Learning Objectives
By the end of this section, you will be able to:
- Identify the key components and principles of an effective ISRM strategy
- Describe various compliance frameworks and regulations related to information security and risk management and how they are used
- Develop a comprehensive risk management plan
- Determine the importance of continuous monitoring and improvement of the ISRM strategy
It is essential for today’s organizations to have a well-crafted information security and risk management (ISRM) strategy, which is a structured approach to managing an organization’s security processes, tools, and policies to mitigate risk. Organizations may be attracted to the capabilities of emerging technologies, but they must also recognize that it is imperative for them to safeguard their physical and digital assets. Not only does a well-structured ISRM strategy protect against data breaches and cyberattacks, it also serves as a mechanism for managing the organization’s overall risk exposure.
Key Objectives, Principles, and Components of ISRM Strategy
ISRM does not merely involve deploying the latest security technologies or adhering to compliance regulations, although these are important. Its primary purpose is to develop a coherent set of practices to protect an organization’s informational assets and data infrastructure. A robust ISRM strategy aims to achieve three fundamental objectives: to safeguard organizational assets, to prevent data breaches and cyberattacks, and to reduce overall risk exposure. These objectives are embedded into the core components and principles that define the ideal ISRM strategy.
With cybercriminals employing increasingly sophisticated techniques, from social engineering to advanced malware, the need for proactive cyber defense mechanisms has also been increasing. These mechanisms should ideally include, but not be limited to, network monitoring, penetration testing, and employee training on cybersecurity best practices. A proactive approach can significantly reduce the probability of a successful attack, thereby preserving stakeholder trust and ensuring data integrity.
Another objective of ISRM is to reduce an organization’s overall risk exposure. This involves not only implementing technological solutions, but also facilitating a cultural shift within the organization toward prioritizing cybersecurity. By conducting regular risk assessments, adopting a layered security approach, and encouraging a culture of cybersecurity awareness, organizations can significantly mitigate the risks they face. In doing so, organizations can protect their assets while simultaneously positioning themselves favorably in a competitive market where consumers and clients are becoming increasingly savvy about data security. To establish and maintain an effective ISRM strategy, several core components must be diligently addressed and continually refined. These include risk assessment, policy development, control implementation, training and awareness, monitoring and auditing, and response and recovery.
Risk Assessment
Risk assessment involves identifying potential threats and vulnerabilities, and the impact they could have on an organization’s assets. It requires a thorough understanding of the organization’s infrastructure, data, and business processes. By employing methodologies such as threat modeling and vulnerability assessments, organizations can prioritize risks based on their likelihood and potential impact, enabling them to allocate resources more effectively.
Policy Development
Policy development follows risk assessment as a critical step in articulating the organization’s stance on various security issues. Policies provide a formal set of guidelines that dictate how assets should be protected and how security incidents should be managed. These policies should be clear, concise, and easily understandable, ensuring that all stakeholders, from the CEO to the newest employee, are on the same page regarding security expectations and responsibilities. Additionally, IT managers should ensure that the organization maintains adequate documentation such as acknowledgment forms and training records to track employee training.
Control Implementation
Control implementation involves putting into place the necessary safeguards to mitigate identified risks. These controls can be administrative (policies and procedures), technical (such as firewalls and encryption), or physical (like security cameras and access controls). The key is to establish a balanced mix of these controls to create a multilayered security environment. The effectiveness of these controls should also be reviewed regularly to ensure they are performing as intended.
Training and Awareness
Training and awareness programs are essential for cultivating a culture of security within an organization. Employees are often the first line of defense against cyber threats, so it is vital that they are equipped with the knowledge and tools they need to recognize and respond to potential security incidents. Regular training sessions, coupled with awareness campaigns, can significantly reduce the risk of human error, which is a leading cause of data breaches.
Monitoring and Auditing
Monitoring and auditing are crucial for maintaining visibility over the organization’s security posture. Continuous monitoring of network traffic, user activities, and system configurations ensures that any anomalous behavior can be detected and addressed promptly. Auditing provides a retrospective analysis, helping to uncover security lapses and ensure compliance with relevant laws and policies.
Response and Recovery
Finally, response and recovery involve being prepared to act when a security incident occurs. An organization should have in place a plan for incident response, which is a predetermined set of procedures and steps taken to identify, investigate, and respond to a potential security incident. After identifying the breach, an organization should have procedures for containing the threat, eradicating the malicious elements, and recovering any lost data. Post-incident analysis is also important, as it provides insights that can be used to strengthen the organization’s defenses against future attacks.
By effectively addressing these core components, organizations can build a resilient ISRM strategy that can protect their assets, maintain stakeholder trust, and ensure the continuity of their operations. Each component is important, and only when they are seamlessly integrated can an organization truly safeguard itself in the digital age.
Compliance Frameworks and Regulations Related to ISRM
In the context of ISRM, a compliance framework is a set of guidelines and best practices designed to help an organization comply with legal, regulatory, and technical standards. It serves as the foundation of secure and resilient organizational practices. These frameworks provide a structured set of guidelines and best practices that are designed to aid organizations in safeguarding their digital assets and ensuring their adherence to the CIA triad. Additionally, these frameworks help to establish a foundation for security practices, aligning organizational processes with industry standards and thus ensuring legal and regulatory compliance.
For organizations aiming to support their security posture and maintain the trust of their stakeholders, adhering to regulations not only mitigates the risk of legal repercussions, but also fosters a culture of continuous improvement and due diligence in security practices.
Table 5.4 shows some of the frameworks that are often used to provide guidance for stakeholders as they seek to stay within the boundaries and laws of their organization’s host government.
Framework | Description |
---|---|
ISO/IEC 27001 Information Security Management Systems Requirements | |
National Institute of Standards and Technology (NIST) | |
NIST-800-137: NIST Special Publication 800-137, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations” | |
ISO/IEC 27001
ISO/IEC 27001 is a globally recognized standard for the establishment and certification of an information security management system (ISMS), a framework that helps organizations manage their information security by defining policies, procedures, and controls. Developed by the International Organization for Standardization (ISO), ISO/IEC 27001 sets out the criteria for assessing and treating information security risks tailored to the needs of the organization. The standard encompasses both the technical and organizational aspects of information security, ensuring an integrated approach.
The significance of ISO/IEC 27001 lies in its universal applicability across industries and organizations of any size. It provides a robust framework that helps organizations secure their information assets, enhance their resilience against cyber threats, and establish trust with stakeholders. By achieving certification, organizations demonstrate their commitment to information security, which can lead to competitive advantages, improved client relationships, and compliance with legal and regulatory requirements.
The ISO/IEC 27001 standard is structured into ten main clauses, with the last six dedicated to the ISMS requirements:18
- Scope: Defines the boundaries and applicability of the ISMS
- Normative references: Lists the standards referenced in ISO 27001
- Terms and definitions: Clarifies the terminology used in the standard
- Context of the organization: Explains the internal and external factors that can impact the ISMS
- Leadership: Emphasizes the importance of top management’s involvement and the establishment of an information security policy
- Planning: Covers risk assessment and the process of establishing information security objectives
- Support: Encompasses resources, competence, awareness, communication, and documented information
- Operation: Deals with the execution of the processes and controls necessary to manage information security risks
- Performance evaluation: Involves monitoring, measurement, analysis, evaluation, internal audit, and management review
- Improvement: Focuses on continual improvement of the ISMS
Although not one of the clauses, guidance on implementing specific controls is discussed in Annex A.
The principles of ISO/IEC 27001 are organized around a risk-based approach, and this ensures that the ISMS is tailored to the specific risks faced by the organization. The approach promotes a culture of continuous improvement, transparency, and accountability.
National Institute of Standards and Technology
Imagine taking on the role of chief information security officer at a bank, and the CEO asks you, “How secure are we?” How would you approach answering this question, and where could you go to get the information? One place to start would be with the National Institute of Standards and Technology (NIST). NIST is a nonregulatory federal agency within the U.S. Department of Commerce that helps to set standards and guidelines to ensure the security and privacy of information systems. NIST’s contribution to U.S. cybersecurity is significant, as the agency provides resources, best practices, and frameworks to assist organizations in safeguarding their information.
The NIST Special Publications 800 series is a collection of documents that cover various aspects of information security. These publications provide guidelines, recommendations, and best practices to help organizations manage and protect their information systems. Comparing the practices of your hypothetical bank against the guidelines set forth by NIST could help you answer your boss’s question about security. One of the most notable contributions from NIST is the framework for improving critical infrastructure cybersecurity, commonly known as the NIST Cybersecurity Framework. This framework comprises five domains: identify, protect, detect, respond, and recover (refer to Figure 5.7). Each domain involves specific security activities that, when implemented, provide organizations with a strategic view of their cybersecurity posture.
Numerous organizations across different sectors have adopted NIST standards to enhance their cybersecurity practices. For example, a financial institution might align its security policies and procedures with NIST’s best practices to improve its resilience against cyber threats. In the health-care sector, a hospital might use NIST guidelines to secure patient data and ensure HIPAA compliance. These real-world applications demonstrate the versatility and effectiveness of NIST standards in bolstering cybersecurity defenses and fostering a culture of security awareness and compliance.
Other Compliance Frameworks and Regulations
There are several frameworks and regulations in addition to NIST, NIST-800, and ISO/IEC 27001 that guide information security policy within an organization. Many of these depend on the nature of the business, the type of data that is collected, or even the geographic location of the business’s headquarters.
- The Federal Information Security Management Act (FISMA) is a U.S. law that is part of the E-Government Act of 2002. It is designed to bolster information security across federal agencies, and it establishes a comprehensive framework that mandates agencies to develop, document, and implement security programs to protect information and assets. FISMA emphasizes a risk-based policy for cost-effective security, requiring agencies to conduct regular risk assessments, implement security measures, and undergo continuous monitoring. Compliance with FISMA demonstrates an organization’s commitment to protecting governmental information and assets.
- The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted in 2009, represents significant legislation in health information technology and privacy. It aims to promote the adoption and meaningful use of health information technology, while also strengthening the privacy and security provisions of HIPAA. HITECH introduced stricter enforcement of HIPAA rules and increased penalties for noncompliance, emphasizing the need for health-care providers and related entities to safeguard electronic protected health information (ePHI). It also incentivized the implementation of electronic health records (EHRs), marking a transformative step in the modernization of health-care data management and security.
Developing a Comprehensive Risk Management Plan
A risk management plan (RMP) is a strategic document that outlines how risk is assessed, monitored, and mitigated within an organization. An RMP is a critical component in an organization’s information security and risk management strategy. It provides a structured four-stage approach to identifying, assessing, mitigating, and monitoring potential risks that could compromise sensitive data, intellectual property, and other vital assets. This strategic document is crucial for shaping an organization’s cybersecurity posture, guiding the allocation of resources, and prioritizing actions to enhance resilience against cyber threats.
Phase 1: Risk Identification
The initial phase of developing an RMP is identifying potential risks. This process involves using various techniques and tools to uncover vulnerabilities, threats, and potential impact on organizational assets. A strengths, weaknesses, opportunities, and threats (SWOT) analysis is a commonly used method that helps in understanding both internal and external factors that could pose risks. When applied to risk identification in ISRM, SWOT becomes a powerful instrument in the hands of cybersecurity professionals. The SWOT analysis in Figure 5.10 shows how it has been used and adapted to meet the needs of a team assessing their own information security. By evaluating the strengths of an organization, such as robust security policies or advanced technological infrastructure, professionals can form policies that enhance brand value, increase employee awareness to reduce attacks, and make data-informed decisions regarding system upgrades.
The assets at risk in an organization can be vast and varied, including tangible assets such as hardware and intangible assets such as data and intellectual property. Protecting these assets requires a clear understanding of their value and the potential repercussions of any compromise. To aid in this process, a range of tools and technologies is available. Scanners, for instance, can automatically detect vulnerabilities in a network, while AI-based solutions offer advanced capabilities to predict and identify emerging threats. By employing these tools and methodologies, organizations can develop a clear and actionable understanding of their risk landscape, laying the foundation for effective risk management.
Phase 2: Risk Assessment
The risk assessment phase is a critical stage in the RMP, where the organization dives into the potential likelihood and impact of various identified risks. This process is like a detective’s investigation, where each clue helps in prioritizing risks based on their severity. Imagine a team of cybersecurity experts evaluating a network system, much like detectives combing through a crime scene. They identify potential threats and vulnerabilities, such as what types of data are at risk, what protections are currently in place, and what additional measures are necessary to close any security gaps.
This phase is not just about finding problems, but also about devising strategies to mitigate them. Through risk assessments, ISRM professionals can make data-driven decisions to align security measures with organizational objectives. The comprehensive nature of risk assessment technologies and approaches highlights the need for ISRM professionals to have a similar breadth and depth of knowledge. With the appropriate certifications and continuous learning, these professionals can contribute to a safer and more secure digital landscape.
The two predominant assessment methods are quantitative and qualitative.
- Quantitative assessment: Quantitative assessments are often viewed as more time-intensive than qualitative ones but can be more accurate when evaluating risk. The impact of the risk is often evaluated in the context of the expected cost of the risk. One method used in quantitative risk assessment is expected monetary value (EMV) analysis, which is a mathematical calculation for determining the expected monetary impact of risks: it multiplies the dollar cost of a risk by the probability of that risk occurring and then adds the values together for all risks. A decision tree analysis is another quantitative method that is more visual than EMV (Figure 5.11). The decision tree includes each risk, along with its financial impact and the probability associated with each risk. The project manager then can see the path that offers the least impact (cost) on the project. Regardless of the method chosen, quantitative risk assessment involves calculations that give a monetary value to the impact of the risks to the project.
- Qualitative assessment: Qualitative impacts can be categorized as high, medium, and low with the probability of occurrence ranked on a scale from very likely to highly unlikely. Even though the assessments are more subjective than the quantitative approaches, there are methods that can facilitate the processes. For example, a brainstorming session with key stakeholders or with the project team could generate a list of potential risks. Additionally, in-depth interviews with experts or stakeholders can identify risks and begin to assess the impact and probability. A SWOT analysis can be used as well. In particular, the internal weaknesses and the external threats can be considered risks to evaluate in the project.
Another method used when conducting the qualitative assessment of risks is the Delphi method, which involves rounds of questionnaires sent to individuals with expertise who provide anonymous responses in which they identify risks and assess their impact and probabilities. The project manager will analyze the responses after each round to look for commonalities. Then, the compiled results are presented to the experts again, and they have the opportunity to reevaluate the responses and amend the list. The end result of the Delphi method is a list of risks that the experts have arrived at through this consensus-building process. Whatever method is used for conducting the qualitative assessment of the RMP, the important factor is to get input from various stakeholders and experts in the field to identify the risks and then organize the risks based on their impact and probability of occurrence. Figure 5.12 illustrates the contrast between quantitative and qualitative assessments when applied to an organization that specializes in IP generation.
A risk matrix is a visual representation of the identified risks categorized by both impact and probability. A risk matrix can be used with both qualitative and quantitative assessments. In qualitative assessments, the matrix will be populated with categories that are subjective, such as high probability or low impact, whereas a quantitative risk matrix would include the numerical measures of these values. Often the matrix is color coded with a predetermined color scheme to help quickly identify those risks that have the highest impact or probability.
In Figure 5.13, the highest-risk items are highlighted in red with the lower-risk items in green. Each risk matrix can be evaluated by the project manager to determine which risks should be monitored more closely and to prioritize the highest impact items. Then, the RMP can address the appropriate risk mitigation strategies for those higher priority items while putting less focus on risks with minimal overall impact on the project.
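The following added example (not from the textbook) puts the two assessment methods described above into code: it computes the expected monetary value of a constructed risk register and builds a colour-coded probability/impact risk matrix from the same data, then prioritizes the risks the way a project manager would read the matrix. The category thresholds and colour scheme are assumptions; an organization would set its own.

```python
"""Risk register: quantitative EMV and qualitative risk matrix (added example).
All risks, dollar figures, probabilities and thresholds are constructed sample data."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    cost: float          # estimated dollar impact if the risk materializes
    probability: float   # probability of occurrence in the assessment period (0..1)


def emv(risks):
    """Expected monetary value: sum over all risks of dollar cost x probability."""
    return sum(r.cost * r.probability for r in risks)


# Assumed thresholds mapping numeric values to the qualitative categories of a matrix.
def impact_level(cost):
    if cost >= 500_000:
        return "high"
    if cost >= 50_000:
        return "medium"
    return "low"


def probability_level(p):
    if p >= 0.5:
        return "very likely"
    if p >= 0.2:
        return "likely"
    if p >= 0.05:
        return "unlikely"
    return "highly unlikely"


PROBABILITY_SCORE = {"highly unlikely": 1, "unlikely": 2, "likely": 3, "very likely": 4}
IMPACT_SCORE = {"low": 1, "medium": 2, "high": 3}


def matrix_color(prob_level, imp_level):
    """Assumed colour scheme: the product of the two scores decides the matrix cell colour."""
    score = PROBABILITY_SCORE[prob_level] * IMPACT_SCORE[imp_level]
    if score >= 8:
        return "red"
    if score >= 4:
        return "yellow"
    return "green"


def risk_matrix(risks):
    """Place each risk in the matrix and return rows ordered by priority (red first, then EMV)."""
    rows = []
    for r in risks:
        pl, il = probability_level(r.probability), impact_level(r.cost)
        rows.append({"name": r.name, "probability": pl, "impact": il,
                     "color": matrix_color(pl, il), "emv": r.cost * r.probability})
    order = {"red": 0, "yellow": 1, "green": 2}
    rows.sort(key=lambda row: (order[row["color"]], -row["emv"]))
    return rows


# Constructed sample register.
SAMPLE_RISKS = [
    Risk("Ransomware on file servers", cost=1_200_000, probability=0.10),
    Risk("Phishing leads to credential theft", cost=150_000, probability=0.60),
    Risk("Laptop lost in transit", cost=20_000, probability=0.30),
    Risk("Data-centre flood", cost=3_000_000, probability=0.01),
]

if __name__ == "__main__":
    print(f"Total EMV of the register: ${emv(SAMPLE_RISKS):,.0f}")
    for row in risk_matrix(SAMPLE_RISKS):
        print(f"{row['color']:6} {row['probability']:15} {row['impact']:6} "
              f"EMV ${row['emv']:>10,.0f}  {row['name']}")
```

Note that the phishing risk ranks first even though its EMV is lower than the ransomware risk: the matrix weights its very high probability, which is exactly the kind of difference between quantitative and qualitative views the text describes.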
Phase 3: Risk Mitigation Strategies
Uncertainty in projects cannot be eliminated, but it can be mitigated. Some broad mitigation strategies include being proactive and developing a plan to deal with risks if they materialize. Each identified risk should have a strategy attached so that there is a plan in place to minimize the impact of the risk on the project. These broad strategies offer some general decisions that can be made with each risk; however, the actual activities used to alleviate the impact will need to be tailored to the specific risk. Figure 5.14 lists broad strategies for dealing with risk.
The first strategy, acceptance, describes a situation where the risk, impact, and probability are known, and the project team makes the decision to accept the impact. The risk might be at a level where it would not have a meaningful impact on the overall project. In some cases, the benefit of accepting the risk outweighs any negative impacts from the risk. Generally, the acceptance strategy is used when there are minimal impacts to the cost, the schedule, or team performance. It is important to continue to monitor the risk to ensure the impact remains at an acceptable level. Overall, the project continues to move forward without substantive consequences to the project plan and deliverables.
In the avoidance approach, the project team develops strategies to prevent the risk from occurring. For example, to avoid the risk of a new CRM system not functioning properly, the system could be tested with key stakeholders to make sure it meets performance measures. With risk avoidance, the project manager might consider moving resources from one part of the project (such as personnel or funding) to another part to help reduce the risk. Risk avoidance is used when there are risks to performance and could involve having backup vendors in case one vendor cannot fulfill what they are contracted to do. Avoiding risks to the schedule may involve setting realistic deadlines that are not too aggressive.
The control approach to mitigating risks involves trying to minimize the impact of risks. This involves consistent monitoring and having a plan in place to proactively respond to the risks. For example, tracking expenses against the expected budget at regular intervals can help the project team identify when line items are at risk of going over budget. When the project manager notices this, they can then implement strategies to manage the expense in that line to control the risk of going over budget. To control the risk of going over schedule, the project manager can keep close tabs on the time needed for tasks and redelegate as needed to make sure the project stays on time.
The transfer strategy can be used to shift the risk—and thus the impact—to another entity associated with the project. However, this approach may not be the best strategy because unintended consequences can arise. For example, if the project is running behind schedule, the project manager could transfer the cause of that delay to an individual team member rather than to the project team as a whole. Although the project team’s reputation might be preserved somewhat, this kind of action could greatly impact the team dynamics. Likewise, if the impact of a product’s failure is transferred to a particular vendor used to produce the product, the business relationship could be altered, even if the costs of the failure are no longer the responsibility of the project team. Caution should be used when choosing this strategy because of the additional consequences that could result.
Finally, the watch strategy involves essentially taking no action but having activities in place in the project plan to consistently monitor the risk for changes that could either increase the probability of occurrence or increase the impact. Strategies such as tracking the actual expenses versus budgeted expenses on a regular basis, or having project team updates on the status of action items, can be used to watch for changes. Monitoring is a key strategy that should be used for all risks identified and should be a key component of the RMP. The bottom line with any of the approaches to risk mitigation is to invest time on the front end of the planning process to be proactive in how the project team responds to risk.
Phase 4: Monitoring and Review
The implementation of risk mitigation strategies is not the end of the risk management process. In fact, mitigation requires ongoing attention and diligence to ensure its effectiveness and adaptability to new threats and changes in the organization’s environment. This phase emphasizes the necessity of continuous monitoring and regular reviews to maintain the integrity of the RMP.
Frameworks for Continuous Monitoring and Improvement of the ISRM Strategy
The ongoing process of assessing the security posture and compliance of an IT infrastructure by automatically collecting, analyzing, and reporting data on various security controls is called continuous monitoring. It is critical for detecting and responding to threats and vulnerabilities in real time. It helps to ensure that the implemented risk mitigation strategies are working as intended and that no new risks have emerged. Continuous monitoring aids in maintaining a strong security posture, as it provides ongoing insights into the effectiveness of security controls and the organization’s overall risk exposure.
Continuous monitoring plays an important role in ensuring the ongoing integrity, availability, and security of critical assets and information. Continuous monitoring is a necessary component of an effective ISRM strategy, ensuring that security controls are operating as intended and that any malicious activities are detected and addressed in a timely manner.
The Information Systems Audit and Control Association (ISACA) is an international association that provides IT professionals with knowledge, credentials, education, and community in IT governance, control, risk, security, audit, and assurance. IT governance is the process of managing and controlling an organization's IT capabilities to improve IT management, ensure compliance, and increase the value of IT investments. ISACA offers several certifications and comprehensive cyber education and plays an important role in setting global standards for cybersecurity. Through its publications, certifications, and guidance, ISACA provides industry best practices and frameworks that organizations can adopt to enhance their monitoring capabilities and align with relevant regulatory requirements.
One of ISACA’s most notable contributions to the field is the development of the Control Objectives for Information and Related Technologies (COBIT) framework (Figure 5.15), a comprehensive framework developed by ISACA for IT governance and management that helps organizations meet business challenges in the areas of regulatory compliance, risk management, and aligning IT strategy with organizational goals.19 It is recognized globally and is widely adopted by organizations seeking to align their IT processes with their strategic objectives, while ensuring that risks are managed effectively and resources are used responsibly. In addition to COBIT5, NIST also provides a continuous monitoring strategy.20
Various tools and technologies play a pivotal role in facilitating continuous monitoring, each serving specific purposes and providing different insights into the organization’s security posture.
One of the key tools available for continuous monitoring is a security information and event management (SIEM) system, a centralized security tool that combines security information management with security event management. The tool collects, consolidates, and organizes data within the system, including user data, application data, and network data, to analyze and detect suspicious activity within the system. The aggregated data are analyzed to detect unusual activities, patterns, or events. The tools not only detect attacks but can also prevent and block threats to the system. Additionally, the tool can compile the necessary information for compliance reporting purposes. Finally, the SIEM system can monitor user actions to identify potential issues before those actions pose a threat to the organization. For example, if confidential employee information is being shared via email to an entity outside of the company that is not known to have a business need for the information, the SIEM system can flag those emails as threats. In a similar way, the system can identify incoming phishing emails and automatically block the sender. Through analytics, the SIEM system can quickly recognize unusual activity and take appropriate action to minimize the impact.
An intrusion detection system (IDS) is integrated into the SIEM system. The IDS looks specifically at traffic on the network to determine if there is suspicious activity coming into or out of the network. That data are then fed into the SIEM system to be aggregated with the other data gathered. The IDS can also detect security violations within the network. The tool does not stop the threat; it simply identifies the threat, sends the data on, and alerts network administrators of the threat. The IDS looks for known sources of threats. For example, the detection system could pick up on a specific chain of characters or source code that is part of a known malware threat. Because the IDS checks traffic against known threats, it is important to regularly update the system to make sure the newest cyber threats are being monitored.
The IDS works in conjunction with an intrusion prevention system (IPS) to prevent ongoing attacks to the network. The IPS is a more proactive approach to maintaining the security of the network. One example of an IPS is a web application firewall that prevents downloading of material from unsecured websites. To prevent threats from entering the network, all traffic goes through the IPS before entering the network. As with the IDS, the IPS works off of known threats, so new cyberattacks might get through. When suspicious activity is noticed, the IPS will block the activity from getting into the network, send an alert to administrators (facilitated by the SIEM system), and often terminate the connection where the threat originated in the system. This could mean a user is disconnected from the system to prevent further intrusion until the threat can be mitigated. Today’s IPS tools have detection capabilities built in and are now referred to as intrusion detection and prevention systems (IDPSs). Many organizations use one integrated tool rather than having two separate tools to manage security.
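To make the SIEM, IDS, and IPS roles above concrete, here is an added example (not from the textbook, and not the code of any product) of a minimal SIEM-style analysis over constructed log lines. It normalizes two event sources, a mail-gateway log and an IDS alert feed, and applies two of the detections described: confidential email sent to an external domain with no known business need, and repeated IDS signature hits from one source that an IPS could then act on. All domains, hosts, signature ids, log line formats and the alert threshold are constructed assumptions.

```python
"""Minimal SIEM-style correlation over constructed log lines (added example)."""
import re
from collections import Counter

INTERNAL_DOMAIN = "corp.example"
# Constructed allowlist: external domains with an approved business need.
APPROVED_EXTERNAL_DOMAINS = {"partner.example", "payroll-vendor.example"}
# Assumed threshold: sources that trip this many IDS signatures in one batch become block candidates.
IDS_ALERT_THRESHOLD = 3

# Constructed log formats for the two sources the SIEM ingests.
MAIL_LINE = re.compile(
    r'^(?P<ts>\S+) mailgw from=(?P<sender>\S+) to=(?P<recipient>\S+) '
    r'label=(?P<label>\S+) subject="(?P<subject>[^"]*)"$')
IDS_LINE = re.compile(
    r'^(?P<ts>\S+) ids src=(?P<src>\S+) dst=(?P<dst>\S+) sig=(?P<sig>\S+)$')


def parse_event(line):
    """Normalize one raw line into a dict, or None if it matches no known format."""
    for source, pattern in (("mail", MAIL_LINE), ("ids", IDS_LINE)):
        m = pattern.match(line.strip())
        if m:
            return {"source": source, **m.groupdict()}
    return None


def recipient_domain(address):
    return address.rsplit("@", 1)[-1].lower()


def rule_confidential_external(ev):
    """Flag confidential mail leaving to a domain that is neither internal nor approved."""
    if ev["source"] != "mail" or ev["label"] != "confidential":
        return None
    domain = recipient_domain(ev["recipient"])
    if domain == INTERNAL_DOMAIN or domain in APPROVED_EXTERNAL_DOMAINS:
        return None
    return {"rule": "confidential-to-unapproved-domain", "severity": "high",
            "ts": ev["ts"], "detail": f"{ev['sender']} -> {ev['recipient']}"}


def rule_repeated_ids_hits(events):
    """Aggregate IDS alerts per source; repeated hits are escalated as IPS block candidates."""
    hits = Counter(ev["src"] for ev in events if ev["source"] == "ids")
    return [{"rule": "repeated-ids-signature-hits", "severity": "medium",
             "detail": f"{src} triggered {n} IDS alerts", "block_candidate": src}
            for src, n in hits.items() if n >= IDS_ALERT_THRESHOLD]


def analyze(lines):
    """Run all rules over a batch of raw lines; returns (alerts, number_of_unparsed_lines)."""
    events, unparsed = [], 0
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            unparsed += 1   # count rather than silently drop: a parsing gap is a monitoring blind spot
            continue
        events.append(ev)
    alerts = [a for ev in events if (a := rule_confidential_external(ev))]
    alerts.extend(rule_repeated_ids_hits(events))
    return alerts, unparsed


# Constructed sample log lines (RFC 5737 documentation addresses, made-up domains).
SAMPLE_LOG = [
    '2024-05-01T09:00:01Z mailgw from=hr@corp.example to=payroll@payroll-vendor.example label=confidential subject="May payroll file"',
    '2024-05-01T09:02:17Z mailgw from=hr@corp.example to=someone@webmail.example label=confidential subject="employee list"',
    '2024-05-01T09:03:40Z mailgw from=pr@corp.example to=press@news.example label=public subject="Press release"',
    '2024-05-01T09:05:00Z ids src=203.0.113.7 dst=10.0.0.5 sig=SIG-0001',
    '2024-05-01T09:05:02Z ids src=203.0.113.7 dst=10.0.0.6 sig=SIG-0001',
    '2024-05-01T09:05:05Z ids src=203.0.113.7 dst=10.0.0.7 sig=SIG-0004',
    '2024-05-01T09:06:00Z ids src=198.51.100.2 dst=10.0.0.5 sig=SIG-0002',
    'garbled line from a source the parser does not know',
]

if __name__ == "__main__":
    found, skipped = analyze(SAMPLE_LOG)
    for alert in found:
        print(alert["severity"], alert["rule"], alert["detail"])
    print(f"{skipped} line(s) could not be parsed")
```

The mail to the approved payroll vendor is not flagged while the same sender's confidential mail to an unknown webmail domain is, and only the source with three IDS hits is escalated; the single hit from the other source stays informational, which is the IDS "identify and alert, do not block" behaviour the text describes.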
Footnotes
- 18International Organization for Standardization, ISO/IEC 27001:2022 (ISO, 2022).
- 19COBIT5 was published in 2012, and a new version (COBIT 2019) was released in 2018. COBIT 2019 was updated for newer technology and has six principles that use some revised terminology. Although COBIT 2019 is the most current version, many organizations still use COBIT5. 6.3 Data Security and Privacy from a Global Perspective discusses COBIT 2019.
- 20Kelley Dempsey, Nirali S. Chawla, Arnold Johnson, et al., “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations,” NIST Special Publication 800-137, National Institute of Standards and Technology, September 2011, https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-137.pdf.