Implementing a Cybersecurity Risk Management Program

An enterprise risk management program should be developed to address risks that have the potential to impact business operations. The implementation of a risk management program is critical to achieving the intended goals of your organization’s risk management strategy. Implementation should align with other defined security program goals. The lack of a risk management program may lead to ineffective implementation of your defined risk management strategy and the overall security program is likely to falter. This most frequently occurs due to control owners not being assigned the necessary actions that are required to manage a holistic program. The assignment of risk management controls, accountability, and continuous management are key to maintaining an effective program.

A risk management program that is consistent with your organization’s control environment should be developed, implemented, and maintained to manage or otherwise limit the impact of risks, including security risks, to an acceptable level. Your program should ensure that plans are developed for conducting security testing, privacy testing, training, and monitoring activities associated with information systems. These plans need to be executed promptly, according to defined control requirements. Testing, training, and monitoring plans should be reviewed consistently, by the risk management strategy, to align with organization-wide priorities for risk response actions.

The risk management program should be appropriate for the size and complexity of your organization. The program can take different forms depending on its size and complexity. In a large, complex organization, risk management may be an independent organizational unit. In a small, less complex organization, the risk management program may be integrated into other functional areas of a security program such as business continuity management, third-party risk management, and regulatory compliance. Regardless of the structure used, lines of authority should be established for enforcing and monitoring controls. The senior official (e.g., Risk Officer or CISO) that is responsible for risk management should be accountable for leading the program activities.

The risk management program plan should include the overall objectives of the risk management strategy defined for your organization. A formal risk assessment and risk treatment process should be implemented as part of your program. The mitigation of risks identified from risk assessments, risk treatment, and threat monitoring processes should also be addressed. At a minimum, this should include tracking capabilities within a repository system that stores risk assessments that have been performed, the risks identified, and the remediation performed or that is currently in progress.

Consider partnering with a reputable security provider that offers an effective way to manage and maintain risk assessment results and action plans. Any solution should include the ability to assign and track remediation activities.

The risk management program should specifically address security risks beyond the boundaries of technological impacts. These areas may include financial risks, strategic risks, operational risks, internal business risks, and regulatory compliance risks. A threat awareness component of your plan should be implemented that contains appropriate requirements for maintaining a cross-functional information-sharing capability.

When considering how to implement an enterprise-wide risk management program, it may be helpful to look at very high-level areas of risk for which the impacts could be large, and the likelihood of occurrence is also high. For example, if your organization is extremely dependent on access to customer data, you may want to initially focus the risk program on protecting the systems that house that data. You may want to raise the priority of the controls and mitigations currently in place to prevent a data breach or the lack of availability of that data due to a data center outage or failure of the networks used to access that customer data. You may also want to increase the capability and depth of those controls.

For most organizations, a risk management program will take time to be fully implemented. The implementation process may require regular tuning. Risk management activities are most effective when they are established as a core aspect of your organization’s processes and are continually improved. The approach to communicating risk management objectives may vary depending on the organization. It may be as simple as outlining a few key goals in an email to stakeholders or as complex as a comprehensive plan that is managed in a sophisticated risk management tool. The key is to have communicated objectives that will help facilitate the management of your overall program, to which incremental improvements are made over time. Stakeholder engagement and participation are key aspects of a successful risk program, regardless of the size of your organization.

Leadership from across your organization is required for the risk management program to be successful. While there is no substitute for executive support, commitment from all levels of management is essential to address the range of risks faced by the various operational areas. Oversight roles and responsibilities may include:

• Establishing updated program strategies and objectives (e.g., annually)
• Updating risk tolerance parameters and priorities
• Guiding how risks should be managed
• Coordinating communications with stakeholders
• Modifying or improving training and awareness requirements
• Establishing budgets or funding requirements
• Implementing new risk management program methodologies
  
  

Your risk management program should address cloud-related security and privacy risks. Cloud computing is exposed to the same threats, vulnerabilities, and risks as other technology environments. This is true whether the cloud computing environment is managed internally by personnel in your organization or by a third party such as a Cloud Service Provider (CSP).

Cloud computing may involve different security control configurations and processes than those employed in more traditional network architecture. Simply moving existing network technology to the cloud may not be appropriate since controls, policies, and procedures may not translate effectively to a cloud-based environment.

Tools such as a cloud access security broker (CASB) are specifically designed to assist with the implementation of security controls in a cloud environment. A CASB is an on-premises or cloud-based security policy enforcement point that resides between a cloud service consumer (CSC) and a cloud service provider (CSP) to combine and enforce security controls as cloud-based resources are accessed. A CASB can consolidate multiple types of security control enforcement. Examples include authentication, single sign-on, authorization, device profiling, encryption, logging, alerting, and malware prevention.

Tenancy should be another cloud-based risk consideration. Cloud-based applications or services can exist in either a single or multi-tenant environment. Since security control requirements may vary by tenant in a multi-tenant environment, with some requiring higher levels of security than others, abuse by one tenant could potentially weaken the security posture of other tenants. A third-party assessment (e.g., SOC audits, penetration tests, and vulnerability assessments) can provide insight into the CSP’s control environment and its ability to meet your organization’s requirements.

It is essential to ensure that stakeholders responsible for implementing your program and managing operational risk understand your organization’s plan as well as their responsibilities. Training should focus on the specifics of the risk management program, including your organization’s approach, timeline, roles, responsibilities, and reporting. Training activities are essential to the success of your risk management program and should be a continuous component of our overall program.

Ensuring that your risk management program remains effective will require continuous monitoring of risks, threats, strategies, your organization’s objectives, and the performance of the program as designed. Assessments of your program should help identify when updates or improvements are required. Action needs to be taken when identified risks exceed or are close to exceeding your organization’s risk tolerances. Determining when to address risks may be a complex exercise and difficult to measure. You may find the best approach is to use a combination of qualitative and quantitative metrics or measurements that can be reviewed to arrive at actionable decisions.

• Qualitative measurements:
  • Internal or external audit ratings for risk management (e.g., satisfactory, needs improvement, unsatisfactory)
  • Management assessment of the program
  • Risk analysis by service and process owners
  • Self-assessments by control owners
  • Regulatory reviews
• Quantitative measurements:
  • Technical measures (e.g., such as availability, virus infections, number of emergency changes, access violations)
  • Scheduled versus completed incident response plan and business continuity plan testing
  • Realized risk impacts (e.g., dollar amount, customers, reputation, stock price, etc.)
  • Percentage of risk management objectives that have been met
  • Percentage of risk management action plans that are on schedule
    
    

An effective risk management program necessitates the ability to systematically document processes as well as track historical and potential future risks. Establishing a common location for risk tracking and documentation will likely simplify the implementation and ongoing management of your risk management program. You can establish this repository by defining a directory on a physical or cloud-based server, developing a spreadsheet that contains links to various risk management documentation, or acquiring the use of a risk management software tool. As you plan to establish a risk management program repository, be sure to consider the following:

• Confidentiality of sensitive information
• Integrity of policies, plans, procedures, and processes
• Availability of the repository to authorized stakeholders
• Role-based access controls
• Required backup frequency of the information
• Alternate storage and availability location if the primary repository becomes unavailable

Simply storing information in a risk management repository of software tools is not sufficient for managing risks. Consider developing and maintaining a risk register to track all defined risks along with other appropriate details. Consider recording the following details in your risk register:

• Risk category
• Description of the risk
• A unique risk identifier
• Risk impacts
• Risk valuations
• Results of risk analysis
• Risk mitigation and disposition decisions and plans
• Internal and, if applicable, external stakeholders
• Risk ownership
• Due date for action plan

If your organization is just starting to develop a risk management program, a simple spreadsheet may suffice for an initial risk register. If you need or want something more sophisticated, myriad commercial risk management software solutions include the capability to maintain a risk register.

Look to New WindowVistrada Cybersecurity experts for more information on implementing a risk management framework.