Selecting a Risk Management Framework for Your Organization
Nov 24, 2020 • 8 Minute Read
Introduction
Why would you want a risk management framework, and how would your organization benefit from one? These questions can be answered in many ways. A risk management framework provides a road map of security controls that should be considered to reduce an organization's risk. It can help an organization evaluate the maturity of the security controls that they have implemented. Another benefit is the ability to demonstrate due diligence in securing your customer's data.
Fundamental Concepts
At its most basic, a framework can be defined as the underlying and supporting structure of something. Using that definition, it's simple enough to extend it by saying that a Risk Management Framework (RMF) is a specialized structure put in place to manage an organization's level of risk.
A core concept among frameworks is that they depict the interaction of people, processes, and technology within a specific environment. Along with those interactions comes the concept of oversight, which is the definition of roles, responsibilities, governance, and reporting.
RMFs define how people leverage processes to manage technology, ensure oversight, and reduce an organization's risk exposure.
Frameworks such as ISO, NIST, and RISK IT are three of the most common approaches for risk management.
Preparing to Make the RMF Decision
It can be challenging for companies to identify which RMF approach is best for their organizations, and how to effectively implement one. Before trying to make a decision on which RMF to pursue, there are several steps that can be taken to improve your odds of a positive outcome.
Consider people and the existing security culture
Regardless of the framework you choose, a key influence on success is the strength of the organization's security culture. Before choosing a framework, spend some time getting people ready by helping them understand the importance of an RMF and the benefits. Investing in a strong security culture will ease the acceptance of the selected RMF. This is also a great time to get executive level buy-in and support.
Know your existing processes
Take an inventory of the processes you believe to be in place now for the management of risk. As a follow-up activity, rate what you perceive the maturity level of these processes to be: initial, repeatable, defined, capable, or efficient. Later, this will help you understand which framework you might already have some alignment with.
Understand your technology landscape
This includes platforms, development tools, software, databases, mobile technology, and architecture. Heading into the RMF evaluation and decision, work to reduce technical debt. These actions will help you manage the scope of what your RMF needs to cover.
Account for the regulatory environment your business operates in
Another key component that will influence your RMF decisions are compliance requirements that impact your specific line of business. Some regulatory areas to focus on are GDPR, GLBA, FISMA, HIPAA, and SOX. Many times, a company also needs to be aware of the contractually-based standards such as PCI, SOC1, SOC 2, and HITRUST.
Understanding Popular Frameworks
There are many frameworks available, but this guide will focus on several of the more popular ones.
ISO 27005
The International Organization for Standardization (ISO) RMF is intended to be a core part of a company's overall IT strategy and operations. Much like change control practices or business continuity planning are embedded within IT, so is the ISO RMF.
ISO addresses risk using the following model:
Context Establishment: Gather relevant information about the organization, purpose, and scope of RM activities
Risk Assessment: Evaluations at discrete time points designed to provide a view of risks
Risk Treatment: Prioritizing, evaluating, and implementing the appropriate controls
Risk Acceptance: Continue to add controls, transfer the remaining risk, or accept
Risk Communication: Establish a common understanding of the risk for all stakeholders
Risk Monitoring: Regularly monitor and review to ensure risk controls are operating as expected
NIST SP 800-30/39/53
The National Institutes of Standards and Technology (NIST) provides a series of risk management and control frameworks that can be used to your advantage.
Essentially, NIST divides controls into three categories: technical, operational, and management. All of these categories are then addressed using a model based on the key functions described below:
Identify: Establish processes to spot and classify risk and identify controls
Protect: Implementation of controls to reduce or minimize risk
Detect: Issue alerting and identification of control failures
Respond: Structured process for acting on detected issues
Recover: Defined process for bringing failed controls back to acceptable operating parameters
Risk IT
A relatively new entry in the RMF space is ISACA's Risk IT guidelines. Published in 2009, Risk IT aims to provide a comprehensive RMF that links IT risks to business risk.
As highlighted below, the key areas of focus for Risk IT are centered around processes for the governance, evaluation, and response to risk.
Risk Governance: Ensure RM practices are embedded in the enterprise
Risk Evaluation: Process for the identification and analysis of IT-related risks
Risk Response: Plan to ensure that IT-related risk issues and events are handled based on business priorities
Making the Decision
Perhaps the best way to approach the decision of which RMF to use is not trying to determine the right framework, but rather the most appropriate one. During your decision-making process, there are some guiding principles that can be used to help answer the difficult questions you'll face.
Look for alignments, not direct matches
There is no perfect match, but in each framework and model there will be areas where your organization will align to different degrees.
Identify external pressures early and keep them in focus
This includes regulatory and compliance concerns. Make sure that the framework you choose is sufficient to address the requirements you may face in these areas.
Operate at a program level, not at a project level
The decision made when selecting and implementing a RMF cuts across many organizational boundaries and silos. A coordinated effort is needed if the implementation is to be successful.
Maintain discipline in separating standards from frameworks
A standard is an accepted way of implementing something; it defines how something should be done. Frameworks provide an actionable guide on what to do, but they don't get into the details of how to do it. Think of it in terms of laying out the requirements that your organization will later execute on. As you evaluate a RMF, make sure you view it from the perspective of how the framework sets the objectives and defines the controls that should be in place.
Be prepared to be adaptive
Select a framework and then adjust it to fit your needs. Don't be afraid to consider using different frameworks for different areas of your business. Oftentimes, a parent company may align with one framework, while another framework makes more sense for a subsidiary company.
Conclusion
Selecting an RMF is a challenge, but one that can be overcome with the right level of planning, preparation, and analysis of options. There is no single correct answer regarding which framework is best for a given organization. Instead, each framework needs to be understood and the qualities of each framework compared against an organization's goal and objectives in implementing a RMF.