Tier 1 – Organization
Tier 1 addresses risk from an organizational perspective with the development of a comprehensive governance structure and organization-wide risk management strategy that includes:
(i) the techniques and methodologies the organization plans to employ to assess information system-related security risks and other types of risk of concern to the organization;
(ii) the methods and procedures the organization plans to use to evaluate the significance of the risks identified during the risk assessment;
(iii) the types and extent of risk mitigation measures the organization plans to employ to address identified risks;
(iv) the level of risk the organization plans to accept (i.e., risk tolerance);
(v) how the organization plans to monitor risk on an ongoing basis given the inevitable changes to organizational information systems and their environments of operation; and
(vi) the degree and type of oversight the organization plans to use to ensure that the risk management strategy is being effectively carried out.
Tier 1 implements the first component of risk management (i.e., risk framing), providing the context for all risk management activities carried out by organizations. Tier 1 risk management activities directly affect the activities carried out at Tiers 2 and 3.
Tier 1 addresses risk from an organizational perspective by establishing and implementing governance structures that are consistent with the strategic goals and objectives of organizations and the requirements defined by federal laws, directives, policies, regulations, standards, and missions/business functions. Governance structures provide oversight for the risk management activities conducted by organizations and include:
(i) the establishment and implementation of a risk executive (function);
(ii) the establishment of the organization’s risk management strategy including the determination of risk tolerance; and
(iii) the development and execution of organization-wide investment strategies for information resources and information security.
In general, governance is the set of responsibilities and practices exercised by those responsible for an organization (e.g., the board of directors and executive management in a corporation, the head of a federal agency) with the express goal of:
(i) providing strategic direction;
(ii) ensuring that organizational mission and business objectives are achieved;
(iii) ascertaining that risks are managed appropriately; and
(iv) verifying that the organization’s resources are used responsibly.
Risks and resources can be associated with different organizational sectors (e.g., legal, finance, information technology, regulatory compliance, information security). Different sectors require specialized expertise in order to manage the risks associated with that sector. Thus, governance within organizations frequently is organized by sector. The five outcomes of governance related to organization-wide risk management are:
- Strategic alignment of risk management decisions with missions and business functions consistent with organizational goals and objectives;
- Execution of risk management processes to frame, assess, respond to, and monitor risk to organizational operations and assets, individuals, other organizations, and the Nation;
- Effective and efficient allocation of risk management resources;
- Performance-based outcomes by measuring, monitoring, and reporting risk management metrics to ensure that organizational goals and objectives are achieved; and
- Delivered value by optimizing risk management investments in support of organizational objectives.
As part of organizational governance, senior leaders/executives, in consultation and collaboration with the risk executive (function), determine:
(i) the types of risk management decisions that are reserved for specific senior leadership roles (e.g., heads of agencies or chief executive officers, chief financial officers, chief information officers, chief information security officers);
(ii) the types of risk management decisions that are deemed to be organization-wide and the types of decisions that can be delegated to subordinate organizations or to other roles in the organization (e.g., systems and security engineers, mission/business owners, enterprise architects, information security architects, common infrastructure or service providers, authorizing officials); and
(iii) how risk management decisions will be communicated to and by the risk executive (function).
There are three different types of governance models (i.e., centralized, decentralized, and hybrid). Regardless of the governance model(s) employed, clear assignment of and accountability for accepting risk is essential for effective risk management.
The risk executive is a functional role established within organizations to provide a more comprehensive, organization-wide approach to risk management. The risk executive (function) serves as the common risk management resource for senior leaders/executives, mission/business owners, chief information officers, chief information security officers, information system owners, common control providers, enterprise architects, information security architects, information systems/security engineers, information system security managers/officers, and any other stakeholders having a vested interest in the mission/business success of organizations. The risk executive (function) coordinates with senior leaders/executives to:
- Establish risk management roles and responsibilities;
- Develop and implement an organization-wide risk management strategy that guides and informs organizational risk decisions (including how risk is framed, assessed, responded to, and monitored over time);
- Manage threat and vulnerability information with regard to organizational information systems and the environments in which the systems operate;
- Establish organization-wide forums to consider all types and sources of risk (including aggregated risk);
- Determine organizational risk based on the aggregated risk from the operation and use of information systems and the respective environments of operation;
- Provide oversight for the risk management activities carried out by organizations to ensure consistent and effective risk-based decisions;
- Develop a greater understanding of risk with regard to the strategic view of organizations and their integrated operations;
- Establish effective vehicles and serve as a focal point for communicating and sharing risk-related information among key stakeholders internally and externally to organizations;
- Specify the degree of autonomy for subordinate organizations permitted by parent organizations with regard to framing, assessing, responding to, and monitoring risk;
- Promote cooperation and collaboration among authorizing officials to include security authorization actions requiring shared responsibility (e.g., joint/leveraged authorizations);
- Ensure that security authorization decisions consider all factors necessary for mission and business success; and
- Ensure shared responsibility for supporting organizational missions and business functions using external providers receives the needed visibility and is elevated to appropriate decision-making authorities.
The risk executive (function) presumes neither a specific organizational structure nor formal responsibility assigned to any one individual or group within the organization. Heads of agencies or organizations may choose to retain the risk executive (function) or to delegate the function. The risk executive (function) requires a mix of skills, expertise, and perspectives to understand the strategic goals and objectives of organizations, organizational missions/business functions, technical possibilities and constraints, and key mandates and guidance that shape organizational operations. To provide this needed mixture, the risk executive (function) can be filled by a single individual or office (supported by an expert staff) or by a designated group (e.g., a risk board, executive steering committee, executive leadership council). The risk executive (function) fits into the organizational governance structure in such a way as to facilitate efficiency and to maximize effectiveness. While the organization-wide scope situates the risk executive (function) at Tier 1, its role entails ongoing communications with and oversight of the risk management activities of mission/business owners, authorizing officials, information system owners, common control providers, chief information officers, chief information security officers, information system and security engineers, information system security managers/officers, and other stakeholders at Tiers 2 and 3.
An organizational risk management strategy, one of the key outputs of risk framing, addresses how organizations intend to assess, respond to, and monitor risk—the risk associated with the operation and use of organizational information systems. The risk management strategy makes explicit the specific assumptions, constraints, risk tolerances, and priorities/trade-offs used within organizations for making investment and operational decisions. The risk management strategy also includes any strategic-level decisions and considerations on how senior leaders/executives are to manage information security risk to organizational operations and assets, individuals, other organizations, and the Nation. An organization-wide risk management strategy includes, for example, an unambiguous expression of the risk tolerance for the organization, acceptable risk assessment methodologies, risk response strategies, a process for consistently evaluating risk across the organization with respect to the organization’s risk tolerance, and approaches for monitoring risk over time. The use of a risk executive (function) can facilitate consistent, organization-wide application of the risk management strategy. The organization-wide risk management strategy can be informed by risk-related inputs from other sources both internal and external to the organization to ensure the strategy is both broad-based and comprehensive. An important Tier 1 risk management activity, and also part of risk framing, is the determination of risk tolerance. Risk tolerance is the level of risk or degree of uncertainty that is acceptable to organizations and is a key element of the organizational risk frame. Risk tolerance affects all components of the risk management process—having a direct impact on the risk management decisions made by senior leaders/executives throughout the organization and providing important constraints on those decisions.
For example, risk tolerance affects the nature and extent of risk management oversight implemented in organizations, the extent and rigor of risk assessments performed, and the content of organizational strategies for responding to risk. With regard to risk assessments, more risk-tolerant organizations may be concerned only with those threats that peer organizations have experienced while less risk-tolerant organizations may expand the list to include those threats that are theoretically possible, but which have not been observed in operational environments. With regard to risk response, less risk-tolerant organizations are likely to require additional grounds for confidence in the effectiveness of selected safeguards and countermeasures or prefer safeguards and countermeasures that are more mature and have a proven track record. Such organizations may also decide to employ multiple safeguards and countermeasures from multiple sources (e.g., antivirus software at clients and servers that are provided by different vendors). Another example illustrating the impact of risk tolerance on risk response is that risk tolerance can also affect the organizational requirements for trustworthiness provided by specific information technologies. Two organizations may choose the same information technologies, but their relative degree of risk tolerance may impact the degree of assessment required prior to deployment.
There is no correct level of organizational risk tolerance. Rather, the degree of risk tolerance is:
(i) generally indicative of organizational culture;
(ii) potentially different for different types of losses/compromises; and
(iii) highly influenced by the individual subjective risk tolerance of senior leaders/executives.
Yet, the ramifications of risk decisions based on risk tolerance are potentially profound, with less risk-tolerant organizations perhaps failing to achieve needed mission/business capabilities in order to avoid what appears to be unacceptable risk; while more risk-tolerant organizations may focus on near-term mission/business efficiencies at the expense of setting themselves up for future failure. It is important that organizations exercise due diligence in determining risk tolerance—recognizing how fundamental this decision is to the effectiveness of the risk management program.
Investment strategies play a significant role in organizational risk management efforts. These strategies generally reflect the long-term strategic goals and objectives of organizations and the associated risk management strategies developed and executed to ensure mission and business success. Underlying all investment strategies is the recognition that there is a finite amount of resources available to invest in helping organizations effectively manage risk—that is, effectively addressing risk to achieve ongoing mission/business success.
Mission and Risk Priorities
Organizations generally conduct a variety of missions and are involved in different types of business functions. This is especially true for large and complex organizations that have different organizational components, each of which is typically focused on one or two primary missions. While all of these organizational components and associated missions/business functions are likely to be important and play a key role in the overall success of organizations, in reality they are not of equal importance. The greater the criticality of organizational missions and business functions, the greater the necessity for organizations to ensure that risks are adequately managed. Such missions and business functions are likely to require a greater degree of risk management investment than missions/business functions deemed less critical. The determination of the relative importance of the missions/business functions, and hence the level of risk management investment, is decided upon at Tier 1, executed at Tier 2, and influences risk management activities at Tier 3.
Anticipated Risk Response Needs
There is a great variation in the nature of potential threats facing organizations, ranging from hackers attempting to merely deface organizational Web sites (e.g., cyber vandalism), to insider threats, to sophisticated terrorist groups/organized criminal enterprises seeking to exfiltrate sensitive information, to a nation state’s military attempting to destroy or disrupt critical missions by attacking organizational information systems. The strategic investments required to address the risk from more traditional adversaries (e.g., hackers conducting small-group activities with limited capabilities) are considerably different than the investments required to address the risk associated with advanced persistent threats consistent with more advanced adversaries (e.g., nation states or terrorist groups with highly sophisticated levels of expertise and resources that seek to establish permanent footholds in organizations for purposes of impeding aspects of the organizational missions). To address less sophisticated threats, organizations can focus their efforts at Tier 3—investing to ensure that needed safeguards and countermeasures (e.g., security controls, security services, and technologies) are obtained, implemented correctly, operating as intended, and producing the desired effect with regard to meeting information security policies and addressing known vulnerabilities. In addition to these basic investments, organizations can also invest in continuous monitoring processes to ensure that the acquired security controls, services, and technologies are operating effectively throughout the system development life cycle.
When organizations need to address advanced persistent threats, it is likely that adequately addressing related risks at Tier 3 is not feasible because necessary security solutions are not currently available in the commercial marketplace. In those instances, organizations must purposefully invest beyond Tier 3 for significant response capabilities at Tier 2, and to some extent at Tier 1. At Tier 3, the nature of investment is likely to change from implementation of existing solutions to an added strategic focus on investing in leading-edge information security technologies (essentially experimenting with innovative security solutions/technologies and being an early adopter) or investing in information security research and development efforts to address specific technology gaps. Information security investments to address advanced persistent threats may require expenditures over the course of several years, as new security solutions and technologies transition from research to development to full deployment. The long-term view of strategic investing in the risk response needs for organizations can help to reduce the continuing focus on near-term vulnerabilities discovered in information systems—vulnerabilities that exist due to the complexity of the information technology products and systems and the inherent weaknesses in those products and systems.
Limitations on Strategic Investments
The ability of organizations to provide strategic information security investments is limited. Where the desired strategic investment funding or strategic resources are not available to address specific needs, organizations may be forced to make compromises. For example, organizations might extend the time frame required for strategic information security objectives to be accomplished. Alternatively, organizations might prioritize risk management investments, opting to provide resources (financial or otherwise) to address some critical strategic needs sooner than other less critical needs. All investment decisions require organizations to prioritize risks and to assess the potential impacts associated with alternative courses of action.
- NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View