Security & Privacy Risk Management Model (SP-RMM)
Thank you for showing interest in the Secure Controls Framework’s™ (SCF) Security & Privacy Risk Management Model (SP-RMM)!
The SP-RMM was created to provide an efficient methodology to identify, assess, report and mitigate risk. This project was approached from the perspective of asking the question, “How should I manage risk?” and was a collaboration between ComplianceForge and the SCF.
Why You Should Care About The SP-RMM
Ask yourself these two questions about your organization and your personal exposure in risk & threat management operations:
Can you prove that the right people within your organization are both aware of risks and have taken direct responsibility for mitigating those risks?
If there was a breach or incident due to identified risks that went unmitigated, where does the “finger pointing” for blame immediately go? (Is it you? Would you have guilt by association?)
Risks & Threats Do Not Exist In A Vacuum
It is vitally important to understand that risks and threats do not exist in a vacuum. If your cybersecurity and privacy program is appropriately built, you will have a robust controls framework where risks and threats will map directly to controls. Why is this?
Controls are central to managing risks, threats, procedures and metrics.
Risks, threats, metrics and procedures need to map into the controls, which then map to standards and policies.
If you worry about having to preface risk management discussions with, “Please don't shoot the messenger!” then the SP-RMM can be an additional layer of protection for your professional reputation. The SP-RMM benefits security, technology and privacy personnel through the potential “get out of jail” documentation that quality risk assessments and risk management practices can provide. Just like with compliance documentation, if risk management discussions are not documented then risk management practices do not exist.
Instead of executive leadership hanging blame on the CIO or CISO, quality risk management documentation can prove that reasonable steps were taken to identify, assess, report and mitigate risk. This type of documentation can provide evidence of due diligence and due care on the part of the CIO/CISO/CRO, which firmly puts the responsibility back on the management of the team/department/line of business that “owns” the risk.
The SP-RMM is designed to be an integral tool of an organization’s ability to demonstrate evidence of due diligence and due care. This not only benefits your organization by having solid risk management practices, but it can also serve as a way to reduce risk for those who have to initiate the hard discussions on risk management topics.
Based on the applicable statutory, regulatory and contractual obligations that impact the scope of a risk assessment, an organization is expected to have an applicable set of cybersecurity and privacy controls to cover those needs. That set of controls identifies the in-scope requirements that must be evaluated to determine what risk exists. This is generally considered to be a “gap assessment” where the assessor:
Evaluates those controls based on the entity's THREAT CATALOG to identify current or potential control deficiencies; and
Utilizes the RISK CATALOG to identify the applicable risks, based on the identified control deficiencies.
Risks vs Threats vs Vulnerabilities
Risks, threats and vulnerabilities are commonly misunderstood. Fundamentally, vulnerability and risk management practices exist to achieve a minimum level of protection for an organization, which equates to a reduction in the total risk due to the protections offered by implemented controls. This can be conceptualized as a "risk management ecosystem" as it pertains to an organization's overall cybersecurity & data protection efforts. These ecosystem components have unique meanings that need to be understood to reasonably protect people, processes, technology and data, as shown below:
Risk Management: The Path To Hell Is Paved With Good Intentions
In risk management, the old adage applies that “the path to hell is paved with good intentions.” Often, risk management personnel are tasked with creating risk assessments and questions to ask without having a centralized set of organization-wide cybersecurity and privacy controls to work from. This generally leads to risk teams making up risks and asking questions that are not supported by the organization’s policies and standards. For example, an organization may be an “ISO shop” that operates an ISO 27002-based Information Security Management System (ISMS) to govern its policies and standards, while its risk team is asking questions about NIST SP 800-53 or 800-171 controls that are not applicable to the organization.
This scenario of “making up risks” points to a few security program governance issues:
If the need for additional controls to cover risks is legitimate, then the organization is improperly scoped and does not have the appropriate cybersecurity and privacy controls to address its applicable statutory, regulatory, contractual or industry-expected practices.
If the organization is properly scoped, then the risk team is essentially making up requirements that are not supported by the organization’s policies and standards.
The SP-RMM takes a holistic approach to controls, risks and threats as a way to reduce or eliminate the traditional Fear, Uncertainty and Doubt (FUD) that makes many risk assessments meaningless.
Risk Management Basics
The most important concept to understand in cybersecurity and privacy-related risk management is that the cybersecurity and IT departments generally do not “own” risk. The reality of the situation is that risk management is a business management decision, where the cybersecurity and privacy functions primarily serve as a mechanism to educate those business stakeholders on identified risks and provide possible risk treatment solutions. Right or wrong, business management is ultimately able to decide how risk is to be handled.
The Security & Privacy Risk Management Model (SP-RMM) exists to help cybersecurity and privacy functions create a repeatable methodology to identify, assess, report and mitigate risk. This is based on the understanding that the responsibility to approve a risk treatment solution rests with the management of the team/department/line of business that “owns” the risk. The SP-RMM is meant to guide the decision to one of these common risk treatment options:
Reduce the risk to an acceptable level;
Avoid the risk;
Transfer the risk to another party; or
Accept the risk.
It is a common problem for individuals who are directly impacted by risk to simply say, “I accept the risk” and wish the risk away so that the project/initiative can proceed without having to first address deficiencies. This is why it is critically important, as part of a risk management program, to identify the various levels of management who have the legitimate authority to make risk management decisions. This can help prevent low-level managers from recklessly accepting risk whose acceptance should be reserved for more senior management.
Security & Privacy Risk Management Model (SP-RMM) - "Start To Finish" Steps
The SP-RMM breaks risk management down to 16 steps. Please download the guide for the overview and you can click on the image below for a PDF version of the SP-RMM infographic.
Calculating Inherent & Residual Risk With The SP-RMM
The SP-RMM provides a clear method to calculate both inherent and residual risk. Please download the guide for the overview and you can click on the image below for a PDF version of the SP-RMM infographic.