NIST pub 'fundamentally' changes federal information security management

NIST this week released the final version of Managing Information Security Risk: Organizations, Mission, and Information System View (NIST Special Publication 800-39), the “capstone” document of the Joint Task Force Transformation Initiative, Ross said.

The publication is one of five prepared by the task force, headed by Ross, which brings together representatives from NIST, the Department of Defense, and the national intelligence community to revise existing information security publications so a unified information security framework – to implement the Federal Information Security Management Act (FISMA) – can be applied across all federal agencies.

Managing Information Security Risk “brings together an overarching risk-based strategy for organizations and it talks about how the other publications can be integrated into implementing an overall risk management strategy for an organization”, Ross said. “In that sense, it is the most important publication because it brings together everything else.”

The publication presents a three-tier approach to information security risk management. The first tier involves the governance level; the second tier is the mission and business process level; and the third tier is the information systems level.

The final version includes a number of changes from the draft released in December last year. The first change involved a graphical representation of the risk management process across the three tiers, Ross explained. NIST moved the "framing" representation to the middle of the graphic to indicate that it is central to the entire process, rather than one step in a multi-step process that includes assessing, responding to, and monitoring risk.

“Framing is where you establish the context of how organizations manage risk. This is where you do your initial assumptions, constraints, risk tolerances, priorities, and tradeoffs. The other three steps operate in that context”, Ross said.

In addition, NIST changed the name of the publication from Integrated Enterprise-wide Risk Management in order to avoid confusion with the enterprise risk management (ERM) process. Ross explained that ERM is a larger process that involves broader enterprise risks, such as supply chain and legal risks, in addition to information security risks. “So we didn’t want this document to be confused with the higher level ERM process. That’s why we changed the name”, he added. The publication fits into a larger ERM program.

Ross said that the five task force publications are being developed so that they can be applied to DoD and intelligence systems, as well as civilian government agency systems. He noted that the Office of Management and Budget (OMB) has indicated that implementation of NIST standards and guidelines is mandatory, but there is a considerable degree of flexibility for agencies regarding implementation.

Three of the task force publications were previously published (see Infosecurity’s previous coverage for a list). A draft of the fifth publication, Guide to Conducting Risk Assessments (NIST Special Publication 800-30), is expected to be ready by the end of April, Ross said.

The task force is also working on a systems and security engineering guideline that is expected to be available in late 2011 or 2012, Ross continued. In addition, NIST is updating its catalog of security controls for the federal government and is seeking comments from interested parties.
