800-39, Managing Information Security Risk

Managing risk is a complex, multifaceted activity that requires the involvement of the entire organization—from senior leaders/executives providing the strategic vision and top-level goals and objectives for the organization; to mid-level leaders planning, executing, and managing projects; to individuals on the front lines operating the information systems supporting the organization’s missions/business functions.

The first component of risk management addresses how organizations frame risk or establish a risk context—that is, describing the environment in which risk-based decisions are made. The purpose of the risk framing component is to produce a risk management strategy that addresses how organizations intend to assess risk, respond to risk, and monitor risk—making explicit and transparent the risk perceptions that organizations routinely use in making both investment and operational decisions.

Establishing a realistic and credible risk frame requires that organizations identify: (i) risk assumptions (e.g., assumptions about the threats, vulnerabilities, consequences/impact, and likelihood of occurrence); (ii) risk constraints (e.g., constraints on the risk assessment, response, and monitoring alternatives under consideration); (iii) risk tolerance (e.g., levels of risk, types of risk, and degree of risk uncertainty that are acceptable); and (iv) priorities and trade-offs.

The second component of risk management addresses how organizations assess risk within the context of the organizational risk frame. The purpose of the risk assessment component is to identify: (i) threats to organizations (i.e., assets or individuals); (ii) vulnerabilities internal and external to organizations; (iii) the harm (i.e., consequences/impact) to organizations that may occur given the potential for threats exploiting vulnerabilities; and (iv) the likelihood that harm will occur. The end result is a determination of risk (i.e., the degree of harm and likelihood of harm occurring).

To support the risk assessment component, organizations identify:

• the tools, techniques, and methodologies that are used to assess risk;

• the assumptions related to risk assessments;

• the constraints that may affect risk assessments;

• roles and responsibilities;

• how risk assessment information is collected, processed, and communicated throughout organizations;

• how risk assessments are conducted within organizations;

• the frequency of risk assessments;

• how threat information is obtained (i.e., sources and methods).

The third component of risk management addresses how organizations respond to risk once that risk is determined based on the results of risk assessments. The purpose of the risk response component is to provide a consistent, organization-wide response to risk. To support the risk response component, organizations describe the types of risk responses that can be implemented (i.e., accepting, avoiding, mitigating, sharing, or transferring risk).

The fourth component of risk management addresses how organizations monitor risk over time. The purpose of the risk monitoring component is to: (i) verify that planned risk response measures are implemented; (ii) determine the ongoing effectiveness of risk response measures following implementation; and (iii) identify risk-impacting changes to organizational information systems.

For organizations dealing with advanced persistent threats (i.e., a long-term pattern of targeted, sophisticated attacks) the risk posed by external partners (especially suppliers in the supply chain) may become more pronounced.

To integrate the risk management process throughout the organization, a three-tiered approach is employed that addresses risk at the: (i) organization level; (ii) mission/business process level; and (iii) information system level.

Tier 1 addresses risk from an organizational perspective. Tier 1 implements the first component of risk management (i.e., risk framing), providing the context for all risk management activities carried out by organizations. Tier 1 risk management activities directly affect the activities carried out at Tiers 2 and 3.

Tier 1 provides a prioritization of missions/business functions which in turn drives investment strategies and funding decisions, thus affecting the development of enterprise architecture (including embedded information security architecture) at Tier 2 and the allocation and deployment of management, operational, and technical security controls at Tier 3.

Tier 3 addresses risk from an information system perspective and is guided by the risk context, risk decisions, and risk activities at Tiers 1 and 2. Tier 3 risk management activities include: (i) categorizing organizational information systems; (ii) allocating security controls to organizational information systems; and (iii) managing the selection, implementation, assessment, authorization, and ongoing monitoring of allocated security controls.

At Tier 3, information system owners, common control providers, security engineers, and information system security officers make risk-based decisions regarding the implementation, operation, and monitoring of organizational information systems.

Governance structures provide oversight for the risk management activities conducted by organizations and include: (i) the establishment and implementation of a risk executive (function); (ii) the establishment of the organization’s risk management strategy including the determination of risk tolerance; and (iii) the development and execution of organization-wide investment strategies for information resources and information security.

In general, governance is the set of responsibilities and practices exercised by those responsible for an organization (e.g., the board of directors and executive management in a corporation, the head of a federal agency) with the express goal of: (i) providing strategic direction; (ii) ensuring that organizational mission and business objectives are achieved; (iii) ascertaining that risks are managed appropriately; and (iv) verifying that the organization’s resources are used responsibly. Regardless of the governance model(s) employed, clear assignment and accountability for accepting risk is essential for effective risk management.

The risk executive (function) coordinates with senior executives to:

• Establish risk management roles and responsibilities;

• Develop and implement an organization-wide risk management strategy;

• Manage threat and vulnerability information;

• Establish organization-wide forums to consider all types and sources of risk;

• Provide oversight for the risk management activities carried out by organizations;

• Ensure that security authorization decisions consider all factors necessary for mission success.

An organizational risk management strategy, one of the key outputs of risk framing, addresses how organizations intend to assess, respond to, and monitor risk. The risk management strategy makes explicit the specific assumptions, constraints, risk tolerances, and priorities/trade-offs used within organizations for making investment and operational decisions.

Risk tolerance is the level of risk or degree of uncertainty that is acceptable to organizations. Risk tolerance affects the nature and extent of risk management oversight implemented in organizations, the extent and rigor of risk assessments performed, and the content of organizational strategies for responding to risk.

It is important that organizations exercise due diligence in determining risk tolerance—recognizing how fundamental this decision is to the effectiveness of the risk management program.

When organizations need to address advanced threats, it is likely that adequately addressing related risks at Tier 3 is not feasible because necessary security solutions are not currently available in the commercial marketplace. In those instances, organizations must purposefully invest beyond Tier 3 for significant response capabilities at Tier 2, and to some extent at Tier 1.

The risk management activities at Tier 2 begin with the identification and establishment of risk-aware mission/business processes to support the organizational missions and business functions. A risk-aware mission/business process is one that explicitly takes into account the likely risk such a process would cause if implemented.

Enterprise architecture is a management practice employed by organizations to maximize the effectiveness of mission/business processes and information resources. Enterprise architecture establishes a clear and unambiguous connection from investments (including information investments) to measurable performance improvements, whether for an entire organization or a portion of an organization. These activities ultimately produce information systems that are more transparent and therefore easier to understand and protect.

A well-designed enterprise architecture, implemented organization-wide, promotes more efficient, cost-effective, consistent, and interoperable information security capabilities to help organizations better protect missions and business functions—and ultimately more effectively manage risk.

Enterprise architecture also promotes the concepts of segmentation, redundancy, and elimination of single points of failure—all concepts that can help organizations more effectively manage risk. Segmentation helps to define more manageable components and to potentially reduce the degree of harm from a successful threat exploitation of a vulnerability.

The concept of redundancy is also very important in enterprise architecture. To enhance information system resilience as part of risk response, organizational information systems provide a failover mode that helps to ensure that failed components trigger appropriate backup components with similar capability.

Having the visibility and transparency provided in the architectural design at the organization level exposes potential single points of failure early in the development process. Failure to address potential single points of failure early in the architectural design can result in severe or catastrophic effects when those failure points are propagated to information systems and the actual failure causes a loss of mission/business capability.

The information security architecture is an integral part of the organization’s enterprise architecture. It represents that portion of the enterprise architecture specifically addressing information system resilience and providing architectural information for the implementation of security capabilities. The primary purpose of the information security architecture is to ensure that mission/business process-driven information security requirements are consistently and cost-effectively achieved.

Risk management activities take place at every phase in the system development life cycle with the outputs at each phase having an effect on subsequent phases. For example, requirements definition is a critical part of any system development process and begins very early in the life cycle, typically in the initiation phase. The latest threat information that is available to organizations may significantly influence information system requirements and the types of solutions that are deemed by organizations to be acceptable in the face of such threats.

Organizations also address risk management issues during the development/acquisition phase of the system development life cycle (e.g., system design, system development/integration, and demonstration). Whether in response to specific and credible threat information or assumptions about the threat, potential design-related vulnerabilities in organizational information systems can be mitigated during this phase by choosing less susceptible alternatives. Supply chain risk during the acquisition phase of the information system is also an area of concern for organizations.

Subsequent to initiation, development, and acquisition, the implementation phase of the system development life cycle provides an opportunity for the organization to determine the effectiveness of the selected security controls. Given the information discovered during effectiveness assessments, and the potential adverse impacts on organizational missions/business functions, it may be necessary to modify or change the planned implementation of the information system. Risk-related information can be developed to justify the proposed changes.

Once approved for operation, information systems move into the operations/maintenance phase of the system development life cycle. Ongoing monitoring is paramount to maintaining situational awareness of risk to organizational missions and business functions—an awareness that is critical to making the necessary course corrections when risk exceeds organizational risk tolerance.

Early integration of information security into the system development life cycle is the most cost-effective method for implementing the organizational risk management strategy at Tier 3.

Trust is a belief that an entity will behave in a predictable manner in specified circumstances. The entity may be a person, process, object, or any combination of such components. Trust, while inherently a subjective determination, can be based on objective evidence and subjective elements. The objective grounds for trust can include, for example, the results of information technology product testing and evaluation.

Trustworthiness is an attribute of a person or organization that provides confidence to others of the qualifications, capabilities, and reliability of the entity to perform specific tasks and fulfill assigned responsibilities. Trustworthiness is also a characteristic of information technology products and systems.

Organizations are becoming increasingly reliant on information system services and information provided by external organizations as well as partnerships to accomplish missions and business functions. This reliance results in the need for trust relationships among organizations.

Trustworthiness expresses the degree to which information systems (including the information technology products from which the systems are built) can be expected to preserve the confidentiality, integrity, and availability of the information being processed, stored, or transmitted by the systems across the full range of threats.

Organizational culture refers to the values, beliefs, and norms that influence the behaviors and actions of the senior leaders/executives and individual members of organizations. Culture describes the way things are done in organizations and can explain why certain things occur.

The organization’s culture informs and, perhaps to a large degree, even defines that organization’s risk management strategy. At a minimum, when an expressed risk management strategy is not consistent with that organization’s culture, the strategy is likely to be difficult if not impossible to implement. Culture also affects the degree of risk being incurred. Culture is reflected in an organization’s willingness to adopt new and leading-edge information technologies.

The differences in focus and emphasis resulting from organizational culture can generate different priorities and expectations regarding what security services to procure, because the organizations perceive the nature of the threat differently. Such culture-related disconnects do not occur solely between organizations but can occur within organizations, where different organizational components (e.g., information technology components, operational components) have different values and perhaps risk tolerances.

Risk framing, as its principal output, produces a risk management strategy that addresses how organizations intend to assess risk, respond to risk, and monitor risk. At Tier 3, program managers, information system owners, and common control providers apply their understanding of the organizational risk frame based on how decision makers at Tiers 1 and 2 choose to manage risk.

The Risk Management Framework (RMF) is the primary means for addressing risk at Tier 3. The RMF addresses concerns specific to the design, development, implementation, operation, and disposal of organizational information systems and the environments in which those systems operate.

STEP 1: RISK FRAMING

Risk framing is the set of assumptions, constraints, risk tolerances, and priorities/trade-offs that shape an organization’s approach for managing risk. Risk framing is informed by the organizational governance structure, financial posture, legal/regulatory environment, investment strategy, culture, and trust relationships established within and among organizations.

The key precondition for risk framing is senior leadership commitment to defining an explicit risk management strategy and holding mission/business owners responsible and accountable for implementing the strategy. The risk environment has the potential to change over time. Thus, the risk management process allows for feedback to the risk framing step from the other steps in the process, as follows:

Risk assessment: Information generated during the risk assessment may influence the original assumptions, change the constraints regarding appropriate risk responses, identify additional trade-offs, or shift priorities.

Risk response: Information uncovered during the development of alternative courses of action could reveal that risk framing has removed or failed to uncover some potentially high-payoff alternatives from consideration.

Risk monitoring: Security control monitoring by organizations could indicate that a class of controls, or a specific implementation of a control, is relatively ineffective, given investments in people, processes, or technology. This situation could lead to changes in assumptions about which types of risk responses are preferred by organizations.

TASK 1-1: Identify assumptions that affect how risk is assessed, responded to, and monitored within the organization.

TASK 1-2: Identify constraints on the conduct of risk assessment, risk response, and risk monitoring activities within the organization.

TASK 1-3: Identify the level of risk tolerance for the organization.

TASK 1-4: Identify priorities and trade-offs considered by the organization in managing risk.

Risk assessments use the results of threat and vulnerability assessments to identify and evaluate risk in terms of likelihood of occurrence and potential adverse impact (i.e., magnitude of harm) to organizations, assets, and individuals.

Incremental risk assessments consider only new information (e.g., the effects of using a new information system on mission/business risk), whereas differential risk assessments consider how new information affects the overall risk determination. Incremental or differential risk assessments are useful if organizations require a more targeted review of risk, seek an expanded understanding of risk, or want to understand the risk in relation to missions/business functions.

STEP 2: RISK ASSESSMENT

Inputs to the risk assessment step from the risk framing step include, for example: (i) acceptable risk assessment methodologies; (ii) the breadth and depth of analysis employed during risk assessments; (iii) the level of granularity required for describing threats; (iv) whether/how to assess external service providers; and (v) whether/how to aggregate risk assessment results from different organizational entities.

TASK 2-1: Identify threats to and vulnerabilities in organizational information systems and the environments in which the systems operate.

TASK 2-2: Determine the risk to organizational operations and assets, individuals, other organizations, and the Nation if identified threats exploit identified vulnerabilities.

STEP 3: RISK RESPONSE

Inputs from the risk assessment and risk framing steps include: (i) identification of threat sources and threat events; (ii) identification of vulnerabilities that are subject to exploitation; (iii) estimates of potential consequences and/or impact if threats exploit vulnerabilities; (iv) likelihood estimates that threats exploit vulnerabilities; (v) a determination of risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; (vi) risk response guidance from the organizational risk management strategy; and (vii) the general organizational directions and guidance on appropriate responses to risk.

TASK 3-1: Identify alternative courses of action to respond to risk determined during the risk assessment.

Organizations can respond to risk in a variety of ways. These include: (i) risk acceptance; (ii) risk avoidance; (iii) risk mitigation; (iv) risk sharing; (v) risk transfer; or (vi) a combination of the above.

Risk acceptance is the appropriate risk response when the identified risk is within the organizational risk tolerance. For example, organizations accept the fact that earthquakes are possible, but given the infrequency of major earthquakes in their region of the country, believe it is not cost-effective to address such risk—that is, the organizations have determined that the risk associated with earthquakes is low. Conversely, organizations may accept substantially greater risk (in the moderate/high range) due to compelling mission, business, or operational needs.

Risk avoidance may be the appropriate risk response when the identified risk exceeds the organizational risk tolerance. For example, organizations planning to employ networked connections between two domains may determine through risk assessments that there is unacceptable risk in establishing such connections. Organizations may also determine that implementing effective safeguards and countermeasures (e.g., cross-domain solutions) is not practical in the given circumstances.

Risk mitigation, or risk reduction, is the appropriate risk response for that portion of risk that cannot be accepted, avoided, shared, or transferred. For example, risk mitigation can include common security controls at Tier 1, process re-engineering at Tier 2, and/or new or enhanced management, operational, or technical safeguards or countermeasures (or some combination of all three) at Tier 3.

Risk sharing or risk transfer is the appropriate risk response when organizations desire and have the means to shift risk liability and responsibility to other organizations. The concept of risk transfer is less applicable in the public sector (e.g., federal, state, and local governments) than in the private sector, as the liability of organizations is generally established by legislation or policy. Risk sharing often occurs when organizations determine that addressing risk requires expertise or resources that are better provided by other organizations.

TASK 3-2: Evaluate alternative courses of action for responding to risk.

TASK 3-3: Decide on the appropriate course of action for responding to risk.

TASK 3-4: Implement the course of action selected to respond to risk.

STEP 4: RISK MONITORING

Risk monitoring provides organizations with the means to: (i) verify compliance; (ii) determine the ongoing effectiveness of risk response measures; and (iii) identify risk-impacting changes to organizational information systems and environments of operation. Organizations employ risk monitoring tools, techniques, and procedures to increase risk awareness, helping senior leaders/executives develop a better understanding of the ongoing risk.

TASK 4-1: Develop a risk monitoring strategy for the organization that includes the purpose, type, and frequency of monitoring activities.

TASK 4-2: Monitor organizational information systems and environments of operation on an ongoing basis to verify compliance, determine effectiveness of risk response measures, and identify changes.

The information system security engineer is an individual, group, or organization responsible for conducting information system security engineering activities. Information system security engineering is a process that captures and refines information security requirements and ensures that the requirements are effectively integrated into information technology component products and information systems through purposeful security architecting, design, development, and configuration.

The security control assessor is an individual, group, or organization responsible for conducting a comprehensive assessment of the management, operational, and technical security controls employed within or inherited by an information system to determine the overall effectiveness of the controls (i.e., the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system).

Security control assessors also provide an assessment of the severity of weaknesses or deficiencies discovered in the information system and its environment of operation and recommend corrective actions to address identified vulnerabilities. In addition to the above responsibilities, security control assessors prepare the final security assessment report containing the results and findings from the assessment. Prior to initiating the security control assessment, an assessor conducts an assessment of the security plan to help ensure that the plan provides a set of security controls for the information system that meet the stated security requirements.

The information system owner and common control provider rely on the security expertise and the technical judgment of the assessor to: (i) assess the security controls employed within and inherited by the information system using assessment procedures specified in the security assessment plan; and (ii) provide specific recommendations on how to correct weaknesses or deficiencies in the security controls and address identified vulnerabilities.

Wise use of the information technologies that compose organizational information systems is fundamentally a form of risk avoidance—that is, organizations modify how information technologies are used to change the nature of the risk being incurred (avoid the risk). Yet such approaches can be in great tension with organizational desires and in some cases, the mandate to fully automate mission/business processes.

Traditional risk mitigation strategies with regard to threats from cyber attacks at first relied almost exclusively on monolithic boundary protection. These strategies assumed adversaries were outside of some established defensive perimeter, and the objective of organizations was to repel the attack. The primary focus of static boundary protection was penetration resistance.

Recognition that information system boundaries were permeable or porous led to defense-in-depth as part of the mitigation strategy, relying on detection and response mechanisms to address the threats within the protection perimeter. In today’s world characterized by advanced persistent threats, a more comprehensive risk mitigation strategy is needed—a strategy that combines traditional boundary protection with agile defense.

Agile defense employs the concept of information system resilience—that is, the ability of systems to operate while under attack, even in a degraded or debilitated state, and to rapidly recover operational capabilities for essential functions after a successful attack.

The most effective risk mitigation strategies employ a combination of boundary protection and agile defenses depending on the characteristics of the threat. This dual protection strategy illustrates two important information security concepts known as defense-in-depth and defense-in-breadth.

Defense-in-depth is an information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization.

Defense-in-breadth is a planned, systematic set of multidisciplinary activities that seek to identify, manage, and reduce risk of exploitable vulnerabilities at every stage of the system, network, or subcomponent life cycle (system, network, or product design and development; manufacturing; packaging; assembly; system integration; distribution; operations; maintenance; and retirement).
