
Critical Risk Management

Private sector companies are not the only organizations that are embracing enterprise risk management. The U.S. government continues to do so too, albeit slowly. And recently, one U.S. federal agency released new draft guidelines on how risk management principles can be applied to critical infrastructure's information systems.

The proposed guidelines come from the U.S. Department of Commerce's National Institute of Standards and Technology (NIST). For the last few years, NIST has worked on refining its Risk Management Framework (RMF), which is aimed at helping organizations integrate information security principles and practices into enterprise risk management programs.

The RMF includes, among other components, a structured process for valuing organizational assets; for selecting, implementing, and assessing security controls; and for monitoring security controls on an ongoing basis. Government officials say this RMF is especially necessary because threats to U.S. critical infrastructure are outpacing efforts to reduce vulnerabilities.

"There is an urgent need to further strengthen the underlying information systems, component products, and services that we depend on in every sector of the critical infrastructure," writes Ron Ross, a NIST computer scientist, in the foreword of the new guidelines.

The guidelines have seven objectives: strengthen the links between high-level risk management efforts and lower-level operational activities; institutionalize risk management preparatory activities; demonstrate how the RMF can be aligned with NIST's Cybersecurity Framework; integrate privacy concepts into the RMF; promote the development of secure software systems; integrate supply chain risk management principles into the RMF; and provide an alternative approach to selecting security controls.

In addition, the new guidelines include instructions for tasks that will help prepare organizations to use the RMF for their information systems and programs. These tasks are divided into separate categories—organization level and system level.

On the organization level, these tasks include assigning risk management roles to employees, establishing an overall risk management strategy, assessing organization-wide risks, establishing and documenting baselines for stakeholder protection needs, categorizing the comparative impact levels of different information systems, and developing an organization-wide strategy for continuous monitoring.

On the system level, the tasks include identifying the business mission that the system supports, identifying stakeholders that have an interest in the system, categorizing the types of information the system uses, conducting a system-level risk assessment, identifying the system's protection and privacy requirements, and registering the system for purposes of management and oversight.

"Given the significant and ever-increasing danger of the threats, it is imperative that organizations remain vigilant and that leaders and managers at all organizational levels understand their responsibilities and are accountable for protecting organizational assets and for managing security risks," NIST says in the guidelines.