NIST 800-39, Manage Information Security Risk is one of the primary documents of DIARMF/Risk Management Framework.
This approach very effectively covers all the same “corporate risk” challenge you would see in major organizations. It addresses corporate risk, by introducing a tiered approach to risk.
The Fundamentals of Corporate Risk Management (covered in Chapter 2, of NIST SP 800-39)
800-39 covers corporate risk in three layers (or tiers) of risk management:
- Tier 1: Organization level
- Tier 2: Mission/Business Process level
- Tier 3: Information System level
Tier 1: Corporate Organization Level risk management
NIST 800-39, Tier 1 addresses security from the entire organizations perspective. Corporate risk structure starts from the top down. The activities include the implementation of the first component of risk management, risk framing. Risk framing provides context of all the risk activities within an organization, which affects the risk activities of tier 1 & 2. The output of risk framing is Risk Management Strategy. In tier 1 the organization establishes and implements governance structure that are in compliance with laws, regulations and policies. Tier 1 activities include establishment of the Risk Executive Function, establishment of the risk management strategy and determination of the risk tolerance.
Tier 2: Corporate/Mission Process Level risk management
Tier 2 risk management activities include: 1) defining the mission/corporate processes to support the organization. 2) Prioritize the mission/corporate process with respect to the long term goals of the organization. 3) Define the type of information needed to successfully execute the mission/business processes, criticality/sensitivity of the information and the information flows both internal and external of the information.
Having a risk-aware process is an important part of tier 2.
To be risk-aware senior leaders/executives need to know:
- types of threat sources and threat events that could have an adverse affect the ability of the organizations
- potential impacts on the organizational operations and assets, individuals, the Nation if confidentiality, integrity, availability is compromised
- Corporations resilience to such an attack that can be achieved with a given mission/business process
Tier 3: Information System risk management
From the information system perspective, tier 3 addresses the following tasks of the DIARMF/risk management framework steps:
Categorization of the information system
Allocating the organizational security control
Selection, implementation, assessment, authorization, and ongoing
Chapter 3 on NIST 800-39 focuses on the step to have a comprehensive risk management program. The tasks discussed include:
- Risk Framing
- Risk Assessing
- Risk Response
- Risk Monitoring
Risk framing are the assumptions, constraints, risk tolerance and priorities that shape an organization’s managing risk. Risk framing is created based on organizational governance structure, how much money is available, regulations imposed, environment, culture and trust relationships.
Risk assessment is threat & vulnerability identification and risk determination. Organizational risk framing is a prerequisite to risk assessments, because methods of risk assessment must be established by the contexts of the organizations risk.
Risk response identifies, evaluates, decides on, and implements appropriate courses of action to accept, avoid, mitigate, share, or transfer risk to organizational operations and assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.
Risk identification is key to risk response. Risk types include:
Risk accept- is the appropriate risk response when the identified risk is within the organizational risk tolerance. Organizations can accept risk deemed to be low, moderate, or high depending on particular situations or conditions.
Risk changes with each modification of the system. It’s important to monitor the changes of the risk of a system. Changes to threats can also change risk.