Information security risk management is a wide topic, with many notions, processes, and technologies that are often confused with each other.

In this series of articles, I explain notions and describe processes related to risk management. I also review NIST and ISO standards related to information security risk management.

In the previous article, I reviewed the high-level risk management cycle.

In this article, I will review the tiered risk management approach described in NIST Special Publication 800-39: “Managing Information Security Risk: Organization, Missions and Information System View”.

NIST SP 800-39

NIST Special Publication 800-39 is the guidance for an organization-wide program for information security risk management. It uses multi-tiered approach (see below) and describes the information security risk management cycle. The parts of this cycle are addressed in separate NIST documents.

Three tiers

The NIST SP 800-39 lists three tiers at which risk management should be addressed:

  1. organizational tier,
  2. business process tier;
  3. information systems tier.

This structural approach is very effective. Information systems are processing the information and it is there where the risks should finally be analyzed and addressed. But this should not be done without business process context, that is why we should consider business process tier first. And finally, business process tier cannot be considered without organizational tier.

Let’s look at the guidance of NIST SP 800-39 in these areas.

Tier 1 – organization

Tier one provides context for all activities related to information security risk management. (This relates to the first phase of ISO 31000 risk management cycle.) This tier is the basis of enumerating, defining and prioritizing the business processes that are needed to fulfill the organization’s mission. In general, this tier serves the purpose of buildig so-called governance structure for oversight of risk management. This governance structure have to be created in accordance both with organization’s mission and with legal/regulatory requirements that affect the organization.

The most important tasks realized in this tier are:

  1. establishment of top-level risk responsibility;
  2. establishment of risk management strategy.

The purpose of the first task is to ensure that risk-related activities are recognized and executed at all levels of the organization, top to bottom. The purpose of the second task is to align information security risk management activities with organization’s mission and legal/regulatory environment and to set criteria for the risk management cycle activities (e.g. so-called risk-tolerance levels). The risk management strategy should also address proper allocation of risk management resources and monitoring of risk management processes.

Tier 2 – business processes

The organization’s mission is realized by business processes that are designed to form a set of processes used to fulfill that mission. Proper information security risk management requires that such processes are clearly defined. It is not possible to effectively manage risks if one cannot associate these risks with the relevant business process (and in turn with the resources used to execute these processes, more on that below). Such set of business processes is sometimes called “enterprise architecture”. It is important to note that even if the organization is small, the process-based approach for information security risk management should be used.

As for Tier 1, the involvement of persons from diverse departments is needed. It is very important to remember that, although finally probably information security risk reduction activities will be executed in significant part by the IT department, the purpose of risk management is to reduce the risks for business processes and IT department is most probably unable to consider and discuss risks (and consequences of incidents) to various business processes. So it is a serious mistake to delegate risk management process in whole to the IT department. Unfortunately, such mistakes often happen.

After business processes (and related resources) are properly defined, the business process owner needs to consider (probably with help of the information security risk management personnel) possible threats to each such process and consequences of such threats. This is part of context establishment and part of the input to risk assessment activities.

The enterprise architecture concept allows for effective information security risk management, but this is not the only advantage. If business processes are clearly defined, two other goals can be set and achieved:

  1. separation of critical processes, so that in case of failure of one of such processes, the other ones are resilient to such failure;
  2. redundancy of critical process, so that if a critical process fails, the critical activity can be continued by the redundant process.

Tier 3 – information systems

Realization of all business processes is supported by information systems. The information processing happens on the level of information processing system. The vulnerabilities and threats related to information security risk management concern (mainly, more on that later) information processing systems. Also, security measures (called also security controls) are applied to elements of information processing system.

For any business process, all information processing resources needed to execute such process must be defined. This will become a part of the input to the risk assessment phase. And these resources will be a part of the output from risk assessment phase – the assessed (calculated) risks will be associated with the business process and with resources needed to execute such process.

Risk management activities should also be applied throughout the information system development lifecycle. Planning for new information processing systems (or upgrading existing ones) is the excellent time to apply risk assessment and implement security controls at the beginning of information system lifecycle (not as additional measures when such system is already running in the production environment). Such preemptive approach is often unfortunately overlooked.

Next article

In next article, I will start describing in more detail the context establishment phase of the information security risk management process.

References and further reading

Information Security Risk Management – Introduction
Information Security Risk Management Cycle – Overview
ISO 31000:2009: “Risk management — Principles and guidelines” (currently under review)
ISO/IEC 27005: “Information technology — Security techniques — Information security risk management”
NIST SP 800-39: “Managing Information Security Risk: Organization, Missions and Information System View”
NIST SP 800-30 Rev 1: “Guide for Conducting Risk Assessments”