Overview
To integrate the risk management process throughout the organisation, a three-tiered approach is employed that addresses risk at the:
- Organisation level;
- Mission/business process level; and
- Information system level.
The risk management process is carried out seamlessly across the three tiers with the overall objective of continuous improvement in the organisation’s risk-related activities and effective inter-tier and intra-tier communication among all stakeholders having a shared interest in the mission/business success of the organisation.
The activities conducted at Levels 1 and 2 (the organisation and mission/business process tiers) are critical to preparing the organisation to execute the RMF. Such preparation involves a wide range of activities that go beyond simply managing the security and privacy risk associated with operating or using specific systems, and includes activities that are essential to managing security and privacy risk appropriately throughout the organisation.
In contrast to the Level 1 and 2 activities that prepare the organisation for the execution of the RMF, Level 3 addresses risk from an information system perspective and is guided and informed by the risk decisions at the organisation and mission/business process levels. The risk decisions at Levels 1 and 2 can impact the selection and implementation of controls at the system level. Controls are designated by the organisation as system-specific, hybrid, or common (inherited) controls in accordance with the enterprise architecture, security or privacy architecture, and any tailored control baselines or overlays that have been developed by the organisation.
Without adequate risk management preparation at the organisational level, security and privacy activities can become too costly, demand too many skilled security and privacy professionals, and produce ineffective solutions. For example, organisations that fail to implement an effective enterprise architecture will have difficulty consolidating, optimising, and standardising their information technology infrastructures. Additionally, architectural and design decisions can adversely affect the ability of organisations to implement effective security and privacy solutions. A lack of adequate preparation by organisations could result in unnecessary redundancy as well as inefficient, costly and vulnerable systems, services, and applications.
To help overcome these challenges, CSFaaS offers expert assistance in implementing effective risk management practices, ensuring that security and privacy risks are efficiently managed across all levels of your organisation. Contact us.
(Sources: NIST SP 800-30, NIST SP 800-37, NIST SP 800-39)