Cyber Security Risk Management
Risk Management
​
Cybersecurity is about protecting business goals and assets. In practice it means providing a set of controls matched to business needs and actively managed through a cyber risk management framework. The control catalog most organizations build that framework on is NIST Special Publication 800-53. SP 800-53 supports the Risk Management Framework step that selects security controls for federal information systems in accordance with the security requirements of Federal Information Processing Standard (FIPS) 200: selecting an initial set of baseline controls from the FIPS 199 security categorization (a worst-case, high-water-mark impact analysis across confidentiality, integrity, and availability), tailoring that baseline, and supplementing it based on an organizational assessment of risk.
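The categorization step above is mechanical enough to show in code. The following is an added example, not part of the original page or of any NIST publication: it computes a system's FIPS 199 security category as the per-objective maximum over the information types the system handles, then applies the FIPS 200 high-water mark to pick the initial SP 800-53 baseline. The information types and impact levels are constructed for illustration, and the function and class names are this example's own.

```python
"""FIPS 199 security categorization with the FIPS 200 high-water mark.

Added example (not from the original page). The information types and
impact levels below are constructed for illustration, not taken from
NIST SP 800-60 or any real system.
"""
from dataclasses import dataclass

# Ordered so that a higher index means a higher potential impact.
LEVELS = ["NA", "LOW", "MODERATE", "HIGH"]
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: str  # "NA" allowed only here (already-public information)
    integrity: str
    availability: str

    def __post_init__(self):
        for obj in OBJECTIVES:
            level = getattr(self, obj)
            if level not in LEVELS:
                raise ValueError(f"{self.name}: bad impact level {level!r} for {obj}")
            # FIPS 199 permits "not applicable" for confidentiality only,
            # and only for information that is already public.
            if level == "NA" and obj != "confidentiality":
                raise ValueError(f"{self.name}: {obj} impact may not be NA")


def _max_level(levels):
    return max(levels, key=LEVELS.index)


def categorize_system(info_types):
    """FIPS 199 security category of a system: for each objective, the
    highest impact among the information types it processes. At the
    system level FIPS 199 requires at least LOW for every objective, so
    a system-wide NA never survives aggregation."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    category = {}
    for obj in OBJECTIVES:
        level = _max_level(getattr(t, obj) for t in info_types)
        category[obj] = "LOW" if level == "NA" else level
    return category


def high_water_mark(category):
    """FIPS 200: the system's overall impact level is the highest of the
    three objectives in its security category."""
    return _max_level(category.values())


def baseline_for(category):
    """Map the overall impact level to the initial SP 800-53 baseline
    (Low, Moderate or High) that is then tailored and supplemented."""
    names = {"LOW": "Low baseline", "MODERATE": "Moderate baseline", "HIGH": "High baseline"}
    return names[high_water_mark(category)]


def format_category(category):
    """Render in the notation FIPS 199 uses, e.g.
    SC = {(confidentiality, MODERATE), (integrity, HIGH), (availability, LOW)}"""
    return "SC = {" + ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES) + "}"


# Constructed sample: a public web portal that also takes payments.
SAMPLE_SYSTEM = [
    InfoType("public marketing pages", "NA", "LOW", "LOW"),
    InfoType("customer payment records", "MODERATE", "HIGH", "MODERATE"),
    InfoType("service status feed", "NA", "MODERATE", "MODERATE"),
]

if __name__ == "__main__":
    cat = categorize_system(SAMPLE_SYSTEM)
    print(format_category(cat))
    print("system impact level:", high_water_mark(cat))
    print("initial control baseline:", baseline_for(cat))
```

Note the asymmetry the code enforces: an individual information type may carry a confidentiality impact of "not applicable", but an information system may not, and integrity and availability can never be "not applicable" at either level. A single high-impact objective (here, integrity of payment records) drives the whole system to the High baseline, which is exactly why the worst-case analysis is followed by tailoring rather than applied verbatim.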
​
Organizations of all sizes may define the specific security capabilities needed to satisfy their security requirements and provide appropriate mission and business protection. A security capability is typically defined by bringing together a specific set of safeguards or countermeasures, drawn from the appropriately tailored baseline, that together produce the needed capability.
A well-structured, enterprise-wide information security program must ensure that the core objectives of confidentiality, integrity, and availability are supported by adequate security controls designed to mitigate or reduce the risk of loss, disruption, or corruption of information.
​
The increasing frequency, creativity, and variety of cyber-attacks mean that all organizations must place a greater emphasis on managing cybersecurity risk as a part of their enterprise risk management programs to fulfill their mission and business objectives. By seamlessly integrating the Cybersecurity Framework and essential NIST cybersecurity risk management standards and guidelines already in extensive use at various organizational levels, agencies can develop, implement, and continuously improve agency-wide cybersecurity risk management processes that inform strategic, operational, and other enterprise risk decisions.
​
Threat actors facing the industry include hacktivists, nation-states, organized crime groups, industrial spies, and insiders. These threats, together with the broader process, people, and technology risks, must be managed at organizations of every size, everywhere.
​
Introduction to Risk Management
​
The National Institute of Standards and Technology (NIST) has developed several documents that guide the RMF. NIST Special Publication 800-37, Risk Management Framework for Systems and Organizations: A System Life Cycle Approach for Security and Privacy (NIST SP 800-37, Rev. 2, Ver. 2.8), provides the latest version of the RMF. The steps in the RMF are Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor, as shown in Figure 1.
At the time of this writing, the latest revision, Revision 2, is still in draft form. The following sections recap each step of the RMF life cycle as described in NIST SP 800-37 (2017).
​
Figure 1: Risk Management Framework (NIST, Sep. 2017)
​
Reflections
​
To provide an understanding of the RMF, each step in the RMF process is discussed in detail in the white paper available in this section. As the Monitor step makes clear, the RMF is not a one-time implementation but a continuous loop of activities throughout the life cycle of the systems being protected.
Both governments and enterprises are grappling with how best to manage the vast array of risks facing their operations. Among those risks, cybersecurity is increasingly critical. Information and communications technology underpin the functioning of government and critical infrastructure, and the number and complexity of cyber risks continue to grow. Recognizing their need for secure and resilient operations, governments and enterprises, including critical infrastructure providers and other organizations of all sizes, are evaluating how to manage cybersecurity risks.
​
In addition to advancing efforts to secure their own operations, governments and the private sector are creating public policies to improve enterprise cybersecurity. There are dozens of ongoing regional and national initiatives that aim to help enterprises manage operational cybersecurity risks by developing or evolving "security baselines." Encouraging, enabling, and, when appropriate, requiring enterprises to manage these risks better is a sensible government priority and has the potential to improve cybersecurity both within countries and internationally. There are, however, many challenges in developing a security baseline, including determining its overall purpose, the scope of sectors or services it applies to, and how to foster its implementation.
The approach organizations and governments take in developing security baselines will have far-reaching impacts, and the Risk Management Framework can guide that approach. Effective approaches will not only increase security but also enable continued innovation, productivity, and economic opportunity. Less effective approaches will create substantial operational and compliance costs without realizing the intended security benefits.
​
Security baselines are a set of standard security requirements intended to help manage cybersecurity risk. Requirements can include specific security controls, practices, activities, or outcomes, but generally cover a wide range of risk management goals, such as protecting against cyber threats and detecting and responding to incidents.
​
The term "baseline" matters because baselines provide a foundation of requirements that apply universally across environments. Security baselines are particularly appropriate and useful for improving cybersecurity because the vast majority, upwards of 80 percent, of the cybersecurity risks facing any particular government or enterprise are similar. Because the majority of cybersecurity risks are broadly similar, the majority of risk management and mitigation activity is similar too. For example, every organization needs to manage access to prevent unauthorized users or behaviors, review event logs to detect events in its infrastructure, and plan for and mitigate the impact of incidents.
​
While security baselines can address a significant majority of online risks, some risks are unique to different business functions within an enterprise or different sectors. For example, within an enterprise, risks facing payment processing are different from those targeting training systems. In the sectoral context, energy companies face some risks that differ from those facing financial services. As such, security baselines may need to be augmented with a narrow set of requirements to mitigate the unique risk scenarios of different business functions or sectors.
From a professional and ethical standpoint, the Risk Management Framework (RMF) is applicable daily at any organization. It helps quantify risk correctly and tailor the framework to an organization's needs and infrastructure deployment model through the security baselines the RMF provides. The RMF also gives leaders a defensible basis for acting ethically toward senior leadership, shareholders, and customers. In my work, I have applied it to define the targets for Red Team Operations, for instance.
​
The general purpose of security baselines is to help organizations manage broadly applicable cybersecurity risks. As noted above, baselines may include controls, practices, activities, and outcomes. Both controls-based and outcomes-based approaches to security baselines have value in cybersecurity risk management for any organization. The two approaches are not the same, but they can and should be complementary. For example, outcomes-based approaches often also include guidance on controls but do not mandate requirements at that technical level.
​
Furthermore, controls are often useful for the unique risks that go above the baseline. Ultimately, however, controls-based approaches alone have proven insufficient against the dynamic online risks facing organizations today. In isolation, controls are static and can establish a compliance-based mindset that sets an artificial and unhelpful "ceiling" on what should be done for security.
​
Controls-based approaches to security baselines help address specific technical risks that are common across environments. Controls are typically topic-specific and technical, providing prescriptive guidance for particular infrastructure and security roles, e.g., network operators or systems administrators. These approaches specify requirements that address the most basic cybersecurity risks and are particularly useful for organizations with little or no cybersecurity capability that want a simple checklist of things to do.
​
Outcomes-based approaches to security baselines help drive strategic risk management across environments, establishing the necessary processes, capabilities, investments, and continuous learning and improvement to address dynamic threats.
​
Security baselines focused on outcomes are more mature and ultimately more effective because they enable organizations to be agile and adaptive in managing cybersecurity risks. Outcomes-based approaches provide that flexibility while setting a standard "floor" of the foundational processes needed to manage security over time.
​
By focusing on security outcomes, government-set security baselines can not only foster and enable but actively drive the risk management processes, continuous improvement, and strategic investments that improve enterprises' risk profiles. By integrating cybersecurity within broader enterprise risk management efforts, outcomes-focused security baselines create a common language across security roles and responsibilities, engage the executives who make investment decisions, and catalyze and compel continuous learning and improvement.
​
Course Artifacts
​
Risk Management Framework Overview
​
​
Risk Management Framework Final Project - Full Implementation
​
Resources
Books
​
Broad, James. Risk Management Framework: a Lab-Based Approach to Securing Information Systems. Elsevier/Syngress.
​
Girling, Philippa. Operational Risk Management: a Complete Guide to a Successful Operational Risk Framework. Wiley, 2013.
​
Parker, D. B. (2014). Toward a New Framework for Information Security. In S. Bosworth, M.E. Kabay & E. Whyne (Eds.), Computer Security Handbook (6th ed.) (pp. 3-1 – 3-23). Hoboken, NJ: John Wiley & Sons, Ltd.
Links
​
Gibson, D. (2011). Understanding The Security Triad (Confidentiality, Integrity, and Availability) Retrieved from: http://www.pearsonitcertification.com/articles/article.aspx?p=1708668.
​
National Institute of Standards and Technology. (Aug. 2017). Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53 Rev. 5 Draft). Retrieved from https://csrc.nist.gov/csrc/media/publications/sp/800-53/rev-5/draft/documents/sp800-53r5-draft.pdf.
​
National Institute of Standards and Technology. (Sep. 2017). Risk Management Framework for Systems and Organizations A System Life Cycle Approach for Security and Privacy (NIST SP 800-37 Rev. 2 Ver. 2.8). Retrieved from https://csrc.nist.gov/CSRC/media/Publications/sp/800-37/rev-2/draft/documents/sp800-37r2-draft-fpd.pdf.
​
National Institute of Standards and Technology. (2016). Systems Security Engineering An Integrated Approach to Building Trustworthy Resilient Systems (NIST SP 800-160). Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160.pdf.
​
National Institute of Standards and Technology. (2011). Managing Information Security Risk (NIST Special Publication 800-39). Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf.
​
National Institute of Standards and Technology. (2006). Minimum Security Requirements for Federal Information and Information Systems (FIPS PUB 200). Retrieved from http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf.
​
National Institute of Standards and Technology. (2004). Standards for Security Categorization of Federal Information and Information Systems (FIPS PUB 199). Retrieved from http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf.
