Risk Management
Risk management, as it pertains to an organization's information security and privacy functions, is the management of risks associated with information systems and assets that, if realized, could have an impact on the confidentiality, integrity, and/or availability of the technology-related assets on which the organization's mission and business objectives depend.
Applying this approach to the protection of an organization's information assets makes it possible to manage risk down to a level that is in alignment with the organization's overall risk appetite, in other words, the amount of risk the organization is willing to assume.
As guardians of information security and privacy, we are professionally bound to ensure that the organizations we represent ethically carry out their due diligence and due care in protecting the information of all stakeholders.
Risk Management Framework
The Risk Management Framework (RMF) provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information security categorization, control selection, implementation, and assessment; system and common control authorization; and continuous monitoring (NIST, 2018). It provides senior and executive leadership with the information necessary to make risk-based decisions on behalf of the organization.
The RMF incorporates security and privacy into the system development lifecycle (SDLC), and links essential risk management processes at the system level to risk management processes at the organization level (NIST, 2018).
The RMF is broken down into seven steps that together form the lifecycle of a system (the SDLC, if you will):
Prepare - establish a context and priorities for managing security and privacy risk (NIST, 2018)
Categorize - categorize the system and the information it processes, stores, and transmits, based on an analysis of the impact of loss (NIST, 2018)
Select - select an initial set of controls for the system to reduce risk to an acceptable level, based on an assessment of risk (NIST, 2018)
Implement - implement the controls and describe how they are employed within the system and its operational environment (NIST, 2018)
Assess - assess the controls to determine their effectiveness against the desired outcomes (NIST, 2018)
Authorize - authorize the system or common controls based on a determination that overall risk is at an acceptable level (NIST, 2018)
Monitor - monitor the system and its associated controls on an ongoing basis; this includes assessing control effectiveness, documenting changes to the system and operating environment, conducting risk assessments and impact analyses, and reporting the security and privacy posture of the system (NIST, 2018)
Documentation of a Risk Management Program