Comprehensive Report on Risk Management Framework and Security

Verified

Added on 2021/06/15

AI Summary

This report provides an overview of the Risk Management Framework, detailing its components and implementation process. It covers information system categorization, security controls, and the assessment and authorization processes. The report explores the number of controls within the framework, the categories used in a risk-based approach, and the reasons why organizations should base their security program strategy on this framework. Furthermore, it highlights the differences between traditional risk management and enterprise risk management, emphasizing the strategic and holistic approach of the latter. The report draws on references to support its analysis, providing a comprehensive understanding of risk management strategies and their relevance in today's dynamic environment.

Running Head: Risk Management Framework 1
Risk Management Framework
Student’s Name
University Affiliation

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

Risk Management Framework 2
Risk Management Framework
 Information System
Categorization – a security role is assigned to the new IT system on the basis of
business objectives and mission.
 Security Controls – the project’s security controls (software, hardware and technical
processes) are selected for approval by the leadership.
 Implementation of Security Controls – the security controls is put into action.
 Assessment of Security Controls – the security controls are reviewed and approved by
an independent assessor.
 Authorization of the Information System – an authorization package is presented by
the agency for risk determination and risk assessment.
 Monitoring Security Control – the current security controls are constantly monitored
by the agency on the basis of the environment or the system itself.
1. The number of controls/sub-controls found in the framework
These controls are an endorsed set of actions that provide an actionable and specific way
so of stopping pervasive attacks as a means for cyber defense. They were developed by private
and public sector security experts who also maintain them and know how these attacks work.
The controls support standard-based, large-scale security automation for cyber defenses
Implementation
of security
controls
Security
Controls
Assessment
of security
controls
Authorization
of the
information
system
Monitoring
security
controlsFeedback
Informatio
n System
Categorizat
ion

Risk Management Framework 3
management. In addition, these controls aim to not only transform threat data into unlawful
guidance but also improve cyberspace security at both individual and corporate level.
Security controls that offer support to information security managers and practitioners in
implanting computer information systems. For instance, critical security controls are for auditing,
implementing and planning in depths. In addition, security operations also focus on continuous
monitoring, security operation management in terms of intelligence, response, and detection
(Peltier, 2017).
2. The categories used in the risk-based approach
Organizations usually select and implement three type of controls namely:
Specific controls –provide privacy or security capability for an information system.
Common controls – provide privacy or security capability for many systems.
Hybrid controls – comprise of common and system-specific characteristics.
These controls are consistently allocated an organization or system with in accordance
with the security or privacy architecture and the enterprise architecture of the organization. This
activity engages the privacy and security architects, the enterprise architect, the privacy or
security officers, the agency’s senior privacy official, the agency’s information security officers,
the senior official accountable for risk management, the chief information officer, the control
providers, the system owners, and every authorizing official (Hillson, 2017).
It is, therefore, a call for organizations to implement the identified common controls that
will support multiple information systems in an efficient and effective manner as the common
capability for protection. When used to support a system, consistent, efficient and cost-effective

Risk Management Framework 4
privacy and security safeguards are promoted in the entire organization. In addition, activities
and processes pertaining to risk management are also simplified through the assignment of
accountability and responsibilities for the monitoring, authorization, assessment, implementation,
and development of those control (Presley & Landry, 2016).
3. Why today's organizations should base security program strategy and decisions upon it
We live in a world of constant and inevitable change where some things are under our
control and most are actually beyond our control. But then again, the consequences of lack of
proper preparation for risks are likely to bring about negative effects on the economy,
companies, employees and at large the community. Since everyone strives to increase the
likelihood of success reducing the probability of failure, employing a risk management
framework is the way to go.
In this context, it is very paramount for an organization to base their security program
strategy and decision on the risk management framework. Risk assessment thoroughly looks at
processes, situations, activities or processes that may cause harm especially to people as well as
analyzing and evaluating the likelihood and severity of the risk (Vittor, 2017). This helps in
creating awareness of risk and hazard as well as identifying those who might be at risk. The
framework provides a control program that helps to address a particular hazard after determining
the adequate and appropriate control measure. As a result, when control measures and hazards
are prioritized, the legal requirements guiding the organization are met.
4. The differences between risk management and enterprise risk management
Day in day out, whether knowingly or unknowingly, employees in organizations are
engaged in risk management in one way or the other. The uncertainty relating to a product’s or a

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

Risk Management Framework 5
system’s future performance is not only a risk to the end user but also the organization itself. A
system that is prone to fail too often or in a manner that is likely to be unsafe requires further
implementation so as to rectify and avoid further damage. In order to avoid these
implementations that very expensive, organizations opt risk management techniques. Depending
on their preferences organizations go either for the traditional risk management or the enterprise
risk management which have differing characteristics.
Unlike the enterprise risk management that uses a holistic approach, the traditional risk
management is usually departmentalized or rather segmented in the sense that each department
deals independently with its own risk. Moreover, the main focus on the traditional risk
management is preventing losses is tactical as opposed to the enterprise risk management
strategic approach that aims at providing savings, increasing sustainability through lowering the
risk in the whole organization (Bromiley et al., 2015). As opposed to the traditional risk
management that manages the financial and physical assets uncertainties, the enterprise risk
management seek to assess the whole asset portfolio which comprises of intangibles, for
instance, proprietary systems, innovative processes, employees, suppliers, employees, and so on.
In conclusion, many have the belief that traditional risk management is not adequate when it
comes to dealing with the realities of change, which is inevitable and can result in a lot of
damage (Graubart & Bodeau, 2016). This is the reason why most companies around the world
consider using the enterprise risk management.

Risk Management Framework 6
References
Bromiley, P., McShane, M., Nair, A., & Rustambekov, E. (2015). Enterprise risk management:
Review, critique, and research directions. Long range planning, 48(4), 265-276.
Graubart, R., & Bodeau, D. (2016). The Risk Management Framework and Cyber Resiliency.
Hillson, D. (2017). Managing risk in projects. Routledge.
Peltier, T. R. (2016). Information Security Policies, Procedures, and Standards: guidelines for
effective information security management. Auerbach Publications.
Presley, S. S., & Landry, J. P. (2016). A Process Framework for Managing Cybersecurity Risks
in Projects.
Vittor, T. R., Sukumara, T., Sudarsan, S. D., & Starck, J. (2017, April). Cyber security-security
strategy for distribution management system and security architecture considerations.
In Protective Relay Engineers (CPRE), 2017 70th Annual Conference for (pp. 1-6).
IEEE.