Enterprise risk management (ERM) is a disciplined, holistic way to identify, manage, and mitigate risk throughout your entire enterprise. IT risk management (ITRM) is one subset of that effort, focused on identifying and managing risks specific to IT functions.
An industry-accepted ITRM framework can help you implement an ITRM program quickly and with minimal disruption. It will provide guidance about the cybersecurity controls, processes, and policies that you should implement to mitigate threats to IT assets and to protect the confidentiality, integrity, and availability of data.
One of the most widely accepted ITRM frameworks is the Risk Management Framework (RMF) published and maintained by the National Institute of Standards and Technology (NIST). This post explores how the NIST RMF can help your organization set up an effective IT risk management program.
What is the NIST Risk Management Framework?
The NIST RMF provides a set of guidelines to streamline enterprise risk management. Although the framework was originally designed for U.S. federal information systems, it can be used by all kinds of organizations to protect their information systems. Moreover, companies can apply the RMF to any type of system or technology, and to both new and legacy systems.
The RMF provides a comprehensive, flexible, and risk-based approach to manage information privacy and security risks. Any company can use its seven-step process to:
- Manage and control organizational risk
- Connect risk management processes at the system and organization levels
- Maintain effective information security and privacy programs
- Integrate security, privacy, and cyber supply chain risk management activities into the system development life cycle (SDLC)
- Conduct real-time risk management through continuous monitoring processes
- Satisfy applicable regulatory requirements
Organizations that follow the RMF guidelines can reduce the security and privacy risks to their IT systems. That, in turn, lowers the likelihood and impact of cyberattacks (and the legal exposure that might follow) and lets them run business-critical systems more efficiently.
The RMF also helps companies establish accountability for the security and privacy controls implemented in their information systems. They can define risk management metrics and make data-driven decisions about their business-critical IT systems and information security management.
Using automation can increase the speed and effectiveness of executing the RMF’s steps and facilitate real-time, risk-based decision-making. Automation is particularly useful for assessing and monitoring controls and for preparing authorization packages.
The Seven-Step Risk Management Framework
The RMF outlines a seven-step process to manage information security and privacy risk for enterprise IT systems. It also suggests best practices and procedures to implement effective security and privacy solutions.
In addition to the six main steps, the RMF includes a preliminary step (Prepare) that helps organizations get ready for the risk management process. With proper preparation, they can better consolidate, optimize, and standardize their IT infrastructure, and avoid inefficient, costly, and vulnerable systems, services, and applications.
The seven steps of the NIST RMF are described below. For each of these steps, the RMF defines a purpose statement, multiple outcomes, and a set of tasks to achieve those outcomes. Some of these outcomes apply to the entire organization, while others focus on systems or business units.
Step 1: Prepare
In this initial stage, the organization prepares to adopt a formal risk management strategy. It establishes the context for executing the RMF at both the organization and system levels and sets priorities for managing its security and privacy risks. To this end, it completes a set of preparatory activities, each of which has defined outcomes in the RMF.
The activities at the organizational level include:
- Determine key roles for executing the RMF.
- Determine the organization’s risk tolerance.
- Create a risk management strategy and complete an organization-wide risk assessment.
- Establish control baselines.
- Identify, document, and publish common controls for inheritance by organizational systems.
- Develop and implement an org-wide strategy to monitor control effectiveness.
Risk assessment is a crucial activity in this phase, since it allows the organization to understand and, where possible, quantify the total risk created by its information systems.
The RMF also includes a set of preparatory activities to be carried out at the system level, such as:
- Identify stakeholders.
- Determine the authorization boundary.
- Conduct a system-level risk assessment.
- Identify the lifecycle stage for each information type processed, stored, or transmitted by the system.
After completing this first step, organizations typically carry out the remaining steps in sequence. The RMF also allows the steps to be executed out of order, or with iterative cycles between tasks, where the type of system calls for it.
Reference documents: [SP 800-39] [SP 800-161]; [NISTIR 8062] [NIST CSF] [SP 800-137]
Step 2: Categorize
In this step, the organization categorizes each system and the information it processes, stores, and transmits, based on the worst-case adverse impact that a loss of confidentiality, integrity, or availability would have on operations, assets, or individuals. The goals are to:
- Determine the potential harm from a loss of confidentiality, integrity, and availability for each information type and for the system as a whole.
- Establish the level of protection the system requires, since the resulting security category drives the control baseline chosen in the Select step.
To reach these outcomes, it is important to describe and document the characteristics of every system and the information each one handles. The results should be consistent with the organization's risk management strategy and are reviewed and approved by the authorizing official or a designated representative.
Reference documents: [SP 800-53] [SP 800-39] [SP 800-161]; [SP 800-60] [NISTIR 8179]
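The categorization rule the RMF inherits from FIPS 199 (the standard SP 800-60 builds on) is mechanical enough to script: each information type gets a Low/Moderate/High impact value per security objective, the system takes the highest value seen for each objective across all its information types (the "high water mark"), and the overall system impact level is the highest of the three. The block below is an added example written for this post; it is not code from the original article or from NIST. The HR-portal system and its two information types are constructed sample inputs, and the mapping of the overall level to a Low/Moderate/High baseline name is an assumption about how the result feeds the Select step.

```python
"""Security categorization of an information system using the FIPS 199
high-water-mark rule (added example; sample data below is constructed)."""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    # "Not applicable" is only permitted for the confidentiality of an
    # information type (e.g. public data); it is never permitted for a system.
    NOT_APPLICABLE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One kind of information processed, stored or transmitted by a system."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def __post_init__(self):
        # FIPS 199 allows N/A for confidentiality only.
        if Impact.NOT_APPLICABLE in (self.integrity, self.availability):
            raise ValueError(f"{self.name}: integrity/availability cannot be N/A")


def categorize_system(info_types):
    """Return the per-objective security category of a system.

    For each objective, take the highest impact across all information types
    on the system (high water mark). A system can never be N/A for any
    objective, so the floor for every objective is LOW (low water mark).
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    category = {}
    for objective in OBJECTIVES:
        high_water = max(getattr(t, objective) for t in info_types)
        category[objective] = max(high_water, Impact.LOW)
    return category


def overall_impact(category):
    """Overall impact level of the system: the highest of the three objectives."""
    return max(category.values())


def baseline_for(category):
    """Assumed mapping from overall impact level to the control baseline name
    that the Select step starts from (Low / Moderate / High)."""
    return overall_impact(category).name.capitalize()


def format_sc(system_name, category):
    """Render the category in the SC notation used by FIPS 199."""
    parts = ", ".join(f"({o}, {category[o].name})" for o in OBJECTIVES)
    return f"SC {system_name} = {{{parts}}}"


# Constructed sample: a hypothetical HR portal that serves public job postings
# and also processes employee PII and payroll data.
HR_PORTAL = [
    InformationType("public job postings", Impact.NOT_APPLICABLE, Impact.LOW, Impact.LOW),
    InformationType("employee PII / payroll", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
]

if __name__ == "__main__":
    cat = categorize_system(HR_PORTAL)
    print(format_sc("HR portal", cat))
    print("overall impact:", overall_impact(cat).name, "-> baseline:", baseline_for(cat))
```

Note how the public job postings alone would leave confidentiality at "not applicable" for that information type, but the system-level floor raises it to Low, and the payroll data then pulls confidentiality and integrity up to Moderate. Adding a single High-impact information type later (for example, a new feed of regulated health data) would move the whole system, and therefore its control baseline, to High, which is why categorization has to be revisited whenever the information a system handles changes.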
Step 3: Select
This stage is when security and privacy controls are selected and documented to mitigate identified risks and to protect information systems. These controls (which may be system-specific, common, or hybrid) are tailored for each system and its operational environment.
To protect your systems wisely, start from the control baseline that matches the system's security category, then tailor it to the actual risk. Also be sure to:
- Allocate controls to the specific system elements.
- Document all controls in system security and privacy plans.
- Develop a continuous system monitoring strategy that reflects the organization’s risk management strategy.
Reference documents: [SP 800-53] [SP 800-161] [NISTIR 8062] [NIST CSF]
Step 4: Implement
After selecting the controls as part of its risk mitigation strategy, the organization implements them using systems security and privacy engineering practices. Several roles are involved in this stage, including:
- Security architect
- Systems security engineer
- System privacy officer
- System admin
- Information owner
The as-implemented details of each control are documented, and a baseline configuration of the system is established and placed under configuration management. Anything learned during implementation is used to update the security and privacy plans.
Reference documents: [SP 800-53] [SP 800-161] [SP 800-128]
Step 5: Assess
Once the selected controls are implemented, it is vital to verify that they are in place, operating as intended, and producing the desired outcome with respect to the system's security and privacy requirements. That verification happens in this fifth stage. It gives assurance that the implemented mechanisms actually reduce risk to operations and data without introducing new risks.
The assessment stage consists of multiple tasks and outcomes:
- Develop security and privacy assessment plans.
- Conduct control assessments (using automation to the maximum possible extent) in accordance with these plans.
- Report security and privacy assessments, findings, and recommendations.
- Prepare a plan of action and milestones (POA&M) describing how remaining weaknesses and unacceptable risks will be remediated.
Reference documents: [SP 800-53] [SP 800-161] [SP 800-128] [NISTIR 8011]
Step 6: Authorize
Organizational accountability is vital for reliable IT risk management, which is why this step is included in the NIST RMF. In this stage, a senior official, the authorizing official, reviews the authorization package assembled during the previous steps (the security and privacy plans, the assessment reports, and the POA&M) and decides whether to authorize the system to operate.
This official (perhaps a CISO, chief risk officer, or even the CEO) makes a risk determination that reflects the organization's risk management strategy: either the residual risk is acceptable and is explicitly accepted, possibly with conditions, or the authorization is denied. The decision is also meant to confirm that the system complies with the laws and policies applicable to the organization.
Reference documents: [SP 800-161] [OMB A-130] [SP 800-39] [NIST CSF]
Step 7: Monitor
The final phase of the NIST RMF provides ongoing situational awareness of the system's security and privacy posture, which is what sustains the effectiveness of the implemented controls over time. Organizations should continuously evaluate their risk mitigation strategies, analyze the security and privacy impact of proposed changes to the system and its environment, and perform ongoing assessments of control effectiveness in accordance with the continuous monitoring strategy.
In addition, they should develop a strategy for system disposal and implement a process to report the security and privacy posture to senior leadership.
Reference documents: [SP 800-128] [NISTIR 8062] [SP 800-137]
Implement Your Risk Management Framework with ZenRisk
When working with the NIST RMF framework, it can be useful to break the process into its key categories: risk identification, risk measurement and assessment, risk mitigation, risk reporting, and risk monitoring. This is a good way to identify the most critical risks affecting your organization and prepare a plan to mitigate them.
Another way to streamline the process is to use ZenRisk, an all-in-one platform for risk management, audits, governance, and compliance. ZenRisk helps you apply the NIST RMF effectively and manage many of its recommendations and security requirements in one place.
To learn how ZenRisk can help you implement a risk assessment and governance process in your organization, schedule a demo.