The NIST 800 series is a set of documents that describes how the United States federal government implements its security policies, procedures and guidelines. The National Institute of Standards and Technology (NIST) is a unit of the Commerce Department; it makes these documents available at no charge, and they are useful to government agencies, businesses and educational institutions alike. Within the NIST 800 series, the focus here is specifically on NIST Special Publication 800-39.
NIST Special Publication 800-39 is guidance for information security risk management, which is usually an enterprise-wide program. It describes a multi-tiered approach (see below) and also defines the information security risk management cycle.
Three tiers
The NIST Special Publication 800-39 lists the three tiers at which risk management should be addressed:
- organizational tier;
- business process tier;
- information systems tier.
Risks are analyzed and addressed at the information systems tier, because that is where information is actually processed. This is what makes the structured, tiered approach an effective one. Risk management should not, however, be done without taking into consideration both the business process context and the organizational tier.
The following sections look further at the guidance of NIST SP 800-39 in each of these areas.
Organization Tier
At the first tier, the organizational tier, all activities related to information security risk management are performed on the basis of enumerating, defining and prioritizing the business processes needed to fulfil the organization's mission. This tier serves the purpose of building a governance structure for the oversight of risk management. The governance structure needs to be created in agreement both with the organization's mission and with the regulatory requirements that affect the organization. The most important tasks carried out in this tier are the establishment of top-level risk responsibility and the establishment of a risk management strategy.
The purpose of establishing top-level risk responsibility is to ensure that risk-related activities are recognized and executed at all levels of the organization, from top to bottom. The purpose of establishing a risk management strategy is to align information security risk management activities with the organization's mission and regulatory environment, and to set the criteria for the activities of the risk management cycle. The risk management strategy should also address the proper allocation of risk management resources and the monitoring of risk management processes.
Business processes Tier
Business processes are the set of processes designed to fulfil the mission of an organization. Proper information security risk management requires that such processes are clearly defined: it is not possible to manage risks effectively if one cannot associate them with the relevant business process. The set of business processes can also be called an "enterprise architecture", and the process-based approach to information security risk management can be used even when the organization is a small one.
After the business processes have been properly defined, the business process owner needs to consider the possible threats to each process and the consequences of those threats. The enterprise architecture concept allows for effective information security risk management, but that is not its only advantage. Whenever business processes are clearly defined, two further goals can be set and achieved:
- separation of critical processes, so that the failure of one process does not cause the failure of the others, which remain resilient;
- redundancy of critical processes, so that if a critical process fails, the critical activity can be continued by the redundant process.
Information systems
All business processes are supported by information systems, and information processing happens at the level of the information system. The vulnerabilities and threats that information security risk management deals with belong to the information processing systems, and security controls or measures are likewise applied to the elements of those systems.
For any business process, all the information processing resources needed to execute it must be defined. These become part of the input to the risk assessment phase, and the same resources will also appear as part of the output of the risk assessment phase.
Risk management activities should also be applied throughout the information system development lifecycle. Planning a new information processing system (or an upgrade of an existing one) is an excellent time to perform a risk assessment and to implement the required security controls at the very beginning of the system's lifecycle, even though such a preemptive approach is unfortunately often overlooked.