Table of Contents
Getting Started
Developing an effective risk management program is important in building an information security program. Risk management activities should take into account people, business processes (information handling), and technology.
Evaluate and select risk management methods:
- ISO/IEC 27005:2011 provides guidance in establishing a risk management program, and describes how to implement each phase of risk management (identification, assessment, treatment, monitoring and review)
- NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission and Information System View, describes the fundamentals and the process of completing risk assessments
- NIST Special Publication 800-30 Revision 1 is a Guide For Conducting Risk Assessments
- ISO/IEC 27002:2013 is an international standard that assists organizations with evaluating information security controls and performing risk treatment activities
- NIST Special Publication 800-37 Revision 1, Guide for Applying the Risk Management Framework, offers guidance in evaluating controls and applying risk treatment methods
- The HEISC Risk Management Framework is closely aligned with the guidance provided in the NIST publications cited above
- ISO/IEC 27005:2011, used in combination with the above framework, provide a complementary and comprehensive approach to identifying, assessing, and treating risks
Perform a high level risk assessment:
- Identify risks associated with information handling/business processes and begin educating the stakeholder community about information security risk management and what’s involved in various stages (risk identification, assessment, treatment, monitoring and review)
- Visit each major stakeholder (senior staff, administrative department heads, etc.,) and discuss/evaluate:
- The types (classifications) of information their department handles
- How they handle paper documents with various types of information (Read more about data classification in the Asset Management Chapter.)
- Use of encryption to protect sensitive or confidential information (Read more about encryption in the Cryptography Chapter.)
- Third party service providers that they use to handle information on their behalf
- External websites/portals where they enter and/or store information (Read more about third party service providers in the Supplier Relationships Chapter.)
- Where they store institutional data (on their workstations, on the network, and/or external storage facilities like Dropbox or One Drive)
- The potential impact of a loss of data integrity or availability and business continuity considerations (Read more about business continuity in the Information Security Aspects of Business Continuity Chapter.)
- The specific compliance requirements that apply to this stakeholder’s area such as HIPAA or PCI and whether these requirements are being addressed in a compliant manner. This can facilitate additional helpful conversations with legal affairs and auditors on campus. (Read more about compliance requirements in the Compliance Chapter.)
3. Develop a ranking system to help you sort and prioritize their responses
Evaluate risks and vulnerabilities associated with ‘technology and people’:
- Identify IT-managed equipment/assets (use vulnerability scanning tools to conduct discovery scans and/or pull the information from an asset register)
- Run vulnerability scans on those assets (servers, network equipment, PCI network devices, for example)
- Verify where confidential information resides (use a Data Loss Prevention (DLP) tool to scan IT-managed workstations and network directories or try to identify this in general at stakeholder meetings) (See the HEISC Confidential Data Handling Blueprint for additional suggestions.)
- Have staff and faculty completed security awareness training that emphasizes data protection? (See the Cybersecurity Awareness Resource Library for Suggestions.)
Expand the information security risk management program:
- Adopt specific methodologies described in the standards and guidelines listed in #1 above
- Complete a formal information security risk assessment across the university
- Take a phased or incremental approach if the institution is large or has decentralized IT operations
- Outsource risk assessments to third party service providers if you don’t have resources to perform them
- Reevaluate risks and vulnerabilities on a recurring basis as each risk assessment is a ‘snapshot’ at a point in time
- Explore the use of GRC solutions that can assist with developing a formal risk management system.
- See the HEISC GRC FAQ for an overview of GRC solutions.
- Review the following resources for additional recommendations:
Risk Management is the foundation of every good information security program. There are many approaches that an institution can take to identify risks that impact people, business processes (information handling), and technology. Prioritize identified risks and implement information security policies, controls, and compliance initiatives to assist with making information security program improvements.
Top of page
Overview
Risk management is an activity directed towards assessment, mitigation, and monitoring of risks to an organization. Information security risk management is a major subset of the enterprise risk management process, which includes both the assessment of information security risks to the institution as well as the determination of appropriate management actions and established priorities for managing and implementing controls to protect against those risks.
The risk management process involves setting institutional priorities and making key decisions in regards to what is sometimes called the institution's "appetite for risk". Primary direction in making decisions about risk acceptance needs to come from institutional leadership. Information security organizations may manage the risk management program but it's necessary to consult with institutional leadership about handling risks that cannot effectively be reduced or mitigated. The Risk Management Framework provides useful guidance to assist with developing these processes.
This process can be broadly divided into two components:
- Risk assessment
- Risk treatment
Risk assessment identifies, quantifies, and prioritizes risks against both criteria for risk acceptance and objectives relevant to the organization. The assessment results guide the determination of appropriate management action and priorities for managing information security risks and for implementing controls selected to protect against these risks. The assessment should include both a systematic approach to estimating the magnitude of risks and a process for comparing estimated risks against risk criteria to determine the significance of the risks.
The scope of a risk assessment can be either the whole organization, parts of the organization, an individual information system, or even specific system components or services. Performing a risk assessment in areas that include technology infrastructure also includes performing vulnerability assessments to help quantify risks. This process of assessing risks and vulnerabilities will need to be performed at recurring intervals, especially if an incremental approach is selected, to ensure that comprehensive and effective results are obtained. This will also ensure that constantly evolving changes in security requirements and/or significant changes are assessed. For example, IT will be implementing new products or services each year and new or additional risks may be introduced due to vulnerabilities that can be exploited.
Once a risk assessment is completed, risk treatment is the next step in the process. For each of the risks identified during a risk assessment, a risk treatment decision needs to be made. Possible options for risk treatment include:
- Knowingly and objectively accepting risks, providing they clearly satisfy the organization's policy and criteria for risk acceptance;
- Applying appropriate controls to reduce the risks;
- Avoiding risks by not allowing actions that would cause the risks to occur;
- Transferring the associated risks to other parties, e.g. insurers or suppliers.
For each of the risks where the treatment decision is to apply some level of risk mitigation, appropriate controls may be selected from other sections of the Guide or elsewhere (SANS Top Twenty Critical Security Controls, for example). Controls should be selected to ensure that risks are reduced to an acceptable level. Take into account applicable federal, state, and local statutes as well as other binding regulations. Additionally, consider institutional goals and objectives, operational requirements and constraints, the cost of implementing effective controls relative to potential harm of not implementing them, and the costs likely to result from one or more security failures.
It should be kept in mind that even after mitigating all current risks, achieving a 'state of complete security' is unlikely. Making continuous improvements through ongoing risk management activities will make a very positive impact.
A vulnerability assessment is basically an inventory of all vulnerabilities. It is often thought of as a technical examination (networks scanning, etc.) however, a complete vulnerability assessment would include all physical, process, etc.
The risk assessment considers those vulnerabilities in light of the other aspects of the risk formula - threats and impact (which includes the concepts of both asset and value) so that the potential mitigations that might be applied can be prioritized.
Risk management encompasses risk assessment and vulnerability assessment along with the mitigation. It also includes measuring the outcome of the process, and repeating the process again and again.
Top of page
Risk Assessment
Objective: Analyze and evaluate risk.
There are a variety of risk management tools and methodologies that can be used. Please view this compilation of Risk Assessment Tools and review Taking Risk Assessment from Project to Process: A Novel Approach, a presentation from the 2010 Security Professionals Conference that highlights an approach to risk assessment that is cost-effective, standardized, and simple to deploy. Additionally, Verizon publishes an annual Data Breach Investigations Report (DBIR), which can be useful for focusing on known threat vectors. Also, several institutions are taking a more proactive approach, partnering with key stakeholders to introduce risk assessments into the project life cycle as early as possible.
Top of page
Risk Treatment
Objective: Develop a plan that identifies the controls necessary to reduce, retain, avoid, or transfer identified risks.
There are a several ways to develop an effective risk treatment plan. One way is to follow the Risk Management Framework Phase 3, Mitigation Planning, that begins with the following two steps:
Step 1: Develop options to mitigate risk.
Step 2: Confer with management to agree upon strategy.
Alternatively, create a risk registry, which is a tool that can assist with managing and tracking risks. Record identified risks, their severity, and the actionable steps to be taken for each. Share with risk stakeholders and institutional leadership. Finally, organizations that have a mature risk management program in place may want to explore purchasing a solution to automate the business processes associated with governance, risk, and compliance (GRC). Before investing in a GRC solution, you may want to review the GRC FAQ to assist with making this decision.
Specific Risk Treatment Examples
- Cyber Insurance is one way to reduce risks. However, if interested in this coverage, ask about the terms and conditions and review them carefully for potential exclusions. Most Cyber Insurance policies will not pay benefits if the insurance company determines that information affected during a data breach incident was not encrypted at rest. Additionally, they will scrutinize the protection applied to IT infrastructure where the information was stored to assess levels of protection and can deny the claim if they consider it inadequate or not meeting their standards. This coverage can be very expensive and conducting extensive research is warranted. Also take a look at the EDUCAUSE Cyber Insurance portal and this informative article from the Wall Street Journal.
- Developing processes similar to The Standard for Personal Digital Identity Levels of Assurance can potentially assist with risk mitigation (see Identity Assurance at Virginia Tech).
Top of page
Resources
Campus Case Studies On This Page
Identity Assurance at Virginia Tech
EDUCAUSE Resources
- IT Risk Management: Try This Exercise at Your Institution, an example of using the EDUCAUSE Top Ten IT Issues as a guide to inform risk management practices (from Educause Review Online)
- Practical Approaches to Effective Risk Management, Presentation at EDUCAUSE Annual Conference, 2011
- Proactive Compliance through Information Systems Risk Management, Presentation at the MidAtlantic Regional Conference, 2011
- Cyber Insurance portal for EDUCAUSE publications, presentations and other resources on this topic.
- Taking Risk Assessment from Project to Process: A Novel Approach Presentation at the Security Professionals Conference, 2010
- Risk Management Framework for an adaptable approach to risk management oriented toward higher education.
- Risk Assessment Tools for a list of some tools available to aid in risk assessment and management.
- Security Risk Assessment and Analysis portal for EDUCAUSE publications, presentations and other risk assessment and analysis resources.
- Risk Management portal for EDUCAUSE publications, presentations and other resources on this topic.
- Information Security Program Self-Assessment Tool is intended to help a CIO or CISO evaluate and track the maturity of an information security program.
- Privacy Risk Assessment portal for EDUCAUSE publications, presentations and other resources on this topic.
- Foundations for Effective Security Risk and Program Assessment, EDUCAUSE Security Professionals Conference 2010
- GRC FAQ: Frequently Asked Questions about Governance, Risk, and Compliance (GRC) Systems, 2012
Initiatives, Collaborations, & Other Resources
- Statement on Standards for Attestation Engagements (SSAE) No. 16 (formerly SAS 70) focuses on the design of controls and their operating effectiveness.
- Payment Card Industry Standard (PCI)
- Verizon's Annual Data Breach Investigations Report provides known threat vector information
- Evaluating Cloud Risk for the Enterprise: A Shared Assessments Guide
Top of page
Standards
ISO 31000:2009 | 800-30: Risk Management Guide for Information Technology Systems | APO12.01 | PCI DSS, v3.0, released November 2013, is a standard for assisting with compliance with the Payment Card Industry Data Security Standard (PCI DSS). | ID.RA-1 | 45 CFR 164.308(a) |
Top of page
Questions or comments? 
Contact us.
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).