
Risk Assessment Frameworks
Rodney Petersen
Government Relations Officer
Security Task Force Coordinator
EDUCAUSE

Overview
Definition(s) of Risk Management & Risk
Impact(s) of Risk
Enterprise Risk Management
ERM Frameworks
DHS Risk Management Framework
NIST Risk Assessment Framework
STF Risk Assessment Framework

Definition of Risk Management


Risk management is a scientific approach
to dealing with pure risks by anticipating
possible accidental losses and designing
and implementing procedures that
minimize the occurrence of loss or the
financial impact of the losses that do
occur. (Fundamentals of Risk and
Insurance, Vaughan and Vaughan)
Meaning: Risk as uncertainty concerning
the occurrence of a loss.

Risk Equation
Risk = Vulnerability x Threat x Impact (x Probability*)
Vulnerability = an error or weakness in the design, implementation, or operation of a system.
Threat = an adversary that is motivated to exploit a system vulnerability and is capable of doing so.
Impact = the harm (financial, operational, reputational) that results if the threat succeeds in exploiting the vulnerability.
*Probability = the likelihood that the threat actually exploits the vulnerability. In this formulation it is not scored as a separate factor: a capable, motivated adversary (Threat) facing an exploitable weakness (Vulnerability) already determines how likely the loss is.

Types of Risk
Strategic: goals of the organization
Operational: processes that achieve the goals
Financial: safeguarding assets
Compliance: laws and regulations
Reputational: public image

Responses to Risk (by severity and frequency of loss)

                      Frequency: Low     Frequency: High
Severity: High        Transfer           Avoid
Severity: Low         Accept             Accept/Transfer

Enterprise Risk Management (ERM)


A process, effected by an entity's board of directors,
management and other personnel, applied in strategy
setting and across the enterprise, designed to identify
potential events that may affect the entity, and manage
risks to be within its risk appetite, to provide reasonable
assurance regarding the achievement of entity
objectives. (COSO)
A rigorous approach to assessing and addressing the
risks from all sources that threaten the achievement of
an organization's strategic objectives. In addition, ERM
identifies those risks that represent corresponding
opportunities to exploit for competitive advantage.
(Tillinghast-Towers Perrin consultancy group)
Any issue that impacts an organization's ability to meet its
objectives. (Developing A Strategy to Manage
Enterprisewide Risk in Higher Education, NACUBO)

ERM Frameworks
COSO's ERM Integrated Framework
Australia/New Zealand Standard Risk Management
ISO Risk Management - Draft Standard
The Combined Code and Turnbull Guidance
A Risk Management Standard by the Federation of European Risk Management Associations (FERMA)

COSO Integrated Control Framework

Committee of Sponsoring Organizations of the Treadway Commission (COSO)

COSO's ERM Integrated Framework
Entity objectives can be viewed in the context of four categories:
Strategic
Operations
Reporting
Compliance
ERM considers activities at all levels of the organization:
Enterprise-level
Division or subsidiary
Business unit processes
Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Australia/New Zealand Standard (AS/NZS 4360:2004) Risk Management

ISO Risk Management Draft Standard

The Combined Code and Turnbull Guidance
Risk assessment questions from the guidance:
Does the company have clear objectives and have they
been communicated so as to provide effective direction
to employees on risk assessment and control issues?
For example, do objectives and related plans include
measurable performance targets and indicators?
Are the significant internal and external operational,
financial, compliance and other risks identified and
assessed on an ongoing basis? These are likely to
include the principal risks identified in the Operating and
Financial Review.
Is there a clear understanding by management and
others within the company of what risks are acceptable
to the board?

A Risk Management Standard by the Federation of European Risk Management Associations (FERMA)

Risk Management Framework for Critical Infrastructure Protection
National Infrastructure Protection Plan, 2006

NIST Risk Management Framework

The framework is a continuous cycle. Each step below names the NIST publication(s) that guide it; CATEGORIZE is the starting point.

1. CATEGORIZE Information System (FIPS 199 / SP 800-60): define the criticality/sensitivity of the information system according to the potential impact of loss.
2. SELECT Security Controls (FIPS 200 / SP 800-53): select baseline (minimum) security controls to protect the information system; apply tailoring guidance as appropriate.
3. SUPPLEMENT Security Controls (SP 800-53 / SP 800-30): use risk assessment results to supplement the tailored security control baseline as needed to ensure adequate security and due diligence.
4. DOCUMENT Security Controls (SP 800-18): document in the security plan the security requirements for the information system and the security controls planned or in place.
5. IMPLEMENT Security Controls (SP 800-70): implement security controls; apply security configuration settings.
6. ASSESS Security Controls (SP 800-53A): determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements).
7. AUTHORIZE Information System (SP 800-37): determine risk to agency operations, agency assets, or individuals and, if acceptable, authorize information system operation.
8. MONITOR Security Controls (SP 800-37 / SP 800-53A): continuously track changes to the information system that may affect security controls and reassess control effectiveness.

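The CATEGORIZE and SELECT steps are mechanical enough to script, which also makes the categorization auditable. The Python below is an added example, not code from NIST or from the slides: it applies the FIPS 199 high-water-mark rule (for each security objective, take the highest impact level among the information types the system handles; FIPS 200 then takes the highest of the three objectives as the system impact level) and picks the matching SP 800-53 baseline as the starting point for tailoring. The information types and their impact levels are constructed for illustration, and the `InfoType` class and function names are this example's own.

```python
"""FIPS 199 categorization and SP 800-53 baseline selection.

Added example (not from NIST or the slides). The information types below are
constructed for illustration; class and function names are this example's own.
"""
from dataclasses import dataclass

# Impact levels in increasing order; the index is the rank, so
# max(..., key=_rank) yields the high-water mark.
LEVELS = ("low", "moderate", "high")
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type the system stores or processes, with its
    provisional FIPS 199 impact level for each security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _rank(level):
    """Validate an impact level and return its position in LEVELS."""
    if level not in LEVELS:
        raise ValueError(f"unknown impact level: {level!r} (expected one of {LEVELS})")
    return LEVELS.index(level)


def categorize(info_types):
    """FIPS 199: the system's security category is, for each objective, the
    highest impact level assigned to any information type the system handles."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    return {
        obj: max((getattr(t, obj) for t in info_types), key=_rank)
        for obj in OBJECTIVES
    }


def format_category(category):
    """Render the category in the FIPS 199 notation SC = {(objective, LEVEL), ...}."""
    parts = ", ".join(f"({obj}, {category[obj].upper()})" for obj in OBJECTIVES)
    return "SC system = {" + parts + "}"


def system_impact_level(category):
    """FIPS 200: the overall impact level is the high-water mark across the
    three objectives; it decides which control baseline applies."""
    return max(category.values(), key=_rank)


def select_baseline(impact_level):
    """SP 800-53 defines a Low, a Moderate and a High control baseline; the
    SELECT step starts from the one matching the system impact level, then
    tailors it."""
    _rank(impact_level)  # reject anything outside the three defined levels
    return f"SP 800-53 {impact_level.capitalize()} baseline"


# Constructed sample: a hypothetical campus system carrying three information types.
SAMPLE_INFO_TYPES = [
    InfoType("student records", "moderate", "moderate", "low"),
    InfoType("public course catalog", "low", "low", "moderate"),
    InfoType("payroll", "moderate", "high", "moderate"),
]


if __name__ == "__main__":
    category = categorize(SAMPLE_INFO_TYPES)
    level = system_impact_level(category)
    print(format_category(category))
    print("system impact level:", level)
    print("starting point for SELECT:", select_baseline(level))
```

Note that a single high-integrity information type (payroll in the constructed sample) pulls the whole system to the High baseline, which is the intended effect of the high-water mark: the system is protected for its most sensitive content, and any relaxation has to be argued explicitly during tailoring rather than falling out of an average.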
Security Task Force Risk Assessment Framework
Purpose of Framework: to provide a high-level overview
on the subject of conducting a risk assessment of
information systems within higher education.
Points to Consider:
Risk Assessment (RA) is an ongoing process
RA requires strong commitment from senior administration and
collaboration between cross-functional units
RA is part of strategic and continuity planning
RA requires planning and strategy that systematically increases
the scope
RA needs to become a part of the culture of the university
community
Effective Risk Management (RM) practices require a "risk aware"
culture
Effective RM can provide the basis for prioritizing and resolving
possible funding conflicts
Policy supporting ongoing risk assessment should be developed

Phases of Risk Assessment
Phase 0: Establish Risk Assessment Criteria for
the Identification and Prioritization of Critical
Assets (a one-time process)
Phase 1: Develop Initial Security Strategies
Phase 2: Technological View - Identify
Infrastructure Vulnerabilities
Phase 3: Risk Analysis - Develop Security
Strategy and Plans

Phase 0: Establish Risk Assessment Criteria
Goal: to quickly establish the overall criteria for
the identification of critical data assets and their
appropriate priority level and to obtain senior
management's perspective on issues of strategic
importance.
Process 1: Establish Risk Assessment Criteria
Process 2: Apply the Critical Asset Criteria to
Classify Data Collections and Related
Resources

Phase 1: Develop Initial Security Strategies
Goal: Once the information assets have been classified,
strategic planning for the rest of the risk management
process can begin. Vulnerabilities can be identified, and
the process of mitigating the threats that can exploit
those vulnerabilities can begin. An institution can decide
to specifically focus on the very highest risks, or it may
decide to focus first on mitigating risks broadly (or both).
The mere process of bringing management together to
discuss the organization's strategy about risk mitigation
can be extremely fruitful.
Process 1: Strategic Perspective - Senior Management
Process 2: Operational Perspective - Departmental
Management
Process 3: Practice Perspective - Staff
Process 4: Consolidated View of Security Requirements

Phase 2: Identify
Infrastructure Vulnerabilities
Goal: To identify areas of potential
exposure associated with the systems
architecture.
Process 1: Evaluation of Key Technology
Components
Process 2: Evaluation of Selected
Technology Components

Phase 3: Develop Security Strategy and Plans
Goal: After identifying key information systems resources and
evaluating the degree of vulnerability of those systems,
determine (qualitatively or quantitatively) the level of risk associated
with each system and system component. This information may then be
used to prioritize the allocation of resources to ensure appropriate
mitigation of the highest risks and to make appropriate management
decisions about the degree of risk that the organization will be
willing to accept.
Process 1: Risk Assessment
Steps
1. Assess the potential impact of threats (and vulnerabilities) to
critical assets (qualitative and/or quantitative)
2. Evaluate the likelihood of occurrence of the threats (high,
medium, low)
3. Create a consolidated analysis of risks, based on the impact
value to critical assets and the likelihood of occurrence
Process 2: Protection Strategy and Mitigation Plans
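The three steps of Process 1, together with the severity/frequency matrix from the "Responses to Risk" slide earlier in the deck, can be carried out over a small risk register in a few dozen lines. The Python below is an added example and not the Security Task Force's own material: it normalises qualitative and quantitative impact estimates onto the same high/medium/low scale (step 1), multiplies by the likelihood rank (step 2), produces one ranked table (step 3), and suggests a response from the slide's 2x2. The register entries, the dollar thresholds, and the decision to collapse "medium" onto the low band of the two-level matrix axes are assumptions of this example, as are the `Risk` class and function names.

```python
"""Phase 3, Process 1: consolidate impact and likelihood into a ranked risk list
and suggest a response from the severity/frequency matrix.

Added example (not the Security Task Force's own material). The risk register,
the dollar thresholds and the collapsing of "medium" onto the matrix's two-level
axes are assumptions of this example.
"""
from dataclasses import dataclass

# Qualitative scale used by step 2 (high, medium, low).
LEVELS = {"low": 1, "medium": 2, "high": 3}

# Constructed thresholds for turning a quantitative impact (estimated loss in
# dollars) into a qualitative level so both kinds of estimate can be compared.
IMPACT_THRESHOLDS = ((1_000_000, "high"), (100_000, "medium"), (0, "low"))

# The 2x2 from the "Responses to Risk" slide: (severity, frequency) -> response.
RESPONSE_MATRIX = {
    ("high", "low"): "Transfer",
    ("high", "high"): "Avoid",
    ("low", "low"): "Accept",
    ("low", "high"): "Accept/Transfer",
}


@dataclass(frozen=True)
class Risk:
    asset: str       # critical asset identified in Phase 0
    threat: str      # threat or vulnerability identified in Phase 2
    impact: object   # "low" | "medium" | "high", or an estimated loss in dollars
    likelihood: str  # "low" | "medium" | "high"


def _level(name):
    """Validate a qualitative level name."""
    if name not in LEVELS:
        raise ValueError(f"unknown level: {name!r} (expected one of {tuple(LEVELS)})")
    return name


def impact_level(impact):
    """Step 1: normalise a qualitative or quantitative impact estimate to a level."""
    if isinstance(impact, str):
        return _level(impact)
    if impact < 0:
        raise ValueError("a loss estimate cannot be negative")
    for floor, level in IMPACT_THRESHOLDS:
        if impact >= floor:
            return level
    return "low"  # not reached: the 0 floor always matches


def risk_score(risk):
    """Steps 1 and 2 combined: impact rank times likelihood rank (1..9)."""
    return LEVELS[impact_level(risk.impact)] * LEVELS[_level(risk.likelihood)]


def response_for(risk):
    """Map a risk onto the slide's 2x2. Assumption: only a high impact counts as
    high severity and only a high likelihood as high frequency; medium falls
    into the low band of each axis."""
    severity = "high" if impact_level(risk.impact) == "high" else "low"
    frequency = "high" if _level(risk.likelihood) == "high" else "low"
    return RESPONSE_MATRIX[(severity, frequency)]


def consolidate(risks):
    """Step 3: one table of all risks, highest score first. Ties are broken by
    impact so that a severe-but-unlikely event outranks a frequent minor one."""
    rows = [
        {
            "asset": r.asset,
            "threat": r.threat,
            "impact": impact_level(r.impact),
            "likelihood": _level(r.likelihood),
            "score": risk_score(r),
            "response": response_for(r),
        }
        for r in risks
    ]
    rows.sort(key=lambda row: (-row["score"], -LEVELS[row["impact"]], row["asset"]))
    return rows


# Constructed register for a hypothetical campus; none of these are real findings.
SAMPLE_REGISTER = [
    Risk("student information system", "unpatched web application exploited", "high", "high"),
    Risk("research data share", "ransomware encrypts shared storage", 2_500_000, "medium"),
    Risk("campus wifi", "credential interception on open network", "medium", "high"),
    Risk("public website", "defacement", 20_000, "medium"),
    Risk("library catalog", "hardware failure with no spare", 150_000, "low"),
]


if __name__ == "__main__":
    for row in consolidate(SAMPLE_REGISTER):
        print(f"{row['score']:>2}  {row['impact']:<7} {row['likelihood']:<7} "
              f"{row['response']:<16} {row['asset']}: {row['threat']}")
```

The output of this table is the input to Process 2: the top rows are where mitigation spending goes first, and the "Accept" rows are the residual risk that management signs off on explicitly. Whatever thresholds and tie-break an institution adopts, they belong in the Phase 0 criteria so the ranking is reproducible from one assessment to the next rather than depending on who ran it.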

Conclusion
It is important to note that this is a process
that has no finish line. While a risk
assessment - the process of identifying
and quantifying risks - might take place on
an infrequent basis (e.g., annually), the
risk management process - the ongoing
process of mitigating the risks to the
organization - should be ingrained into the
institution's culture to be most effective.
