NIST SP 800-39 Appendix H
RISK RESPONSE STRATEGIES
FROM BOUNDARY PROTECTION TO AGILE DEFENSES
Organizations develop risk management strategies as part of the risk framing step in the risk management process described in Chapter Three. The risk management strategies address how organizations intend to assess risk, respond to risk, and monitor risk -- making explicit and transparent the risk perceptions that organizations routinely use in making both investment and operational decisions. As part of organizational risk management strategies, organizations also develop risk response strategies. The practical realities facing organizations today make risk response strategies essential--the realities of needing the mission/business effectiveness offered by information technology, the lack of trustworthiness in the technologies available, and the growing awareness by adversaries of the potential to achieve their objectives to cause harm by compromising organizational information systems and the environments in which those systems operate. Senior leaders/executives in modern organizations are faced with an almost intractable dilemma--that is, the information technologies needed for mission/business success may be the same technologies through which adversaries cause mission/business failure. The risk response strategies developed and implemented by organizations provide these senior leaders/executives (i.e., decision makers within organizations) with practical, pragmatic paths for dealing with this dilemma. Clearly defined and articulated risk response strategies help to ensure that senior leaders/executives take ownership of organizational risk responses and are ultimately responsible and accountable for risk decisions--understanding, acknowledging, and explicitly accepting the resulting mission/business risk.
As described in Chapter Two, there are five basic types of responses to risk: (i) accept; (ii) avoid; (iii) mitigate; (iv) share; and (v) transfer. While each type of response can have an associated strategy, there should be an overall strategy for selecting from among the basic response types. This overall risk response strategy and a strategy for each type of response are discussed below. In addition, specific risk mitigation strategies are presented, including a description of how such strategies can be implemented within organizations.
H.1 OVERALL RISK RESPONSE STRATEGIES
Risk response strategies specify: (i) individuals or organizational subcomponents that are responsible for the selected risk response measures and specifications of effectiveness criteria (i.e., articulation of indicators and thresholds against which the effectiveness of risk response measures can be judged); (ii) dependencies of the selected risk response measures on other risk response measures; (iii) dependencies of selected risk response measures on other factors (e.g., implementation of other planned information technology measures); (iv) implementation timeline for risk responses; (v) plans for monitoring the effectiveness of the risk response measures; (vi) identification of risk monitoring triggers; and (vii) interim risk response measures selected for implementation, if appropriate. Risk response implementation strategies may include interim measures that organizations choose to implement.
An overall risk response strategy provides an organizational approach to selecting between the basic risk responses for a given risk situation. A decision to accept risk must be consistent with the stated organizational tolerance for risk. Yet there is still need for a well-defined, established organizational path for selecting one or a combination of the risk responses of acceptance, avoidance, mitigation, sharing, or transfer. Organizations are often placed in situations where there is greater risk than the designated senior leaders/executives desire to accept. Some risk acceptance will likely be necessary. It might be possible to avoid risk or to share or transfer risk, and some risk mitigation is probably feasible. Avoiding risk may require selective reengineering of organizational mission/business processes and forgoing some of the benefits being accrued by the use of information technology organization-wide, perhaps even what organizations perceive as necessary benefits. Mitigating risk requires expenditure of limited resources and may quickly become cost-ineffective due to the pragmatic realities of the degree of mitigation that can actually be achieved. Lastly, risk sharing and transfer have ramifications as well, some of which, if not unacceptable, may be undesirable. The risk response strategies of organizations empower senior leaders/executives to make risk-based decisions compliant with the goals, objectives, and broader organizational perspectives.
H.2 RISK ACCEPTANCE STRATEGIES
Organizational risk acceptance strategies are essential companions to organizational statements of risk tolerance. The objective of establishing an organizational risk tolerance is to state, in clear and unambiguous terms, a limit for risk--that is, how far organizations are willing to go with regard to accepting risk to organizational operations (including missions, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation. Real-world operations, however, are seldom so simple as to make such risk tolerance statements the end-statement for risk acceptance decisions. Organizational risk acceptance strategies place the acceptance of risk into a framework of organizational perspectives on dealing with the practical realities of operating with risk and provide the guidance necessary to ensure that the extent of the risk being accepted in specific situations is compliant with organizational direction.
H.3 RISK AVOIDANCE STRATEGIES
Of all the risk response strategies, organizational risk avoidance strategies may be the key to achieving adequate risk response. The pragmatic realities of the trustworthiness of information technologies available for use within common resource constraints make wise use of those technologies arguably a significant, if not the most significant, risk response. Wise use of the information technologies that compose organizational information systems is fundamentally a form of risk avoidance--that is, organizations modify how information technologies are used to change the nature of the risk being incurred (i.e., avoid the risk). Yet such approaches can be in great tension with organizational desires and, in some cases, the mandate to fully automate mission/business processes. Organizations proactively address this dilemma so that: (i) senior leaders/executives (and other organizational officials making risk-based decisions) are held accountable for only that which is within their ability to affect; and (ii) decision makers can make the difficult risk decisions that may, in fact, be in the best interests of organizations.
H.4 RISK SHARING AND TRANSFER STRATEGIES
Organizational risk sharing strategies and risk transfer strategies are key elements in enabling risk decisions for specific organizational missions/business functions at Tier 2 or organizational information systems at Tier 3. Risk sharing and transfer strategies both consider and take full advantage of a lessening of risk by sharing/transferring the potential impact across other internal organizational elements or with other external organizations--making the case that some other entities are, in fact, wholly (transfer) or partly (share) responsible and accountable for risk. For risk sharing or risk transfer to be effective risk responses, the impact on the local environment (e.g., mission/business processes or information systems) must be addressed by the sharing or transfer (i.e., the focus must be on mission/business success, not assigning blame). In addition, risk sharing and risk transfer activities must be carried out in accordance with intra- and inter-organizational dynamics and realities (e.g., organizational culture, governance, risk tolerance). This explains why risk sharing/transfer strategies are particularly important for the sharing and/or transfer to be a viable risk response option.
H.5 RISK MITIGATION STRATEGIES
Organizational risk mitigation strategies reflect an organizational perspective on what mitigations are to be employed and where the mitigations are to be applied, to reduce information security risks to organizational operations and assets, individuals, other organizations, and the Nation. Risk mitigation strategies are the primary link between organizational risk management programs and information security programs--with the former covering all aspects of managing risk and the latter being primarily a part of the risk response component of the risk management process. Effective risk mitigation strategies consider the general placement and allocation of mitigations, the degree of intended mitigation, and cover mitigations at Tier 1 (e.g., common controls), at Tier 2 (e.g., enterprise architecture including embedded information security architecture, and risk-aware mission/business processes), and at Tier 3 (security controls in individual information systems). Organizational risk mitigation strategies reflect the following:
- Mission/business processes are designed with regard to information protection needs and information security requirements;
- Enterprise architectures (including embedded information security architectures) are designed with consideration for realistically achievable risk mitigations;
- Risk mitigation measures are implemented within organizational information systems and environments of operation by safeguards/countermeasures (i.e., security controls) consistent with information security architectures; and
- Information security programs, processes, and safeguards/countermeasures are highly flexible and agile with regard to implementation, recognizing the diversity in organizational missions and business functions and the dynamic environments in which the organizations operate.
Organizations develop risk mitigation strategies based on strategic goals and objectives, mission and business requirements, and organizational priorities. The strategies provide the basis for making risk-based decisions on the information security solutions associated with and applied to information systems within the organization. Risk mitigation strategies are necessary to ensure that organizations are adequately protected against the growing threats to information processed, stored, and transmitted by organizational information systems. The nature of the threats and the dynamic environments in which organizations operate demand flexible and scalable defenses as well as solutions that can be tailored to meet rapidly changing conditions. These conditions include, for example, the emergence of new threats and vulnerabilities, the development of new technologies, changes in missions/business requirements, and/or changes to environments of operation. Effective risk mitigation strategies support the goals and objectives of organizations and established mission/business priorities, are tightly coupled to enterprise architectures and information security architectures, and can operate throughout the system development life cycle.
Traditional risk mitigation strategies with regard to threats from cyber attacks at first relied almost exclusively on monolithic boundary protection. These strategies assumed adversaries were outside of some established defensive perimeter, and the objective of organizations was to repel the attack. The primary focus of static boundary protection was penetration resistance of the information technology products and information systems employed by the organization as well as any additional safeguards and countermeasures implemented in the environments in which the products and systems operated. Recognition that information system boundaries were permeable or porous led to defense-in-depth as part of the mitigation strategy, relying on detection and response mechanisms to address the threats within the protection perimeter. In today's world characterized by advanced persistent threats, a more comprehensive risk mitigation strategy is needed--a strategy that combines traditional boundary protection with agile defense.
Agile defense assumes that a small percentage of threats from purposeful cyber attacks will be successful by compromising organizational information systems through the supply chain, by defeating the initial safeguards and countermeasures (i.e., security controls) implemented by organizations, or by exploiting previously unidentified vulnerabilities for which protections are not in place. In this scenario, adversaries are operating inside the defensive perimeters established by organizations and may have substantial or complete control of organizational information systems. Agile defense employs the concept of information system resilience--that is, the ability of systems to operate while under attack, even in a degraded or debilitated state, and to rapidly recover operational capabilities for essential functions after a successful attack. The concept of information system resilience can also be applied to the other classes of threats including threats from environmental disruptions and/or human errors of omission/commission. The most effective risk mitigation strategies employ a combination of boundary protection and agile defenses depending on the characteristics of the threat. This dual protection strategy illustrates two important information security concepts known as defense-in-depth and defense-in-breadth.
Information has value and must be protected. Information systems (including people, processes, and technologies) are the primary vehicles employed to process, store, and transmit such information--allowing organizations to carry out their missions in a variety of environments of operation and to ultimately be successful.
- 79 There is overlap between the basic risk responses. For example, a shared risk is one that is being accepted by each party in the sharing arrangement, and avoiding risk can be thought of as mitigating risk to zero. Nonetheless, with this understanding of overlap, there is value in addressing each of the five types of risk responses separately.
- 80 In addition to mission/business-driven information protection needs, information security requirements are obtained from a variety of sources (e.g., federal legislation, policies, directives, regulations, and standards).
- 81 Dynamic environments of operation are characterized, for example, by ongoing changes in people, processes, technologies, physical infrastructure, and threats.
- 82 An advanced persistent threat is an adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing/extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders' efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.
- 83 Draft NIST Interagency Report 7622 provides guidance on managing supply chain risk.
- 84 Threat characteristics include capabilities, intentions, and targeting information.
- 85 Defense-in-depth is an information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization.
- 86 Defense-in-breadth is a planned, systematic set of multidisciplinary activities that seek to identify, manage, and reduce risk of exploitable vulnerabilities at every stage of the system, network, or subcomponent life cycle (system, network, or product design and development; manufacturing; packaging; assembly; system integration; distribution; operations; maintenance; and retirement).