Documenting and reporting the findings of risk identification and assessment
- Identifying individual risk tolerances for each information asset.
- Combining or synthesizing these individual risk tolerances into a coherent risk appetite statement.
Treating the unacceptable risk:
Determining which treatment/control strategy is best considering the value of the information asset and which control options are cost-effective.
- Acquiring or installing the appropriate controls
- Overseeing processes to ensure that the controls remain effective
Summarizing the findings, which involves stating the conclusions of the identification, analysis, and evaluation stages of risk assessment in preparation for moving into the stage of controlling risk by exploring methods to further mitigate risk where applicable or desired.
As the RM process team convenes, it is initially briefed by representatives of the framework team and possibly by the governance group. These groups seek to provide executive guidance for the work to be performed by the RM process team, and to ensure that the team’s efforts are in alignment with managerial intent, as documented in the RM policy and plan. The group is briefed on its responsibilities and set to its work. The plan is reviewed and individual assignments given.
The context in this phase is the understanding of the external and internal environments the RM team will be interacting with as it conducts the RM process. It also means understanding the RM process as defined by the framework team and having the internal knowledge and expertise to implement it. Finally, it means ensuring that all members of the RM process team understand the organization’s risk appetite statement and can use the risk appetite to translate that statement into the appropriate risk treatment when the time comes.
NIST’s Special Publication (SP) 800-30, Rev. 1, “Guide for Conducting Risk Assessments,” recommends preparing for the risk process by performing the following tasks:
- Identify the purpose of the assessment;
- Identify the scope of the assessment;
- Identify the assumptions and constraints associated with the assessment;
- Identify the sources of information to be used as inputs to the assessment; and
- Identify the risk model and analytic approaches (i.e., assessment and analysis approaches) to be employed during the assessment
Understanding the external context means understanding the impact the following external factors could have on the RM process, its goals, and its objectives:
- The business environment—Customers, suppliers, competitors
- The legal/regulatory/compliance environment—Laws, regulations, industry standards
- The threat environment—Threats, known vulnerabilities, attack vectors
- The support environment—Government agencies like NIST and DHS, professional associations like ISSA, and service agencies such as SecurityFocus
Perhaps other factors known to the subject-matter experts that make up the team.
These factors should influence the organization’s conduct of the RM process, its assessment methods, its findings, and most importantly, its decisions when treating risk.
Internal Context
The internal context is the understanding of internal factors that could impact or influence the RM process:
- The organization’s governance structure (or lack thereof).
- The organization’s internal stakeholders.
- The organization’s culture.
- The maturity of the organization’s information security program.
- The organization’s experience in policy, planning, and risk management in general.
0 comments:
Post a Comment