The senior computer scientist who led the team that developed risk management framework guidance for the National Institute of Standards and Technology says those CISOs have the right idea. "Managing risk with regard to information systems and security sometimes doesn't go to the highest levels and that's why the risk framework is a way to get senior leaders involved early in the process," says Ron Ross in an interview with GovInfoSecurity.com (transcript below).
"In order for the organization to make good, credible risk-based decisions and invest dollars wisely, it really does take the involvement of everyone up the chain of command, especially with today's advanced persistent threats that have the ability through some well-placed malware to really bring down an entire organization's operations with some well-placed malware," Ross says. "The realization of this by senior leaders now has energized them and gotten them involved in the process of managing risk."
In the interview, conducted by Information Security Media Group's Eric Chabrow, Ross:
- Outlines the genesis and core principles behind the risk management framework,
- Explains the synergy between the risk management framework and continuous monitoring of IT systems and
- Addresses how organizations can get started in implementing a risk management framework.
The Department of Commerce, which oversees NIST, this fall awarded Ross, who serves as principal architect of NIST's risk management framework, and five colleagues - Kelley Dempsey, Peggy Himes, Arnold Johnson, Marianne Swanson and Patricia Toth - gold medals for significantly improving U.S. computer security by designing, developing and disseminating the risk management framework in support of the Federal Information Security Management Act.
Besides leading NIST's Federal Information Security Management Act compliance team, Ross also supports the State Department in the international outreach program for information security and critical infrastructure protection. He previously served as the director of the National Information Assurance Partnership, a joint activity of NIST and the National Security Agency.
A graduate of the United States Military Academy at West Point, Ross served in a variety of leadership and technical positions during his 20-year career in the Army. While assigned to the National Security Agency, he received the Scientific Achievement Award for his work on an interagency national security project and was awarded the Defense Superior Service Medal upon his departure from the agency. He's a two-time recipient of the Federal 100 award for his leadership and technical contributions to critical information security projects affecting the federal government. During his military career, Ross served as a White House aide and as a senior technical advisor to the Department of the Army.
Last year, the Information Systems Security Association named Ross its distinguished fellow, the group's highest tribute, for his leadership in the development of influential information security documents.
Ross is a graduate of the Program Management School at the Defense Systems Management College and holds a master's degree and a Ph.D. in computer science from the United States Naval Postgraduate School.
Please check out earlier interviews GovInfoSecurity.com conducted with Ross:
- NIST Guidance Seen Saving Government Millions
- FISMA Reform Without Reforming FISMA
- Defining Information Security Metrics
Risk Management Framework Explained
ERIC CHABROW: Simply, what is a risk management framework?
RON ROSS: The risk management framework was a model that NIST proposed going back to 2004, 2005. It was an outgrowth of the Federal Information Security Management Act, where NIST was given responsibility for developing the implementing security standards and guidelines for the federal government so our federal agencies could demonstrate compliance to legislation and also build effective information security programs and manage risk within their organizations.
The framework was a simple six-step process that we established and we defined to help organizations define how they select their controls, how they go about assessing those controls to see if they are effective and then really reaching some kind of an authorization or risk-based decision on whether their information systems are good enough to go and support the operations, the core missions that the organizations are carrying out.
The final step, which is getting a lot of publicity today, is that of continuous monitoring, where we are trying to ensure that in a world today that moves very rapidly with the advanced persistent threats and things that really can do great damage to our federal organizations through their information systems, we're able to monitor the security state over time and manage risk over time in a world that can be very dangerous.
CHABROW: Risk management has been around for a few years, but when I speak with chief information security officers, such as those from the financially strapped states, they say they are just initiating these risk management frameworks. Why do you think that risk management is gaining more attention now?
ROSS: There is a greater understanding on behalf of organizations in the public and the private sectors of the severity of the cyber attacks today that are occurring that can either have the potential to bring down a key capability of these organizations or exfiltrate information, where information could be intellectual property, anything that is of value to organizations can be stolen from these systems with the implementation of malware. There is a greater realization of the threats that are out there, and organizations are trying to do the best they can to apply a cost-effective, risk-reduction regimen, which includes the application of security controls and how you pick those controls, and which ones are more effective against certain types of threats. All of that really demands some kind of an organized framework so you can assist your decision makers in making the right decisions in an environment where resources can be fairly scarce within all organizations today.
Smart Spending of Limited Dollars
CHABROW: Can you go a little bit more into that because that is something that I hear from these state CISOs and others about this synergy between effective risk management and smart spending of limited dollars on IT security?
ROSS: The key to all of the security work that we do, it all rests on protecting the organization's missions, the core missions and business operations. That is the real reason we do security: to protect those missions to make sure we can have mission success and the business can go on, whether it is e-commerce or whether it's protecting a key federal operation. And with limited dollars you have to make sure that you get the best investment that you possibly can, and so the risk framework provides an approach, a methodology if you will, a disciplined methodology to go through and examine what are the threats out there? What types of things may cause damage to your organization?
We have a very large and robust catalog of security controls in our special publication, 800-53, that helps organizations determine which controls should I apply, which ones are most effective, and how can we get the best bang for our buck. That really is to me what the risk management framework does best, and it helps decision makers come to good, credible, risk-based decisions on how they should protect their organizations.
CHABROW: Let's talk about those decision makers, because when I talk to CISOs, one of the things they tell me when they pursue their risk management initiatives is to get more participation on IT security from the business leaders, department secretaries or agency directors. How does a risk management framework involve non-IT leaders in IT security decision making, and why is that important?
ROSS: That's going to be one of the topics that we continue to address: the involvement of senior leadership in the risk management decision-making process. Senior leaders are managing risk all the time. Managing risk with regard to information systems and security sometimes doesn't go to the highest levels, and that's why the risk framework is a way to get senior leaders involved early in the process, because a lot of the things that you want to do, whether it's the wise use of technology as you build out your enterprise architecture or you deploy certain security controls to various systems or the environments of operations where those systems operate in the enterprise, those investments have to be very carefully considered.
In order for the organization to make good, credible risk-based decisions and invest dollars wisely, it really does take the involvement of everyone up the chain of command, especially with today's advanced persistent threats that have the ability through some well-placed malware to really bring down an entire organization's operations with some well-placed malware. The realization of this by senior leaders now has energized them and gotten them involved in the process of managing risk, in addition to having a very capable security staff and folks that can support them in that process.
CHABROW: You mentioned that one of the important things about risk management framework is the move toward continuous monitoring of IT systems. How does the framework deal with continuous monitoring?
ROSS: Continuous monitoring has been a very hot topic, as you are aware. Both the Office of Management and Budget and the federal agencies have been trying to implement continuous monitoring programs. It is an important part of the risk framework, not just at the information system level; continuous monitoring also has a role at the organization's governance level and the level where organizations actually build out their mission and business processes. These are the activities that take place that allow organizations to carry out their core missions and business functions.
In a world today where we have advanced persistent threats and the operations tempo of the adversaries is on the order of minutes or hours and they are constantly thinking up new ways to do damage to our systems, we really have to have processes and procedures in place. Many times, supported by automated tools, it will allow us to understand what is the security state of my system not just every three years but sometimes down to a period of hours. That understanding of the security state of your systems helps us continue to make good risk-based decisions, and so the risk acceptance that we had yesterday when that system was authorized may not be the same risk that is out there today based upon the new threats, some additional vulnerabilities that may emerge, the likelihood that those threats can exploit the vulnerabilities and the ultimate impact on the missions and business operations of the enterprise. So continuous monitoring is our attempt to kind of stay in this rapid cycle so we can have the best knowledge and information to continue to make good risk-based decisions.
CHABROW: Implementing a risk management framework can seem daunting. What are some initial steps an organization should take that won't make the process seem so overwhelming?
Getting Started on Risk Management Framework
ROSS: We try in the risk framework to be very thorough and comprehensive in the process. We certainly have a very large and rich control catalog that has security controls covering management, operational and technical controls. The key element here is understanding what controls are really necessary to protect the organization's core missions and business operations.
And of course, NIST tries to help a little bit by providing initial recommendations. We call them baseline controls. These are starting sets of controls that we recommend that you take a look at first, and then the process of the risk framework allows organizations to go through and specifically tailor controls so they fit the specific missions and operations of the organization.
But I think the other key component today is getting a good threat briefing and understanding where the current threats are within the space that the organization is dealing in, and then be able to take a look at those threats in the context of what the organization looks like with regard to their information technology and their current set of vulnerabilities. That's the part that is the most difficult, managing the threats and vulnerabilities to make decisions about whether I deploy additional controls and if so, how many of those controls do I deploy.