Selecting a Risk Management Framework for Your Organization

Why would you want a risk management framework, and how would your organization benefit from one? These questions can be answered in many ways. A risk management framework provides a road map of security controls that should be considered to reduce an organization's risk. It can help an organization evaluate the maturity of the security controls that they have implemented. Another benefit is the ability to demonstrate due diligence in securing your customer's data.

At its most basic, a framework can be defined as the underlying and supporting structure of something. Using that definition, it's simple enough to extend it by saying that a Risk Management Framework (RMF) is a specialized structure put in place to manage an organization's level of risk.

A core concept among frameworks is that they depict the interaction of people, processes, and technology within a specific environment. Along with those interactions comes the concept of oversight, which is the definition of roles, responsibilities, governance, and reporting.

RMFs define how people leverage processes to manage technology, ensure oversight, and reduce an organization's risk exposure.

Frameworks such as ISO, NIST, and RISK IT are three of the most common approaches for risk management.

It can be challenging for companies to identify which RMF approach is best for their organizations, and how to effectively implement one. Before trying to make a decision on which RMF to pursue, there are several steps that can be taken to improve your odds of a positive outcome.

Regardless of the framework you choose, a key influence on success is the strength of the organization's security culture. Before choosing a framework, spend some time getting people ready by helping them understand the importance of an RMF and the benefits. Investing in a strong security culture will ease the acceptance of the selected RMF. This is also a great time to get executive level buy-in and support.

Take an inventory of the processes you believe to be in place now for the management of risk. As a follow-up activity, rate what you perceive the maturity level of these processes to be: initial, repeatable, defined, capable, or efficient. Later, this will help you understand which framework you might already have some alignment with.

This includes platforms, development tools, software, databases, mobile technology, and architecture. Heading into the RMF evaluation and decision, work to reduce technical debt. These actions will help you manage the scope of what your RMF needs to cover.

Another key component that will influence your RMF decisions are compliance requirements that impact your specific line of business. Some regulatory areas to focus on are GDPR, GLBA, FISMA, HIPAA, and SOX. Many times, a company also needs to be aware of the contractually-based standards such as PCI, SOC1, SOC 2, and HITRUST.

There are many frameworks available, but this guide will focus on several of the more popular ones.

The International Organization for Standardization (ISO) RMF is intended to be a core part of a company's overall IT strategy and operations. Much like change control practices or business continuity planning are embedded within IT, so is the ISO RMF.

ISO addresses risk using the following model:

Context Establishment: Gather relevant information about the organization, purpose, and scope of RM activities

Risk Assessment: Evaluations at discrete time points designed to provide a view of risks

Risk Treatment: Prioritizing, evaluating, and implementing the appropriate controls

Risk Acceptance: Continue to add controls, transfer the remaining risk, or accept

Risk Communication: Establish a common understanding of the risk for all stakeholders

Risk Monitoring: Regularly monitor and review to ensure risk controls are operating as expected

The National Institutes of Standards and Technology (NIST) provides a series of risk management and control frameworks that can be used to your advantage.

Essentially, NIST divides controls into three categories: technical, operational, and management. All of these categories are then addressed using a model based on the key functions described below:

Identify: Establish processes to spot and classify risk and identify controls

Protect: Implementation of controls to reduce or minimize risk

Detect: Issue alerting and identification of control failures

Respond: Structured process for acting on detected issues

Recover: Defined process for bringing failed controls back to acceptable operating parameters

A relatively new entry in the RMF space is ISACA's Risk IT guidelines. Published in 2009, Risk IT aims to provide a comprehensive RMF that links IT risks to business risk.

As highlighted below, the key areas of focus for Risk IT are centered around processes for the governance, evaluation, and response to risk.

Risk Governance: Ensure RM practices are embedded in the enterprise

Risk Evaluation: Process for the identification and analysis of IT-related risks

Risk Response: Plan to ensure that IT-related risk issues and events are handled based on business priorities

Perhaps the best way to approach the decision of which RMF to use is not trying to determine the right framework, but rather the most appropriate one. During your decision-making process, there are some guiding principles that can be used to help answer the difficult questions you'll face.

There is no perfect match, but in each framework and model there will be areas where your organization will align to different degrees.

This includes regulatory and compliance concerns. Make sure that the framework you choose is sufficient to address the requirements you may face in these areas.

The decision made when selecting and implementing a RMF cuts across many organizational boundaries and silos. A coordinated effort is needed if the implementation is to be successful.

A standard is an accepted way of implementing something; it defines how something should be done. Frameworks provide an actionable guide on what to do, but they don't get into the details of how to do it. Think of it in terms of laying out the requirements that your organization will later execute on. As you evaluate a RMF, make sure you view it from the perspective of how the framework sets the objectives and defines the controls that should be in place.

Select a framework and then adjust it to fit your needs. Don't be afraid to consider using different frameworks for different areas of your business. Oftentimes, a parent company may align with one framework, while another framework makes more sense for a subsidiary company.

Selecting an RMF is a challenge, but one that can be overcome with the right level of planning, preparation, and analysis of options. There is no single correct answer regarding which framework is best for a given organization. Instead, each framework needs to be understood and the qualities of each framework compared against an organization's goal and objectives in implementing a RMF.