Risk Management

What is Risk Management?
  • Defined as a holistic process to:

    • Identify, assess, respond to, and monitor risks impacting organizational operations, assets, individuals, and the nation from information systems.

  • Reference: NIST SP 800-30

Key Steps in Risk Management
  • Framing Risk

    • Establish the context, assumptions, and risk tolerance; describe the environment for risk-based decisions.

  • Assessing Risk

    • Identify:

      • Threats to organizational operations, assets, or individuals.

      • Vulnerabilities (internal and external).

      • Harm and impacts of exploiting vulnerabilities.

      • Likelihood of harm occurring.

    • Final goal: Determine risk based on harm and likelihood.

  • Responding to Risk

    • Develop consistent organizational responses:

      • Create alternative courses of action.

      • Evaluate options.

      • Choose actions respecting organizational risk tolerance.

      • Implement selected risk responses.

  • Monitoring Risk

    • Purpose:

      • Assess the ongoing effectiveness of responses.

      • Identify changes in organizational systems affecting risk.

      • Ensure compliance with information security requirements and policies.

Importance of Risk Management
  • Purpose: Informed decision-making across three tiers:

  • Tier 1: Organization-wide governance and strategy.

  • Tier 2: Mission/business process operational priorities.

  • Tier 3: Information systems and technical controls.

  • Goal: Protect against threats such as cyberattacks, human errors, and natural disasters that can compromise confidentiality, integrity, and availability.

Example: CrowdStrike Incident
  • A problematic software update by CrowdStrike caused a global IT outage affecting various sectors like airlines, banks, and hospitals.

  • Risk Management Failure:

    • Inadequate testing led to vulnerabilities.

    • Lack of phased deployment worsened the impact.

  • Lesson Learned: Improve risk monitoring and response strategies to mitigate similar non-adversarial threats.

Risk Management Process in Action
  • Framing Risk: Define scope, assumptions, and acceptable risk tolerance (e.g., acceptable downtime).

  • Assessing Risk: Quantify threats like ransomware and vulnerabilities from unpatched systems.

  • Responding to Risk: Prioritize actions like patch management over backups.

  • Monitoring Risk: Regularly track changes to maintain awareness of new exploits.

Example: Healthcare Ransomware Attack
  • Event: ALPHV/BlackCat ransomware exploited vulnerabilities in Change Healthcare’s systems, leading to disruptions in U.S. healthcare billing.

  • Risk Management Insight: Poor vulnerability management and delayed responses increased impact.

  • Lesson: Emphasize proactive monitoring and quick responses to mitigate adversarial threats.