FCW : October 30, 2012
[Figure: Tiered Risk Management Approach. Tier 1: Organization (governance); Tier 2: Mission/business process (information and information flows); Tier 3: Information system (environment of operation). Strategic risk is addressed at the organization tier, tactical risk at the information system tier. Characteristics: multi-tier organizationwide risk management; implemented by the risk executive (function); tightly coupled to enterprise architecture and information security architecture; system development life cycle focus; disciplined and structured process; flexible and agile implementation. Source: National Institute of Standards and Technology]

agement, but overall, the government is behind the curve. A recent Ponemon Institute study of risk-based security management in the United States, which included input from government organizations, noted that more than three-quarters of respondents had a significant commitment to RBSM, but less than half actually have a program in place. A third of respondents have no RBSM strategy.

"Lots of organizations want to do RBSM, and they realize the importance of it," said Larry Ponemon, the institute's chairman. "But there's either resistance internally from people who are reluctant to move out of their comfort zones, or they just don't have the right resources to make it happen systematically. What you often end up with is a kind of a hodgepodge approach to it."

Chris Kennedy, principal security architect and senior program manager at Northrop Grumman Information Systems Civil Systems Division, said he believes most federal agencies understand what risk management is, but "it's just one of those things that's really tough to operationalize."

"The challenge is that IT has been traditionally managed in agencies as a mission enabler, and there hasn't been the level of cross-pollination between the mission owner and IT system operators to manage risk appropriately," he said. "Someone needs to work the priority of the mission to establish the appropriate risk management framework around the systems."

The first step in developing a risk management program is to get everyone to agree on what the risks are, which is more complicated than it sounds. In the older approach to security, the risks were associated with the network and attached systems, and identifying them was the responsibility of the IT department.

With enterprise risk management, many communities own the business processes that are at risk, and with the rise of cloud computing, they will increasingly have responsibility for the IT services that are delivered. However, each of them might have very different ideas of what the risks are and how to define them.

"If you want to develop a cohesive risk management strategy, you have to develop a centralized risk register that everyone can refer to, and that means also having a common nomenclature for risk," said Torsten George, vice president of worldwide marketing and products at Agiliance, a company that provides risk management solutions.

"If you try to do that later, then the accuracy of the data that comes back to you will vary, and the trend data that helps you predict your security needs going forward will be impacted," George added.

NIST's Ross described this as a need for a second front in government to integrate cybersecurity and risk management processes into the mainstream.

"I do think the understanding for all of this is there, but the systemic prob-