NIST SP 800-39, Manage Information Security Risk
NIST SP 800-39 deals entirely with fixing the challenge of security risk in an organization. Chapter 2 of 800-39 discusses the basics of security risk management & chapter 3 goes into the process of applying security risk management across and organization.
The Fundamentals of Security Risk Management (Chapter 2, 800-39)
The philosophy security risks and how to manage information security at multiple levels of an organization are discussed in Chpt 2 of NIST SP 800-39. The three layers of security risk are:
- Tier 1: Organization level
- Tier 2: Mission/Business Process level
- Tier 3: Information System level
Tier 1: Organization Level security risk management
Tier 1 addresses security risk from the organizations perspective. This include the implementation of the first component of security risk management which is called risk framing.
In tier 1 or security risk management, the management of the organization establishes governance structure that are in compliance with laws, regulations and policies. Tier 1 activities include establishment of the Risk Executive Function, establishment of the risk management strategy and determination of the risk tolerance.
Security Risk framing provides context for all the security risk activities within an organization, which affects the risk tasks of tier 1 & 2. The result of risk framing is Security Risk Management Strategy.
Security Risk Management Tier 2: Mission/Business Process
Tier 2 Security risk management tasks include: 1) defining the mission processes. 2) Prioritize the mission process with respect to the long term goals of the organization. 3) Define the type of information needed to successfully execute the mission/business processes, critical/sensitivity of the information and the information flows both internal and external of the information.
Tier 3: Information System Security Risk management
From the information system perspective, tier 3 addresses the following tasks:
- Categorization of the information system
- Allocating the organizational security control
- Selection, implementation, assessment, authorization, and ongoing
Chapter 3 focuses on the step to have a comprehensive security risk management program. The tasks discussed include:
- Risk Framing
- Risk Assessing
- Risk Response
- Risk Monitoring
NIST 800-30 goes into Risk Assessment process. 800-39 covers from a high level. Risk assessment is threat & vulnerability identification and risk determination. Organizational risk framing is a prerequisite to risk assessments, because methods of risk assessment must be established by the contexts of the organizations risk.
Risk response identifies, evaluates, decides on, and implements appropriate courses of action to accept, avoid, mitigate, share, or transfer risk to organizational operations and assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.
Risk identification is key to risk response. Risk types include:
Risk accept- is the appropriate risk response when the identified risk is within the organizational risk tolerance. Organizations can accept risk deemed to be low, moderate, or high depending on particular situations or conditions.
Risk avoidance– Organizations may conduct certain types of activities or employ certain types of information technologies that result in risk that is unacceptable. In such situations, risk avoidance involves taking specific actions to eliminate the activities or technologies that are the basis for the risk or to revise or reposition these activities or technologies in the organizational mission/business processes to avoid the potential for unacceptable risk.
Risk mitigation-adding management, technical, administrative safeguards to minimize identified risks to the system.
Risk share & transfer- Risk sharing or risk transfer is the appropriate risk response when organizations desire and have the means to shift risk liability and responsibility to other organizations. Risk transfer shifts the entire risk responsibility or liability from one organization to another organization (e.g., using insurance to transfer risk from particular organizations to insurance
Risk Monitoring Risk changes with each modification of the system. It’s important to monitor the changes of the risk of a system. Changes to threats can also change risk. This is where Continuous monitoring comes in.