Rodney Petersen
Government Relations Officer
Security Task Force Coordinator
EDUCAUSE
Overview
Definition(s) of Risk Management & Risk
Impact(s) of Risk
Enterprise Risk Management
ERM Frameworks
DHS Risk Management Framework
NIST Risk Assessment Framework
STF Risk Assessment Framework
Risk Equation
Risk = Vulnerability x Threat x Impact (*Probability)
Vulnerability = an error or a weakness in the design, implementation, or operation of a system.
Threat = an adversary that is motivated to exploit a system vulnerability and is capable of doing so.
Impact = the likelihood that a vulnerability will be exploited or that a threat may become harmful.
*Probability = likelihood already factored into impact.
Types of Risk
Strategic - Goals of the Organization
Operational - Processes that Achieve Goals
Financial - Safeguarding Assets
Compliance - Laws and Regulations
Reputational - Public Image
Responses to Risk
(matrix: severity of the risk against frequency of occurrence)

                  Frequency: Low     Frequency: High
Severity: High    Transfer           Avoid
Severity: Low     Accept             Accept/Transfer
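As an added worked example (not part of the presentation), the following Python script applies Risk = Vulnerability x Threat x Impact to a small risk register and then picks a response from the severity/frequency matrix above. It goes slightly beyond the slide by scoring and ranking several risks at once. The 0..1 scales for each factor, the severity and frequency cut-offs, the events-per-year field and the sample register are assumptions made for illustration; none of them come from the slides.

```python
"""Risk register scorer: Risk = Vulnerability x Threat x Impact, plus the
severity/frequency response matrix. Added example; the scales, cut-offs
and the sample register below are constructed assumptions."""
from dataclasses import dataclass

# Response matrix from the slide, keyed by (severity, frequency).
RESPONSES = {
    ("High", "Low"): "Transfer",
    ("High", "High"): "Avoid",
    ("Low", "Low"): "Accept",
    ("Low", "High"): "Accept/Transfer",
}

# Assumed cut-offs (not from the slides): an impact score of 0.5 or more
# on a 0..1 scale counts as High severity; one or more expected events per
# year counts as High frequency.
SEVERITY_CUTOFF = 0.5
FREQUENCY_CUTOFF = 1.0


@dataclass(frozen=True)
class Risk:
    name: str
    vulnerability: float    # 0 = no weakness, 1 = trivially exploitable
    threat: float           # 0 = no motivated, capable adversary, 1 = certain
    impact: float           # 0 = no harm, 1 = worst case for the organisation
    events_per_year: float  # expected frequency of the harmful event (assumed field)

    def __post_init__(self):
        # Reject scores outside the assumed 0..1 scale early, so a typo in the
        # register cannot silently inflate or zero out a risk.
        for field in ("vulnerability", "threat", "impact"):
            value = getattr(self, field)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{field} must be in [0, 1], got {value}")
        if self.events_per_year < 0:
            raise ValueError("events_per_year must be non-negative")


def risk_score(r: Risk) -> float:
    """Risk = Vulnerability x Threat x Impact. The product is multiplicative,
    so any factor at zero (e.g. no vulnerability) drives the whole risk to zero,
    however severe the potential impact."""
    return r.vulnerability * r.threat * r.impact


def response_for(r: Risk) -> str:
    """Place the risk in the severity/frequency matrix and return the response."""
    severity = "High" if r.impact >= SEVERITY_CUTOFF else "Low"
    frequency = "High" if r.events_per_year >= FREQUENCY_CUTOFF else "Low"
    return RESPONSES[(severity, frequency)]


def rank_register(register):
    """Return (name, score, response) tuples, highest-scoring risk first."""
    rows = [(r.name, round(risk_score(r), 3), response_for(r)) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register; the numbers are illustrative only.
SAMPLE_REGISTER = [
    Risk("Unpatched public web server", 0.9, 0.8, 0.7, 4.0),
    Risk("Lost unencrypted laptop", 0.6, 0.5, 0.8, 0.5),
    Risk("Phishing of staff mailboxes", 0.7, 0.9, 0.3, 12.0),
    Risk("Patched legacy app (no known weakness)", 0.0, 0.9, 0.9, 0.1),
]

if __name__ == "__main__":
    for name, score, response in rank_register(SAMPLE_REGISTER):
        print(f"{score:5.3f}  {response:15s} {name}")
```

Note how the last entry ranks at zero risk despite a high impact: with no vulnerability the equation gives nothing for a threat to exploit, which is exactly the argument for fixing weaknesses rather than only reducing impact. The matrix placement, by contrast, depends only on impact and frequency, so the same entry still lands in the "Transfer" cell; keeping both views side by side shows why the score alone is not a response decision.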
ERM Frameworks
COSO's ERM Integrated Framework
Australia/New Zealand Standard Risk Management
ISO Risk Management - Draft Standard
The Combined Code and Turnbull Guidance
A Risk Management Standard by the Federation of European Risk Management Associations (FERMA)
COSO Integrated Control Framework
COSO's ERM Integrated Framework
Entity objectives can be viewed in the context of four categories:
Strategic
Operations
Reporting
Compliance
ERM considers activities at all levels of the organization:
Enterprise-level
Division or subsidiary
Business unit processes
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
CATEGORIZE Information System
Define criticality / sensitivity of information system according to potential impact of loss
SELECT Security Controls
Select baseline (minimum) security controls to protect the information system; apply tailoring guidance as appropriate
SUPPLEMENT Security Controls (SP 800-53 / SP 800-30)
DOCUMENT Security Controls (SP 800-18)
Document in the security plan the security requirements for the information system and the security controls planned or in place
IMPLEMENT Security Controls (SP 800-70)
Implement security controls; apply security configuration settings
ASSESS Security Controls (SP 800-53A)
Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements)
AUTHORIZE Information System (SP 800-37)
MONITOR Security Controls
Continuously track changes to the information system that may affect security controls and reassess control effectiveness
Phases of Risk Assessment
Phase 0: Establish Risk Assessment Criteria for the Identification and Prioritization of Critical Assets (a one-time process)
Phase 1: Develop Initial Security Strategies
Phase 2: Technological View - Identify Infrastructure Vulnerabilities
Phase 3: Risk Analysis - Develop Security Strategy and Plans
Phase 2: Identify Infrastructure Vulnerabilities
Goal: To identify areas of potential exposure associated with the systems architecture.
Process 1: Evaluation of Key Technology Components
Process 2: Evaluation of Selected Technology Components
Conclusion
It is important to note that this is a process that has no finish line. While a risk assessment - the process of identifying and quantifying risks - might take place on an infrequent basis (e.g., annually), the risk management process - the ongoing process of mitigating the risks to the organization - should be ingrained into the institution's culture to be most effective.