What Is the Risk Management Framework (RMF)? + Best Practices
Using a risk management framework can enhance your security and compliance posture. Keep reading to learn how.
Nearly every business needs to meet some kind of compliance requirement. You might be using your compliance posture to build customer trust, or you might be in a heavily regulated industry like healthcare or financial services. In either case, most compliance mandates require you to understand your risk tolerance before putting controls in place to mitigate the residual risk.
Identifying, assessing, and analyzing risk can be overwhelming for many companies. You may struggle with knowing where to start or how to set goals. However, a risk management framework enables you to create repeatable processes that allow you to define, review, and mitigate IT risks to more effectively set and monitor controls.
A risk management framework (RMF) is a set of practices, processes, and technologies that enable an organization to identify, assess, and analyze risk so that it can be managed consistently across the organization.
A building block for any strong compliance program, a risk management framework typically follows these steps:
Identify
Assess
Analyze
Determine risk tolerance
Implement controls
Monitor and update
The National Institute of Standards and Technology (NIST) Risk Management Framework sets out a risk-based approach for governing security, privacy, and cyber supply chain risk management. The NIST RMF consists of the following seven steps:
Prepare: activities that set the stage for managing security and privacy risks
Categorize: using an impact analysis to organize the systems and information they process, store, and transmit
Select: determining the controls that will protect the systems and data
Implement: deploying controls and documenting activities
Assess: determining whether the implemented controls work as intended and produce the desired results
Authorize: having a senior official authorize the system to operate
Monitor: reviewing controls to ensure they continue to mitigate risks as intended
Established by ISACA (previously known as the Information Systems Audit and Control Association), the COBIT Framework focuses on enterprise governance and consists of these primary principles:
Principle 1: Meeting stakeholder needs
Principle 2: Covering the enterprise end to end
Principle 3: Applying a single integrated framework
Principle 4: Enabling a holistic approach
Principle 5: Separating governance from management
COBIT groups the governance and management objectives into the following five domains:
Evaluate, Direct, and Monitor (EDM): Governing body evaluates strategic options, directs senior management, and monitors achievement.
Align, Plan, and Organize (APO): Management addresses organization, strategy, and supporting activities.
Build, Acquire, and Implement (BAI): Management handles the definition, acquisition, and implementation of solutions and integrates them into business processes.
Deliver, Service, and Support (DSS): Management addresses services, operational delivery, and their support, including security.
Monitor, Evaluate, and Assess (MEA): Management monitors performance and ensures that the program meets internal targets, internal control objectives, and external requirements.
At first glance, the NIST RMF and COBIT appear different, mainly because they use different terminology.
For example, NIST takes you through discrete steps based on technology assets, while COBIT focuses on leadership’s responsibilities. The main difference is that NIST is process-oriented and COBIT is oversight-oriented. Fundamentally, however, both still require the same five components: governance, risk identification, risk assessment, risk mitigation, and monitoring.
Everyone in your organization plays a role in mitigating risk. Governance is the practice of defining and assigning responsibilities so that everyone knows what they need to do and has the skills to do it.
For example, governing risk includes:
Assigning oversight responsibilities.
Establishing employee policies.
Reviewing documents proving people followed approved practices and procedures.
Before doing anything else, you need to identify your organization’s risks. You can do this from a strategic level or an asset-focused level. For example, you might think in terms of the following risks:
Compliance
Financial
Legal
If you’re focusing on technologies, you might focus more on the following risks:
IT
Operational
Data breach
However, in a digitally transformed business your technology and strategic risks are interrelated, so either approach will produce similar results.
After identifying risks, you need to measure their impact on your organization. At a very high level, measuring risk usually involves the following equation:
Risk = [Likelihood of an adverse event] X [Impact to the business]
While that might seem like simple math, the reality is more complex. The likelihood of an adverse event can depend on multiple factors, while the impact can include fines, loss of brand value, and reputational damage.
To protect yourself, you need to find ways to reduce the likelihood or the impact of an adverse event. Some examples of risk mitigation strategies include:
Implementing technical controls
Creating contingency plans
Establishing processes and procedures
In an ever-changing world, your risk is going to evolve. With each change, you need to monitor your organization’s risk mitigation controls to ensure they maintain the accepted level of risk.
In addition, you need to ensure that you report your monitoring outcomes to the appropriate responsible parties, like your senior leadership or board of directors.
Some things to monitor and report on might include new:
Regulations impacting your organization.
Internal technologies that enable business processes.
Technologies enabling better customer experiences.
Regardless of the RMF you choose, you still need to engage in the same six basic steps.
Your risks primarily arise from the choices you make for your organization. Every new technology you add that enables business operations also creates a new risk. For example, a Software-as-a-Service (SaaS) application used for collaboration also increases the number of access points that threat actors can use during an attack.
Your strategic business and compliance goals need to align so that you can make informed risk decisions.
Every organization has a different risk tolerance. After your impact analysis, you need to decide whether to:
Accept a risk: Benefit outweighs the impact, and mitigation is cost prohibitive.
Refuse a risk: Impact outweighs the benefit, and mitigation is cost prohibitive.
Transfer a risk: Benefit outweighs the impact, but you can reduce the impact by offloading some risk.
Mitigate a risk: Benefit outweighs the impact, and you can put controls in place that reduce the likelihood of the adverse event.
For example, purchasing insurance helps you transfer some of the risk. If a cyber attack happens, then the insurance company’s payment covers the financial risk.
You can’t protect what you don’t know you have. After aligning your strategic business and compliance objectives, you need to identify and catalog all assets, including:
Data
Devices
Users
Storage locations
Applications
Networks
Once you identify and catalog everything, you need to categorize those assets based on the risk they pose. For example, if you collect, store, or transmit personally identifiable information (PII) or credit card data, then that data poses a high risk. Any devices, users, storage locations, applications, or networks that access, process, or transmit this data are also high risk. Ultimately, this categorization drives the rest of your risk management processes.
After categorizing the assets based on the risk they pose, you need to consider how a data breach impacting these assets will affect your organization. It’s important to remember that this is different from the pure risk review you did when categorizing them.
For example, PII is a high risk because:
Cybercriminals want to steal it.
Regulations require you to protect it.
Customers trust you with it.
However, the impact analysis goes deeper than this. Consider these factors when engaging in the impact analysis:
Cost to respond to an incident
Cost to notify people impacted by an incident
Lost revenue from customer churn
Fines for noncompliance
Often, this step is the most difficult. Your security controls can be classified by either their type or their purpose.
Six basic security controls you need to consider are:
Physical
Administrative
Technical
Preventive
Detective
Corrective
The first three describe how a control protects; the last three describe what the control is meant to accomplish. A single control usually fits one category from each group. For example, you might have a technical control for managing user access to systems, networks, and applications, which is also a preventive control that seeks to mitigate the risk of unauthorized access.
The most challenging part is monitoring, enforcing, and maintaining the control’s effectiveness. Your IT environment is continuously changing. For example, your developers might spin up a container and then spin it back down later. They need to do this as part of their jobs. On the other hand, it’s often difficult to:
Identify the cloud-based resource in real time.
Ensure appropriate configurations.
Assign a responsible party to the resource.
If you monitor to ensure the controls remain in place, you can enforce them whenever you find something missing. For example, monitoring your environment lets you identify the new asset, which in turn allows you to review its configuration and access controls. If you notice a problem, you can enforce the controls to maintain a robust security and compliance posture.
As part of a strong compliance posture, your leadership and board of directors need to know that your security program functions as intended. Most compliance mandates require that leadership and the board review IT security so that they can understand how well the organization manages risk.
In some cases, like SOC 2 compliance, management and boards are required to provide evidence proving that the organization complies with its internal controls. If that attestation proves false, they can be held responsible.
When reporting your compliance posture, you need to make sure that everyone understands the identified risks, the mitigating controls, and the controls’ ability to work as intended.
For most companies, maturing their risk management processes is challenging. Many organizations start with risk registers or simple spreadsheets that document their risk and controls. However, as the organization grows and matures, its compliance program also needs to mature.
Risk management software can streamline many manual processes, giving you predictable, consistent results. Using automation to map your controls to the risk management framework you choose reduces the time spent and allows employees to focus on more critical activities. In addition, it enables you to continuously monitor the controls to enforce them as necessary.
At Drata, we believe that when you strengthen your security posture, you also improve your compliance posture. Using Drata’s Risk Management solution, you can draw from our library of threat-based risks mapped to various frameworks, including HIPAA, NIST Cybersecurity Framework, NIST 800-171, and ISO 27001.