Addressing Risk Using the New Enterprise Security Risk Management Cycle

Author: Kumaragunta Harisaiprasad, CISA, APP, ISO 22301 LI, ISO 27001 LA, ISO 9001 LA, Six Sigma Green Belt
Date Published: 16 September 2020
Related: Risk IT Framework, 2nd Edition | Print | English

Enterprise Security Risk Management (ESRM) is a holistic security program designed to identify and prioritize assets and risk to mitigate those risk areas. ESRM bridges security professionals and asset owners in making informed decisions through the ESRM cycle.

The ESRM cycle shown in figure 1 is based on new ESRM guidelines from ASIS, 1 which were drafted based on globally established and accepted risk management principles, implemented by identifying, evaluating and mitigating the security risk areas of an enterprise to reach its business objectives. Practicing ESRM helps an enterprise improve the maturity of its security process. This cycle can be initiated after understanding an enterprise’s context. Understanding the context involves understanding the mission, vision, core values, operating environment (i.e., physical, nonphysical and logical) and stakeholders. This helps security professionals identify the risk areas that restrict the organization in achieving its goals and objectives. The ESRM cycle includes four processes:

  1. Identifying and prioritizing assets—Anything that adds value to the organization is defined as an asset. Assets are owned by asset owners who are responsible for mitigating risk areas of assets to an acceptable level for the organization. Assets should be valued and prioritized based on the organization’s goals and objectives. The value of the asset could be based on cost or replacement cost of the asset or operational and reputational impact of unavailability.
  2. Identifying and prioritizing risk—This involves conducting risk assessment for the assets by identifying risk based on the enterprise risk assessment methodology. The methodology should involve determining risk level based on threats, vulnerabilities, impact, probabilities and value of assets. Risk level is determined for the identified risk and matched with the risk acceptable value. Risk areas that exceed the acceptable value are called high risk and risk that match or are below acceptable value are called low/acceptable risk. The processes of identifying high risk areas and listing them in order for mitigation is called prioritizing risk.
  3. Mitigating the prioritized risk—Controls that are determined high risk need to be brought to an acceptable level. This process is called risk mitigation. Risk mitigation is one type of risk treatment; the other three types are accept, avoid and transfer. In risk acceptance, risk scenarios are accepted based on an organization’s risk tolerance level/risk appetite. Risk can be transferred through insurance and outsourcing. Avoidance of risk is accomplished by changing or ceasing certain operations. In risk mitigation, the probability or impact of risk is reduced by additional controls such that the risk level gets reduced to an acceptable level. Examples of risk mitigation measures include electronic access controls, video surveillance, security awareness training and data loss prevention (DLP).
  4. Continuous improvement of the security program—The ESRM cycle is based on an iterative approach of assessment, mitigation and monitoring to continuously improve the four processes. Investigations and analysis, information sharing and incident response contribute to continuous improvement. Incident response is a process of responding to incidents and tracking them until their resolution as per the defined timelines. Continuous improvement can be analyzed by tracking incidents over a period of time and comparing the incidents that occurred and the resolution time with the previous cycle. Lessons learned from incidents should also be fed back into the security program through its continuous improvement process.

Figure 1

Emerging risk can be determined through investigation and analysis. In this process, root causes are identified, mitigation controls are devised and prioritized and response time is monitored.

ESRM HELPS AN ENTERPRISE IMPROVE THE MATURITY OF ITS SECURITY PROCESS.

Sharing of security information with asset owners and stakeholders forms an important part of the continuous improvement process. This helps security professions send and receive information from asset owners, which contributes to continuous improvement.

ESRM addresses mitigating risk from physical security, cybersecurity, information security, loss prevention, organizational resilience, brand protection, travel risk, supply chain security, business continuity, crisis management, threat management, fraud risk management and workplace violence prevention. Its approach is shown in figure 1.

The ESRM program for an organization can be started with an assessment using the ASIS ESRM maturity assessment tool, 2 where the rating for various categories is based on the current people, process and governance scores. The current people and process scores are shown in figure 2.

Figure 2

A governance score consists of a risk rating and thresholds set by the enterprise risk governance committee. The assessment tool consists of different categories that include program strategy, program governance, understanding and awareness, program implementation and application, program management and advancement, and alignment of security risk mitigation activity. Each category has different controls and, for each control, a people score, process score and governance score between one and five should be given to get the enterprise score. The values and definitions of an enterprise score are shown in figure 3. An average score for each of the six categories is given for people, processes and governance, respectively, by the online tool. The current level score and the recommended level is also provided by the tool for each of the six categories. Areas covered under each of the six categories include:

  1. Program strategy—This includes the security department’s mission, goals and a formal commitment to using ESRM and communicating it to the relevant stakeholders. Strategy involves adopting a formal risk model (e.g., International Organization for Standardization [ISO], COBIT ® , American National Standards Institute [ANSI]), allotting resources and developing skills for implementation.
  2. Program governance—This includes instituting a governance committee, setting up acceptable risk limits for the enterprise, defining scope and communicating the maturity levels.
  3. Understanding and awareness—Awareness training should be given to executives, leaders of all functions and departments, security personnel, and third-party personnel under scope.
  4. Program implementation and application—This involves identifying assets and their owners, prioritizing assets, determining impact, evaluating risk levels and documenting risk mitigation plans.
  5. Program management and advancement—This includes reviewing and updating risk mitigation plans and status reports at regular intervals and delivering them to asset owners, executive management and the security department.
  6. Alignment of security risk mitigation activity—This includes developing and defining roles and responsibilities and monitoring and communicating risk mitigation activities and incident management.

Figure 3

Periodic reviews and audits help assess the status of ESRM and continuous improvement. Communications with external and internal stakeholders on the performance of risk management make the governance process of an enterprise effective.

ISO 27005 is a standard for information security risk management, which describes how risk should be assessed and managed and provides a risk matrix to determine risk levels of various risk areas. ISO 31000 and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) only discuss risk management and principles for an enterprise. 3 ESRM specifically addresses managing security risk areas of an enterprise, and this framework is designed in such a way that it can integrate well with the enterprise risk management framework. This is because an enterprise score from the ESRM maturity assessment tool uses defined people and process scores and leaves the governance score to be defined by the particular enterprise. None of the other standards have a provision to determine the risk management rating at an enterprise level. This helps an enterprise assess the maturity level of security risk management and determine the road ahead through the ESRM tool.

The results of a simulated enterprise that has used the ESRM tool and completed the survey is shown in figure 4.

Figure 4

The enterprise score is calculated and the current average score of each category determined. In this example, even though the enterprise score is in the desired level, the enterprise did not achieve the recommended score in the program implementation and application category and achieved an above-recommended score in understanding and awareness (figure 4). The ESRM survey not only calculates the overall enterprise score, but it also informs which area an enterprise needs to improve and what level the enterprise has achieved in each category. From this, an enterprise can revise and implement strategies to improve its ESRM and achieve required scores of performance.

Endnotes

1 Professional Standards Board; “Guideline: Enterprise Security Risk Management,” ASIS International, September 2019
2 ASIS International; “ESRM Maturity Assessment Survey,” https://www.asisonline.org/publications-resources/esrm/esrm-survey/
3 International Organization for Standardization, ISO 31000:2018 Risk Management—Guideline, Switzerland, February 2018, https://www.iso.org/standard/65694.html

Harisaiprasad Kumaragunta, CISA, APP, ISO 22301 LI, ISO 27001 LA, ISO 9001 LA, Six Sigma Green Belt

Is an associate consultant with Mahindra Special Services Group with more than 12 years of experience in the industry. He is the ISACA ® New Delhi (India) Chapter leader and social media chair. He is also a topic leader for the ISACA Certified Information Systems Auditor ® (CISA ® ) online forum. He is a frequent contributor to blogs and has published articles related to the information security domain in ISACA Now, COBIT Focus and the ISACA ® Journal. He conducts user awareness training, internal auditor training, International Organization for Standardization ISO 27001 audits, regulatory audits, third-party audits, internal audits, IT audits, risk assessments and implements ISO 27001, among other tasks. He can be contacted at harisaiprasad@gmail.com.