Domain 2 Risk Treatment: Risk Response Options - Risk Frameworks

Risk Frameworks

Purpose and Importance of Risk Frameworks

  • Definition: Risk frameworks are structured compendiums of best practices compiled by industry experts who have identified effective and ineffective strategies over years of experience.

  • Usefulness:

    • They provide guidance for establishing new risk management functions.

    • They are invaluable for assessing existing functions against established best practices.

  • Starting Point:

    • Creating a risk management function from scratch is challenging; utilizing a pre-existing framework is recommended to ensure comprehensive coverage of risks and mitigation strategies.

Steps to Establish a Risk Framework

  1. Understand Organizational Context

    • Assess the industry dynamics, external factors, and regulatory compliance requirements (e.g., HIPAA, GDPR).

    • Identify obligations to clients, including contractual requirements (e.g., certification like ISO 27001).

    • A clear understanding of the environment supports the selection of the appropriate framework.

  2. Evaluate Current Risk Management Activities

    • Determine if a risk management framework is already established or if new strategies need to be implemented.

    • Perform a gap assessment to identify any existing framework's strengths and weaknesses.

  3. Implement Framework and Controls

    • Follow a sequential process to implement the chosen framework and deploy the associated controls.

Overview of Risk Management Frameworks

Key Frameworks to Know

  • NIST 800-37

  • NIST 800-39

  • ISO 31000

  • COSO

  • ISACA Risk IT

  • Important Distinction:

    • NIST 800-37 focuses on tactical aspects (more detailed and operational).

    • NIST 800-39 provides a higher-level strategic view.

NIST 800-37 - Risk Management Framework (RMF)

Steps in the RMF

  1. Prepare

    • Develop policies and establish a risk management function prior to execution.

  2. Categorize

    • Identify risks associated with specific systems.

    • Note: This step might be misleadingly named; its primary focus is risk identification.

  3. Select

    • Choose appropriate controls to mitigate identified risks from the categorization step.

  4. Implement

    • Execute the selected mitigation controls in the organization.

  5. Assess

    • Evaluate the effectiveness of the implemented controls in mitigating risks.

  6. Authorize

    • The system owner makes the decision based on the assessment results whether to allow the system to go into production.

  7. Monitor

    • Continuous monitoring is essential to adapt to changing risks and environments.

    • Updating controls as necessary ensures ongoing protection against evolving threats.

Authorization Decision

  • Responsibility: It is crucial that the system owner, the individual accountable for the system, makes the authorization decision based on the risk assessment outcomes.

Risk Environments

Internal and External Risks:

  • The frameworks can be applied to evaluate both internal (e.g., insider threats) and external risks (e.g., legal compliance).

  • Example of Internal Risk: Insider threat.

    • Organizations such as Google, Facebook, and Apple establish teams focused on identifying and mitigating insider threats.

    • Real-world example: UBS incident involving an employee's dissatisfaction over a bonus led to significant organizational damage, costing millions in losses due to insider threats.

  • Example of External Risk: Regulatory frameworks such as GDPR have substantial implications.

    • Companies like Google and Facebook faced immediate legal challenges post-GDPR implementation, highlighting the importance of adapting risk frameworks to address regulatory compliance proactively.

Conclusion

  • Framework Selection: As the risk landscape evolves, continually engaging with various organizational teams (legal, compliance) and regularly updating risk assessments and frameworks becomes essential for effective risk management.