We are often asked “how do you leverage IOR Insight in the risk assessment process?” We usually like to point to NIST, because its guidance is used in both government and non-government settings. If you recall the NIST SP 800-30 guide for conducting risk assessments, a key step in determining risk is deciding on a Risk Frame, as depicted in the NIST diagram we’ve referenced below:

 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

The Organizational Risk Frame is important as it sets the tone and perspective of everything that follows – both in terms of methodology as well as ongoing risk monitoring. One approach that is on top of the minds of many leaders in the Security discipline is the idea of framing risk around the business processes themselves.

This isn’t a new concept, but as we continue to apply layers of security and controls of various types and still get surprised by successful attacks, security leaders and business leaders alike are looking for more. They are trying to identify better ways to reduce the surprises and close the gap on the weaknesses in our environments that lead to incidents.

We believe that one of the biggest problems is bridging knowledge of the threats with the realities of what business users are doing, why they are doing it, and the importance of those activities to the overall business. Tools are available to scan a network and identify millions of instances of data movement, but they do not understand why that data is moving. Are these exchanges expected or unexpected? We can scan a range of IP addresses and identify all kinds of vulnerabilities, but are the affected systems mission critical? Do they hold any data that we consider top secret? And if so, how does each system relate to the company’s business value?

These questions are just a few examples of the kinds of questions that security teams need to answer to be effective and valuable to the organization. Most of us aren’t swimming in extra security budget, and even large enterprises have their resource limits. Knowing the answers to the questions above is critical to knowing how your limited budget should be applied. If you can’t answer these questions, you simply can’t make the most informed decisions about how to prioritize risks.

Framing your risk management processes around your business processes enables your team to understand how your business activities relate to what is known within IT and Security.

It is a top-down approach to asking “what goes on around here every day that we need to fix or monitor?” Going through the risk assessment methodology and its supporting activities can produce meaningful results in the context of what your business actually does on an everyday basis.

This approach will help uncover things that are critical to helping you secure your environment that were previously unknown. Namely:

  • Applications. You’ll identify critical applications and applications that aren’t so critical, applications you had no idea existed, and even applications that overlap or do exactly the same thing but for any number of historical reasons are still in use.
  • Data. You will learn about the data being passed around between departments, systems, and 3rd party vendors. You’ll identify how it is passed around and what sorts of transmission methods are being used. You’ll also be able to see the variations of impact/classification of that data and compare that to your handling policies for various data types.
  • Vendors. You can scan the network to figure out who you are talking to, but this process is just as revealing for vendors as it is for applications. If you have had the uncomfortable experience of seeing an Internet vendor scanning tool return hundreds or even thousands of surprise vendors, you’ll appreciate the need to proactively understand who is sending what to whom and why it is taking place.

We see a lot of concern about the effort involved in performing this kind of analysis, and that fear generally results in deprioritizing what would otherwise be a high-priority task. There are, however, pragmatic ways to conduct this analysis. In fact, our solution takes all of this a step further by capturing and maintaining this information and then producing a variety of risk analytics to support risk-informed decision making.

The importance of analyzing security risk from a business process lens is clear. In fact, below is just a partial list of frameworks that call for this type of analysis:

  • NIST Cybersecurity Framework
    • ID.AM-3
    • ID.AM-5
  • HIPAA – Security Rule 45 C.F.R. §§
    • 164.308(a)(1)(ii)(A)
    • 164.308(a)(3)(ii)(A)
    • 164.308(a)(8)
    • 164.310(d)
    • 164.308(a)(7)(ii)(E)
  • ISO/IEC – 27001:2013
    • A.13.2.1
    • A.8.2.1
  • COBIT 5
    • DSS05.02
    • APO03.03
    • APO03.04
    • BAI09.02
  • PCI DSS
    • 1.1.3
    • 2.4
    • 12.2

Source: http://www.hhs.gov/sites/default/files/nist-csf-to-hipaa-security-rule-crosswalk-02-22-2016-final.pdf

These are important activities for all security teams to perform in some capacity or another; it may be time to pause and reflect on how you are uncovering unknown risks, and to observe your IT environment, your security investments, and even your data through a business lens.