14.1 Introduction

As indicated in Chapter 1, an information security risk evaluation provides a snapshot, or baseline, of the organization's current risks. However, this baseline is not static or frozen in time. After an evaluation has been completed, an organization will implement its protection strategy and risk mitigation plans; new threats and vulnerabilities will emerge; and the organization will identify new critical assets. New risks will emerge and old risks may go away or change their nature. To understand how its security risks change over time, an organization typically "resets" its baseline periodically by conducting another evaluation. The time between evaluations can be predetermined (e.g., yearly) or triggered by major events (e.g., corporate reorganization, redesign of an organization's computing infrastructure).

We also indicated in Chapter 1 that an organization improves its security posture only after it implements its protection strategy and risk mitigation plans. Figure 14-1 illustrates the framework for managing information security risks as well as the "slice" provided by the evaluation. We derived the framework from previous work, in which we developed an approach to managing risks on software and system development projects [Dorofee 96].

Figure 14-1. Information Security Risk Evaluation and Management

Key Principles

Think back to the principles presented in Chapter 2 (see Figure 14-2). To be effective, information security risk management must be consistent with these principles. Our discussion will focus on two of the principles: open communication and integrated management. Recall that information security risk management cannot succeed without a reasonable degree of open communication of security-related issues.[1] A culture that supports open communication of risk information is the basis for effective information security risk management.
A process for managing your information security risks must ensure that the right people get the right information in a timely manner.
Figure 14-2. Information Security Risk Management Principles

Integrated management requires that security policies and strategies be consistent with organizational policies and strategies. The organization's management must strike a balance between business and security goals. To accomplish this, an organization should integrate its information security risk management processes with its business processes. Figure 14-3 illustrates this concept. Notice that the information security risk management practices in the organization must fulfill three requirements:
Figure 14-3. Information Security Risk Management Framework in Context

An information security risk management framework must complement and support the organization's current business practices, not conflict with them or exist in isolation. Most organizations focus their information security risk management efforts on an evaluation. Conducting an organizationwide information security risk evaluation enables an organization to create a global perspective of risks within the larger context of the organization's mission and business objectives. The organization must then determine how to address those risks and improve its security posture.

After OCTAVE

The key results of OCTAVE include a protection strategy for organizational improvement and mitigation plans to reduce the risks to the organization's critical assets. To manage information security risks effectively, you must develop detailed action plans and manage the implementation of those plans. The post-OCTAVE activities are nothing more than a plan-do-check-act cycle, ensuring that selected aspects of your organization's protection strategy and mitigation plans are implemented. To build on the results of OCTAVE, you must address the following operations from Figure 14-3:
The next section presents a framework for information security risk management—a "roadmap" for managing your risks. Following that, Section 14.3 examines an approach for implementing the framework.