In our previous article, we discussed the concept of risk management–what it is and why it’s important.
However, risk management in cybersecurity isn’t new, and many organizations are working towards normalizing risk as an approach for comprehensive cybersecurity and compliance efforts.
While this move is a good one, we also find that many organizations over-rely on frameworks as the be-all and end-all of security, which can prove more confusing than helpful.
What Are Risk Management Frameworks?
Assessing risk is more than measuring gaps between existing infrastructure and business or technical priorities. In its most practical form, risk is a way to gain a comprehensive view of your systems so that your organization can make plans for the present and future.
More importantly, risk management helps your organization align its business and security goals with its major priorities, whether spending and finance or compliance. It is almost impossible to do so without understanding how these systems work with one another in real time.
Finally, modern risk assessment is all about addressing modern security challenges. Cybersecurity threats are complex, leveraging cracks in your armor–especially those that arise from interconnected systems. Risk assessment allows you to see how those components interact with one another.
In practice, treating risk management as an organizational priority calls for a structured approach, which is why many professional and regulatory bodies publish risk management frameworks to support enterprises across industries.
A risk management framework provides a structure for organizations to apply best practices and metrics to their existing systems and structure their assessments of those systems around front-to-back processes. Some of the most well-known risk management frameworks provide a process that enterprises with no experience in risk management can still implement.
Some of the most established and well-known frameworks include the following:
The NIST Risk Management Framework
The National Institute of Standards and Technology (NIST) publishes the standards and guidelines that underpin most cybersecurity requirements in the U.S. federal government. If a government agency or one of its third-party vendors has cyber infrastructure requirements, it is most likely working under NIST guidelines.
NIST treats risk management as the foundation of cybersecurity and makes risk assessment a primary compliance activity. Its Risk Management Framework (RMF) is the blueprint for organizations working in or with the federal government, and federal agencies are required under FISMA to apply it to their information systems.
The RMF is defined in NIST Special Publication 800-37, “Risk Management Framework for Information Systems and Organizations,” supplemented by NIST Special Publication 800-30, “Guide for Conducting Risk Assessments.”
As a broad framework, the RMF divides the risk management journey into seven distinct steps:
- Prepare: Preparing the organization and its systems to manage risk, including identifying stakeholders, filling key risk management roles, defining the risk management strategy and risk tolerance, and identifying common controls that individual systems can inherit.
- Categorize: Categorizing each system and the information it processes, stores and transmits according to the impact (low, moderate or high) that a loss of confidentiality, integrity or availability would have on the organization and on the owners of that information.
- Select: Selecting a baseline of security and privacy controls from NIST SP 800-53 that matches the system’s categorization, then tailoring it with system-specific controls and a continuous monitoring strategy.
- Implement: Implementing the selected controls and documenting how each one is deployed within the system and its operating environment.
- Assess: Assessing whether the controls are implemented correctly, operating as intended and producing the desired outcome, and recording any deficiencies together with a plan to remediate them.
- Authorize: Having a senior official (the authorizing official) review the assessment results and the remaining risk and make the risk-based decision to authorize the system to operate, to operate under specified conditions, or to deny authorization.
- Monitor: Continuously monitoring the system and its controls for changes and new threats, reassessing risk, responding to findings and incidents, remediating issues and reporting the system’s security and privacy posture to the authorizing official on an ongoing basis.
ISO 31000 Risk Management
The International Organization for Standardization (ISO) releases several standardization documents for technical processes, procedures and implementations with the idea that standard guidelines can benefit professionals and consumers.
One of these standards, ISO 31000, outlines the ISO risk management framework. This framework, much like its NIST counterpart, provides organizations with the scaffolding they can use to implement their risk management approach. Unlike the NIST RMF, however, it is not mandated by any regulation or governance standard, and it is guidance rather than a certifiable standard. ISO provides it for organizations that may have no mandatory requirements placed upon them but want to make risk management part of their approach to security.
ISO 31000 breaks down risk management into eight core principles:
- Inclusivity: Risk management should include all of an organization’s relevant stakeholders.
- Dynamism: Risk management should change and evolve as the organization does, and as it faces new security threats, risk assessments should respond accordingly.
- Utilizing Best Available Information: Organizations should strive to gather and use the best, most up-to-date information available, understanding that no data is 100% complete.
- Incorporating Human and Cultural Factors: Risk assessments should never limit themselves to technology alone, because human behavior and organizational culture are often the most significant risk factors for overall security.
- Continually Improving: ISO expects continuous improvement, particularly when applying mitigation and remediation efforts.
- Integrating: Risk management should be built into all business processes, not simply technical ones.
- Comprehensively Structuring: Risk management should be structured and comprehensive, covering all relevant risk factors and systems across the organization.
- Customizing: ISO 31000 should be implemented in ways meaningful to the organization’s own context and objectives, neither ad hoc nor rigidly.
What Are the Challenges of Using a Risk Management Framework?
Risk management is increasingly the foundation of compliance and cybersecurity. As major standards creators and maintainers seek to address the challenges of modern security threats, they are moving to models where risk assessment is the first step in addressing those concerns.
On the one hand, that is a good thing. Older approaches to cybersecurity were over-dependent on checklists and spreadsheets, that is, on printing out system specifications and completing a form.
This works well if security is limited to easily understood and quantifiable gaps. However, security rarely fits that mold. Even in 2022, phishing and social engineering remain among the most effective forms of attack in the wild. Advanced Persistent Threats (APTs) succeed in large part because attackers can exploit weaknesses in the seams between complex cloud applications, hybrid IT infrastructures and third-party vendors.
The drawback of risk management frameworks is that they are abstract. While the RMF or ISO 31000 can guide how to implement best practices for managing risk, they cannot speak to the unique needs of your business, industry, or even client relationships. Reading through the RMF sometimes feels like a bird’s-eye view of a football field, which can be frustrating when all you want to know is how to push the ball two yards for a first down.
That makes assessing and managing risk that much harder. While working down a checklist is not the best way to run your cybersecurity program, a more concrete framework can streamline some of the more difficult parts of risk assessment, especially for rapidly changing infrastructure or the edge cases where different technologies meet.
Are You Working Towards Your Risk Management Posture?
Then work with a company that knows risk assessment, compliance and real security implementation. Work with Lazarus Alliance and the Continuum GRC ITAMs platform.
Call Lazarus Alliance at 1-888-896-7580 or fill in this form.