Even the savviest of compliance managers finds it difficult to narrate all the risks that face their organizations. The reality is that no two people are likely to hold the same view about risk management within the same enterprise, particularly if one is from the IT department and another from a business unit.
Differences in opinion occur frequently among the IT and business groups. Businesspeople want to weigh risks based on their bottom line, while IT people want to weigh the risk by the probability that something may go wrong with their systems. To an untrained eye, these two philosophies may be the same, and this may be a nonissue. But many in the industry have noticed the problem, and the National Institute of Standards and Technology (NIST) has done something about it.
The long-awaited draft NIST 800-39, “Integrated Enterprise-Wide Risk Management,” finally sheds much-needed light on this subject and provides helpful guidance on how organizations can improve their risk management processes to be more effective.
This newest addition to the NIST Special Publications may confuse some folks, as NIST SP 800-30,“Risk Management for Information Technology Systems,” was published a few years back. Widely used, the 800-30 guidelines taught us about the threats and vulnerabilities, residual risks, impact levels and risk mitigation methodology. What it failed to address was the influence organizational risks may have had on IT risks, and vice versa. Come to think of it, both should have been aligned, but they were not -- at least not until 800-39 was developed and published.
The 800-39 document, which is still in draft format, takes risk management from narrow to broad and addresses it from top to bottom. It acknowledges that “for decades, organizations have managed risk at the information systems level. This information system focus provided a very narrow perspective that constrained risk-based decisions by senior leaders/executives to the tactical level." It goes on to say that this caused a lack of linkage or traceability to the organizational mission/business function.
The 800-39 document, which is still in draft format, takes risk management from narrow to broad and addresses it from top to bottom.
Clearly, enterprises exist to conduct business. Risk management processes need to assure that the risks to the availability and the integrity of business functions and mission are identified and minimized. While security risks have been the primary focus of the current risk management process, other risks such as the investments, supply chains, budgets, etc., must also be considered. Security risks must be aligned with the organizational risks to accurately gauge the effectiveness of security controls.
This is precisely why all compliance officers must review these guidelines. With the knowledge gained, they could help refine their enterprise governance models to incorporate the new way of managing risks, and also help their organizations make better risk-based decisions. Educated compliance officers will be in a position to ask their external auditors to define how gaps/deficiencies affect the enterprise mission.
But most importantly, compliance officers need to review these guidelines so they can let NIST know their views on this new approach by emailing firstname.lastname@example.org. They have until Jan. 25 to do so. The document can be found on the NIST website.
Meenu Gupta, CISA, CISM, CISSP, CIPP is president of Mittal Technologies Inc. and specializes in IT solutions engineering and IT security architecture development. Gupta consults with the U.S. government and teaches at the University of Maryland University College.