What Is Risk Management Framework?

Risk Glossary

Organizations face a variety of different risks, and cyber threats are becoming a top-of-mind security concern. An organized approach to risk management is essential to minimizing the probability and impact of successful cyberattacks.

A risk management framework (RMF) can help with this. An RMF defines the process for identifying and managing the risks to an organization to eliminate or minimize the probability and impacts associated with these risks.

What is the Purpose of a Risk Management Framework?

A risk management framework enables an organization to make intelligent decisions about how it will address the various risks faced by the business. Effectively managing these risks provides a number of different benefits to an organization, including:

  • Insider Threat Management: Most data breaches are caused by insiders, either intentionally or unintentionally. By identifying risky behaviors that could lead to a breach and codifying responses, an organization positions itself to respond quickly and effectively to a potential incident.
  • IP Protection: An organization's intellectual property is vital to its ability to compete effectively in the marketplace. A risk management framework can help an organization to identify risks to its IP and develop strategies for minimizing these risks.
  • Regulatory Compliance: Many types of customer data are protected by data privacy laws and data protection regulations. To avoid regulatory penalties and legal action, an organization must take steps to minimize the potential for exposure of the protected data in its care.
  • Vulnerability Management: Within an organization's network, different vulnerabilities have varying levels of exploitability and impact. A risk management framework provides a structured process for identifying and managing the risks associated with these vulnerabilities.

How Do You Develop a Risk Management Framework?

The National Institute of Standards and Technology (NIST) has created a risk management framework for securing US government systems. However, the risk management framework steps outlined by NIST's are widely applicable to cyber risk management.

1. Categorize Information Systems

Different information systems have different levels of importance within an organization. Some computers may be "critical systems" or store and process sensitive data that is protected by laws and regulations. Others, like employee workstations, may be useful but are not vital to operations.
Categorizing information systems based upon their roles and the data that they can access is crucial to risk management. This information helps to determine the impact of attacks and with prioritizing security controls.

2. Select Security Controls

Based on the categorization of each information system, the next step in risk management is selecting a set of security controls for each asset. Security controls should be selected based upon several different factors, including:

  • Regulatory Requirements: Data protection regulations like the GDPR, PCI DSS, and HIPAA outline minimum requirements for the security of sensitive data protected under the law. Security controls should be selected to meet or exceed these requirements.
  • Corporate Policy: Data protection regulations only cover certain types of data. Additional protections may be required for systems containing intellectual property or other types of sensitive business data.
  • Business Needs: Security controls should balance security with usability. Select security controls that meet requirements, but also ensure that it is still possible for employees to do their jobs.

When selecting security controls, it is important to define a policy that is sustainable. Rather than taking a "check the box" approach to compliance, design controls that meet requirements but are also maintainable.

3. Implement Security Controls

After designing security controls for a system or systems, the next step is to implement these security controls. At this stage in the process, it is essential to document the controls put in place to ensure that they can be properly monitored and maintained.

4. Assess Security Controls

After implementing security controls, test them to ensure that they are effective. If they don't work, return to step 2 and design new controls.

5. Authorize Information System

Once a system is secure it can be authorized for use. Any risks not mitigated by the selected security controls should be documented as accepted risk.

6. Monitor Security Controls

Security is not a "one and done" exercise. Security controls should be regularly monitored and assessed to ensure that they are effective and updated as needed.

Learn about the importance of including insider risk in a risk management program