Risk management is a process in which an organization constantly assesses the level of risk it faces and takes action to reduce that risk. You look at the threats and vulnerabilities that your organization faces. You then take steps to reduce the resulting risk by mitigating the vulnerabilities and planning for the threats. The goal is to successfully mitigate such risks before the associated threat(s) can manifest and harm the organization.
Protect Assets
Guide Decisions
Reduce Risk
How is risk managed?
The National Institute of Standards and Technology (NIST) lays out its recommended plan for identifying, controlling, and continuously monitoring risk tied to each information system in an organization. This framework is designed to create a repeatable process that accomplishes the following tasks using a variety of publications and guidance provided by NIST:
- Categorize System
  Categorize the sensitivity of the system’s data, followed by the enumeration of risks that might compromise the confidentiality, integrity, and availability of both the data and the information system.
  Associated NIST publications: FIPS 199 and SP 800-60.
- Select Controls
  Select a specific set of security controls based on the sensitivity of the data and implement these controls while architecting the information system during the software/system development life cycle (SDLC).
  Associated NIST publications: FIPS 200 and SP 800-53.
- Implement Controls
  Implement and test the security controls as the information system is built.
  Associated NIST publications: SP 800-34, SP 800-61, and SP 800-128.
- Assess Controls
  Assess the performance and effectiveness of both the information system and the security controls to provide assurance that they are working as intended.
  Associated NIST publication: SP 800-53A.
- Authorize System
  Gain authorization and approval for the information system to begin processing, transmitting, and storing data to accomplish its mission.
  Associated NIST publication: SP 800-37.
- Monitor Controls
  Continuously monitor the security controls to ensure they remain effective throughout the life cycle of the information system.
  Associated NIST publications: SP 800-37, SP 800-53A, and SP 800-137.
Risk Assessments
One of the best ways to identify your risk of threats and vulnerabilities is to conduct a risk assessment. Risk assessment is a process of identifying, estimating, and prioritizing risks to organizational operations and assets that are tied to the operation of an information system. At a minimum, we recommend that UAB organizations conduct risk assessments when:
- A new third-party vendor is being considered to provide a service or product that involves UAB data, UAB information systems, and/or UAB information technology resources, such as networking.
  Note: Vendors that already provide such services or products should be required to complete a risk assessment annually to determine whether the associated level of risk has increased or decreased during the previous year.
- A new information system or web application is being developed and deployed by a UAB organization.
  Note: Existing UAB-owned information systems and web applications should undergo a risk assessment annually to determine whether the associated level of risk has increased or decreased during the previous year.
- Compliance frameworks, such as PCI DSS, HIPAA, or FISMA, require that a risk assessment be conducted.
We can assist in the risk assessment process by providing the tools, offering guidance in how to address questions in the tools, reviewing the final assessment, and aiding the organizations in reducing areas of significant risk to an acceptable level.
Learn More
Are you interested in learning more details about Risk Management? See the following NIST publications:

Publication | Title
---|---
FIPS 199 | Standards for Security Categorization of Federal Information and Information Systems
FIPS 200 | Minimum Security Requirements for Federal Information and Information Systems
NIST SP 800-30 | Guide for Conducting Risk Assessments
NIST SP 800-34 | Contingency Planning Guide for Federal Information Systems
NIST SP 800-37 | Guide for Applying the Risk Management Framework to Federal Information Systems
NIST SP 800-50 | Building an Information Technology Security Awareness and Training Program
NIST SP 800-53 | Security and Privacy Controls for Federal Information Systems and Organizations
NIST SP 800-53A | Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
NIST SP 800-60 | Guide for Mapping Types of Information and Information Systems to Security Categories
NIST SP 800-61 | Computer Security Incident Handling Guide
NIST SP 800-64 | Security Considerations in the System Development Life Cycle
NIST SP 800-128 | Guide for Security-Focused Configuration Management of Information Systems
NIST SP 800-137 | Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations