1. The process of risk management
In its most basic form, the risk management process is closed loop, or iterative, providing a feedback mechanism for continuous
process improvement. The current ISO17799-3 standard addresses the application of this process as an information security
technique. A process-based ISMS provides the framework within which to implement this technique.
2. Information Security Program
A comprehensive information security program should address strategic, tactical, and operational risk. An information security program is a strategic risk initiative, managed by a tactical risk-based ISMS. This structure allows ready identification and mitigation of operational risk. For example:
• The scope of strategic risk is enterprisewide and focused on the risk-mitigating services required by the enterprise.
• The scope of tactical risk is programwide and focused on the risk-mitigating processes required by the strategic services.
• The scope of operational risk is based upon a discrete domain that stores, transmits, or processes information in any form. This domain-specific risk is focused on the people, procedures, and products that integrate into the risk-mitigating process.
3. Threat Forecasting
Threats are negative events that occur when a vulnerability or weakness is exploited. Threat forecasting is a proactive process to
predict future risk based upon identified or perceived vulnerability. Threats span the organization at all levels.
• Threats may be strategic, or enterprisewide, such as regulatory noncompliance.
• Threats may be tactical, based upon organizational vulnerabilities, such as ineffective programs.
• Threats may be operational, based upon technical vulnerabilities.
Threat forecasting examines multiple information sources or sensors. Threat sensors may include:
• Legal or regulatory analysts
• Program reviews
• Technical bulletins from vendors or analysts
The potential rate of change to the threat environment must be considered and may drive the frequency of triggering the threat
forecasting processes. For example, a strategic threat such as noncompliance with emerging regulations typically has a longer
tolerable reaction time than an operational threat such as emerging technical vulnerabilities.
4. Risk Assessment
The processes of threat forecasting and incident evaluation identify relevant threats and vulnerabilities. However, relevant
threats and vulnerabilities are not necessarily risks. Identified threats and vulnerabilities must be quantified to determine the
existence and magnitude of risk within the applicable environment. Quantified risk allows for defensible prioritization of
remediation efforts as well as informed-choice (defensible) decision making.
Assessment Scope
• Strategic Assessment: Strategic risk assessments look at enterprise business processes that span multiple domains. Not all assessed business processes have information risk.
• Tactical Assessment: Tactical risk assessments look at the ability of the information security program to identify and mitigate relevant strategic risk to information.
• Operational Assessment: Operational risk assessments look at a domain’s ability to meet tactical control objectives in protecting specific information assets. Technical vulnerability assessments are an example of a specifically focused type of operational risk assessment.
5. Risk Tolerance
Having identified and evaluated the risks attached to specific vulnerabilities, the risks must be addressed. Decisions on risk are
based upon the organization’s risk tolerance thresholds and include the following options.
• Avoid Risk: Risk may possibly be avoided, for example, by relocating a data center.
• Accept Risk: Risk may be accepted, although diligence requires care regarding:
  – Who is authorized to accept what level of risk
  – How risk acceptance is based upon informed-choice decision making
  – Whether the aggregation of accepted risk remains tolerable
• Transfer Risk: Risk may be transferred to someone with a higher risk tolerance, for example, an insurance company.
6. Mitigate Risk
Risk may be mitigated to an acceptable level through the application of compensating controls. It is not practical to eliminate risk completely, only to reduce risk to an acceptable level.
Control Objectives
Control objectives serve as the glue to bind specific vulnerabilities to specific controls. Defining control objectives is the first step in deriving the corresponding control requirements to mitigate the risk associated with the vulnerability. Control objectives give a risk-based justification to the allocation of resources.
Selection of Controls
• Discretionary Controls: Discretionary controls are controls that can weigh cost versus benefits. In general, the cost of mitigating a risk needs to be balanced by the benefits obtained. This is essentially a cost–benefit analysis of “at what cost” the risk is acceptable. It is important to consider all direct and indirect costs and benefits, whether tangible or intangible and measured in financial or other terms. More than one option can be considered and adopted either separately or in combination. For example, mitigating controls such as support contracts may reduce risk to a certain degree, with residual risk transferred via appropriate insurance or risk financing.
• Mandatory Controls: Mandatory controls differ from discretionary controls in that cost has no bearing on the selection of mandatory controls. These are controls that must be implemented to mitigate specific risks. There may be no risk acceptance option due to legal and regulatory requirements, for example.
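The following Python script is an added worked example, not part of the original document, tying together the quantification step of section 4, the tolerance decisions of section 5, and the mandatory/discretionary distinction of section 6. Everything concrete in it is an assumption made for illustration: the likelihood-times-impact scoring on 1–5 ordinal scales, the approver limits, the treatment rules (mandatory controls always mitigate regardless of cost; discretionary controls go through a cost–benefit check; severe-impact risks with no cost-justified control are avoided, others transferred), and the register entries R1–R7 are all constructed.

```python
"""Quantify, prioritize and treat a constructed risk register.

Added example; the scoring scheme, thresholds and register are assumptions
for illustration and are not taken from any standard.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    ident: str
    level: str                   # strategic | tactical | operational
    likelihood: int              # 1 (rare) .. 5 (near certain), assumed scale
    impact: int                  # 1 (negligible) .. 5 (severe), assumed scale
    mandatory: bool = False      # legal/regulatory driver: no acceptance option
    mitigation_cost: float = 0.0  # annual cost of the candidate control
    expected_loss: float = 0.0    # annual loss the control would prevent

    @property
    def score(self) -> int:
        # Assumed quantification: likelihood x impact, giving a 1..25 scale.
        return self.likelihood * self.impact


@dataclass
class Tolerance:
    accept_ceiling: int          # highest score acceptable without treatment
    aggregate_ceiling: int       # highest tolerable sum of accepted scores
    approver_limits: dict        # role -> highest score that role may accept


def prioritize(findings):
    """Rank by quantified risk, highest first, giving a defensible remediation order."""
    return [f.ident for f in sorted(findings, key=lambda f: (-f.score, f.ident))]


def decide(f: Finding, tol: Tolerance, role: str) -> str:
    """Choose one option: mitigate | accept | escalate | avoid | transfer."""
    if f.mandatory:
        return "mitigate"            # cost has no bearing on mandatory controls
    if f.score <= tol.accept_ceiling:
        if tol.approver_limits.get(role, 0) >= f.score:
            return "accept"
        return "escalate"            # this role is not authorized for that level
    # Discretionary control: the cost-benefit comparison decides.
    if f.mitigation_cost <= f.expected_loss:
        return "mitigate"
    if f.impact >= 4:
        return "avoid"               # assumed rule: severe impact, no justified control
    return "transfer"                # e.g. insurance or risk financing


def treat(findings, tol: Tolerance, role: str) -> dict:
    """Apply decisions and check that the aggregate of accepted risk stays tolerable."""
    decisions = {f.ident: decide(f, tol, role) for f in findings}
    accepted = sum(f.score for f in findings if decisions[f.ident] == "accept")
    return {
        "priority": prioritize(findings),
        "decisions": decisions,
        "accepted_total": accepted,
        "aggregate_tolerable": accepted <= tol.aggregate_ceiling,
    }


# Constructed register (hypothetical entries, not real findings).
REGISTER = [
    Finding("R1", "strategic", 3, 5, mandatory=True),                      # emerging regulation
    Finding("R2", "tactical", 2, 3, mitigation_cost=40_000, expected_loss=10_000),
    Finding("R3", "operational", 4, 2, mitigation_cost=5_000, expected_loss=20_000),
    Finding("R4", "operational", 1, 2),
    Finding("R5", "operational", 2, 2),
    Finding("R6", "operational", 3, 4, mitigation_cost=90_000, expected_loss=30_000),
    Finding("R7", "operational", 4, 3, mitigation_cost=50_000, expected_loss=20_000),
]
TOLERANCE = Tolerance(accept_ceiling=6, aggregate_ceiling=8,
                      approver_limits={"domain_owner": 4, "ciso": 12})

if __name__ == "__main__":
    for role in ("domain_owner", "ciso"):
        result = treat(REGISTER, TOLERANCE, role)
        print(role, result["priority"], result["decisions"],
              "accepted total:", result["accepted_total"],
              "tolerable:", result["aggregate_tolerable"])
```

Running it with the two roles shows the aggregation point from section 5: the domain owner cannot accept R2 (score 6 exceeds the owner's limit of 4), so it is escalated and the accepted total stays within the ceiling; the CISO is authorized to accept R2 individually, but doing so pushes the sum of accepted scores past the aggregate ceiling, which is exactly the check a risk register needs beyond per-item approval.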
7. Risk Metrics
• Process Metrics: A process by definition has a CSF (critical success factor) defining the successful execution of the process. The CSF is evaluated via process key performance indicators. Key performance indicators are evaluated via process metrics. Whereas process design deals with process effectiveness, process execution deals with process efficiency. For example, a risk-mitigating operational “incident response” process (a reactive control) has been designed to be tactically effective, but the performance indicators look at operational efficiency factors such as “time to respond.”
• Program Metrics: Program metrics typically measure process effectiveness. These tactical process effectiveness metrics require a “history” against which to measure, with value being enhanced by history length. This type of evaluation is synergistic with maturity modeling, because maturity modeling is by nature history-based.
• Environmental Metrics: Environmental metrics are of value when trying to evaluate an organization’s risk profile and resultant risk strategy. For example, a response process (reactive control) may be triggered frequently, giving insight into the external environment. This metric says nothing about the efficiency or effectiveness of the information security program, but may add justification to its existence or tactics.