
14.2 A Framework for Managing Information Security Risks

Information security risk management is the ongoing process of identifying and addressing information security risks. This section explores the details of a structured approach for managing risks. Figure 14-4 illustrates the operations required by the information security risk management framework as well as the major tasks completed during each operation. This type of framework is common to risk management approaches in many domains, including information security [GAO 98].

Figure 14-4. Operations and Tasks of the Information Security Risk Management Framework (figure not reproduced)

Assigning Responsibility

To manage your information security risks effectively, you must clearly define roles and responsibilities for all of the operations and tasks in the framework. Effective risk management requires everyone in the organization to know his or her role in managing risks. During OCTAVE, an analysis team was responsible for identifying and analyzing risks and for completing high-level planning tasks. This team may not have a permanent existence in your organization, and new people might be assigned responsibility for managing the risks after the evaluation. As you consider the framework in this section and how it might apply to your organization, remember that you will eventually need to determine the appropriate set of roles and responsibilities and distribute them effectively. The remainder of this section examines each operation in Figure 14-4, starting with "Identify."

14.2.1 Identify

Identification is the process of transforming uncertainties and issues related to how well an organization's assets are being protected into distinct (tangible) risks. The objective of this activity is to anticipate risks before they become problems and to incorporate this information into the organization's information security risk management process. Table 14-1 illustrates the types of tasks that are conducted during risk identification and the key results produced by each task.

Table 14-1. Risk Identification Tasks

Task: Capture risk profile.
Description: Capturing a risk profile requires gathering and recording information about the individual components of risk (asset, threat, vulnerability, and impact).
Key results:
  • Critical assets

  • Threats to critical assets

  • Security requirements for critical assets

  • Narrative description of the potential impact of the risks on the organization

  • Key infrastructure components related to critical assets

Task: Capture organizational information.
Description: Capturing organizational information calls for gathering and recording contextual information that supports the risk profile.
Key results:
  • Current security policies, practices, and procedures

  • Current technology vulnerabilities

  • Current organizational vulnerabilities

Overall, when implemented, risk identification should

  • Enable staff members throughout the organization to identify and communicate risk-related information periodically or as needed

  • Provide a means for documenting all risk-related information in a consistent format

At the end of identification, you will have documented a set of risks, including information about the organization's critical assets, the threats to those assets, and applicable vulnerabilities (both organizational and technological). You will also have collected sufficient supporting information, providing the overall organizational context for interpreting the organization's risks. In the next operation, you build on this information by setting priorities for addressing risks.

14.2.2 Analyze

Analysis is the process of projecting how extensive risks are and using those projections to set priorities. The objective of risk analysis is to gain a better understanding of risks by examining all risk-related data in relation to a set of organizational evaluation criteria. Table 14-2 illustrates the risk analysis tasks.

Risk analysis should include techniques for setting priorities based on established evaluation criteria. These criteria define those aspects of impact (and probability, if used) that are most important to the organization's business objectives. The analysis process should

  • Enable staff members to evaluate or reevaluate risks for impact and probability (if used)

  • Provide personnel who analyze risks with sufficient guidance to set or revise priorities

Table 14-2. Risk Analysis Tasks

Task: Evaluate risks.
Description: Evaluating risks involves establishing the current values for impact and probability (if used).
Key results:
  • Values for risk measures (impact, probability)

Task: Prioritize risks.
Description: Prioritizing risks requires determining which risks need to be addressed based on the nature of the risk and the organization's general tolerance for risk.
Key results:
  • Mitigation approach (accept, mitigate)

When analyzing the risks to your critical assets, you establish the potential impact on the organization and review all risks in the context of organizational needs and objectives. You then use that information to determine which risks to mitigate actively and, after setting your priorities, to decide what your organization can do to address those risks.
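The two analysis tasks in Table 14-2 (evaluating each risk against organizational criteria, then prioritizing and choosing accept or mitigate) can be written down as a small program. The following is an added example, not code from the OCTAVE book or method; the impact areas, the High/Medium/Low thresholds in CRITERIA, the tolerance rule, and the sample risks are all constructed for illustration.

```python
"""Risk evaluation and prioritization against organizational criteria.

Added example; not from the OCTAVE book or method. The impact areas, the
High/Medium/Low scale, the sample risks and the tolerance rule are all
constructed here to illustrate the analysis tasks in Table 14-2.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional, Tuple


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Evaluation criteria (constructed): for each impact area, the value at which
# an outcome counts as MEDIUM and the value at which it counts as HIGH.
CRITERIA = {
    "financial_loss_usd": (10_000, 100_000),
    "downtime_hours": (4, 24),
    "records_exposed": (100, 10_000),
}


def rate(area: str, value: float) -> Level:
    """Map a projected outcome in one impact area to a Level using CRITERIA."""
    medium_at, high_at = CRITERIA[area]
    if value >= high_at:
        return Level.HIGH
    if value >= medium_at:
        return Level.MEDIUM
    return Level.LOW


@dataclass
class Risk:
    asset: str
    threat: str
    outcomes: Dict[str, float]            # impact area -> projected value
    probability: Optional[Level] = None   # optional, as the text allows
    impact: Level = field(init=False)

    def __post_init__(self) -> None:
        # Overall impact is the worst rating across all evaluated impact areas.
        self.impact = max(rate(a, v) for a, v in self.outcomes.items())


def score(risk: Risk) -> int:
    """Priority score; probability is used only when it was evaluated."""
    if risk.probability is None:
        return int(risk.impact)
    return int(risk.impact) * int(risk.probability)


def prioritize(risks: List[Risk], tolerance: int) -> List[Tuple[Risk, str]]:
    """Sort risks by score, highest first, and choose accept or mitigate.

    `tolerance` is the highest score the organization will accept without
    active mitigation (constructed rule standing in for risk tolerance).
    """
    ordered = sorted(risks, key=score, reverse=True)
    return [(r, "mitigate" if score(r) > tolerance else "accept") for r in ordered]


# Constructed sample risk profile (not from any real evaluation).
SAMPLE_RISKS = [
    Risk("customer database", "SQL injection by external actor",
         {"records_exposed": 50_000, "financial_loss_usd": 250_000}, Level.MEDIUM),
    Risk("payroll server", "insider modifies records",
         {"financial_loss_usd": 20_000}, Level.LOW),
    Risk("public web site", "defacement",
         {"downtime_hours": 2, "financial_loss_usd": 500}, Level.HIGH),
]

if __name__ == "__main__":
    for risk, approach in prioritize(SAMPLE_RISKS, tolerance=3):
        print(f"{approach:8} score={score(risk)} impact={risk.impact.name} "
              f"{risk.asset}: {risk.threat}")
```

Taking the worst rating across impact areas keeps a risk with one severe outcome from being averaged away by mild ones; the tolerance threshold is where the organization's general tolerance for risk enters the accept/mitigate decision.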

14.2.3 Plan

Planning is the process of determining which actions to take to improve the organization's security posture and protect its critical assets. The objectives of planning are to develop and maintain the following three security enhancements:

  1. A protection strategy to improve the organization's overall security posture

  2. Mitigation plans designed to reduce risks to the organization's critical assets

  3. Detailed action plans to implement key aspects of the protection strategy and risk mitigation plans

Table 14-3 highlights the risk planning tasks.

Table 14-3. Risk Planning Tasks

Task: Develop a protection strategy.
Description: Developing a protection strategy requires defining (or updating) a protection strategy for improving an organization's security-related practices.
Key results:
  • Protection strategy

Task: Develop risk mitigation plans.
Description: Developing risk mitigation plans requires defining (or updating) plans to reduce risks to the organization's critical assets.
Key results:
  • Risk mitigation plans

Task: Develop action plans.
Description: Developing (or updating) action plans involves specifying a set of actions for implementing key aspects of the protection strategy and risk mitigation plans. Action plans are defined based on an assessment of available resources as well as any organizational constraints. Each action plan includes a completion date, success criteria, and funding requirements. In addition, measures for monitoring plans against their schedules and success criteria are selected. Finally, personnel must be assigned to implement the action plans.
Key results:
  • Action plans

  • Budget

  • Schedule

  • Success criteria

  • Measures to monitor action plans

  • Personnel assigned to implement action plans

Remember, during OCTAVE, the analysis team completes all high-level planning tasks (i.e., developing a protection strategy and risk mitigation plans). The task of developing detailed action plans occurs after the evaluation. The planning process should include the following specifications:

  • Require planners to review existing plans and strategies for common actions.

  • Provide planners with established methods for incorporating return on investment, dealing with limited resources, and prioritizing corrective actions.

  • Enable the use of both technological and organizational solutions.

  • Require planners to select measures for monitoring plans against their schedules and success criteria.

  • Afford planners the authority to allocate or reallocate resources.

  • Incorporate all necessary reviews and approvals.

During the planning process, you develop a protection strategy and risk mitigation plans. First you want to understand the range of available options; next you develop detailed action plans. This second step initially involves selecting key aspects of the protection strategy and risk mitigation plans to implement, based on a cost-benefit analysis. You then formulate an action plan for each key aspect that includes the following elements:

  • The budget required to support implementation of the action plan

  • A schedule that defines all key milestones

  • Success criteria that define the objectives of the action plan

  • Measures to monitor the progress of the action plan relative to its schedule and success criteria

  • Responsibility for implementing the action plan

After you finish planning, you have defined the direction for improving your organization's security posture. In the next operation you execute the action plans as designed.

14.2.4 Implement

Implementation is the process of taking planned action to improve an organization's security posture. The objective of risk implementation is to execute all action plans according to the schedules and success criteria that were defined during risk planning. Implementation is tightly linked to risk monitoring and control, during which you follow and correct implementation progress. Table 14-4 illustrates the risk implementation task.

Assign responsibility for implementing action plans during the planning process. People who are assigned responsibility for implementing action plans must follow through by ensuring that those plans are completed according to the plan's defined schedules and success criteria.

The implementation process should

  • Communicate to organizational personnel that staff members are authorized to implement their assigned action plans

  • Enable staff members to reprioritize existing work tasks to incorporate their action plan activities

  • Provide staff members with sufficient funds, equipment, and other required resources to complete the action plans

As you implement action plans, you also need to monitor them to ensure that they are being implemented according to schedule and are meeting their defined success criteria.

Table 14-4. Risk Implementation Task

Task: Execute action plans.
Description: Executing action plans requires successfully completing all actions in those plans according to their documented schedules.
Key results:
  • Completed actions

14.2.5 Monitor

The monitoring process tracks action plans to determine their current status and reviews organizational data for indications of new risks or changes to existing risks. The objectives of monitoring risks are to collect accurate, timely, and relevant information about the progress of action plans being implemented and any major changes to the organization's operational environment that could indicate the existence of new risks or significant changes to existing risks.

Table 14-5 illustrates the tasks completed as risks are monitored.

Table 14-5. Tasks for Monitoring Risks

Task: Acquire data.
Description: This task requires the collection of quantitative or qualitative information that

  • measures the status of action plans with respect to their schedules and success criteria

  • indicates the presence of new risks or significant changes to existing risks

Key results:
  • Data tracking the progress of action plans

  • Data about key risk indicators

Task: Report progress and risk indicator data.
Description: Reporting progress involves ensuring that key decision makers understand an action plan's current status. Reporting risk data requires passing on all indications of new risks to the appropriate personnel in the organization.
Key results:
  • Communicated progress reports

  • Communicated risk indicators

Typically, the people who are responsible for implementing action plans also monitor those plans. In addition, everyone in the organization needs to be empowered to look for and report information that might indicate the presence of new risks or significant changes to existing risks. For example, if there are major changes to the organization's operational environment (e.g., corporate reorganization, major redesign of the organization's computing infrastructure), management might decide to conduct another information security risk evaluation.

Risk monitoring should provide an organization with an efficient and effective way to track the progress of action plans, indications of new risks, and significant changes to existing risks. The monitoring process should both leverage current project management practices within the organization and enable effective and timely communication of status information and risk indicators.

As you monitor risks, you need to interpret the data that you collect. Controlling risks allows you to decide how to proceed with action plans, whether the organization needs to identify new risks, and how to address significant changes to existing risks.

14.2.6 Control

Controlling risks is a process whereby designated personnel adjust the course of action plans and determine whether changing organizational conditions indicate the presence of new risks. The objective of controlling risks is to make informed, timely, and effective decisions about corrective measures for action plans and about whether to identify new risks to the organization. Table 14-6 highlights the tasks required to control risks.

You can make two types of control decisions. The first type deals with adjusting the course of action plans. Part of the responsibility for making control decisions lies with the person who is monitoring an action plan. If action plans were being implemented according to their schedules and were meeting defined success criteria, the person monitoring the plans would simply continue tracking them. The decision in this case is to continue as planned. On the other hand, if the person monitoring the risk noticed a deviation or anomaly that was causing a delay in a plan's schedule or indicated that success criteria were not being met, that person would make sure that the issue was raised at the appropriate management level. It might be necessary to revise that action plan or execute predefined contingency actions.

The second type of control decision focuses on interpreting risk indicators. You are looking for major changes to the organization's operational environment, indicating the possible existence of new risks or significant changes to existing risks. As mentioned during our discussion about monitoring risks, anyone in the organization could look for and report information that might indicate the presence of new risks or changes to existing risks. Whoever believes that changes to the operational environment could significantly change the nature of the organization's information security risks should make sure that those issues are raised at the appropriate management level. If appropriate, new risks could be identified (e.g., by conducting another evaluation) or action plans could be revised based on changes to the underlying risks.

Table 14-6. Tasks for Controlling Risks

Task: Analyze data.
Description: Analyzing data involves examining reported data for trends, deviations, and anomalies. The following types of information are reviewed:

  • Data tracking the progress of action plans

  • Data about key risk indicators

Key results:
  • Analyzed progress reports

  • Analyzed risk indicators

Task: Make decisions.
Description: Making decisions requires designated personnel to determine

  • How to proceed with action plans

  • Whether to identify new risks to the organization

Key results:
  • Decisions about changes to action plans

  • Decisions about identifying new risks

Task: Execute decisions.
Description: Executing decisions involves putting control decisions into practice.
Key results:
  • Communicated decisions

  • Implemented changes to action plans

  • Start of risk identification activity

Continuous control of risks should be tightly integrated into the organization's management practices. The control process should

  • Ensure that responsibility for making control decisions is formally assigned and accepted

  • Provide personnel with guidance for weighing alternatives and making trade-offs

  • Provide a mechanism for elevating sensitive issues to an appropriate organizational level

  • Be integrated with general business risk planning, implementation, and identification activities in the organization
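The monitoring tasks in Table 14-5 (acquire progress and risk indicator data, report it) and the two kinds of control decision described above (adjust the course of an action plan; decide whether to identify new risks) fit together as one small loop. The following is an added example, not code from the OCTAVE book or method; the plan and indicator structures, the sample plans and dates, and the decision rules (continue when on schedule and criteria are met, otherwise raise the issue and fall back to a predefined contingency if one exists) are all constructed for illustration.

```python
"""Monitoring action plans and making control decisions.

Added example; not from the OCTAVE book or method. The plan structure,
the sample plans, the risk indicators and the decision rules are all
constructed here to illustrate Tables 14-5 and 14-6.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Milestone:
    name: str
    due: date
    completed_on: Optional[date] = None


@dataclass
class ActionPlan:
    name: str
    owner: str
    milestones: List[Milestone]
    success_criteria: Dict[str, float]   # measure name -> required value
    measures: Dict[str, float] = field(default_factory=dict)  # latest data
    contingency: Optional[str] = None    # predefined contingency action, if any


@dataclass
class RiskIndicator:
    description: str
    major: bool   # reporter's judgement: a major operational change?


def progress_report(plan: ActionPlan, today: date) -> Dict[str, object]:
    """Acquire data: a plan's status relative to its schedule and criteria."""
    overdue = [m.name for m in plan.milestones
               if m.completed_on is None and m.due < today]
    late_done = [m.name for m in plan.milestones
                 if m.completed_on is not None and m.completed_on > m.due]
    unmet = [k for k, target in plan.success_criteria.items()
             if plan.measures.get(k, 0.0) < target]
    done = sum(m.completed_on is not None for m in plan.milestones)
    return {
        "plan": plan.name,
        "owner": plan.owner,
        "percent_complete": round(100 * done / len(plan.milestones)),
        "overdue_milestones": overdue,
        "late_milestones": late_done,
        "unmet_criteria": unmet,
    }


def control_decision(report: Dict[str, object], plan: ActionPlan) -> str:
    """First type of control decision: continue, or raise the issue."""
    if not report["overdue_milestones"] and not report["unmet_criteria"]:
        return "continue as planned"
    if plan.contingency and report["overdue_milestones"]:
        return f"escalate; execute contingency: {plan.contingency}"
    return "escalate; revise action plan"


def identification_decision(indicators: List[RiskIndicator]) -> str:
    """Second type of control decision: whether to identify new risks."""
    major = [i.description for i in indicators if i.major]
    if major:
        return "start risk identification: " + "; ".join(major)
    return "no new identification needed"


# Constructed sample data: two action plans and two reported indicators.
TODAY = date(2024, 6, 1)
PLAN_PATCHING = ActionPlan(
    "patch management rollout", "ops lead",
    [Milestone("deploy patch management", date(2024, 5, 1), date(2024, 4, 28)),
     Milestone("train administrators", date(2024, 5, 20), date(2024, 5, 25)),
     Milestone("verify coverage", date(2024, 7, 1))],
    {"hosts_patched_pct": 95}, {"hosts_patched_pct": 97})
PLAN_VPN_MFA = ActionPlan(
    "MFA for remote access", "network lead",
    [Milestone("enable MFA on VPN", date(2024, 5, 15)),
     Milestone("decommission legacy VPN", date(2024, 8, 1))],
    {"mfa_enrolled_pct": 100}, {"mfa_enrolled_pct": 40},
    contingency="enforce MFA at the perimeter proxy")
INDICATORS = [
    RiskIndicator("new branch office opened", major=False),
    RiskIndicator("reorganization merges IT and OT networks", major=True),
]

if __name__ == "__main__":
    for plan in (PLAN_PATCHING, PLAN_VPN_MFA):
        rep = progress_report(plan, TODAY)
        print(rep["plan"], rep["percent_complete"], "%", "->",
              control_decision(rep, plan))
    print(identification_decision(INDICATORS))
```

A milestone finished late but finished still counts as on course here; only an open overdue milestone or an unmet success criterion triggers escalation. The major/minor judgement on an indicator stands in for the reporter's call, described in the text, that a change could significantly alter the organization's risks.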

This concludes our presentation of the information security risk management framework. The next section looks at a common implementation of the framework.
