The tremendous rise in cybersecurity attacks, coupled with organizations' exploration of new technologies such as artificial intelligence (AI) and blockchain to expand their business or better secure their controls, gives cause to review the foundational framework that is being used to identify, assess and act on IT risk impacting business objectives. This is a perpetual struggle: reviewing the use of new technologies and their impact on the organization's objectives, profit mentality and revenue streams. With Apple and Goldman reviewing the feasibility of issuing a new credit card, or the old news of the Internet of Things (IoT) and driverless cars, enterprise risk and cyberrisk departments or groups must be working overtime to evaluate and drive the analysis of risk. Some organizations have their own risk management frameworks that are modeled after COBIT. Others have their own proprietary frameworks or use a hybrid of frameworks.
Selecting a Risk Management Method or Framework
What criteria are firms using to select the frameworks they use? How often are these frameworks and their basic tenets reviewed? Is the selected framework communicated to the employees of the firm? Is the framework or methodology selected by the firm understood by all? Do these frameworks use quantitative factors or qualitative factors to evaluate risk? Short of performing a scientific survey of organizations to inventory and evaluate the commonly used risk methods, frameworks, their pros and cons, and their methods of implementation, the National Cyber Security Centre, a part of Government Communications Headquarters (GCHQ), an intelligence and security organization for the United Kingdom, summarized the commonly used risk methods and frameworks.1 ISACA’s Risk IT Framework Excerpt2 was referenced to understand the essentials of risk governance and the purpose and intended audience of the risk framework. Using the guidance from ISACA and GCHQ can provide a reference point to determine the optimal framework and enablers to evaluate technology risk. What are several of the gaps in the frameworks that give one pause?
Ensure the Selection Meets the Needs
To ensure that the risk management framework meets the organization's needs, the criteria shown in figure 1 should be used.
Determine the Right Time to Use a Risk Method or Framework
Management and risk assessors, along with the business, need to understand not only how, but when to use risk methods or frameworks. One framework should cover all situations or should be able to be customized to the current threats and vectors affecting cyber or IoT.
ISO/IEC 27005:2001 (International Organization for Standardization/International Electrotechnical Commission) states:
Assessment and analysis is only effective in situations where it can be used to obtain new information, in support of decision making and management, since the scenario is knowable.3
As a result, it is preferable that organizations use a variety of different approaches.
It is recommended that a risk framework, assessment and supporting analysis be used to help guide IT and the business in driving value to the organization. It should help determine priorities and expectations.
Costs and Prerequisites
Given the broad and generic nature of the guidance, specialist skilled resources are needed to tailor the implementation to the requirements of the business. The cost of these resources should be considered along with the cost of purchasing the standards.4
The risk IT principles used should be flexible enough to adjust to current threats and risk and, where possible, should provide the basis for the practitioner to inventory the business-related and IT risk impacting the enterprise.
Recommendations
Organizations are using the US National Institute of Standards and Technology (NIST) Cybersecurity Framework, COBIT and other frameworks to customize their assessment of controls related to cyber or cloud and to mitigate the threats and other risk impacting network assets or the enterprise IT structure. The following assumptions are applicable:
- Threat vectors, such as IoT, continue to challenge business and security professionals alike on a methodology to respond.
- Skill sets to implement a framework may be immature.
- One risk framework may not fit all firms or fit the entire firm.
- A risk framework may fit some scenarios, but not all scenarios.
- NIST; Federal Financial Institutions Examination Council (FFIEC); and Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) have at their core, or reference, COBIT.
- The risk framework has to be nimble, simple to use, consistent and adaptable to different scenarios.
- The design and implementation of the risk framework should be kept simple.
- There may be licensing restrictions or limitations on available resources to design and implement a framework or keep its implementation evergreen.
- The threat to the organization may be too complex or inconsistent to be understood.
Accounting for these assumptions, practicable recommendations follow. No matter the method, the basic elements of the framework should include the following:
Figure 2 (image not reproduced here)
- What is the risk?
- Can the risk be evaluated on a quantitative or qualitative basis?
- The criteria for selection and implementation of the framework should be understood by the business.
- The business should be a partner in collaborating on how the risk or threat affects the people, processes or technology of the organization and in helping to prioritize the risk remediation approach and strategy.
- The strategy for implementing the framework should be simple and unscheduled.
- The required resources and response to the risk must be proportionate and sustainable to the risk and threat.
- Before an organization contacts a vendor requesting a risk management product, the objective for the product's purchase, selection and implementation should be approved by senior management. There are too many vendors who are willing to sell a risk method or assessment to support management’s decision-making. Management must first decide on the objective, approach and time frame to communicate, implement and select the framework, and establish a threat response methodology that prioritizes the threats and techniques.
- It should be understood that the staff may not know about all threats all the time to know how to respond to each and cannot always expect that the framework will give this guidance.
- ISACA’s Risk IT principles5 should be followed:
  - Connect to the business objectives.
  - Align the IT risk with enterprise risk management (ERM).
  - Function as part of the daily activities.
  - Establish tone at the top and accountability.
  - Promote fair and open communication.
  - Balance the cost/benefit of IT risk.
  - Share risk with senior management. There should be no separate silos of risk that may not be communicated to employees.
Conclusions
Each risk management framework has its pros and cons, as illustrated in figures 2 and 3 (see endnotes 6 through 12). Practitioners should use the simplest framework that meets their requirements and use common sense to ensure its proper implementation and communication. There is no finite list of requirements. As organizations conduct their periodic risk control assessments, they must ensure that their selection meets their needs. Risk control assessments change over time. ISACA’s Risk IT principles help the user determine the proper framework, guide its implementation and communication, and ensure that it remains evergreen.
Editor’s Note
ISACA recently released COBIT 2019 (http://congou.everwoodsite.com/resources/cobit). COBIT 2019 is an evolution of COBIT and incorporates Risk IT, similar to the approach in COBIT 5. A COBIT 2019 Risk Focus area is in development and is expected to be released in 2019.
Endnotes
1 National Cyber Security Centre, “Summary of Risk Methods and Frameworks,” United Kingdom, 23 September 2016, http://www.ncsc.gov.uk/guidance/summary-risk-methods-and-frameworks
2 ISACA, The Risk IT Framework Excerpt, USA, 2009, congou.everwoodsite.com/Knowledge-Center/Research/Documents/Risk-IT-Framework-Excerpt_fmk_Eng_0109.pdf
3 Op cit National Cyber Security Centre
4 Ibid.
5 Op cit ISACA
6 Op cit National Cyber Security Centre
7 National Institute of Standards and Technology, “Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems,” NIST Special Publication 800-160, USA, November 2016, http://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-160.pdf
8 ISACA, COBIT 5 for Risk, USA, 2013
9 European Union Agency for Network and Information Security, “Octave v2.0,” http://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/rm-ra-methods/m_octave.html
10 Caralli, R.; J. Stevens; L. Young; W. Wilson; Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process, Carnegie Mellon, USA, May 2007, http://resources.sei.cmu.edu/asset_files/TechnicalReport/2007_005_001_14885.pdf
11 National Institute of Standards and Technology, “Information Risk Management: HMG IA Standard Numbers 1 and 2,” USA, 8 August 2015, http://www.ncsc.gov.uk/guidance/information-risk-management-hmg-ia-standard-numbers-1-2
12 European Union Agency for Network and Information Security, “Recommendations on Cyber Insurance,” http://www.enisa.europa.eu/procurement/recommendations-on-cyber-insurance
Larry Marks, CISA, CRISC, CGEIT, CFE, CISSP, CSTE, ITIL, PMP
Has focused his career on leading through collaboration to ensure best practices are implemented to assist compliance and process improvement. He has focused on audit, security, risk, compliance, privacy and program/project management across financial services, healthcare and telecommunications. Marks has extensive experience in designing, managing, auditing and implementing IT processes, policies, controls and technology. He has managed teams, priorities and expectations across business and IT leadership while delivering fit-for-purpose services. He is a peer reviewer for the ISACA Journal and the Association of Certified Fraud Examiners’ (ACFE) Fraud Magazine. Marks is also associate editor for Information Security Journal: A Global Perspective, published by (ISC)2, and contributes book reviews to InfoSecurity Professional. Marks was recently selected to be a member of the Rutgers University Cyber Advisory Council (New Brunswick, New Jersey, USA). He has been a developer of ISACA white papers and has authored/coauthored ISACA audit programs. He currently holds a leadership position in the ACFE New Jersey (USA) chapter. Marks is an active volunteer with ISACA, having recently served on its Certified in Risk and Information Systems Control (CRISC) Exam Writing Team, and is part of the Project Management Institute’s ISO Committee. He is also a blogger and contributor to the leadership section of ProjectManagement.com. His work has been published in (ISC)2 Security Journal, PMI Journal and the ISACA Journal.