Which of the following risk treatment strategies describes an organization's efforts to reduce damage caused by a realized incident or disaster?

Cybersecurity framework

Leighton Johnson, in Security Controls Evaluation, Testing, and Assessment Handbook (Second Edition), 2020

Tier 3: Repeatable

Risk Management Process—The organization's risk management practices are formally approved and expressed as policy. Organizational security practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.

Integrated Risk Management Program—There is an organization-wide approach to manage security risk. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Consistent methods are in place to respond effectively to changes in risk. Personnel possess the knowledge and skills to perform their appointed roles and responsibilities.

External Participation—The organization understands its dependencies and partners and receives information from these partners that enables collaboration and risk-based management decisions within the organization in response to events.


URL: https://www.sciencedirect.com/science/article/pii/B9780128184271000124

The Basic Information Systems Security Techniques Used to Defend Against High-Technology Crime Miscreants

Dr. Gerald L. Kovacich, Dr. Andy Jones, in High-Technology Crime Investigator's Handbook (Second Edition), 2006

RISK MANAGEMENT

The risk management process is crucial to establishing and maintaining an InfoSec program at the least cost while still protecting the high technology. Risk decisions are based on:

Threats—Man-made or natural occurrences that can cause adverse effects to systems and information when combined with specific vulnerabilities

Vulnerabilities—Weaknesses that allow specific threats to cause adverse effects to systems and information

Impacts—The effect that a threat exploiting a vulnerability would have

Risks—The chances that a specific threat can take advantage of a specific vulnerability to cause adverse effects to systems and information

The assessments can be qualitative, quantitative, or a combination of both. They often result in a formal report and include identifying costs and benefits.

“Passport ID Chips May Not Be Secure; Washington (AP)—The Bush administration opposed security measures for new microchip-equipped passports that privacy advocates contended were needed to prevent identity theft, government snooping, or a terror attack, according to State Department documents released Friday. The passports, scheduled to be issued by the end of 2005, could be read electronically from as far away as 30 feet, according to the American Civil Liberties Union, which obtained the documents under a Freedom of Information Act request. Though the passports wouldn't include transmitters of their own, they would have antennas to allow a reader to capture the data. The ability to read remotely, or “skim,” personal data raises the possibility that passport holders would be vulnerable to identity theft, the ACLU said. It also would allow government agents to find out covertly who was attending a political meeting or make it easier for terrorists to target Americans traveling abroad, the ACLU said.”3


URL: https://www.sciencedirect.com/science/article/pii/B9780750679299500488

Risk management

Matthew Metheny, in Federal Cloud Computing (Second Edition), 2017

Components of the NIST Risk Management Process

The risk management process (or cycle) consists of four components that provide a structured, process-oriented approach for managing risks. Each of the four components of the risk management process ensures that risk is managed in an integrated process that requires the involvement of the entire organization. Historically, the federal government included only two of the four components of risk management—risk assessment and risk response. In this approach to risk management, as illustrated in Fig. 6.1, two additional components have been added: risk framing and risk monitoring.


Figure 6.1. Components of the risk management process.

Risk Framing

Establishing a risk context (or framing) is a critical first step in risk management that requires describing the risk environment. The environment includes risk assumptions, risk constraints, risk tolerance, priorities/trade-offs, and the trust model. Framing the risk can also include information about any tools or techniques that are used by the organization to support the risk management activities. The output of risk framing is a risk management strategy that provides the organization with a common perspective for managing risks (i.e., assessment, response, or monitoring).

Risk Assessment

The assessment of risk is based on the organization’s risk context, and includes activities focused on supporting the identification and determination of risk, and monitoring risk factors. Risks are identified based on a characterization of threats (threat sources and events), vulnerabilities, and predisposing conditions. The risk determination is based on the impact that would result from an event and the likelihood the event would occur. Monitoring risk factors is the maintenance aspect, and includes an ongoing situational awareness of the changes to information used by the organization when making a risk-based decision.

A risk assessment is a tool that can be used organization-wide. Depending on the organizational structure, risk-related information captured at the strategic level (tier 1), as illustrated in Fig. 6.2, can be used at the tactical level (tier 3). By conducting risk assessments as a continual risk management activity, threats, vulnerability, likelihood, and impact information can be refined and updated with information at each of the three levels within the organization (governance, mission/business process, and information system). However, to effectively integrate risk assessments at the different levels within the organization, the involvement in the risk assessment activities must extend beyond those responsible for information security. By using an organizational approach to conduct risk assessments, information security risks become an integral part of the organization’s overall decision-making process.


Figure 6.2. Multitiered integration of the risk management process.

Risk Response

After risks have been identified and analyzed, the organization focuses on developing responses to risk. When responding to risks, the organization needs to ensure that the response is consistent with the risk context defined in the risk framing component of risk management. Depending on the level of the organization, the risk response may be different due to the types of risk-related information being evaluated for impact and the specific interpretation of the risk management strategy. For example:

The focus of risk response at the strategic, organizational level might focus on the actions (e.g., accept risk, avoid risk, and transfer risk) that would be available to the organization based on the risk framing.

Risk responses from the perspective of the mission/business process owners might consider impacts on the ability of the specific organization to accomplish a specific business function that could result in changes to the information security architecture or processes that support the information security program.

Risk response at the tactical, information system level might focus on specific tasks (plans of action and milestones) that would be undertaken to correct any weaknesses or deficiencies found in security controls to ensure that the system-level risk can be mitigated to an acceptable level.

A key part of risk response that cannot be overlooked is how the responses to risk are communicated outside of the organization such as with external service providers (or even between organizations) who may share some or all of the risks. This may require those service providers (or organizations) to be part of the risk response decision-making process, specifically if it relates to contractual or service-level obligations that have already been established and formalized prior to the risk response decisions.

Risk Monitoring

The purpose of risk monitoring is to address how risk will be monitored. This includes verifying compliance with the risk response decisions by ensuring that the organization implements the risk response measures (and any information security requirements), determines the ongoing effectiveness of risk response measures, and identifies any changes that would impact the risk posture [1]. Risk monitoring activities at the various levels of the organization (or with other organizational entities) should be coordinated and communicated. This can include sharing risk assessment results that would have an organization-wide impact to risk responses being planned or implemented. The organization should also consider the tools and technologies that will be needed to facilitate monitoring and the frequency necessary for effectively monitoring risks, including the changes that would impact responses to risks.


URL: https://www.sciencedirect.com/science/article/pii/B9780128097106000068

TIRM Process Stage A

Alexander Borek, ... Philip Woodall, in Total Information Risk Management, 2014

TIRM project kickoff

To implement the TIRM process in your organization, you first need to convince and educate other people about the usefulness of the TIRM process and explain at a basic level how it works. In particular, you need to establish senior management support. Therefore, a sensible tactic is to invite people who have expressed an interest in being involved to a presentation about the TIRM process (e.g., the one that you can find on the online book companion website). Then organize a two- to three-hour workshop with the interested parties during which you convince them to participate in step A1.

WHAT IF YOU DO NOT HAVE SENIOR LEADERSHIP COMMITMENT FOR TIRM?

Often, it is hard to convince senior leadership to engage, as they are preoccupied with too many things. It is usually easier to gain the support of the leadership of a smaller business unit than the support of top executives. Choose leaders of business units who show the most enthusiasm for data and information improvement projects. Restricting the scope of the TIRM process application to a particular, smaller business unit or segment can be a useful strategy; this is particularly appropriate if you have not been able to get the support of the executive leadership for the implementation of the TIRM process. If the implementation of the TIRM process in the small initial scope is successful, this might give you the opportunity to convince other business units to participate in the future, as you will have a success story to tell.

EXAMPLE: TIRM PROCESS APPLIED AT A CALL CENTER

We will illustrate all the steps in the following commentary, using a fictitious case study of a call center that is under constant pressure to fully satisfy customers but suffers from decreasing profit margins. A data quality manager believes that higher customer satisfaction at a lower cost can be achieved if data and information are of higher quality and are used more effectively. He convinces the managing director of the call center to implement the TIRM process to identify the optimal data and information quality improvement investments, that is, those that promise the best benefit-to-cost ratio.


URL: https://www.sciencedirect.com/science/article/pii/B9780124055476000067

Resilience, Risk Management, Business Continuity, and Emergency Management

Philip P. Purpura, in Security and Loss Prevention (Sixth Edition), 2013

Risk Management Tools

Within the risk management process, and before a final decision is made on risk management measures, the practitioner should consider the following tools (also referred to as “risk treatment”) for dealing with risk:

Risk avoidance: This approach asks if the risk should be avoided. For example, the production of a proposed product is canceled because the danger inherent in the manufacturing process creates a risk that outweighs potential profits. Or, a bank avoids opening a branch in a country subject to political instability or terrorism.

Risk transfer: Risk can be transferred to insurance. The risk manager works with an insurance company to tailor a coverage program for the risk. This approach should not be used in lieu of loss prevention measures but rather to support them. Insurance should be last in a series of defenses. Another method of transferring risk is to lease equipment rather than own it. This transfers the risk of obsolescence.

Risk abatement: In abatement, a risk is decreased through a loss prevention measure. Risks are not eliminated, but the severity of loss is reduced. Sprinklers, for example, reduce losses from fire. Sand bags assist in decreasing erosion (Figure 12-1).


Figure 12-1. Florida hotel faces risk of beach erosion from Hurricane Irene.

Courtesy: Ty Harrington/FEMA.

Risk spreading: Potential losses are reduced by spreading the risk among multiple locations. For example, a copy of vital records is stored at a remote, secure location. In another example, following the 9/11 attacks, companies have spread operations among multiple locations to facilitate business continuity.

Risk assumption: In the assumption approach, a company makes itself liable for losses. Not obtaining insurance is an example. This tool may be applied because the chance of loss is minute. Another path, self-insurance, provides for periodic payments to a reserve fund in case of loss. Risk assumption may be the only choice for a company if insurance cannot be obtained. With risk assumption, prevention strategies become essential.


URL: https://www.sciencedirect.com/science/article/pii/B9780123878465000127

Overview of TIRM Process and Model

Alexander Borek, ... Philip Woodall, in Total Information Risk Management, 2014

Determining risk appetite for TIRM

Before starting with the TIRM process, the risk appetite should be determined. Once the risk appetite has been determined, the organization will be on its way to establishing a robust TIRM process. The risk appetite will be needed to set up risk criteria in step A4 of the TIRM process. Providing clarity about tolerance levels and who is responsible will:

Ensure that better-informed business decisions are made.

Provide clear communication channels, alerting senior levels of management to potential information risks at an early stage.

Alleviate the possibility of being exposed to unmanageable information risks.

Allow the organization to prioritize actions in those areas where risk is deemed to exceed the defined appetite.

Help to develop a culture where information risk awareness becomes embedded in day-to-day operations.

Establish the right balance between being bold and being cautious.

Risk appetite could be expressed on a scale—you can of course decide how to measure your risk appetite but you may wish to consider the following suggestion of a 1 to 4 scale, an example of which is shown in Table 5.2.

Table 5.2. Example Risk Appetite Scale

Level 1: No risk appetite. Not willing to accept risks in any circumstances.
Level 2: Low risk appetite. Not willing to accept risks in some circumstances.
Level 3: Medium risk appetite. Willing to accept risks in some circumstances.
Level 4: High risk appetite. Willing to accept risk in any circumstances.

Communicating the tolerance level in this way should also be accompanied by guidance in terms of the discretion available. For example, who can take the decision to tolerate the risk? When does a decision need to be escalated to a higher level of management?

More tangible scales are set in the form of risk criteria for each business objective in step A4, during the "establish the context" stage.

Many experienced employees will have an intuitive feel for the risk level they may expose the organization to, but it is unwise to rely on this, and boundaries need to be established with clear guidelines put in place so that misunderstandings and bad risks are mitigated.

The level of risk appetite will vary: it will not remain static, either across specific issues or over time.

EXAMPLE

As an example, with speculative projects you may be prepared to tolerate a higher level of risk appetite than that for mission-critical projects. Over time, an activity or project that may have been deemed to be a level 1 risk in year 1 may become level 3 in year 3 as expertise in managing that specific situation is developed.


URL: https://www.sciencedirect.com/science/article/pii/B9780124055476000055

Risk Management

David Watson, Andrew Jones, in Digital Forensics Processing and Procedures, 2013

5.3.1 Overview

As part of the risk management process, the Forensic Laboratory will have a risk management policy. This policy will include the objectives for, and management commitment to, information security risk management. It will be aligned with Forensic Laboratory goals and objectives. The Forensic Laboratory risk management policy is given in Appendix 10.

Top Management should set a clear direction and demonstrate their support for and commitment to the ISMS by issuing a formally agreed and documented ISMS policy across the Forensic Laboratory. The policy has been approved by Top Management and is reproduced in Chapter 4, Appendix 10.

However, before a policy can be prepared, the scope or context of the ISMS has to be defined. It may be the entire organization but could be a single site or a particular system or service. The Forensic Laboratory’s scope statement is given in Appendix 11.

The ISMS policy serves as the foundation of the ISMS program and the basis for adopting specific procedures and technical controls. It is the first step in establishing a security culture that strives to make everyone in the Forensic Laboratory aware of the need for information security and the role they personally have to play.


URL: https://www.sciencedirect.com/science/article/pii/B9781597497428000054

The Forensic Laboratory Integrated Management System

David Watson, Andrew Jones, in Digital Forensics Processing and Procedures, 2013

Responsibilities

The committee focuses on the risk management process with the following responsibilities:

approve methodologies and processes for risk management in the Forensic Laboratory, e.g., risk assessment, information classification;

identify significant threat changes and exposure of information and information-processing facilities to threats;

raise the level of management awareness and accountability for the business risks faced by the Forensic Laboratory;

develop risk management as part of the culture of Forensic Laboratory;

provide a mechanism for risk management issues to be discussed and disseminated to all areas of the Forensic Laboratory;

coordinate activities to obtain a more effective risk management process from existing resources;

prioritize and accelerate those risk management strategies that are critical to the achievement of corporate objectives;

assess the adequacy and coordinate the implementation of information security controls;

manage and oversee the management of the risk registers within the Forensic Laboratory.

In conjunction with the Audit Committee, to commission and/or review internal audit reports, results of other tests and exercises pertaining to risk-related issues within the Forensic Laboratory, and the management responses to the recommendations.

To approve the text of the section of the Forensic Laboratory annual review dealing with risk management issues and the Committee.


URL: https://www.sciencedirect.com/science/article/pii/B9781597497428000042

Regulatory overview

Arnab Ray, in Cybersecurity for Connected Medical Devices, 2022

Premarket

A properly documented and followed risk management process is uniformly recommended as the primary guiding factor for cybersecurity design decisions. By following standard cybersecurity risk management approaches (e.g., ISO 14971 [26] and AAMI TIR57 [27]), MDMs are encouraged to decide, during product design and development, whether to accept a specific kind of cybersecurity risk or to remediate it through design controls. If a risk that is assessed as unacceptable is nonetheless accepted during product design, a risk–benefit analysis is required as per ISO 14971.

The set of foreseeable cybersecurity threats should cover operational threats (i.e., threats to the device when it is performing its clinical function), supply chain threats (i.e., threats to the device from third-party components procured from suppliers), manufacturing threats (i.e., threats to the device during the transfer of design artifacts from the development environment to the production environment and threats during manufacturing), and deployment threats (i.e., threats to the device during distribution and set-up in its operational environment). These threat domains are explicitly identified by the FDA [4].

Regulatory authorities caution MDMs against imposing overly restrictive cybersecurity measures that may have a detrimental safety impact on their products. For instance, mandating authentication before accessing a device used in an emergency room may increase patient safety risk, because an operator may forget their credentials. Following the principle laid down in AAMI TIR57 of having two distinct but interrelated risk assessments, one for patient safety from non-cybersecurity-related causes and another for patient safety from cybersecurity-related causes (i.e., threats), regulators expect MDMs not only to assess the safety risk to the patient from threats but also to assess the safety risk posed by the cybersecurity controls themselves.


URL: https://www.sciencedirect.com/science/article/pii/B9780128182628000103

Risk Management

Stephen D. Gantz, Daniel R. Philpott, in FISMA and the Risk Management Framework, 2013

Risk Response Identification

For any risk identified and evaluated in the risk management process, risk managers need to consider potential responses to risk, alone or in combination, and identify the possible courses of action. The exact number and variety of alternatives considered for a risk response may be constrained by policies or guidance in the risk management strategy, but candidate responses typically include the following [53]:

Acceptance. When the risk determination falls within the organizational risk tolerance, accepting the risk may be justified. When risk tolerance includes cost-benefit considerations, risk acceptance may also be warranted when the cost of mitigation exceeds the anticipated loss to the organization if the risk is realized.

Mitigation. Risk mitigation includes remedial or corrective action taken to reduce the level of risk to the organization, with the goal of bringing the risk level within organizational risk tolerance so that any residual risk can be accepted. Mitigating actions chosen for a given risk may be implemented at multiple levels of the organization.

Sharing. Risk sharing occurs when responsibility for risk borne by one organization can be shared with another, in a manner that may not reduce the total risk, but reduces the risk faced by each sharing organization to an acceptable level. Organizations with different risk tolerance levels may be able to use risk sharing to align responsibility for different types of risk with commensurate risk tolerance levels, and to assign responsibility for specific types of risk to organizations with the appropriate expertise or resources to address them.

Transference. Organizations unwilling or unable to accept, mitigate, or share risk may choose to transfer the risk by shifting responsibility or liability for the consequences of an adverse event to another organization, such as by purchasing insurance against loss or harm. Risk transference does not reduce the likelihood, harm, or risk associated with an event, but typically compensates the organization for losses.

Avoidance. Risks determined to be unacceptable to the organization and infeasible to mitigate, share, or transfer may warrant changes to information systems or processes implemented by the organization to avoid incurring the risk associated with them. Avoiding information system-level risk often requires reducing the scope or functional capability to reduce the threats or vulnerabilities applicable to systems or business processes. Examples of risk avoidance methods include foregoing system interconnections in favor of manual processes or integration methods, or choosing to limit web-based access methods to intranet or VPN-based connections rather than allowing Internet connections.

Alternative courses of action to respond to risk may involve multiple steps or discrete actions taken at one or more levels of the organization. Risk managers at mission and business or organization tiers may evaluate multiple risk response decisions together to determine appropriate organizational responses, particularly when similar risk is identified in multiple risk assessments.

Warning

NIST guidance omits an additional response to risk that risk management practitioners may encounter: denial. Risk denial is a refusal to acknowledge a risk produced in an assessment, essentially making an assertion that the risk does not apply to the organization. Risk denial should not occur in organizations with accepted, established risk management procedures, and instances of risk denial often indicate a lack of awareness among risk management decision makers or poor communication between decision makers and business owners or system owners responsible for conducting risk assessments.


URL: https://www.sciencedirect.com/science/article/pii/B9781597496414000138

Which of the following risk handling strategies terminates an activity that causes a risk or chooses an alternative that is not as risky?

Risk avoidance involves terminating an activity that causes a risk or choosing an alternative that is not as risky.

Which risk management strategy seeks to prevent the risk from actually occurring?

Risk avoidance is the only risk management strategy that seeks to completely eliminate the chance of a particular risk from happening and/or its ability to impact the organization to any degree.

Which risk control strategy approach can also be referred to as an avoidance strategy?

The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk control strategy, also known as the avoidance strategy.

Which of the following can be described as the quantity and nature of risk that organizations are willing?

Risk appetite (also known as risk tolerance) is the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.