
Federal Agencies Lack Proper Security-Related Risk Management Practices

Posted 02-28-2010

In reviewing the final revision of NIST Special Publication (SP) 800-37, Rev. 1, the traditional Certification and Accreditation (C&A) process has been transformed into the Risk Management Framework (RMF). The RMF sets forth a good start for a consensus C&A model and will hopefully provide a change in the traditional approach to C&A, focusing on a more dynamic process that is stateful with the changes in the operational environment and threat vectors.

Given the emphasis in the RMF to promote the concept of near real-time risk management, Federal Agencies will need to become more effective at managing their information system-related security risks. In my observations over the past decade, there have been significant changes in the Federal Government's approach to integrating security into the SDLC. However, in most agencies there still remains a significant gap in the proper use of Risk Management methodologies (i.e., those applied at the top level to manage strategic risks and those used by individuals managing IT projects, which seek to manage tactical risks). Without bridging the gap, information security risks identified and prioritized by federal agencies at the various organizational levels will vary widely, making it more difficult to fully integrate security into an Organization- or Enterprise-Wide Risk Management approach.

The lack of proper Risk Management knowledge (both top-down and bottom-up) prevents the true adoption of a cost-centric Risk Management approach. Organizations must seek to integrate security at multiple organizational tiers (as depicted in NIST SP 800-37, Rev. 1 - Figure 2-1): Organizational Level, Mission/Business Process Level, and Information System Level. The integration of security risk management is not just cataloging the types of risks (human, natural, or environmental) identified through a NIST 800-30 risk identification model, but instead requires a broader viewpoint of security-related risk to ensure the risk strategy established by the senior leadership can be used to manage the risks at the strategic level. Additionally, agencies need to have a mature process to prioritize security risks within each information system supporting the business/mission. A mature risk prioritization process starts with developing a consensus between the various levels of the organization, thereby using the risk priorities to drive investment in mitigations based on a mission-oriented and business-oriented focus.

Therefore, NIST should place emphasis on their Phase I FISMA Implementation Schedule (http://csrc.nist.gov/groups/SMA/fism...hedule-v43.pdf) to change the date of the Risk Assessment Guide (NIST 800-30, Rev. 1) to an earlier date that would coincide with the publication of NIST SP 800-39 ("Integrating Enterprise-Wide Risk Management: Organization, Mission, and Information System View"). Without an adequately skilled workforce that understands how to effectively identify, prioritize and communicate risks, agencies will not be able to determine which risks exceed the organization's threshold for risk acceptance.

There are several instances in NIST 800-53 that focus on risk as a tool for managing the implementation of security controls. However, most security professionals supporting agencies are not properly trained to adequately present risk. Risk is not always used to make the decision of how to prioritize the mitigations associated with weaknesses or deficiencies. Information security professionals tend to present a horizontal picture (or tactical viewpoint) to Authorizing Officials rather than a holistic picture from a Risk Executive (a group or individual that prioritizes risk based on the organization's strategic viewpoint). The lack of proper risk professionals that can bridge the gap will never allow organizations to fully satisfy the Risk Executive (Function) as defined in the NIST SP 800-37, Rev. 1 - Roles and Responsibilities. Until there are well-trained risk management professionals that can bridge the gap, organizations will continue to operate under two approaches to risk management (strategic and tactical).
