Managing information system-related security and privacy risk is a complex undertaking that requires the involvement of the entire organization—from senior leaders providing the strategic vision and top-level goals and objectives for the organization, to mid-level leaders planning, executing, and managing projects, to individuals developing, implementing, operating, and maintaining the systems supporting the organization’s missions and business functions. Risk management is a holistic activity that affects every aspect of the organization including the mission and business planning activities, the enterprise architecture, the SDLC processes, and the systems engineering activities that are integral to those system life cycle processes. Figure 1 illustrates a multi-level approach to risk management described in [SP 800-39] that addresses security and privacy risk at the organization level, the mission/business process level, and the information system level. Communication and reporting are bi-directional information flows across the three levels to ensure that risk is addressed throughout the organization.


The activities conducted at Levels 1 and 2 are critical to preparing the organization to execute the RMF. Such preparation involves a wide range of activities that go beyond simply managing the security and privacy risk associated with operating or using specific systems and includes activities that are essential to managing security and privacy risk appropriately throughout the organization. Decisions about how to manage such risk at the system level cannot be made in isolation. Such decisions are closely linked to the:

  • Mission or business objectives of organizations;
  • Modernization initiatives for systems, components, and services;
  • Enterprise architecture and the need to manage and reduce the complexity[20] of systems through consolidation, optimization, and standardization;[21] and
  • Allocation of resources to ensure the organization can conduct its missions and business operations effectively, efficiently, and in a cost-effective manner.

Preparing the organization to execute the RMF can include:

  • Assigning roles and responsibilities for organizational risk management processes;
  • Establishing a risk management strategy and organizational risk tolerance;
  • Identifying the missions, business functions, and mission/business processes the information system is intended to support;
  • Identifying key stakeholders (internal and external to the organization) that have an interest in the information system;
  • Identifying and prioritizing assets (including information assets);
  • Understanding threats to information systems and organizations;
  • Understanding the potential adverse effects on individuals;
  • Conducting organization- and system-level risk assessments;
  • Identifying and prioritizing security and privacy requirements;[22]
  • Determining authorization boundaries for information systems and common controls;[23]
  • Defining information systems in terms of the enterprise architecture;
  • Developing the security and privacy architectures that include controls suitable for inheritance by information systems;
  • Identifying, aligning, and deconflicting security and privacy requirements; and
  • Allocating security and privacy requirements to information systems, system elements, and organizations.

[20] Managing complexity of systems through consolidation, optimization, and standardization reduces the attack surface and technology footprint exploitable by adversaries.

[21] Enterprise architecture defines the mission, information, and the technologies necessary to perform the mission, and transitional processes for implementing new technologies in response to changing mission needs. It also includes a baseline architecture, a target architecture, and a sequencing plan. [OMB FEA] provides guidance for implementing enterprise architectures.

[22] Security and privacy requirements can be obtained from many sources (e.g., laws, executive orders, directives, regulations, policies, standards, and mission/business/operational requirements).

[23] Authorization boundaries determine the scope of authorizations for information systems and common controls (i.e., the system elements that define the system or the set of common controls available for inheritance).

In contrast to the Level 1 and 2 activities that prepare the organization for the execution of the RMF, Level 3 addresses risk from an information system perspective and is guided and informed by the risk decisions at the organization and mission/business process levels. The risk decisions at Levels 1 and 2 can impact the selection and implementation of controls at the system level. Controls are designated by the organization as system-specific, hybrid, or common (inherited) controls in accordance with the enterprise architecture, security or privacy architecture, and any tailored control baselines or overlays that have been developed by the organization.[24]

Organizations establish traceability of controls to the security and privacy requirements that the controls are intended to satisfy. Establishing such traceability ensures that all requirements are addressed during system design, development, implementation, operations, maintenance, and disposition.[25] Each level of the risk management hierarchy is a beneficiary of a successful RMF execution—reinforcing the iterative nature of the risk management process where security and privacy risks are framed, assessed, responded to, and monitored at various organizational levels.

Without adequate risk management preparation at the organizational level, security and privacy activities can become too costly, demand too many skilled security and privacy professionals, and produce ineffective solutions. For example, organizations that fail to implement an effective enterprise architecture will have difficulty in consolidating, optimizing, and standardizing their information technology infrastructures. Additionally, the effect of architectural and design decisions can adversely affect the ability of organizations to implement effective security and privacy solutions. A lack of adequate preparation by organizations could result in unnecessary redundancy as well as inefficient, costly and vulnerable systems, services, and applications.

[24] Controls can be allocated at all three levels in the risk management hierarchy. For example, common controls may be allocated at the organization, mission/business process, or information system level.

[25] [SP 800-160 v1] provides guidance on requirements engineering and traceability.