As a continuation of the series focusing on “Demystifying the Risk Management Framework” (http://blog.isc2.org/isc2_blog/2010/03/demystifying-the-risk-management-framework.html), this posting will cover Risk Assessments and the role they play in the RMF, both as a tool for managing risk within individual information systems and organization-wide.
In the absence of a mature Risk Assessment methodology, Federal Agencies are struggling to balance the implementation of the baseline controls outlined within NIST SP 800-53 Security Controls. As a routine function of the traditional Certification and Accreditation (C&A) activity, there is a heavy reliance on the Assessor, as part of the Security Testing (e.g., Security Test and Evaluation, ST&E), to perform the due diligence that establishes security requirements. Since most Assessors are independent of the information system (and more likely independent agents, such as contractors, hired to provide assessment services), little attention is paid to supplementing the baseline (based on an organizational assessment of risk) during the control selection process.
As highlighted in a previous posting, to reduce the focus on compliance and instead develop capabilities for risk management and continuous monitoring that achieve an effective security and risk posture, organizations will need a skilled workforce with a clear understanding of how to assess and communicate risk as an on-going function of the RMF. Risk Assessments, as an integrated function of the Risk Management Strategy, help support the organization in the:
- Categorization of information systems;
- Selection of controls (including establishing a baseline that meets the risk-based protective strategy);
- Implementation of solutions to address the necessary protective measures within the information system and its individual system components;
- Assessment of the effectiveness of controls to ensure they are implemented correctly, operating as intended, and producing the desired outcome;
- Authorization of information systems based on a clear understanding of the organization’s acceptance of risk (including a determination of the impact on the mission/business processes that support the organization’s strategic goals); and
- Monitoring of changes to determine whether on-going operations are impacted and whether visibility of security impacts is properly allocated to the appropriate organizational official, so that risk is managed at an acceptable level.
However, without a mature Risk Assessment capability built into the organization, one that enables an effective and accurate reflection of the risks to its information systems, the organization will not fully understand its risk exposure or the security posture required to eliminate or reduce those risks.
Risk Assessments are not a new practice or concept, and under normal circumstances most of us know how to evaluate risks in our everyday lives. But when it comes to protecting information systems and information, federal agencies (although not alone) lack the functions to effectively identify, evaluate, and mitigate the risks that lead to attacks. As technologies advance and federal agencies’ reliance on external services to generate, store, or exchange information becomes more commonplace, they need to become more skilled at managing risk.
The second presentation in the series focuses on providing an overview of Risk Management and the assessment of operational risk