Tier 1 - Organisation view

Overview

Tier 1 addresses risk from an organizational perspective, focusing on the establishment and implementation of governance structures aligned with strategic goals, objectives, and the requirements defined by laws, directives, policies, regulations, standards, and mission/business functions.

Governance structures provide oversight for risk management activities and include:

  • Establishing and implementing a risk executive (function) to facilitate consistent, organization-wide application of the risk management strategy;
  • Developing the organization’s risk management strategy; and
  • Creating and executing organization-wide investment strategies for information resources and information security.

The risk management strategy also includes any strategic-level decisions and considerations on how senior leaders/executives are to manage information security risk to organizational operations and assets, individuals, other organizations, and the Nation, depending on the size and impact of the organization.

Organisational Risk Management Strategy

As one of the key outputs of risk framing, the organizational risk management strategy makes explicit the specific assumptions, constraints, determination of risk tolerances, and risk response strategies.

Additionally, Tier 1 includes a process for consistently evaluating risk across the organization in relation to the organization’s risk tolerance, as well as the priorities, trade-offs, and approaches for monitoring risk over time and for making investment and operational decisions.

At Tier 1, risk assessments support organizational strategies, policies, guidance, and processes for managing risk, with a focus on organizational operations, assets, and individuals.

For example, Tier 1 risk assessments may address:

  1. The specific types of threats directed at the organization that may differ from those directed at other organizations, and how those threats affect policy decisions;
  2. Systemic weaknesses or deficiencies discovered in multiple organizational information systems capable of being exploited by adversaries;
  3. The potential adverse impact on organizations from the loss or compromise of organizational information (either intentionally or unintentionally); and
  4. The use of new information and computing technologies, such as mobile and cloud, and their potential effect on the ability of organizations to successfully carry out their missions/business operations while using those technologies.

Tier Integration & Communication

Organization-wide assessments of risk can be based solely on the assumptions, constraints, risk tolerances, priorities, and trade-offs established in the risk framing step (i.e., derived primarily from Tier 1 activities). However, more realistic and meaningful risk assessments are based on assessments conducted across multiple mission/business lines (i.e., derived primarily from Tier 2 activities).

The ability of organizations to effectively use Tier 2 risk assessments as inputs to Tier 1 risk assessments is shaped by such considerations as:

  1. The similarity of organizational missions/business functions and mission/business processes; and
  2. The degree of autonomy that organizational entities or subcomponents have with respect to parent organizations. In decentralized organizations or organizations with varied missions/business functions and/or environments of operation, expert analysis may be needed to normalize the results from Tier 2 risk assessments.

Finally, risk assessments at Tier 1 take into consideration the identification of mission-essential functions from Continuity of Operations Plans (COOP) prepared by organizations when determining the contribution of Tier 2 risks.

Risk assessment results at Tier 1 are communicated to organizational entities at Tier 2 and Tier 3.

(Sources: NIST SP 800-30, NIST SP 800-39)