Risk Management Framework2 Risk Management Framework InformationSystem Categorization – a security role is assigned to the new IT system on the basis of business objectives and mission. Security Controls – the project’s security controls (software, hardware and technical processes) are selected for approval by the leadership. Implementation of Security Controls – the security controls is put into action. Assessment of Security Controls – the security controls are reviewed and approved by an independent assessor. Authorization of the Information System – an authorization package is presented by the agency for risk determination and risk assessment. Monitoring Security Control – the current security controls are constantly monitored by the agency on the basis of the environment or the system itself. 1.The number of controls/sub-controls found in the framework These controls are an endorsed set of actions that provide an actionable and specific way so of stopping pervasive attacks as a means for cyber defense. They were developed by private and public sector security experts who also maintain them and know how these attacks work. Thecontrolssupportstandard-based,large-scalesecurityautomationforcyberdefenses Implementation of security controls Security Controls Assessment of security controls Authorization of the information system Monitoring security controlsFeedback Informatio n System Categorizat ion
Risk Management Framework3 management. In addition, these controls aim to not only transform threat data into unlawful guidance but also improve cyberspace security at both individual and corporate level. Security controls that offer support to information security managers and practitioners in implanting computer information systems. For instance, critical security controls are for auditing, implementing and planning in depths. In addition, security operations also focus on continuous monitoring, security operation management in terms of intelligence, response, and detection (Peltier, 2017). 2.The categories used in the risk-based approach Organizations usually select and implement three type of controls namely: Specific controls –provide privacy or security capability for an information system. Common controls – provide privacy or security capability for many systems. Hybrid controls – comprise of common and system-specific characteristics. These controls are consistently allocated an organization or system with in accordance with the security or privacy architecture and the enterprise architecture of the organization. This activity engages the privacy and security architects, the enterprise architect, the privacy or security officers, the agency’s senior privacy official, the agency’s information security officers, the senior official accountable for risk management, the chief information officer, the control providers, the system owners, and every authorizing official (Hillson, 2017). It is, therefore, a call for organizations to implement the identified common controls that will support multiple information systems in an efficient and effective manner as the common capability for protection. When used to support a system, consistent, efficient and cost-effective
Risk Management Framework4 privacy and security safeguards are promoted in the entire organization. In addition, activities and processes pertaining to risk management are also simplified through the assignment of accountability and responsibilities for the monitoring, authorization, assessment, implementation, and development of those control (Presley & Landry, 2016). 3.Why today's organizations should base security program strategy and decisions upon it We live in a world of constant and inevitable change where some things are under our control and most are actually beyond our control. But then again, the consequences of lack of properpreparationforrisksarelikelytobringaboutnegativeeffectsontheeconomy, companies, employees and at large the community. Since everyone strives to increase the likelihoodofsuccessreducingtheprobabilityoffailure,employingariskmanagement framework is the way to go. In this context, it is very paramount for an organization to base their security program strategy and decision on the risk management framework. Risk assessment thoroughly looks at processes, situations, activities or processes that may cause harm especially to people as well as analyzing and evaluating the likelihood and severity of the risk (Vittor, 2017). This helps in creating awareness of risk and hazard as well as identifying those who might be at risk. The framework provides a control program that helps to address a particular hazard after determining the adequate and appropriate control measure. As a result, when control measures and hazards are prioritized, the legal requirements guiding the organization are met. 4.The differences between risk management and enterprise risk management Day in day out, whether knowingly or unknowingly, employees in organizations are engaged in risk management in one way or the other. The uncertainty relating to a product’s or a
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Risk Management Framework5 system’s future performance is not only a risk to the end user but also the organization itself. A system that is prone to fail too often or in a manner that is likely to be unsafe requires further implementationsoastorectifyandavoidfurtherdamage.Inordertoavoidthese implementations that very expensive, organizations opt risk management techniques. Depending on their preferences organizations go either for the traditional risk management or the enterprise risk management which have differing characteristics. Unlike the enterprise risk management that uses a holistic approach, the traditional risk management is usually departmentalized or rather segmented in the sense that each department deals independently with its own risk. Moreover, the main focus on the traditional risk management is preventing losses is tactical as opposed to the enterprise risk management strategic approach that aims at providing savings, increasing sustainability through lowering the risk in the whole organization (Bromiley et al., 2015). As opposed to the traditional risk management that manages the financial and physical assets uncertainties, the enterprise risk management seek to assess the whole asset portfolio which comprises of intangibles, for instance, proprietary systems, innovative processes, employees, suppliers, employees, and so on. In conclusion, many have the belief that traditional risk management is not adequate when it comes to dealing with the realities of change, which is inevitable and can result in a lot of damage (Graubart & Bodeau, 2016). This is the reason why most companies around the world consider using the enterprise risk management.
Risk Management Framework6 References Bromiley, P., McShane, M., Nair, A., & Rustambekov, E. (2015). Enterprise risk management: Review, critique, and research directions.Long range planning,48(4), 265-276. Graubart, R., & Bodeau, D. (2016). The Risk Management Framework and Cyber Resiliency. Hillson, D. (2017).Managing risk in projects. Routledge. Peltier, T. R. (2016).Information Security Policies, Procedures, and Standards: guidelines for effective information security management. Auerbach Publications. Presley, S. S., & Landry, J. P. (2016). A Process Framework for Managing Cybersecurity Risks in Projects. Vittor, T. R., Sukumara, T., Sudarsan, S. D., & Starck, J. (2017, April). Cyber security-security strategy for distribution management system and security architecture considerations. InProtective Relay Engineers (CPRE), 2017 70th Annual Conference for(pp. 1-6). IEEE.