Assessing Security Controls
Keystone of the Risk Management Framework

Lance Dubsky, CISM, CISSP
Is chief security strategist, global government, at FireEye and has more than two decades of experience planning, building and implementing large information security programs. Before joining FireEye, he served as the chief information security officer for two US intelligence agencies, where he led global security programs. In the realm of risk management, Dubsky has served as a senior risk executive, authorizing official, certification official and security control assessor. He managed the transformation to the US NIST Risk Management Framework at two organizations, optimized risk processes by merging risk and system development life cycles, and established a risk assessment process for satellite platforms.

CISOs and CSOs need to ensure that their enterprise risk management programs have a solid foundation—the enterprise risk management framework. This framework should provide a disciplined and structured process that integrates risk management activities into the system development life cycle and enables risk executives to make informed decisions. The US National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) is such a framework. Commitment to a risk management framework and robust risk principles are critical for a successful risk management program.

Making informed risk decisions involves risk-decision fidelity and steps to determine risk acceptance. A good recipe for making risk decisions includes a mixture of:
• Objective data
• Pass/fail test results
• Mitigations
• Qualitative analysis
• Subjective data
• A healthy portion of intuition

The subjective data may raise eyebrows. This ingredient considers probability and questions who provides the data, as the data source could be important. The intuition portion is also not as objective as facts such as test results. Intuition does not lend itself to a quantitative risk model; rather, qualitative analysis is a key ingredient in the decision-making recipe.

Practitioners inherit a variety of risk management programs in various states over their careers. Some are actually quite good, some are adequate and others are complete disasters. Regardless of the state of the program, sticking to a framework and solid risk principles is critical.

During the last five years, the NIST RMF has gained extensive use across the United States and several other nations. NIST developed and published the elements that an enterprise needs to implement and manage a robust risk management program. The NIST RMF includes the system development life cycle phases and the steps that risk management organizations should follow (figure 1).

Test, Test, Test
Although all of the steps of the NIST RMF are important, Step 4: Assess Security Controls is the most critical step of a risk management program. Testing the system thoroughly and then performing ruthless configuration management to maintain the security are essential. If the system is tested properly, it will be fundamentally secure. If the enterprise maintains a secure system configuration, the system basically stays at the same level of security. Often, enterprises do not adequately test systems, and the mechanisms to verify accurate auditing of security assessments and other controls are lacking. Nothing can substitute for assessing security controls. Some of the reasons for this lack of security controls assessment are:
• Leadership not providing clear expectations for assessing controls/testing schedules
• Inadequate oversight of the risk management program
• Lack of skilled test managers and testers/security assessors
• Leadership pressure to condense the testing cycle due to the schedule having a higher priority than the security of a system