business risk

February 7, 2014 by Bruce Brown Leave a Comment

You should deal with business risk BEFORE disaster strikes.

Business risk deal with negative impacts to an organizations bottom line. If harm should strike exposed weaknesses, the business needs to know how they will deal with it and how do they adjust to the situation.

A Business Impact Analysis (BIA) is sometimes done to identify the threats, vulnerabilities, assess, the likelihood of threats acting on identified weakness and the impact if they do. DIARMF pulls for NIST and the NIST is robust enough to address address BIA / business risks. The main documents dealing with business risks are 800-39, 800-30, and 800-34.

NIST SP 800-39, Manage Information Security Risk deals with the process of business risks by way of explaining the risk management necessary for an organization.

NIST SP 800-30, Guide for Conducted Risk Assessment describe the tasks and steps of business impact assessments:

A Business Impact Analysis (BIA) identifies high-value assets and adverse impacts with respect to the loss of integrity or availability. DHS Federal Continuity Directive 2 provides guidance on BIAs at the organization and mission/business process levels of the risk management hierarchy, respectively.

NIST Special Publication 800-34 provides guidance on BIAs at the information system level of the risk management hierarchy.

One of the biggest business risks capture while doing business impact assessments is interruptions of service. After all, if the business is not DOING business then mission, work and revenue stop. So the business/organization and or department must have a contingency plan. NIST Special Publication 800-34, Contingency Planning Guide for Federal Information Systems covers what to do in case of interruptions.

A contingency plan covers what to do in the event of service disruptions including procedures, and technical measures that can get systems back quickly for a while until the disruption passes. NIST 800-34 covers information system contingency plans (ISCPs) who documents them and how. This is also a major part of the security controls addressed in 800-53/DIARMF.

security risk

February 6, 2014 by Bruce Brown Leave a Comment

NIST SP 800-39, Manage Information Security Risk

NIST SP 800-39 deals entirely with fixing the challenge of security risk in an organization. Chapter 2 of 800-39 discusses the basics of security risk management & chapter 3 goes into the process of applying security risk management across and organization.

The Fundamentals of Security Risk Management (Chapter 2, 800-39)
The philosophy security risks and how to manage information security at multiple levels of an organization are discussed in Chpt 2 of NIST SP 800-39. The three layers of security risk are:

Tier 1: Organization level
Tier 2: Mission/Business Process level
Tier 3: Information System level

Tier 1: Organization Level security risk management
Tier 1 addresses security risk from the organizations perspective. This include the implementation of the first component of security risk management which is called risk framing.

In tier 1 or security risk management, the management of the organization establishes governance structure that are in compliance with laws, regulations and policies. Tier 1 activities include establishment of the Risk Executive Function, establishment of the risk management strategy and determination of the risk tolerance.

Security Risk framing provides context for all the security risk activities within an organization, which affects the risk tasks of tier 1 & 2. The result of risk framing is Security Risk Management Strategy.

Security Risk Management Tier 2: Mission/Business Process

Tier 2 Security risk management tasks include: 1) defining the mission processes. 2) Prioritize the mission process with respect to the long term goals of the organization. 3) Define the type of information needed to successfully execute the mission/business processes, critical/sensitivity of the information and the information flows both internal and external of the information.

Tier 3: Information System Security Risk management

From the information system perspective, tier 3 addresses the following tasks:

Categorization of the information system
Allocating the organizational security control
Selection, implementation, assessment, authorization, and ongoing

Chapter 3 focuses on the step to have a comprehensive security risk management program. The tasks discussed include:

Risk Framing
Risk Assessing
Risk Response
Risk Monitoring

Risk Assessment

NIST 800-30 goes into Risk Assessment process. 800-39 covers from a high level. Risk assessment is threat & vulnerability identification and risk determination. Organizational risk framing is a prerequisite to risk assessments, because methods of risk assessment must be established by the contexts of the organizations risk.

Risk Response
Risk response identifies, evaluates, decides on, and implements appropriate courses of action to accept, avoid, mitigate, share, or transfer risk to organizational operations and assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.

Risk identification is key to risk response. Risk types include:
Risk accept- is the appropriate risk response when the identified risk is within the organizational risk tolerance. Organizations can accept risk deemed to be low, moderate, or high depending on particular situations or conditions.

Risk avoidance– Organizations may conduct certain types of activities or employ certain types of information technologies that result in risk that is unacceptable. In such situations, risk avoidance involves taking specific actions to eliminate the activities or technologies that are the basis for the risk or to revise or reposition these activities or technologies in the organizational mission/business processes to avoid the potential for unacceptable risk.

Risk mitigation-adding management, technical, administrative safeguards to minimize identified risks to the system.
Risk share & transfer- Risk sharing or risk transfer is the appropriate risk response when organizations desire and have the means to shift risk liability and responsibility to other organizations. Risk transfer shifts the entire risk responsibility or liability from one organization to another organization (e.g., using insurance to transfer risk from particular organizations to insurance
companies).

Risk Monitoring Risk changes with each modification of the system. It’s important to monitor the changes of the risk of a system. Changes to threats can also change risk. This is where Continuous monitoring comes in.

risk management association

February 5, 2014 by Bruce Brown Leave a Comment

Security Analysis and Risk Management Association (SARMA) is one of many risk management associations. SARMA is a non-profit dedicated to security practitioners that are in the business of mitigating risks from man made threats.

ISACA is another risk management association with over 100,000 constituents in 180 countries. They are the creators and proprietors of Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM) and Certified in Risk and Information System Controls (CRISC) certifications. They also created an Risk IT Framework.

More than just a risk management association, the Information Systems Security Association (ISSA) is a non-profit international organization for information security practitioners an managers. I have been a member of this organization, and it has LOTS of great people involved in it. They have local chapters in most major cities in the U.S. They are great at bringing security professionals together to solve common issues in the industry, barter skill sets, teach new skills, train for IT certifications and promote products and services that involve risk management and/or security.

RIMS – Risk Management Society

The Risk Management Society has a vision of becoming the global leading in all aspects of risk management. A VERY tall order.

As the preeminent organization dedicated to advancing the practice of risk management, RIMS, the risk management society™, is a global not-for-profit organization representing more than 3,500 industrial, service, nonprofit, charitable and government entities throughout the world. Founded in 1950, RIMS brings networking, professional development and education opportunities to its membership of more than 11,000 risk management professionals who are located in more than 60 countries. For more information on RIMS, visit www.RIMS.org

risk manager job description

January 30, 2014 by Bruce Brown Leave a Comment

Risk manager job description can be pretty broad because it can cover the tasks of a financial risk manager, safety risk manager or physical security risk management.

In terms of DIARMF / Risk Management Framework and Information surety we will focus on risk manager job description for Information Technology.

IT Risk Management Professionals identify, analyze and document the risks associated with an organizations operations. Their job is much more effective if they have a continuous monitoring program to help them keep an eye on vulnerabilities and threats in real-time.

risk manager job description

Responsibilities for IT Risk Management Professionals include:

Continuously monitor emerging threats associated discovered vulnerabilities.
Be apart of the configuration management process as it applies to changes to the security posture of the information system and/or network.
Encourage and/or participate in implementation of security controls.
Create or analyse reports of significant risks and make recommendations
Make policies, procedures and control assessments for identified risks
Provide information assurance awareness training

The risk management function of a company can fall under many different titles, some of which include:

Risk Analyst

Risk Manager

Risk Management Consultant

Risk Control Supervisor

Director of Corporate Risk Management

Chief Risk Officer

More on risk management job descriptions: http://www.acfe.com/career-path-risk-management-professional.aspx

corporate risk

January 24, 2014 by Bruce Brown Leave a Comment

NIST 800-39, Manage Information Security Risk is one of the primary documents of DIARMF/Risk Management Framework.

This approach very effectively covers all the same “corporate risk” challenge you would see in major organizations. It addresses corporate risk, by introducing a tiered approach to risk.

The Fundamentals of Corporate Risk Management (covered in Chapter 2, of NIST SP 800-39)

800-39 covers corporate risk in three layers (or tiers) of risk management:

Tier 1: Organization level
Tier 2: Mission/Business Process level
Tier 3: Information System level

Tier 1: Corporate Organization Level risk management
NIST 800-39, Tier 1 addresses security from the entire organizations perspective. Corporate risk structure starts from the top down. The activities include the implementation of the first component of risk management, risk framing. Risk framing provides context of all the risk activities within an organization, which affects the risk activities of tier 1 & 2. The output of risk framing is Risk Management Strategy. In tier 1 the organization establishes and implements governance structure that are in compliance with laws, regulations and policies. Tier 1 activities include establishment of the Risk Executive Function, establishment of the risk management strategy and determination of the risk tolerance.

Tier 2: Corporate/Mission Process Level risk management

Tier 2 risk management activities include: 1) defining the mission/corporate processes to support the organization. 2) Prioritize the mission/corporate process with respect to the long term goals of the organization. 3) Define the type of information needed to successfully execute the mission/business processes, criticality/sensitivity of the information and the information flows both internal and external of the information.

Having a risk-aware process is an important part of tier 2.

To be risk-aware senior leaders/executives need to know:

types of threat sources and threat events that could have an adverse affect the ability of the organizations
potential impacts on the organizational operations and assets, individuals, the Nation if confidentiality, integrity, availability is compromised
Corporations resilience to such an attack that can be achieved with a given mission/business process

Tier 3: Information System risk management

From the information system perspective, tier 3 addresses the following tasks of the DIARMF/risk management framework steps:

Categorization of the information system
Allocating the organizational security control
Selection, implementation, assessment, authorization, and ongoing

Chapter 3 on NIST 800-39 focuses on the step to have a comprehensive risk management program. The tasks discussed include:

Risk Framing
Risk Assessing
Risk Response
Risk Monitoring

Risk Framing

Risk framing are the assumptions, constraints, risk tolerance and priorities that shape an organization’s managing risk. Risk framing is created based on organizational governance structure, how much money is available, regulations imposed, environment, culture and trust relationships.

Risk Assessment

Risk assessment is threat & vulnerability identification and risk determination. Organizational risk framing is a prerequisite to risk assessments, because methods of risk assessment must be established by the contexts of the organizations risk.

Risk Response

Risk response identifies, evaluates, decides on, and implements appropriate courses of action to accept, avoid, mitigate, share, or transfer risk to organizational operations and assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.

Risk identification is key to risk response. Risk types include:
Risk accept- is the appropriate risk response when the identified risk is within the organizational risk tolerance. Organizations can accept risk deemed to be low, moderate, or high depending on particular situations or conditions.

Risk Monitoring

Risk changes with each modification of the system. It’s important to monitor the changes of the risk of a system. Changes to threats can also change risk.

risk register template

January 23, 2014 by Bruce Brown 1 Comment

As risk register is a tool in the form or spread sheet, application or database that you can use during risk assessments for risk identification. It allows the person conducting the risk assessment to log the threat, asset and impact and give some idea of the probability of the threat. It is used in DIARMF, DIACAP, project management and other risk management processes to help decision makers.

Its also known as a risk log.

Here is a risk register template I got from British Colombia gov site http://www.gov.bc.ca/fin/):

Risk Register Template

Here is another risk register template from the Israel Institute of Technology(webcourse.cs.technion.ac.il):

Risk Register Template

	http://Www.Finance.I… on SRG/STIG Applicability Guide a…
	Elsa7 on ConvoCourses podcast: Cyber Se…
	Tony on STIG Update – DISA has r…
	horloge on SCAP Compliance Checker SCC)
	218 Information assu… on Information Assurance Vulnerab…