NIST SP 800-39 Chapter 1
THE NEED FOR INTEGRATED ORGANIZATION-WIDE RISK MANAGEMENT
Information technology is widely recognized as the engine that drives the U.S. economy, giving industry a competitive advantage in global markets, enabling the federal government to provide better services to its citizens, and facilitating greater productivity as a nation. Organizations in the public and private sectors depend on technology-intensive information systems to successfully carry out their missions and business functions. Information systems can include diverse entities ranging from high-end supercomputers, workstations, personal computers, cellular telephones, and personal digital assistants to very specialized systems (e.g., weapons systems, telecommunications systems, industrial/process control systems, and environmental control systems). Information systems are subject to serious threats that can have adverse effects on organizational operations (i.e., missions, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation by exploiting both known and unknown vulnerabilities to compromise the confidentiality, integrity, or availability of the information being processed, stored, or transmitted by those systems. Threats to information and information systems can include purposeful attacks, environmental disruptions, and human/machine errors and result in great harm to the national and economic security interests of the United States. Therefore, it is imperative that leaders and managers at all levels understand their responsibilities and are held accountable for managing information security risk--that is, the risk associated with the operation and use of information systems that support the missions and business functions of their organizations.
Organizational risk can include many types of risk (e.g., program management risk, investment risk, budgetary risk, legal liability risk, safety risk, inventory risk, supply chain risk, and security risk). Security risk related to the operation and use of information systems is just one of many components of organizational risk that senior leaders/executives address as part of their ongoing risk management responsibilities. Effective risk management must account for the fact that organizations operate in highly complex, interconnected environments using both state-of-the-art and legacy information systems--systems that organizations depend on to accomplish their missions and to conduct important business-related functions. Leaders must recognize that explicit, well-informed risk-based decisions are necessary in order to balance the benefits gained from the operation and use of these information systems against the risk of the same systems being vehicles through which purposeful attacks, environmental disruptions, or human errors cause mission or business failure. Managing information security risk, like risk management in general, is not an exact science. It brings together the best collective judgments of individuals and groups within organizations responsible for strategic planning, oversight, management, and day-to-day operations--providing both the necessary and sufficient risk response measures to adequately protect the missions and business functions of those organizations.
The complex relationships among missions, mission/business processes, and the information systems supporting those missions/processes require an integrated, organization-wide view for managing risk. Unless otherwise stated, references to risk in this publication refer to information security risk from the operation and use of organizational information systems including the processes, procedures, and structures within organizations that influence or affect the design, development, implementation, and ongoing operation of those systems. The role of information security in managing risk from the operation and use of information systems is also critical to the success of organizations in achieving their strategic goals and objectives. Historically, senior leaders/executives have had a very narrow view of information security either as a technical matter or in a stovepipe that was independent of organizational risk and the traditional management and life cycle processes. This extremely limited perspective often resulted in inadequate consideration of how information security risk, like other organizational risks, affects the likelihood of organizations successfully carrying out their missions and business functions. This publication places information security into the broader organizational context of achieving mission/business success. The objective is to:
- Ensure that senior leaders/executives recognize the importance of managing information security risk and establish appropriate governance structures for managing such risk;
- Ensure that the organization's risk management process is being effectively conducted across the three tiers of organization, mission/business processes, and information systems;
- Foster an organizational climate where information security risk is considered within the context of the design of mission/business processes, the definition of an overarching enterprise architecture, and system development life cycle processes; and
- Help individuals with responsibilities for information system implementation or operation better understand how information security risk associated with their systems translates into organization-wide risk that may ultimately affect the mission/business success.
To successfully execute organizational missions and business functions with information system-dependent processes, senior leaders/executives must be committed to making risk management a fundamental mission/business requirement. This top-level, executive commitment ensures that sufficient resources are available to develop and implement effective, organization-wide risk management programs. Understanding and addressing risk is a strategic capability and an enabler of missions and business functions across organizations. Effectively managing information security risk organization-wide requires the following key elements:
- Assignment of risk management responsibilities to senior leaders/executives;
- Ongoing recognition and understanding by senior leaders/executives of the information security risks to organizational operations and assets, individuals, other organizations, and the Nation arising from the operation and use of information systems;
- Establishment of the organizational tolerance for risk and communication of that risk tolerance throughout the organization, including guidance on how risk tolerance affects ongoing decision-making activities; and
- Accountability by senior leaders/executives for their risk management decisions and for the implementation of effective, organization-wide risk management programs.
1.1 PURPOSE AND APPLICABILITY
NIST Special Publication 800-39 is the flagship document in the series of information security standards and guidelines developed by NIST in response to FISMA. The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems. Special Publication 800-39 provides a structured, yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines. The guidance provided in this publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the risk management guidance described herein is complementary to and should be used as part of a more comprehensive Enterprise Risk Management (ERM) program.
This publication satisfies the requirements of FISMA and meets or exceeds the information security requirements established for executive agencies by the Office of Management and Budget (OMB) in Circular A-130, Appendix III, Security of Federal Automated Information Resources. The guidelines in this publication are applicable to all federal information systems other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542. The guidelines have been broadly developed from a technical perspective to complement similar guidelines for national security systems and may be used for such systems with the approval of appropriate federal officials exercising policy authority over such systems. State, local, and tribal governments, as well as private sector organizations are encouraged to consider using these guidelines, as appropriate.
1.2 TARGET AUDIENCE
This publication is intended to serve a diverse group of risk management professionals including:
- Individuals with oversight responsibilities for risk management (e.g., heads of agencies, chief executive officers, chief operating officers);
- Individuals with responsibilities for conducting organizational missions/business functions (e.g., mission/business owners, information owners/stewards, authorizing officials);
- Individuals with responsibilities for acquiring information technology products, services, or information systems (e.g., acquisition officials, procurement officers, contracting officers);
- Individuals with information security oversight, management, and operational responsibilities (e.g., chief information officers, senior information security officers, information security managers, information system owners, common control providers);
- Individuals with information system/security design, development, and implementation responsibilities (e.g., program managers, enterprise architects, information security architects, information system/security engineers, information systems integrators); and
- Individuals with information security assessment and monitoring responsibilities (e.g., system evaluators, penetration testers, security control assessors, independent verifiers/validators, inspectors general, auditors).
1.3 RELATED PUBLICATIONS
The risk management approach described in this publication is supported by a series of security standards and guidelines necessary for managing information security risk. In particular, the Special Publications developed by the Joint Task Force Transformation Initiative supporting the unified information security framework for the federal government include:
- Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach;
- Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations;
- Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations; and
- Draft Special Publication 800-30, Guide for Conducting Risk Assessments.
In addition to the Joint Task Force publications listed above, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) publish standards for risk management and information security including:
- ISO/IEC 31000, Risk management -- Principles and guidelines;
- ISO/IEC 31010, Risk management -- Risk assessment techniques;
- ISO/IEC 27001, Information technology -- Security techniques -- Information security management systems -- Requirements; and
- ISO/IEC 27005, Information technology -- Security techniques -- Information security risk management.
NIST's mission includes harmonization of international and national standards where appropriate. The concepts and principles contained in this publication are intended to implement, for federal information systems and organizations, an information security management system and a risk management process similar to those described in the ISO/IEC standards. This reduces the burden on organizations that must conform to both ISO/IEC standards and NIST standards and guidance.
1.4 ORGANIZATION OF THIS SPECIAL PUBLICATION
The remainder of this special publication is organized as follows:
- Chapter Two describes: (i) the components of risk management; (ii) the multitiered risk management approach; (iii) risk management at the organization level (Tier 1); (iv) risk management at the mission/business process level (Tier 2); (v) risk management at the information system level (Tier 3); (vi) risk related to trust and trustworthiness; (vii) the effects of organizational culture on risk; and (viii) relationships among key risk management concepts.
- Chapter Three describes a life cycle-based process for managing information security risk including: (i) a general overview of the risk management process; (ii) how organizations establish the context for risk-based decisions; (iii) how organizations assess risk; (iv) how organizations respond to risk; and (v) how organizations monitor risk over time.
- Supporting appendices provide additional risk management information including: (i) general references; (ii) definitions and terms; (iii) acronyms; (iv) roles and responsibilities; (v) risk management process tasks; (vi) governance models; (vii) trust models; and (viii) risk response strategies.
Footnotes:
[5] The term organization describes an entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency or, as appropriate, any of its operational elements) that is charged with carrying out assigned mission/business processes and that uses information systems in support of those processes.
[6] An information system is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. In the context of this publication, the definition includes the environment in which the information system operates (i.e., people, processes, technologies, facilities, and cyberspace).
[7] The aggregation of different types of risk across the organization is beyond the scope of this publication.
[8] The evaluation of residual risk (which changes over time) to determine acceptable risk is dependent on the threshold set by organizational risk tolerance.
[9] An executive agency is: (i) an executive department specified in 5 U.S.C., Section 101; (ii) a military department specified in 5 U.S.C., Section 102; (iii) an independent establishment as defined in 5 U.S.C., Section 104(1); and (iv) a wholly owned government corporation fully subject to the provisions of 31 U.S.C., Chapter 91. In this publication, the term executive agency is synonymous with the term federal agency.
[10] At the agency level, this position is known as the Senior Agency Information Security Officer. Organizations may also refer to this position as the Chief Information Security Officer.
[11] An overview of each Joint Task Force Transformation Initiative publication, similar to an Executive Summary, can be obtained through the appropriate NIST ITL Security Bulletins at http://csrc.nist.gov.
[12] Special Publication 800-39 supersedes the original Special Publication 800-30 as the source for guidance on risk management. Special Publication 800-30 is being revised to provide guidance on risk assessment as a supporting document to Special Publication 800-39.