SPGUNIT5


RISK MANAGEMENT: ASSESSING RISK

• Risk Management (RM) is the process of
identifying, assessing and controlling financial,
legal, strategic and security risks to an
organization's capital and earnings.
• RM is the entire program of planning for and
managing risk to information assets in the
organization.
• RM Framework - The overall structure of the
strategic planning and design for the entirety of
the organization's RM efforts.
• RM process - The identification, analysis,
evaluation, and treatment of risk to information
assets.
• Risk exists in every environment. From an
organization's perspective, the evaluation and
reaction to this risk, including financial risk,
competitive risk, and economic risk, is commonly
referred to as Enterprise Risk Management (ERM).
• The aspect directly related to InfoSec is commonly
referred to as IT risk management, or IT security risk
management. This discussion uses the term InfoSec
risk management or simply Risk Management
(RM).
• Risk management is the process of discovering and
assessing the risks to an organization's operations and
determining how those risks can be controlled.
• 1. Where and what is the risk (risk
identification)?
• 2. How severe is the current level of risk (risk
analysis)?
• 3. Is the current level of risk acceptable (risk
evaluation)?
• 4. What do I need to do to bring the risk to an
acceptable level (risk treatment)?
• The RM framework is the overall structure of
the strategic planning and design for the sum of
the organization's RM efforts. The RM process
is the implementation of risk management, as
RM Framework
• The RM framework consists of five key
stages:
• 1. Executive governance and support
• 2. Framework design
• 3. Framework implementation
• 4. Framework monitoring and review
• 5. Continuous improvement
Roles of Communities of Interest in Managing Risk
• Each community of interest in an organization
bears responsibility for the management of risk.
The executive management of the organization
is ultimately accountable for the risk
management program that is implemented.
• The three communities of interest directly
linked to managing the risks to information
assets each have a particular strategic role to
play:
• InfoSec - Because members of the InfoSec
community best understand the threats and
attacks that introduce risk, they often take a
leadership role in addressing risk.
• IT - This group is responsible for building
secure systems and ensuring their safe
operation. For example, IT builds and
operates information systems that are
mindful of operational risks and have
proper controls implemented to reduce
risk.
• General management and users - When
properly trained and kept aware of the
threats faced by the organization, this group
plays a part in the early detection and
response process. Users must be made
aware of threats to data and systems and
must be educated on practices that minimize
those threats. Members of this community
also ensure that sufficient resources (money
and personnel) are allocated to the InfoSec
and IT groups to meet the security needs of
the organization.

Executive Governance and Support
The entire RM program begins with a formal
acknowledgement by the organization's most senior
governance group that RM is invaluable and critical
to the organization's long-term sustainability
(supportable) and viability (capability).
• The governance group must demonstrate its
commitment to the RM effort by notifying the entire
organization that 1) a major RM project is
underway; 2) the project is of the utmost importance
to the strategic future of the organization; and
3) the participation and cooperation of all aspects of
the organization are mandated and are essential to
the project's success.
Legal and Regulatory Compliance
• It is the governance group's responsibility to
ensure that the RM process is in complete
compliance with all applicable requirements. This
is commonly done by assigning a member of the
organization's legal team to the RM framework
team, or by requiring that all work products from
the team are reviewed and approved by
designated legal advisors.
• Organizations must continually scan the legal
horizon to ensure they are prepared to comply
with requirements in the area of information
security and privacy.

The RM Policy
For RM program development and implementation, the
project leader, in cooperation with the governance
group, drafts a risk management policy. This policy
converts the instructions and perspectives (views)
provided to the RM framework team by the governance
group into consistent guidance that structures and
directs all subsequent risk management efforts within
the organization.
• RM policy, much like the Enterprise Information
Security Policy (EISP), is a strategic document that
formalizes much of the intent of the governance group.
No two policies are identical.
• Purpose and scope - What is this policy for and to
whom does it apply?
• RM intent and objectives - What is the general view
of RM by the governance group and how will that be
translated into goals and objectives for RM for the
entire organization?
• Roles and responsibilities - A list of the assignments
and expectations for each key role responsible for the
RM program.
• The CISO will serve as project team leader for the RM
framework development team and is responsible for
ensuring completion of the framework and
implementation of the process within the timelines,
budgets, and other constraints specified.
Assigning Key Responsibilities
• Who will be the project manager of the RM
framework team?
• Who will be assigned to the framework team?
• Who will be assigned to the process team? Who
will manage each of these teams?
• In most organizations, either the CIO, CISO, or
their equivalent leads the RM effort.
• The CIO serves as the champion and the CISO
as the project manager.
Developing Priorities and Objectives
• The project leader will translate intent (purpose)
into a set of goals and objectives for the RM effort.
• Goals & objectives could include the following:
• Develop a common understanding of risk across
multiple functions and business units so we can
manage risk cost-effectively on an enterprise-
wide basis.
• Achieve a better understanding of risk for
competitive (economical) advantage.
• Build safeguards against earnings-related
surprises.
• Complete initial RM framework
development by a defined date.
• Report RM program progress to the
governance group on a defined periodic
basis.
• Some goals and objectives could also be
directed toward the RM project itself:
• Implement the entire RM framework and
process based on a defined, allocated budget.
• Report RM process findings to the
governance group on a defined periodic
basis.
Providing Resources
• Once a policy has been developed, the governance
group must allocate the resources needed to
support RM program development and
implementation. This is usually a multi-phase
effort, beginning with the allocation of enough
resources to support the framework design.
Once the framework design is approved by the
governance group, supplemental resources are
allocated to support the framework
implementation, followed by another review
phase and then resource allocation for RM
process implementation and execution.
Framework Design
• The framework team begins designing the RM
process by which the organization will understand
its current levels of risk and determine what, if
anything, it needs to do to bring that level down
to an acceptable level, in alignment with the
organization's risk appetite. Designing the RM program means
not only defining and specifying the detailed tasks
to be performed by the framework team, but also
those to be performed by the process team.
• The framework team must also formally
document and define the organization's risk
appetite and draft the RM plan.
Risk Tolerance and Risk Appetite
• When the governance group communicates its intent
(purpose) to the RM framework development team,
it also needs to communicate its general perspective
(view) on what level of risk is acceptable and what
risk must be reduced or resolved in some fashion.
• The amount of risk that remains after all current
controls are implemented is residual risk.
• Risk appetite can be defined as the willingness of
an investor to bear risk.
• The difficulty lies in the process of formalizing
exactly what the organization "can live with." This
process is the heart of risk appetite.
• A well-defined risk appetite should have
the following characteristics:
• Reflective of strategy, including
organizational objectives, business plans,
and stakeholder expectations.
• Reflective of all key aspects of the
business.
• Acknowledges a willingness and capacity
to take on risk.
• Is documented as a formal risk appetite
statement.
• Considers the skills, resources, and
technology required to manage and
monitor risk exposures in the context of
risk appetite.
• Is inclusive of a tolerance for loss or
negative events that can be reasonably
measured.
• Is periodically reviewed and
reconsidered with reference to evolving
industry and market conditions.
• Has been approved by the board.
The Risk Management Plan
• The document that contains specifications for the
implementation and conduct of the RM efforts is
referred to as the risk management plan. The RM
plan includes not only the specifications of the
RM process, but also of the RM framework.
• The plan is used to conduct the RM process, and is
used in conjunction with the RM policy to guide
the collection and evaluation of risk information.
• It contains a detailed set of the steps to perform
in the conduct of both the RM framework and the
RM process, along with supporting information
on who performs each step and how.
Framework Implementation
• Once the framework team has finished designing
the RM program (framework and process), it
begins implementing the program.
• The implementation of the RM plan is based on a
number of traditional IT implementation methods:
  • The organization may distribute the plan to all
  mid- to upper-level managers for a desk check
  prior to deployment.
  • The organization could pilot test it in a small
  area to gauge initial issues and success prior to
  deployment across the entire organization.
  • The organization may use a phased approach in
  which only a portion of the RM program is
  initially implemented, such as initial meetings
  with key managers or an initial inventory of
  information assets.
  • The bold organization may simply choose a
  direct cutover (rapid transition from one phase of
  a business enterprise or project to another) in
  which the new RM project is launched in totality
  across the entire organization.
• Whatever rollout method is selected, it is
important for the RM framework team to
carefully monitor, communicate, and review the
implementation.
Framework Monitoring and Review
• After the initial implementation, the
framework team continues to monitor the
conduct of the RM process while
simultaneously reviewing the utility and
relative success of the framework planning
function itself. In the first few iterations, the
framework team will examine how successful
it was in designing and implementing the RM
framework, plan, and RM process, and what
issues required adjustments of the plan.
Continuous Improvement
• Continuous improvement is a maintenance process
that implements a formal program designed to
continuously review and improve any type of
organizational effort.
• The performance measures implemented in the
RM process provide the data used to assess the
performance outcome of the overall RM effort.
As the team continues to assess the
performance of the RM effort, it can adjust the
plans for future RM cycles to improve past
performance and increase the probability of
success of future iterations.
The Risk Management Process
• The RM process uses the specific knowledge and
perspective of the team to complete the
following tasks:
• Establishing the context, which includes
understanding both the organization's internal
and external operating environments and other
factors that could impact the RM process.
• Identifying risk, which includes:
  • Creating an inventory of information assets
  • Classifying and organizing those assets
  meaningfully
  • Assigning a value to each information asset
  • Identifying threats to the cataloged assets
  • Pinpointing weak assets by tying specific
  threats to specific assets
• Analyzing risk, which includes:
  • Determining the likelihood that weak systems
  will be attacked by specific threats
  • Assessing the relative risk facing the
  organization's information assets, so that risk
  management and control activities can focus on
  assets that require the most urgent and immediate
  attention
  • Calculating the risks to which assets are exposed
  in their current setting
  • Looking in a general way at controls that might
  come into play for identified weaknesses and
  ways to control the risks that the assets face
  • Documenting and reporting the findings of risk
  identification and assessment
• Treating the unacceptable risk:
  • Determining which treatment/control strategy
  is best considering the value of the information
  asset and which control options are cost
  effective
  • Acquiring or installing the appropriate controls
  • Overseeing processes to ensure that the
  controls remain effective
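The identify / analyze / treat tasks above, together with the earlier definitions of residual risk and risk appetite, can be walked through as a small risk register. The following Python is an added example written for these notes, not code from the slides or the textbook they summarize. The scoring rule it uses (inherent risk = asset value x threat likelihood, residual risk = inherent risk reduced by the effectiveness of current controls, compared against a numeric risk appetite) and the sample assets, threats and numbers are all constructed assumptions for illustration; an organization would substitute its own valuation and likelihood scales.

```python
# Added example (not from the slide deck): a minimal risk register that
# follows the RM process tasks -- inventory and classify assets, assign a
# value, tie threats to assets, estimate likelihood, compute relative risk,
# credit current controls to get residual risk, and flag what exceeds the
# governance group's risk appetite so it can be prioritized for treatment.
# The scoring formula and every number below are assumptions for
# illustration only.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str  # e.g. "confidential", "internal", "public"
    value: int           # relative importance to the organization, 1..10


@dataclass(frozen=True)
class Threat:
    asset: str                        # name of the asset this threat applies to
    description: str
    likelihood: float                 # 0.0..1.0 chance of occurrence per period
    control_effectiveness: float = 0  # 0.0..1.0 reduction credited to current controls


@dataclass(frozen=True)
class RegisterEntry:
    asset: str
    classification: str
    threat: str
    inherent: float   # risk before controls
    residual: float   # risk after current controls (what is "left over")


def inherent_risk(asset: Asset, threat: Threat) -> float:
    """Relative risk before controls: value x likelihood (assumed scoring)."""
    return round(asset.value * threat.likelihood, 3)


def residual_risk(asset: Asset, threat: Threat) -> float:
    """Risk remaining after current controls are credited (assumed scoring)."""
    return round(inherent_risk(asset, threat) * (1.0 - threat.control_effectiveness), 3)


def build_register(assets, threats):
    """Tie each threat to its asset and rank entries by residual risk, highest first."""
    by_name = {a.name: a for a in assets}
    entries = []
    for t in threats:
        asset = by_name[t.asset]  # KeyError here means a threat points at an uninventoried asset
        entries.append(RegisterEntry(asset.name, asset.classification, t.description,
                                     inherent_risk(asset, t), residual_risk(asset, t)))
    return sorted(entries, key=lambda e: e.residual, reverse=True)


def exceeding_appetite(register, risk_appetite):
    """Entries whose residual risk is above the tolerated level and so need treatment."""
    return [e for e in register if e.residual > risk_appetite]


# Constructed sample inventory and threat list (not real data).
SAMPLE_ASSETS = [
    Asset("customer database", "confidential", 10),
    Asset("public web server", "public", 6),
    Asset("HR file share", "internal", 7),
]
SAMPLE_THREATS = [
    Threat("customer database", "credential theft via phishing", 0.6, 0.5),
    Threat("customer database", "SQL injection", 0.3, 0.8),
    Threat("public web server", "volumetric DDoS", 0.7, 0.2),
    Threat("HR file share", "ransomware", 0.4, 0.0),
]
RISK_APPETITE = 3.0  # assumed threshold set by the governance group


if __name__ == "__main__":
    register = build_register(SAMPLE_ASSETS, SAMPLE_THREATS)
    for e in register:
        print(f"{e.residual:5.2f}  {e.asset:20s} {e.classification:13s} {e.threat}")
    for e in exceeding_appetite(register, RISK_APPETITE):
        print(f"TREAT: {e.asset} / {e.threat} (residual {e.residual} > appetite {RISK_APPETITE})")
```

Ranking by residual rather than inherent risk is what makes the register useful for the "treating the unacceptable risk" step: the customer database has the highest inherent score, but after its existing controls are credited the web server's DDoS exposure is the only entry above the assumed appetite, so it is the one that gets a treatment decision first.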
