Involving Non-Tech Agency Brass in Infosec
NIST Guidance Developed with DoD, Intel Community
NIST Special Publication 800-39: Integrated Enterprise-Wide Risk Management: Organization, Mission and Information Systems View is the fourth of a series of risk management and information security guidelines developed by NIST in collaboration with the Defense Department and intelligence community.
The risk management framework is a tool for getting departmental and agency leaders from outside IT and IT security involved in IT risk management, something many have avoided because it is often seen as too technical. Yet senior leaders address risk constantly in other aspects of their jobs, and guidance on IT security risk management encourages their participation in the key decisions that secure their organizations' digital assets.
"Managing risk with regards to information systems and security sometimes doesn't go to the highest levels; that's why the risk framework is a way to get senior leaders involved early in the process," Ron Ross, a NIST senior computer scientist and risk management framework principal architect, says in an interview Monday on the risk management framework with GovInfoSecurity.com.
Most IT security initiatives require organizations to invest dollars wisely, so it is imperative that business leaders be part of the risk management process. "It really does take the involvement of everyone up the chain of command, especially with today's advanced persistent threats that have the [potential], through some well-placed malware, to really bring down an entire organization's operations," Ross says. "The realization of this by senior leaders now has energized them and has gotten them involved in the process of managing risk."
Risk-Aware Missions, Business Processes
According to NIST, a risk management strategy addresses some of the fundamental issues that organizations face in how risk is assessed, responded to, and monitored over time in the context of critical missions and business functions. The strategic focus of the risk management strategy allows organizations to influence the design of key mission and business processes, making these processes risk aware. Risk-aware mission and business processes drive enterprise architecture decisions and prompt the development and implementation of effective information security architectures that provide roadmaps for allocating safeguards and countermeasures to information systems and the environments in which those systems operate.
SP 800-39 is the fourth in the series of risk management and information security guidelines being developed by the Joint Task Force Transformation Initiative, a joint partnership among the Department of Defense, the Intelligence Community, NIST and the Committee on National Security Systems. The partnership, under the leadership of the secretaries of Defense and Commerce - NIST is part of the Commerce Department - and director of national intelligence, continues to collaborate on the development of a unified information security framework for the federal government to address the challenges of protecting federal information and information systems as well as the nation's critical IT infrastructure.
The latest publication details the multi-tiered risk management approach (moving from organization to missions to systems) to ensure that strategic considerations (including top-level organizational goals and objectives) drive investment and operational decisions with regard to managing risk to organizational operations and assets, individuals, other organizations, and the Nation. This type of risk-based decision making is especially important with respect to how organizations address advanced persistent threats, which have the potential, through sophisticated cyber attacks, to degrade or debilitate federal information systems supporting the critical applications and operations of the federal government, NIST says.
Comments Sought
Individuals who want to comment on SP 800-39 should do so by sending an e-mail to sec-cert@nist.gov by Jan. 25.
According to NIST, the risk management approach described in this publication is supported by a series of security standards and guidelines necessary for managing information security risk. In particular, NIST says, the special publications developed by the Joint Task Force Transformation Initiative supporting the unified information security framework for the federal government include:
- SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach;
- SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations;
- SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations; and
- SP 800-30, Guide for Conducting Risk Assessments.
SP 800-39 supersedes the original SP 800-30 as the source for guidance on risk management. SP 800-30 is being revised to provide guidance on risk assessment as a supporting document to SP 800-39 and is projected for final publication in 2011.