IT Risk Management: How to Get Started with Risk Frameworks
When developing an IT risk management program, it can be hard to know where to start. There are a lot of questions you might ask yourself, like:
- Which frameworks should you use?
- Are you a single practitioner or do you have a team?
- Do you want a qualitative or quantitative framework?
It’s also important to define policy. Often, you’ll find that specific frameworks are named within risk management policies. They are also named within standard risk procedures, an explanation of how risk management committees work, how the framework works, and the duration at which risks are evaluated. Having specific IT risk management frameworks named within your policy will also keep your legal team happy.
But how do you select an IT risk management framework? Where do you get started? This article outlines how different risk management frameworks work, what types of teams they’re made for, and other key differentiators between them. Hopefully you’ll walk away with enough understanding to choose your very first framework.
The 5 Most Common IT Risk Management Frameworks
1. NIST RMF
Developed by the National Institute of Standards and Technology, NIST RMF is the IT risk management framework that gets the most traction. With its well-defined steps and process, it’s a good fit for big organizations — especially those with a risk management team or committee — as it does require dedicated resources to implement and manage.
Qualitative in nature, NIST RMF is also very specific to cybersecurity — particularly cybersecurity risk. It also aligns well with another NIST framework, NIST SP 800-53, which is a framework for those working with the federal government.
The NIST RMF framework provides 7 steps to get started:
- Prepare – Essential activities to prepare the organization to manage security and privacy risks
- Categorize – Categorize the system and information processed, stored, and transmitted based on an impact analysis
- Select – Select the set of NIST SP 800-53 controls to protect the system based on risk assessment(s)
- Implement – Implement the controls and document how controls are deployed
- Assess – Assess to determine if the controls are in place, operating as intended, and producing the desired results
- Authorize – Senior official makes a risk-based decision to authorize the system (to operate)
- Monitor – Continuously monitor control implementation and risks to the system
2. OCTAVE Allegro
First released in September 1999 by the Software Engineering Institute at Carnegie Mellon University, OCTAVE Allegro is another commonly used IT risk management framework. OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation.
It offers a very lightweight risk management process, and OCTAVE Allegro is a great risk management framework if your organization has a single practitioner new to risk management. Unfortunately, OCTAVE Allegro doesn’t scale for a team-oriented approach so it won’t be a great fit for organizations with entire risk management teams or committees.
If you can fill out a series of 10 forms and circulate them for peer review, then OCTAVE Allegro may be a great fit for your IT risk management program. It also has examples, including threat trees which walk you through different hypothetical situations to understand risk.
Smaller organizations (or organizations with a single practitioner assigned to do risk management) would find OCTAVE Allegro to be a great fit, especially if they want to get their program up and running in just one day. One downside is that it only looks at one point in time, and the framework doesn’t address ongoing governance.
3. OCTAVE FORTE
OCTAVE FORTE, or Operationally Critical Threat, Asset, and Vulnerability Evaluation for the Enterprise, is a cybersecurity aligned IT risk management framework. It’s scalable and often overseen by a large team or risk management committee. On this list, it’s the first enterprise risk management framework we’ve included, and it’s also qualitative in nature. Whereas OCTAVE Allegro is a good fit for a single practitioner, Octave FORTE is a better fit for a team or committee.
What is more unique to OCTAVE FORTE is that its documentation encourages continuous process, addressing continuous governance of risk. Other frameworks may simply outline the process once, giving the impression that once you’ve set up your controls you’re done. But, the continuous nature of OCTAVE FORTE should be observed with other frameworks as well, as risks change and adapt over time — especially as threat actors grow more and more intelligent.
OCTAVE FORTE addresses business risks and cybersecurity risks, and it’s good if you want to have a risk management committee. It’s a broader framework than OCTAVE Allegro because it gets into enterprise risk management, not just cybersecurity risk management. It allows businesses to better align and understand overall risk, helping risk practitioners eliminate siloed risk management frameworks. This allows the executives to not have competing frameworks so they can better understand the broader risk landscape.
Consisting of a 10-step process, FORTE is somewhat inspired by other standards created by the Committee of Sponsoring Organizations (COSO), the International Standards Organization (ISO), and the National Institute of Standards and Technology (NIST).
These 10 steps help an organization achieve the following:
- Understand its assets, capabilities, and risks
- Form risk appetite statement(s) to document risk tolerance
- Create response plans to manage risks
- Form processes to monitor whether risk is being managed effectively
- Develop a plan to improve the organization’s ERM program
4. COSO Enterprise Risk Management
COSO debuted in 1992, but the enterprise risk management framework came out in 2004. COSO has been endorsed by the Federal Reserve and the Federal Deposit Insurance Corporation, and is one of the most common Enterprise Risk Management frameworks cited by publicly traded companies as the 2004 standard addresses Section 404 of Sarbanes Oxley (SOX). In terms of level of complexity, it’s comparable to NIST RMF, and it’s necessary to have a team of practitioners or a risk committee to manage the framework.
COSO specifically defines ERM as “the culture, capabilities, and practices, integrated with strategy-setting and its performance, that organizations rely on to manage risk in creating, preserving, and realizing value.” The 2017 ERM provides guidance on what to do to incorporate risk assessment, objective setting, corporate governance, risk tolerance, risk appetite, and risk response into business strategies. This helps organizations to proactively respond to institutional investors who want a focus on strategic long-term value creation. Unfortunately, COSO does not succinctly help internal auditors how to link risk assessments to value creation or preservation, and does not provide prescriptive guidance on how to measure risks.
5. FAIR Risk Management
The only quantitative IT risk management framework included in this list is the FAIR Risk Management framework. FAIR, or Factors Analysis of Information Risk Management, allows practitioners to define risk in terms of monetary cost.
FAIR can get complicated with its definitions; it requires a cost for everything, from productivity, to telecommunications, staff salaries, and more. However, the nice part about FAIR is that risks can be defined by their values. Controls also have costs, so it becomes easier to understand the monetary impact of a control for a certain risk.
There are experienced practitioners who work with FAIR and understand how to price out the costs of everything within an organization. The benefits of quantitative risk management are that you’re able to provide the board with actual numbers and costs, which allows for better decisions on how to manage risks on their part.
However, FAIR is quite complicated to implement and often doesn’t work for organizations unless they can invest enough resources.
Fret Less With Frameworks
Using a risk framework helps you stand up your risk management program, but it also helps you make sure to cover all of your bases. When you’re starting out, it can be confusing getting to know the cybersecurity and compliance landscape. But with frameworks, you’re able to put structure in place and have a place to start without building everything from scratch.
Not only does using an IT risk management framework help you start your program, but it also gives you peace of mind knowing you’re adhering to standards set by someone outside your organization. Non-partial third-parties developed these frameworks based on years of IT risk management expertise so you can know where to start.
Hyperproof helps compliance professionals adhere to 60+ different frameworks, including ISO 27001, NIST, CMMC, FedRAMP, and many more. The platform also makes it easy to collaborate across teams and help you automate time-consuming repetitive tasks.
Get the Latest on Compliance Operations.
Kayne McGladrey, CISSP is the field CISO for Hyperproof and a senior member of the IEEE. He has over two decades of experience in cybersecurity and has served as a CISO and advisory board member, and focuses on the policy, social, and economic effects of cybersecurity lapses to individuals, companies, and the nation.