Security & Privacy Risk Management Model (SP-RMM)

The concept behind the SP-RMM was to create an efficient methodology to identify, assess, report and mitigate risk. The project approached the problem by asking the question, “How should I manage risk?” and was a collaboration between ComplianceForge and the Secure Controls Framework (SCF). The SP-RMM takes a holistic approach to controls, risks and threats as a way to reduce or eliminate the traditional Fear, Uncertainty and Doubt (FUD) that makes many risk assessments meaningless. The SP-RMM is free to use and is licensed under the Creative Commons licensing model.

[Graphic: Security & Privacy Risk Management Model]

All organizations have a need to manage risk. Most organizations are compelled to manage risk, and these requirements come from a broad range of statutory, regulatory and contractual origins. Regardless of your industry, requirements to manage cybersecurity risk exist, and failing to manage risk could leave your organization exposed to liabilities from non-compliance:

In risk management, the old adage “the path to hell is paved with good intentions” is very applicable. The reason is that, all too often, risk management personnel are tasked with generating risk assessments and creating the questions to ask in those assessments without having a centralized set of organization-wide cybersecurity and privacy controls to work from. This generally leads to risk teams making up risks and asking questions that are not supported by the organization’s policies and standards. For example, an organization is an “ISO shop” that operates an ISO 27002-based Information Security Management System (ISMS) to govern its policies and standards, but its risk team asks questions about NIST SP 800-53 or 800-171 controls that are not applicable to the organization. This scenario of “making up risks” points to a few security program governance issues:

[Infographic: Security & Privacy Risk Management Model]

SP-RMM: Risk Management Steps

The SP-RMM is designed to have a "start to finish" approach to risk management, where risk management is broken down into 16 steps (these correspond to the infographic shown above - click the graphic to see a larger version).

1. IDENTIFY RISK MANAGEMENT PRINCIPLES
It is necessary to identify one or more risk management principles that will form the basis of how the entity approaches its risk management processes. The alignment with risk management principles must support the entity's policies and standards for risk management objectives.

Common risk frameworks include:

2. IDENTIFY, IMPLEMENT & DOCUMENT CRITICAL DEPENDENCIES
This is a multi-step process that involves identifying, implementing and documenting the critical dependencies that are necessary to legitimately identify, assess and manage risk:

2A. RISK MANAGEMENT DEPENDENCIES
It is vitally important to establish the fundamental risk management dependencies. These need to be standardized entity-wide or the entity will be hampered by conflicting definitions and expectations:

2B. TECHNOLOGY DEPENDENCIES
In order to support risk management processes, it is necessary to establish the technology dependencies that affect risk management decisions:

2C. BUSINESS DEPENDENCIES
In order to support risk management processes, it is necessary to establish the business dependencies that affect risk management decisions:

3. FORMALIZE RISK MANAGEMENT PRACTICES
Document a formal Risk Management Program (RMP) that supports the entity's policies & standards. The RMP is meant to document the program-level guidance that defines the "who, what, why, when & how" about the entity's specific risk management practices.

4. ESTABLISH A RISK CATALOG
It is necessary to develop a risk catalog that identifies the possible risks that affect the entity. In the context of the SP-RMM, “risk” is defined as:

In the context of this definition of risk, it is important to define underlying components of this risk definition:

With this understanding of what risk is, the Secure Controls Framework (SCF) contains a catalog of thirty-two (32) risks that are directly mapped to each of the SCF’s controls.

[Graphic: cybersecurity risk catalog]

5. ESTABLISH A THREAT CATALOG
It is necessary to develop a threat catalog that identifies possible natural and man-made threats that affect the entity's security & privacy controls. In the context of the SP-RMM, “threat” is defined as:

This threat catalog is sorted by natural and man-made threats:

[Graphic: cybersecurity threat catalog]

6. ESTABLISH A CONTROLS CATALOG
It is necessary to develop a catalog of security and privacy controls that addresses the entity's applicable statutory, regulatory and contractual obligations. Risks must map to the entity's security & privacy controls. Ideally, the controls are weighted since not all security & privacy controls are equal.

Note: The SCF has built-in Control Weighting Values [1-10], a maturity model and the SCF controls written in question format.

7. DEFINE CAPABILITY MATURITY MODEL (CMM) TARGETS
It is necessary for an entity to define “what right looks like” for the level of maturity it expects for deployed security and privacy controls. This is generally defined by aligning with a Capability Maturity Model (CMM). While there are several to choose from, the SCF’s Security & Privacy Capability Maturity Model (SP-CMM) contains control-level criteria for each of the levels of the maturity model.

Maturity model criteria should be used by the organization as the benchmark to evaluate security and privacy controls.

[Graphic: SCF capability maturity model]

8. PERFORM RISK ASSESSMENTS
With the previous steps addressed, an assessor will leverage those deliverables (e.g., Risk Management Program (RMP), threat catalog, risk catalog, controls catalog, etc.) to implement a functional capability to assess risk across the entity. The documented assessment criteria from the previous steps exist to guide the assessor when performing risk assessments.

Assessing risks in the context of the SP-RMM applies to various assessment scenarios:

9. ESTABLISH THE CONTEXT FOR ASSESSING RISKS
Now that a methodology exists to assess risk, it is necessary for the assessor to establish the context of the Security & Privacy Risk Environment (SPRE). The SPRE is the overall operating environment that is in scope for the risk assessment. This is where the threats, risks and vulnerabilities affect the entity’s protection measures.

An assessor can generally find this information in a well-documented System Security & Privacy Plan (SSPP). If the scoping is incorrect, the context will likely also be incorrect, which can lead to a misguided and inaccurate risk assessment.

10. CONTROLS GAP ASSESSMENT
Based on the applicable statutory, regulatory and contractual obligations that impact the SPRE, the entity is expected to have an applicable set of controls to cover those needs. That set of controls identifies the in-scope requirements that must be evaluated to determine what risk exists. This is generally considered to be a “gap assessment” where the assessor:


11. ASSESS RISKS
When the control deficiencies are identified, the assessor must utilize an entity-accepted method to assess the risk in the most objective manner possible. Methods for assessing a control for deficiencies are generally defined as either:

In most cases, it is not feasible to have an entirely quantitative assessment, so assessments should be expected to include semi-qualitative or qualitative aspects.

There are multiple methods to actually assess and calculate risk. The SP-RMM leverages work done in this area by ComplianceForge’s Risk Management Program (RMP) to simplify risk management practices.

[Graphic: cybersecurity risk matrix]

12. DETERMINE RISK
At the end of the day, risk needs to be understandable. This is generally why risk is bucketed into a set of pre-defined categories. The SP-RMM leverages the following categories of risk, based on the ComplianceForge RMP:

Before a risk report can be documented, it is very important to clarify if the results of the assessment are “inherent risk” or “residual risk” since those have entirely different meanings and implications. Some people want to see both inherent and residual risk, while some people just want to be presented with residual risk. That is why it is important to understand what story the risk scores tell:

You can read more about the differences in calculating inherent and residual risk in the CALCULATING RISK: INHERENT RISK VS RESIDUAL RISK section of this document.

13. PRIORITIZE & DOCUMENT RISKS
Once risk has been identified, it is necessary to prioritize and document the identified risk(s). Generally, risk is prioritized by one of the following:

Every entity is different in how it documents risk. The following methodologies are commonly used:

14. IDENTIFY THE APPROPRIATE MANAGEMENT AUDIENCE
It is an unfortunate and common problem within risk management to run across individuals who are directly impacted by risk and simply say, “I accept the risk” with the intent to “wish away” the risks so that the project/initiative can proceed without having to first address deficiencies. This is why it is critically important that, as part of an entity’s program to manage risk, various levels of management are identified with varying authority, each with a prescribed ability to make risk management decisions. This helps prevent low-level managers from recklessly accepting risk that should be reserved for more senior management.

A common tiered structure for risk management decisions includes:

15. MANAGEMENT DETERMINES RISK TREATMENT
Risk management is a management decision:

Common risk treatment options include:

Right or wrong, management is ultimately able to decide how risk is to be handled. Where this benefits security, technology and privacy personnel is the “get out of jail” documentation that quality risk assessments and risk management can provide. Instead of executive leadership hanging blame on the CIO or CISO, quality risk management documentation can prove that reasonable steps were taken to identify, assess, report and mitigate risk, which firmly puts the responsibility back on the management team of the team/department/line of business that “owns” the risk.

16. IMPLEMENT & DOCUMENT RISK TREATMENT
When managing risk, it should be kept as simple as possible. Realistically, risk treatment is either “open” or “closed” but it can sometimes be useful to provide more granularity into open items to assist in reporting on risk management activities:

Calculating Risk: Inherent Risk vs Residual Risk

It is possible to use a straightforward method to calculate risk using the SP-RMM. Both Inherent Risk and Residual Risk map into the SP-RMM Risk Matrix (graphic shown below).

STEP 1: CALCULATE THE INHERENT RISK
To determine the inherent risk, multiply the Occurrence Likelihood (OL) by the Impact Effect (IE).

STEP 2: ACCOUNT FOR CONTROL WEIGHTING
Not all security and privacy controls are equal, so it is important to apply weighting to the importance of controls. The SCF contains pre-defined control weightings that can be edited for an entity’s unique requirements. This Control Weighting (CW) is multiplied by the inherent risk score from Step 1.

STEP 3: ACCOUNT FOR MATURITY LEVEL TARGETS
The next step is meant to determine a weighted maturity score that takes control maturity into account. The more mature a control is, the more the risk should be reduced. The Maturity Level (ML) factor is multiplied by the value determined in Step 2.

STEP 4: ACCOUNT FOR MITIGATING FACTORS TO DETERMINE RESIDUAL RISK
The final step is to account for Mitigating Factors (MF), which can be compensating controls or other process/technology considerations that mitigate risk, specific to the identified threats.

The end calculation to determine residual risk is: OL * IE * CW * ML * MF

Leveraging the ComplianceForge Risk Management Program (RMP) structure, it is straightforward to translate the calculated value of the residual risk score into a user-friendly risk category:

[Graphic: Security & Privacy Risk Management Model Calculations]

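The four calculation steps above, carried through in code as an added example (not ComplianceForge's or the SCF's own tooling). The SP-RMM fixes only the formula OL * IE * CW * ML * MF; the 1..5 likelihood and impact scales, the fractional Maturity Level and Mitigating Factor multipliers, and the CTRL-A/B/C names are assumptions for this example, while the 1..10 Control Weighting range is the SCF's.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ControlDeficiency:
    """One assessed control deficiency and its SP-RMM factors.

    The SP-RMM fixes the order of operations (OL * IE * CW * ML * MF) but
    gives no scales, so the ranges below are this example's assumptions:
      ol: Occurrence Likelihood, assumed 1 (rare) .. 5 (almost certain)
      ie: Impact Effect,         assumed 1 (negligible) .. 5 (severe)
      cw: Control Weighting,     SCF built-in range 1 .. 10
      ml: Maturity Level factor, assumed 0 < ml <= 1 (more mature = smaller)
      mf: Mitigating Factors,    assumed 0 < mf <= 1 (1.0 = nothing compensating)
    """
    control: str
    ol: int
    ie: int
    cw: int
    ml: float
    mf: float

def _check(name: str, value: float, low: float, high: float) -> None:
    if not low <= value <= high:
        raise ValueError(f"{name}={value} is outside the assumed range [{low}, {high}]")

def inherent_risk(d: ControlDeficiency) -> float:
    """Step 1: OL * IE, before weighting, maturity or mitigation are applied."""
    _check("OL", d.ol, 1, 5)
    _check("IE", d.ie, 1, 5)
    return d.ol * d.ie

def residual_risk(d: ControlDeficiency) -> float:
    """Steps 2-4: inherent risk * CW * ML * MF."""
    _check("CW", d.cw, 1, 10)
    _check("ML", d.ml, 0.01, 1.0)  # a zero factor would erase the risk entirely
    _check("MF", d.mf, 0.01, 1.0)
    return inherent_risk(d) * d.cw * d.ml * d.mf

def risk_register(deficiencies):
    """Inherent and residual score side by side per control, highest residual first."""
    rows = [(d.control, inherent_risk(d), round(residual_risk(d), 2)) for d in deficiencies]
    return sorted(rows, key=lambda row: row[2], reverse=True)

# Constructed sample input (placeholder control names, not SCF identifiers).
SAMPLE = [
    ControlDeficiency("CTRL-A: immature, nothing compensating", ol=4, ie=3, cw=8, ml=1.0, mf=1.0),
    ControlDeficiency("CTRL-B: same inherent risk, half mature, compensated", ol=4, ie=3, cw=8, ml=0.5, mf=0.8),
    ControlDeficiency("CTRL-C: low weight, mature control", ol=2, ie=5, cw=3, ml=0.25, mf=1.0),
]
```

CTRL-A and CTRL-B share the same inherent risk (12) but end up with very different residual scores, which is the inherent-versus-residual distinction Step 12 asks the assessor to make explicit before reporting.
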
SP-RMM: Applicability To NIST 800-171 & CMMC

An immediate need for many organizations is compliance with NIST SP 800-171 and the Cybersecurity Maturity Model Certification (CMMC). The Security & Privacy Risk Management Model (SP-RMM) is a tool that can be used to address the following requirements:

CMMC PROCESSES & PRACTICES

These CMMC processes and practices are directly impacted by the SP-RMM:

"CMMC 2.0" PRACTICES (LEVELS 1 & 2)

NIST SP 800-171 CONTROLS

These NIST SP 800-171 controls are directly impacted by the SP-RMM:
