Tier 2 - Mission/Business Process View

Overview

Tier 2 addresses risk from a mission/business process perspective by designing, developing, and implementing mission/business processes that support the missions/business functions defined at Tier 1.

Tier 2 risk management activities include:

  1. Defining the mission/business processes needed to support the missions and business functions of organisations;
  2. Prioritizing the mission/business processes with respect to the strategic goals and objectives of organisations;
  3. Defining the types of information needed to successfully execute the mission/business processes, the criticality/sensitivity of the information, and the information flows both internal and external to organisations;
  4. Incorporating information security requirements into the mission/business processes; and
  5. Establishing an enterprise architecture with embedded information security architecture that promotes cost-effective and efficient information technology solutions consistent with the strategic goals and objectives of the organisation and measures of performance.

Risk-aware Mission/Business Processes

The risk management activities at Tier 2 begin with the identification and establishment of risk-aware mission/business processes to support the organisational missions and business functions. A risk-aware mission/business process is one that explicitly takes into account the likely risk such a process would introduce if implemented. Risk-aware processes are designed to manage risk in accordance with the risk management strategy defined at Tier 1 and explicitly account for risk when evaluating the mission/business activities and decisions at Tier 2.

Implementing risk-aware mission/business processes requires a thorough understanding of the organisational missions and business functions and of the relationships among missions/business functions and their supporting processes. This understanding is a prerequisite to building mission/business processes sufficiently resilient to withstand a wide variety of threats, including routine and sophisticated cyber attacks, errors/accidents, and natural disasters.

An important part of achieving risk-aware processes is the understanding of senior leaders/executives of:

  1. The types of threat sources and threat events that can adversely affect the ability of organisations to successfully execute their missions/business functions;
  2. The potential adverse impacts/consequences on organisational operations and assets, individuals, other organisations, or the Nation if the confidentiality, integrity, or availability of information or information systems used in a mission/business process is compromised; and
  3. The likely resilience to such a compromise that can be achieved with a given mission/business process definition, applying realistic expectations for the resilience of information technology.

A key output from the Tier 2 definition of mission/business processes is the selected risk response strategy for these processes within the constraints defined in the risk management strategy. The risk response strategy includes identification of information protection needs and the allocation of those needs across components of the process (e.g., allocation to protections within information systems, protections in the operational environments of those systems, and allocation to alternate mission/business execution paths based on the potential for compromise).

Risk assessment at the Mission/Business Process Tier

At Tier 2, risk assessments support the determination of mission/business process protection and resiliency requirements, and their allocation to the enterprise architecture within mission/business segments. These segments typically include multiple information systems, with varying levels of criticality or sensitivity related to core organisational missions or business functions.

Alignment with Business Continuity Plans (BCPs)

Risk management at Tier 2 is closely aligned with the development of Business Continuity Plans (BCPs), ensuring that mission/business processes can continue to function, possibly in a degraded mode, when the information systems supporting them are compromised.

Information Security Architecture

Allocation of protection and resiliency requirements is accomplished through an information security architecture embedded within the enterprise architecture. The information security architecture represents that portion of the enterprise architecture specifically addressing information system resilience and providing architectural information for the implementation of security capabilities. Security architecture is a critical component of enterprise architecture, helping organisations select common controls that are inherited by organisational information systems at Tier 3.

Integrating Risk Management into Enterprise Architecture

Risk management considerations can be addressed as an integral part of the enterprise architecture by:

  • Developing a segment architecture linked to the strategic goals and objectives of organisations, defined missions/business functions, and associated mission/business processes;
  • Identifying where effective risk response is a critical element in the success of organisational missions and business functions;
  • Defining the appropriate, architectural-level information security requirements within organisation-defined segments based on the organisation’s risk management strategy;
  • Incorporating an information security architecture that implements architectural-level information security requirements;
  • Translating the information security requirements from the segment architecture into specific security controls for information systems/environments of operation as part of the solution architecture;
  • Allocating management, operational, and technical security controls to information systems and environments of operation as defined by the information security architecture; and
  • Documenting risk management decisions at all levels of the enterprise architecture.

Influence on Tier 3 Activities

Tier 2 activities directly affect the activities carried out at Tier 3. For example, the information security architecture portion of the enterprise architecture developed at Tier 2 influences and guides the allocation of information protection needs which, in turn, influences and guides the allocation of the security controls to specific components of organisational information systems at Tier 3. Risk assessment results produced at Tier 2 are communicated to and shared with organisational entities at Tier 3 to help inform and guide the allocation of security controls to information systems and environments in which those systems operate.

Tier 2 risk assessments also provide assessments of the security and risk posture of organisational mission/business processes, which inform assessments of organisational risks at Tier 1. Thus, risk assessment results at Tier 2 are routinely communicated to organisational entities at Tier 1 and Tier 3.

The use of enterprise architecture can greatly enhance an organisation's risk posture by providing greater transparency and clarity in design and development activities, enabling a more consistent application of the principle of 'wise use' of technologies across the organisation and optimizing the trade-offs between the value gained from, and the risk incurred through, the information systems supporting organisational missions/business functions.


(Sources: NIST SP 800-30, NIST SP 800-39)