Risk Management Framework - jwells24/Tech-Journal GitHub Wiki
Risk Management Framework
The Risk Management Framework (RMF) is the set of basic guidelines and standards for information security. In this article, I'm referencing guidelines presented by NIST, which can be found at this link. Below, I'm going to provide explanations of the seven steps for risk management tasks.
Task 1
The first task listed in Appendix E of the NIST guidelines is establishing risk management roles. The purpose of this task is to create a team of individuals who will be responsible for different assignments and oversee the general information security of the organization. Creating these roles allows those people to focus solely on information security and direct all of their energy towards it. Some of these roles include Chief Information Officer and Senior Agency Official for Privacy.
Task 2
The second task is to create a risk management strategy. This strategy involves collective thinking from the team established in the previous task. The goal is to create an overall management strategy specific to your organization that also brings risk tolerance into the equation. Risk tolerance means getting an idea of what needs the most security, what already has the most security, and where the organization is willing to add security.
Task 3
The third task is an organization-wide risk assessment. The purpose of this is to get an understanding, across the entire organization, of where risks are present and where more security is necessary. This needs to be an ongoing assessment, updated when necessary. Individuals should be able to use this assessment to determine where to focus resources on improving security.
Task 4
The fourth task is to create organization-specific cybersecurity controls and baselines. Establishing cybersecurity standards throughout all departments and systems in an organization is a crucial step toward greatly improving its security. This will help to streamline security as well as establish good practices throughout the organization.
Task 5
The fifth task is to create organization-wide control standards for information systems. Like the previous step, information controls that are consistent, solid, and standardized throughout the organization will provide a stable security environment. This will also allow easy integration of new information systems.
Task 6
The sixth task involves impact-level prioritization. By grouping similar systems that face similar risks, we can more easily roll out controls and the security framework to larger parts of the organization at a time. This will also help us to assign resources to the sectors where security needs to be improved.
Task 7
The final step of the first seven is to create a continuous monitoring strategy. Once all of the framework is laid down and established, we need to focus on strategies that allow 24/7 monitoring of the organization's information systems. This will allow us to frequently and actively update risk assessments, necessary controls, and other security configurations for the organization. It will also provide constant security data that can be used in breach response and other situations.