Leighton Johnson, in Security Controls Evaluation, Testing, and Assessment Handbook (Second Edition), 2020

• Risk Management Process—The organization's risk management practices are formally approved and expressed as policy. Organizational security practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.
• Integrated Risk Management Program—There is an organization-wide approach to managing security risk. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Consistent methods are in place to respond effectively to changes in risk. Personnel possess the knowledge and skills to perform their appointed roles and responsibilities.
• External Participation—The organization understands its dependencies and partners and receives information from these partners that enables collaboration and risk-based management decisions within the organization in response to events.

Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9780128184271000124

The Basic Information Systems Security Techniques Used to Defend Against High-Technology Crime Miscreants
Dr. Gerald L. Kovacich, Dr. Andy Jones, in High-Technology Crime Investigator's Handbook (Second Edition), 2006

RISK MANAGEMENT
The risk management process is crucial to establishing and maintaining an InfoSec program at least cost while protecting the high technology. Risk decisions are based on:
• Threats—Man-made or natural occurrences that can cause adverse effects to systems and information when combined with specific vulnerabilities
• Vulnerabilities—Weaknesses that allow specific threats to cause adverse effects to systems and information
• Impacts—The effect that a threat exploiting a vulnerability would have
• Risks—The chances that a specific threat can take advantage of a specific vulnerability to cause adverse effects to systems and information

The assessments can be qualitative, quantitative, or a combination of both. They often result in a formal report and include identifying costs and benefits.

“Passport ID Chips May Not Be Secure; Washington (AP)—The Bush administration opposed security measures for new microchip-equipped passports that privacy advocates contended were needed to prevent identity theft, government snooping, or a terror attack, according to State Department documents released Friday. The passports, scheduled to be issued by the end of 2005, could be read electronically from as far away as 30 feet, according to the American Civil Liberties Union, which obtained the documents under a Freedom of Information Act request. Though the passports wouldn't include transmitters of their own, they would have antennas to allow a reader to capture the data. The ability to read remotely, or “skim,” personal data raises the possibility that passport holders would be vulnerable to identity theft, the ACLU said. It also would allow government agents to find out covertly who was attending a political meeting or make it easier for terrorists to target Americans traveling abroad, the ACLU said.”3

Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9780750679299500488

Risk management
Matthew Metheny, in Federal Cloud Computing (Second Edition), 2017

Components of the NIST Risk Management Process
The risk management process (or cycle)19 consists of four components that provide a structured, process-oriented approach for managing risks. Each of the four components ensures that risk is managed in an integrated process that requires the involvement of the entire organization. Historically, the federal government included only two of the four components of risk management: risk assessment and risk response. In this approach to risk management, as illustrated in Fig. 6.1, two additional components have been added: risk framing and risk monitoring.

Figure 6.1. Components of the risk management process.

Risk Framing
Establishing a risk context (or framing) is a critical first step in risk management that requires describing the risk environment. The environment includes risk assumptions,20 risk constraints,21 risk tolerance,22 priorities/trade-offs,23 and the trust model.24 Framing the risk can also include information about any tools or techniques that are used by the organization to support the risk management activities. The output of risk framing is a risk management strategy25 that provides the organization with a common perspective for managing risks (i.e., assessment, response, or monitoring).
Risk Assessment
The assessment of risk is based on the organization’s risk context, and includes activities focused on supporting the identification and determination of risk, and monitoring risk factors.26 Risks are identified based on a characterization of threats27 (threat sources and events), vulnerabilities,28 and predisposing conditions.29 The risk determination is based on the impact that would result from an event and the likelihood that the event would occur. Monitoring risk factors is the maintenance aspect, and includes ongoing situational awareness of changes to the information the organization uses when making a risk-based decision.

A risk assessment is a tool that can be used organization-wide. Depending on the organizational structure, risk-related information captured at the strategic level (tier 1), as illustrated in Fig. 6.2, can be used at the tactical level (tier 3). By conducting risk assessments as a continual risk management activity, threat, vulnerability, likelihood, and impact information can be refined and updated with information from each of the three levels within the organization (governance, mission/business process, and information system). However, to effectively integrate risk assessments at the different levels within the organization, involvement in the risk assessment activities must extend beyond those responsible for information security. By using an organizational approach to conducting risk assessments, information security risks become an integral part of the organization’s overall decision-making process.

Figure 6.2. Multitiered integration of the risk management process.

Risk Response
After risks have been identified and analyzed, the organization focuses on developing responses30 to risk. When responding to risks, the organization needs to ensure that the response is consistent with the risk context defined in the risk framing component of risk management. Depending on the level of the organization, the risk response may differ because of the types of risk-related information being evaluated for impact and the specific interpretation of the risk management strategy. For example:
• Risk response at the strategic, organizational level might focus on the actions (e.g., accept risk, avoid risk, and transfer risk) that would be available to the organization based on the risk framing.
• Risk responses from the perspective of the mission/business process owners might consider impacts on the ability of the specific organization to accomplish a specific business function, which could result in changes to the information security architecture or to the processes that support the information security program.
• Risk response at the tactical, information system level might focus on specific tasks (plans of action and milestones) that would be undertaken to correct any weaknesses or deficiencies found in security controls, to ensure that the system-level risk can be mitigated to an acceptable level.

A key part of risk response that cannot be overlooked is how the responses to risk are communicated outside of the organization, such as to external service providers (or even between organizations) who may share some or all of the risks. This may require those service providers (or organizations) to be part of the risk response decision-making process, specifically if it relates to contractual or service-level obligations that were established and formalized before the risk response decisions.

Risk Monitoring
The purpose of risk monitoring is to address how risk will be monitored. This includes verifying compliance with the risk response decisions by ensuring that the organization implements the risk response measures (and any information security requirements), determining the ongoing effectiveness of risk response measures, and identifying any changes that would impact the risk posture [1]. Risk monitoring activities at the various levels of the organization (or with other organizational entities) should be coordinated and communicated. This can include sharing risk assessment results that would have an organization-wide impact on risk responses being planned or implemented. The organization should also consider the tools and technologies that will be needed to facilitate monitoring and the frequency necessary for effectively monitoring risks, including the changes that would impact responses to risks.

Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9780128097106000068

TIRM Process Stage A
Alexander Borek, ... Philip Woodall, in Total Information Risk Management, 2014

TIRM project kickoff
To implement the TIRM process in your organization, you first need to convince and educate other people about the usefulness of the TIRM process and explain at a basic level how it works. In particular, you need to establish senior management support. Therefore, a sensible tactic is to invite people who have expressed an interest in being involved to a presentation about the TIRM process (e.g., the one that you can find on the online book companion website). Then organize a two- to three-hour workshop with the interested parties during which you convince them to participate in step A1.

WHAT IF YOU DO NOT HAVE SENIOR LEADERSHIP COMMITMENT FOR TIRM?
Often, it is hard to convince senior leadership to engage, as they are preoccupied with too many things. It is usually easier to gain the support of the leadership of a smaller business unit than the support of top executives. Choose leaders of business units who show the most enthusiasm for data and information improvement projects.
Restricting the scope of the TIRM process application to a particular, smaller business unit or segment can be a useful strategy; this is particularly appropriate if you have not been able to get the support of the executive leadership for the implementation of the TIRM process. If the implementation of the TIRM process in the small initial scope is successful, this might give you the opportunity to convince other business units to participate in the future, as you will have a success story to tell.

EXAMPLE: TIRM PROCESS APPLIED AT A CALL CENTER
We will illustrate all the steps in the following commentary, using a fictitious case study of a call center, which is under constant pressure to fully satisfy customers but suffers from decreasing profit margins. A data quality manager believes that higher customer satisfaction at a lower cost can be achieved if data and information are of higher quality and are used more effectively. He convinces the managing director of the call center to implement the TIRM process to identify optimal data and information quality improvement investments that promise the best benefit-to-cost ratio.

Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9780124055476000067

Resilience, Risk Management, Business Continuity, and Emergency Management
Philip P. Purpura, in Security and Loss Prevention (Sixth Edition), 2013

Risk Management Tools
Within the risk management process, and before a final decision is made on risk management measures, the practitioner should consider the following tools (also referred to as “risk treatment”) for dealing with risk:
• Risk avoidance: This approach asks if the risk should be avoided. For example, the production of a proposed product is canceled because the danger inherent in the manufacturing process creates a risk that outweighs potential profits. Or, a bank avoids opening a branch in a country subject to political instability or terrorism.
• Risk transfer: Risk can be transferred to insurance. The risk manager works with an insurance company to tailor a coverage program for the risk. This approach should not be used in lieu of loss prevention measures but rather to support them. Insurance should be last in a series of defenses. Another method of transferring risk is to lease equipment rather than own it. This transfers the risk of obsolescence.
• Risk abatement: In abatement, a risk is decreased through a loss prevention measure. Risks are not eliminated, but the severity of loss is reduced. Sprinklers, for example, reduce losses from fire. Sandbags assist in decreasing erosion (Figure 12-1).
• Risk spreading: Potential losses are reduced by spreading the risk among multiple locations. For example, a copy of vital records is stored at a remote, secure location. In another example, following the 9/11 attacks, companies have spread operations among multiple locations to facilitate business continuity.
• Risk assumption: In the assumption approach, a company makes itself liable for losses. Not obtaining insurance is an example. This tool may be applied because the chance of loss is minute. Another path, self-insurance, provides for periodic payments to a reserve fund in case of loss. Risk assumption may be the only choice for a company if insurance cannot be obtained. With risk assumption, prevention strategies become essential.

Figure 12-1. Florida hotel faces risk of beach erosion from Hurricane Irene. Courtesy: Ty Harrington/FEMA.

Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9780123878465000127

Overview of TIRM Process and Model
Alexander Borek, ... Philip Woodall, in Total Information Risk Management, 2014

Determining risk appetite for TIRM
Before starting with the TIRM process, the risk appetite should be determined. Once the risk appetite has been determined, the organization will be on its way to establishing a robust TIRM process. The risk appetite will be needed to set up risk criteria in step A4 of the TIRM process. Providing clarity about tolerance levels and who is responsible will:
▪ Ensure that better-informed business decisions are made.
▪ Provide clear communication channels, alerting senior levels of management to potential information risks at an early stage.
▪ Reduce the possibility of being exposed to unmanageable information risks.
▪ Allow the organization to prioritize actions in those areas where risk is deemed to exceed the defined appetite.
▪ Help to develop a culture where information risk awareness becomes embedded in day-to-day operations.
▪ Establish the right balance between being bold and being cautious.

Risk appetite could be expressed on a scale—you can of course decide how to measure your risk appetite, but you may wish to consider the following suggestion of a 1 to 4 scale, an example of which is shown in Table 5.2.

Table 5.2. Example Risk Appetite Scale

Communicating the tolerance level in this way should also be accompanied by guidance on the discretion available. For example, who can take the decision to tolerate the risk? When does a decision need to be escalated to a higher level of management? More tangible scales are set in the form of risk criteria for each business objective in step A4, during the establish-the-context stage. Many experienced employees will have an intuitive feel for the risk level they may expose the organization to, but it is unwise to rely on this; boundaries need to be established, with clear guidelines put in place, so that misunderstandings and bad risks are mitigated. The level of risk appetite will vary rather than remain static, both across specific issues and over time.