
The Risk Management Process

The United States National Institute of Standards and Technology (NIST) published Special Publication 800-30, Risk Management Guide for Information Technology Systems (see https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final). The guide describes a 9-step Risk Analysis process:

  1. System Characterization
  2. Threat Identification
  3. Vulnerability Identification
  4. Control Analysis
  5. Likelihood Determination
  6. Impact Analysis
  7. Risk Determination
  8. Control Recommendations
  9. Results Documentation

We have covered these steps individually; let us end this section by following NIST’s process.

System Characterization describes the scope of the risk management effort and the systems that will be analyzed. The next two steps, Threat Identification and Vulnerability Identification, identify the threats and vulnerabilities required to identify risks using the “Risk = Threat × Vulnerability” formula.

Step 4, Control Analysis, analyzes the security controls (safeguards) that are in place or planned to mitigate risk. Steps 5 and 6, Likelihood Determination and Impact Analysis, are needed to identify the important risks (especially those with high likelihood and high impact/consequence). As the name implies, Step 7 (Risk Determination) calculates the risk.

The previous 7 steps are used to determine Control Recommendations, or the risk mitigation strategy. That strategy is documented in the final step, Results Documentation.
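To make steps 5 through 8 concrete, here is an added worked example (not code from the book or from NIST): a small risk register whose entries carry the outputs of steps 1 through 6, a Step 7 risk determination that combines likelihood and impact, and a ranking that feeds Step 8. The likelihood weights (1.0/0.5/0.1), impact weights (100/50/10) and the High/Medium/Low thresholds are assumptions of this example, modeled on the 3x3 risk-level matrix in the original SP 800-30; the assets, threats and vulnerabilities in the register are constructed sample data.

```python
"""Added example: NIST SP 800-30 steps 5-7 over a constructed risk register."""
from dataclasses import dataclass

# ASSUMPTION: qualitative scales and weights modeled on the 3x3 risk-level
# matrix of the original SP 800-30. Likelihood is a probability-like weight,
# impact is a magnitude; Step 7 multiplies them and bands the result.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass
class Risk:
    asset: str             # Step 1: System Characterization (what is in scope)
    threat: str            # Step 2: Threat Identification
    vulnerability: str     # Step 3: Vulnerability Identification
    existing_control: str  # Step 4: Control Analysis (what is already in place)
    likelihood: str        # Step 5: Likelihood Determination (High/Medium/Low)
    impact: str            # Step 6: Impact Analysis (High/Medium/Low)


def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: Risk = likelihood weight x impact weight (rounded for stable bands)."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 2)


def risk_level(score: float) -> str:
    """Band a Step 7 score: >50 High, >10 Medium, otherwise Low (assumed thresholds)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def build_register() -> list[Risk]:
    """Constructed sample register: a threat/vulnerability pair per asset."""
    return [
        Risk("Web server", "External attacker", "Unpatched web application",
             "Perimeter firewall only", "High", "High"),
        Risk("HR database", "Malicious insider", "Excessive privileges",
             "Quarterly access review", "Medium", "High"),
        Risk("Print server", "Commodity malware", "Default credentials",
             "Network segmentation", "Medium", "Low"),
        Risk("Backup tapes", "Theft in transit", "Unencrypted offsite storage",
             "Locked cabinet", "Low", "High"),
    ]


def rank_register(register: list[Risk]) -> list[tuple[str, float, str]]:
    """Step 7 output: (asset, score, level) sorted highest risk first."""
    rows = [(r.asset, risk_score(r.likelihood, r.impact),
             risk_level(risk_score(r.likelihood, r.impact))) for r in register]
    # Sort by score descending; asset name breaks ties deterministically.
    return sorted(rows, key=lambda row: (-row[1], row[0]))


def control_recommendations(register: list[Risk], minimum: str = "Medium") -> list[str]:
    """Step 8 input: risks at or above `minimum` level, in priority order, with
    the vulnerability each recommended control must address."""
    order = {"Low": 0, "Medium": 1, "High": 2}
    by_asset = {r.asset: r for r in register}
    return [
        f"{asset} [{level}, score {score:g}]: mitigate '{by_asset[asset].vulnerability}' "
        f"(existing control: {by_asset[asset].existing_control})"
        for asset, score, level in rank_register(register)
        if order[level] >= order[minimum]
    ]


if __name__ == "__main__":
    # Step 9 would document these results; here we just print the ranking.
    for line in control_recommendations(build_register()):
        print(line)
```

The point the ranking makes is the one the chapter makes in prose: a High-impact risk with Low likelihood (the backup tapes) scores the same as the Medium/Low print-server risk and drops below the Step 8 threshold, while the same impact with Medium likelihood (the HR database) is Medium and gets a recommendation. Changing the assumed weights or thresholds changes that ordering, which is why the scales an organization adopts in Step 7 should be written down in Step 9 alongside the results.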

Risk Maturity Modeling

Risk maturity modeling (part of a continuous improvement process) seeks to measure the maturity of an organization’s risk management process. It typically has five levels. The names vary depending on the model; here are the ones commonly used:

  • One: Ad hoc/Very basic
  • Two: Preliminary/Initial/Basic
  • Three: Defined/Repeatable/Emerging
  • Four: Integrated/Managed/Mature
  • Five: Optimized/Leadership/Advanced

Surveys are used to gauge an organization’s maturity. The process is similar to Carnegie Mellon’s CMMI (Software Capability Maturity Model Integration, discussed in Chapter 9, Domain 8: Software Development Security), which also has five levels.