Risk Management

Empower CyberSecurity With a Zero Trust Holistic Risk Management Strategy.

NIST RMF SP 800-37 Rev.2
Open FAIR Model

CyberSecurity risks are a significant concern for all organizations, potentially leading to financial losses, reputational harm, and even life-threatening situations. As these risks continue to evolve in scale and complexity, organizations must proactively manage them in a strategic and cost-effective manner.

Two crucial elements in CyberSecurity are Zero Trust and Risk Management. The National Institute of Standards and Technology (NIST) and the CyberSecurity and Infrastructure Security Agency (CISA) provide various methodologies and standards to assist in this endeavor, including the Risk Management Framework (RMF) and the CyberSecurity Framework 2.0. Our focus will be on RMF, CSF, and Open FairTM.
Integrating Risk Management with the Zero Trust CyberSecurity strategy model can provide a holistic and powerful approach to proactively detect and defend your business against most advance persistent threats in today's complex and evolving threat environment. Let's start with reviewing the Zero Trust CyberSecurity strategy components:
  1. Understanding Zero Trust:
    • Principle: Zero Trust assumes that no one, whether inside or outside the organization, can be automatically trusted. Access is strictly controlled and authenticated, regardless of location or network.
  1. Identify Critical Assets and Data:
    • Action: Conduct a thorough assessment to identify the most critical assets, data, and systems within your organization. This includes customer data, intellectual property, financial records, and sensitive operational information.
  1. Risk Assessment and Classification:
    • Action: Perform a comprehensive risk assessment to understand potential threats and vulnerabilities associated with the identified assets. Classify risks based on likelihood and impact.
  1. Access Control and Segmentation:
    • Action: Implement strict access controls and network segmentation. This means that employees, contractors, and systems only have access to the resources they absolutely need to perform their duties.
  1. Continuous Monitoring:
    • Action: Implement real-time monitoring and logging of network traffic, user activity, and system behavior. This helps in identifying any anomalous behavior that might indicate a security breach.
  1. Multi-Factor Authentication (MFA):
    • Action: Enforce MFA across all access points to add an extra layer of security. This ensures that even if credentials are compromised, unauthorized access is still prevented.
  1. Endpoint Security:
    • Action: Strengthen endpoint security by deploying advanced endpoint protection solutions. These tools can detect and respond to threats at the device level.
  1. Data Encryption:
    • Action: Implement robust encryption protocols for data at rest and in transit. This ensures that even if data is intercepted, it remains unreadable.
  1. Continuous Training and Awareness:
    • Action: Conduct regular training sessions to educate employees about security best practices. This includes phishing awareness, password management, and recognizing suspicious activities.
  1. Incident Response Plan:
    • Action: Develop and regularly update an incident response plan that outlines the steps to take in the event of a security breach. This should include roles and responsibilities, communication protocols, and steps for containment, eradication, and recovery.
  1. Vendor and Third-Party Risk Management:
    • Action: Apply Zero Trust principles to third-party relationships. Evaluate the security practices of vendors and contractors and ensure they meet your organization's security standards.
  1. Compliance and Regulatory Adherence:
    • Action: Ensure that your security practices align with industry regulations and compliance standards relevant to your business. This can help in avoiding legal repercussions and maintaining customer trust.
  1. Regular Testing and Evaluation:
    • Action: Conduct regular security assessments, penetration tests, and vulnerability scans to identify weaknesses and areas that need improvement.
  1. Adaptive Security Framework:
    • Action: Implement an adaptive security framework that can evolve with the changing threat landscape. This includes staying informed about emerging threats and technologies.
  1. Documentation and Reporting:
    • Action: Maintain detailed records of security incidents, risk assessments, and mitigation efforts. This documentation can be invaluable for post-incident analysis and regulatory compliance.

NIST has recently published Special Publication (SP) 800-207, "Zero Trust Architecture," delineating the foundational components of a zero trust architecture (ZTA). This approach shifts from broad network perimeters to securing individual resources or small clusters. It addresses contemporary CyberSecurity challenges, including remote users and cloud-based assets.

Although zero trust architecture (ZTA) strategies have been integrated into current federal CyberSecurity policies, SP 800-207 identifies areas for further research and standardization to support the development and implementation of ZTA strategies. The publication offers a clear definition of both zero trust and ZTA, suggests deployment models, illustrates scenarios where ZTA can enhance IT security, and provides a high-level roadmap for ZTA adoption. Within SP 800-207, the NIST CSWP 20 outlines the implementation of ZTA, referencing a comprehensive introduction to the NIST SP 800-37 Revision 2, which is the Risk Management Framework (RMF) for Information Systems and Organizations. The RMF employs a risk-based approach encompassing security control selection, specification, implementation, assessment, authorization, and continuous monitoring, structured around seven steps. The RMF is a dynamic process that allows organizations to manage CyberSecurity risks by applying a set of security controls and continuous monitoring, all tailored to the organization's specific needs.
  • The RMF seven steps are as follow:
    1. Organizational and system preparation (PREPARE)
    2. System categorization (CATEGORIZE)
    3. Control selection (SELECT)
    4. Control implementation (IMPLEMENT)
    5. Control assessment (ASSESS)
    6. System authorization (AUTHORIZE)
    7. Control monitoring (MONITOR)
NIST RMF SP 800-37 Rev.2
While the RMF steps are initially presented in sequence, they can be carried out or revisited in any order after the initial implementation. The discrete tasks within these steps can be conducted and revisited as needed, potentially in parallel with other steps and tasks. The transitions between steps are adaptable, as depicted in the diagram. This flexibility is pertinent in the development and implementation of a ZTA, as the dynamic nature of Zero Trust may necessitate revisiting RMF steps in response to new information, technological changes, or security breaches.

Typically, when embarking on a Zero Trust implementation or migration, we kick-start the process with our Risk Management Framework (RMF). In the initial phase, we often follow a systematic approach, though subsequent implementations may deviate from this sequence. The RMF steps closely align with the overarching steps advocated by John Kindervag for zero trust [6-7]. Below, we provide a partial mapping. This procedure assumes that the authorization boundary has been defined and that we have a clear understanding of the system components involved in the work flow (indicating that the PREPARE step has been accomplished and pertinent data has been gathered). It's worth noting that Kindervag's original high-level description did not explicitly incorporate a CATEGORIZE step, as it wasn't initially tailored to consider federal agency policies. In our endeavors, we heavily rely on the CyberSecurity Framework 2.0 in conjunction with the OpenFairTM Risk Management Framework to ensure a thorough and robust implementation.

  • The Kindervag steps involve:
    1. Mapping the Attack Surface: This involves defining the protect surface [6], identifying vulnerable areas that could be targeted by a malicious actor. This task encompasses activities in the PREPARE and SELECT steps.
    2. Identifying and Mapping Data Flows: From the tasks in the PREPARE step (specifically P-12 and P-13), it's essential to identify and map the flow of data.
    3. Implementation of Controls: This step, known as the IMPLEMENT phase, focuses on integrating controls outlined in the SELECT phase onto the resource and its associated Policy Enforcement Point (PEP). The PEP might be a distinct component from the resource itself and is utilized to enforce authentication and authorization-related controls. It's imperative to treat the underlying network as untrusted, ensuring that links between individual resources pass through a PEP.
    4. Assessment: In the ASSESS step, it's crucial to verify that all access policies developed and deployed during the IMPLEMENT phase are functioning as intended. This phase culminates in the AUTHORIZE step, at which point the system and work flow are deemed ready for actual operation.
    5. Monitoring and Management: The MONITOR step involves setting up processes for monitoring and managing the resource, specifically focusing on its security posture.

The NIST CyberSecurity Framework (Framework or CSF) delineates crucial CyberSecurity outcomes to aid organizations in mitigating their CyberSecurity risks. It underscores that a one-size-fits-all approach is inadequate for managing these risks, recognizing that organizations encounter unique challenges based on their specific circumstances and mission objectives. Consequently, each organization's adoption of the Framework and their approach to Risk Management will be individually tailored.

The Framework's set of CyberSecurity outcomes provides a structured taxonomy for understanding, assessing, prioritizing, and communicating about CyberSecurity risks. It encompasses the following key areas:

  • Understanding and Assessment:
    • Describing an organization's current or desired CyberSecurity posture across various entities, such as organizations, sectors, or business units.
    • Identifying potential CyberSecurity gaps, especially concerning emerging threats or technologies, and evaluating progress in addressing them.
    • Aligning policy, business, and technological approaches to CyberSecurity Risk Management across the entire organization or within specific areas.
  • Prioritization:
    • Determining the most impactful opportunities for enhancing CyberSecurity Risk Management.
    • Organizing and prioritizing actions to mitigate CyberSecurity risks in alignment with the organization's mission, legal and regulatory requirements, and governance expectations.
    • Guiding decisions regarding CyberSecurity-related workforce capabilities and requirements.
  • Communication:
    • Offering a common language for discussing CyberSecurity risks, needs, capabilities, and expectations with both internal and external stakeholders.
    • Complementing an organization's Risk Management process by providing a succinct way for executives and others to grasp the core concepts of CyberSecurity risk, allowing them to articulate risks at a high level and understand how their organization employs CyberSecurity standards, guidelines, and practices.

The Framework accommodates organizations at various stages of their CyberSecurity program maturity. Those with existing programs can use the Framework to identify opportunities for enhancing and communicating their CyberSecurity Risk Management efforts while considering their current practices and necessary adjustments. Conversely, organizations without existing programs can utilize the Framework as a foundation and reference point for establishing one, while they are planning their CyberSecurity Risk Management and Zero Trust strategy.

Within an Open FAIRTM Risk Management System [1] incorporates a Risk Management Stack [5], a proficient team of security experts, guided by robust Corporate and Security Policies, establishes a well-informed and rigorously tested process and technology model. This model is sourced from reputable providers and follows a systematic approach, involving continuous evolution and monitoring of Risk Targets, Controls, and a proactive security stance, all managed in a cost-effective manner. The Risk Management Stack [5], as depicted below, consists of two primary elements: RISK and RISK MANAGEMENT. The Controls module within the RISK Element oversees and manages all identified Assets, evaluating factors like loss frequency and magnitude based on their assigned policies (e.g., password resets, backups, encryption). The Risk Control element is susceptible to potential Threats that could Impact the overall architecture if they were to materialize.

Risk Management System

To grasp the Risk Management System [4], let's begin with the Risk Management Stack [5]. This stack comprises five key components: "Accurate Risk Modeling," "Meaningful RISK Measurements," "Effective Risk Comparisons," "Well-formed Mitigation Decisions," and lastly, "Effective Governance (Management)." Additionally, having a clearly defined and logically structured taxonomy is a crucial element of any risk assessment approach. Without a well-established taxonomy (industry standards), there is a prevalence of uncertainty, which hinders the ability to accurately measure or estimate risk factor variables. This, in turn, affects Asset Visibility (Business Continuity Planning), leading to a suboptimal level of comprehension among management regarding the reports that drive effective decision-making. As highlighted in "Measuring And Managing Information Risk" by Jack Freund and Jack Jones, "The taxonomy is the foundation of the Risk Management process. It is the language of Risk Management." It underpins the entire process and forms the basis for a robust metric value proposition and the overarching Goal Question Metric (GQM) approach [4].

FAIR Risk Management Stack

The Risk Management process is not strictly sequential. In practice, it involves simultaneous and ongoing engagement with various activities. The dynamic nature of business needs and the evolving risk landscape means that monitoring, assessment, and reporting function in a feedback loop. This allows for adaptive Risk Management measures in response to both realized and anticipated shifts in the landscape.

Returning to our Open FAIRTM Risk Management System, the RISK MANAGEMENT component governs the personnel, policies, processes, and logical controls (technologies) that an organization chooses to implement. These decisions and executions aim to enhance risk maturity and increase the overall value of the organization. Sound Risk Management decisions are rooted in accurate risk measurements, leading to cost-effective and value-added choices. All of this is contingent on a well-defined Corporate and Security Governance structure, which is responsible for overseeing and executing the Risk Management system. Governance serves as the linchpin that holds the entire system together, ultimately determining the overall success of the Risk Management endeavor.

The NIST (CSF) is a voluntary framework encompassing standards, guidelines, and best practices for managing CyberSecurity risk. It provides a universal language for CyberSecurity Risk Management, aiding organizations in managing and mitigating their CyberSecurity risks. The framework comprises six core functions: Govern, Identify, Protect, Detect, Respond, and Recover. Each function is further broken down into categories and subcategories, offering detailed guidance on Risk Management.

The CSF functions like a wheel, with labeled functions interrelated and to be followed during initial implementation. After implementation, individual functions may be executed as needed, based on the specific action or event. For instance, initially, an organization will categorize assets under IDENTIFY and implement measures to secure those assets under PROTECT. Investments in planning and testing in the GOVERN and IDENTIFY Functions will support timely incident response and recovery actions in the event of a CyberSecurity incident, addressed by the RESPOND and RECOVER Functions. GOVERN holds a central position as it establishes the policies and procedures guiding the implementation of the surrounding five Functions. During regular operations, if an event is triggered and detected, the organization will RESPOND and RECOVER accordingly. This process continues in a similar manner until changes are prompted by a change management event, necessitating a re-evaluation of the organization's risk posture.

CISA offers guidance on implementing the NIST CyberSecurity Framework (CSF), aiding organizations in enhancing their cyber resilience. It also provides direction on developing a comprehensive, risk-based CyberSecurity program that reduces an organization’s cyber risk and enables swift response and recovery from incidents.

The CSF Core Functions are the highest-level categories that organize CyberSecurity outcomes. Here's a breakdown of each function:
  1. GOVERN (GV): This function involves establishing and overseeing the organization’s CyberSecurity Risk Management strategy, expectations, and policy. It provides guidance on how the organization will achieve and prioritize outcomes across the other five functions based on its mission and stakeholder expectations. Governance activities are crucial for integrating CyberSecurity into the broader enterprise Risk Management strategy. This function covers organizational context, CyberSecurity strategy, supply chain Risk Management, roles, responsibilities, authorities, policies, processes, procedures, and oversight.
  2. IDENTIFY (ID): This function helps in assessing the current CyberSecurity risk to the organization. It involves understanding the organization’s assets (such as data, hardware, software, systems, facilities, services, and people) and related CyberSecurity risks. This understanding enables the organization to focus and prioritize its efforts in line with its Risk Management strategy and mission needs identified under GOVERN. It also includes identifying necessary improvements to policies, processes, procedures, and practices supporting CyberSecurity Risk Management.
  3. PROTECT (PR): This function focuses on using safeguards to prevent or reduce CyberSecurity risk. Once assets and risks are identified and prioritized, PROTECT aims to secure those assets to lower the likelihood and impact of adverse CyberSecurity events. Outcomes under this function include awareness and training, data security, identity management, authentication, access control, platform security, and technology infrastructure resilience.
  4. DETECT (DE): This function involves finding and analyzing potential CyberSecurity attacks and compromises. DETECT enables the timely discovery and analysis of anomalies, indicators of compromise, and other potentially adverse CyberSecurity events that may indicate ongoing CyberSecurity incidents.
  5. RESPOND (RS): In this function, action is taken in response to a detected CyberSecurity incident. RESPOND supports the ability to contain the impact of CyberSecurity incidents. Outcomes in this function cover incident management, analysis, mitigation, reporting, and communication.
  6. RECOVER (RC): This function is about restoring assets and operations that were affected by a CyberSecurity incident. RECOVER aims for the timely restoration of normal operations to reduce the impact of CyberSecurity incidents and facilitate appropriate communication during recovery efforts.

The CSF Core functions are interconnected, with each one influencing and supporting the others. For instance, asset categorization under IDENTIFY leads to securing those assets under PROTECT. Investments in planning and testing in GOVERN and IDENTIFY Functions contribute to effective incident response and recovery in RESPOND and RECOVER Functions. GOVERN, positioned at the center of the wheel, informs how an organization will implement the remaining five functions.

In summary, combining Open FAIRTM Risk Management with the NIST Risk Management and Analysis Framework(s) is crucial for attaining CyberSecurity maturity. The NIST CyberSecurity Framework, along with guidance from CISA, offers a solid foundation for managing CyberSecurity risks. Open FAIRTM further enhances this by providing a reliable and quantitative assessment of the organization's risk posture in terms of likelihood and monetary impact. It is highly advisable for organizations to adhere to these guidelines to accurately identify, assess, and effectively mitigate CyberSecurity risks.

  1. The FAIRTM Institute
  2. NIST CyberSecurity Framework (CSF)
  3. CISA CyberSecurity Framework
  4. CISA CyberSecurity Performance Goals
  5. Measuring and Managing Information Risk
  6. ON2IT (2020) A hands-on-approach to Zero Trust implementation
  7. Kindervag J (2017) Zero Trust: The Way Forward in CyberSecurity (DarkReading)

Johnny Sandaire PhD, CISSP, CC, OpenFAIR, MCAD