Cybersecurity Risk Management – Resources for Agency Action
The proliferation in the use of technologies such as social media, the Internet of Things, mobility, and cloud computing by government agencies has increased the potential cyber risks facing those agencies. Diverse agency data stores extend the source of risk throughout government organizations, bringing the need for new approaches that move beyond traditional security precautions. Cyberattacks against government are becoming more common and severe – a trend made more pronounced as agencies have increased reliance on digital networks for distance work in the response and recovery efforts around COVID-19. Engaging leaders in protecting an organization's cyber, IT, and information assets is a critical starting point to effective security.
A next logical step for any government or commercial organization is to leverage risk management and analytics to implement a mission-based security program. Indeed, cyber is increasingly being viewed as a key component in enterprise risk management (ERM) frameworks. ERM focuses on assessing significant challenges to an organization and its operations and implementing a set of predetermined risk responses. ERM has become an important strategy to address systemic risk across an organization. Securing data and managing cyber risk must now become critical elements in agency ERM frameworks.
The IBM Center has examined how government can address cyber risk issues in multiple forums. In the 2018 report, Managing Cybersecurity Risk in Government: An Implementation Model, authors Rajni Goel, James Haddow and Anupam Kumar from Howard University address cybersecurity risk management needs by developing a decision model that allows agencies to tailor approaches for particular cyber challenges. The report reviews existing risk management frameworks in use across government and analyzes steps that agencies can take to understand and respond to those risks in a manner consistent with existing law and policy. They put this work together to develop an implementation model based on taking five steps to improve cybersecurity outcomes: Prioritize, Resource, Implement, Standardize, and Monitor–the PRISM model.
As the report notes, “the National Institute of Standards and Technology (NIST) finds that poorly managed cybersecurity risk may negatively affect performance and place an organization at risk by reducing its ability to innovate. This can occur even while leaders focus in the near term on the precise status of their organization’s cybersecurity posture and the risk of becoming a victim of cybercrime or cyberattack.” A methodology for cybersecurity risk management can help agencies become more resilient in responding to risks adequately and appropriately.
To address this challenge, the report seeks to improve agency capacity to implement effective cyber risk management through the PRISM decision model that can lead agencies to make intelligent choices about how best to address cyber risk. The model helps agencies begin by prioritizing risk drivers and interdependencies, and linking cybersecurity goals to mission and operational objectives. The model can also assist agencies in communicating return on security investments to mitigate cyber risks. Such communications can foster discussion, assessment, decisions, and actions to tailor approaches for addressing cyber risk management in government.
Another area of cyber risk comes in the form of effective approaches to cybersecurity protection for endpoint devices used by Federal agencies. As noted in a 2018 report from the Center for Strategic and International Studies (CSIS), Extending Federal Cybersecurity to the Endpoint: "While cybersecurity awareness in the federal government has improved, along with efforts to provide more secure architectures and managed security services for federal networks, these efforts are focused on systemic risks and vulnerabilities in core infrastructures. Few extend to the millions of endpoint devices connected to these systems."
Reducing risks in endpoint cybersecurity for the government includes multiple strategies:
- adopting flexible, user-centered approaches for federal agencies in managing security risks, vulnerabilities, threats, and incidents;
- addressing cyber risk management for the rising number of consumer and other endpoint devices connected to federal systems;
- using procurement incentives to promote industry innovation and inclusion of security in developing device-based solutions for government; and
- educating users on protecting the integrity and confidentiality of data that they access through endpoint devices.
As organizations move forward in addressing cyber risk management, guidance from NIST and evolving capabilities in industry are merging to define a path forward for agencies to follow.
Information security and risk management are essential for all public-sector organizations because they depend on information and IT systems to make informed, critical decisions and successfully carry out their missions. And those IT systems and information resources are subject to almost constant threats that can have significant and wide-ranging impacts on operations, compromising the confidentiality, integrity or availability of information for an agency.
Given the significant and growing danger of these threats, leaders must understand their responsibilities for achieving sound information security and for managing IT-related security risks. This NIST Cybersecurity Framework provides a broad road map for government and commercial organizations to get started on this effort. Although the process is complex, several resources allow agencies to enhance such understanding in a public-sector context.
First, NIST -- in partnership with the Defense Department, the Office of the Director of National Intelligence and the Committee on National Security Systems -- developed a common information security framework for the federal government and its contractors in order to improve information security and strengthen risk management processes. The Risk Management Framework:
- Promotes the implementation of robust continuous monitoring processes, enabling near-real-time risk management and ongoing information system authorization.
- Encourages the use of automation to provide senior leaders with the necessary information to make cost-effective, risk-based decisions.
- Integrates information security into the enterprise architecture and system development life cycle.
- Emphasizes the selection, implementation, assessment and monitoring of security controls throughout the system's life cycle.
- Suggests creating a risk executive -- a senior official dedicated to understanding how risks can affect strategic goals and objectives.
- Establishes responsibility and accountability for security controls deployed within organizational information systems and inherited by those systems (i.e., common controls).
In addition to the guidance contained in the Risk Management Framework, NIST has published two additional documents -- NIST SP 800-39 and NIST SP 800-30 -- that emphasize the need for integrated organization-wide risk management and risk assessments.
Agencies can use the connection between information/IT systems and critical business processes to form a focal point for assessing risk through the threat, vulnerability, and consequence concept. This targeted approach to implementing security controls reduces budget impact while increasing effectiveness. It allows agencies to implement an effective information security program that is framed with three primary goals to promote a holistic approach and an effective information security architecture:
- Protect data and information systems.
- Conduct security protection activities with respect to security compliance requirements (security compliance-related vulnerabilities).
- Analyze cyberthreat data and develop predictive and proactive threat prevention (cyberthreat vulnerabilities independent of compliance).
In addition, agencies can use cyberthreat analysis and security intelligence to address vulnerability management in two critical areas. The first area focuses on understanding and assessing an organization's security compliance profile and using analysis to develop actions that remediate compliance-related vulnerabilities as quickly as possible, through immediate response and the plan of action and milestones process required by law and policy. The compliance profile approach to continuous monitoring creates a continuous improvement capability that enhances situational awareness.
Taken together, resources from NIST and the research noted above provide a strong road map for agencies to follow in the continual improvement of their cybersecurity posture. This objective, growing every more important as agencies rely on digital networks in the response and recovery efforts around COVD-19, and as these changes remain key agency priorities in the future.
This post draws from several prior posts written by the author about cybersecurity risk management, including posts co-authored with late Center Fellow John Lainhart.