Secure Controls Framework

Secure, Compliant & Resilient Risk Management Model (SCR-RMM)

The SCR-RMM integrates risk management with business planning at three levels: strategic, operational, and tactical. Each level has distinct risk management considerations and decision-making authority. If you worry about having to preface risk management discussions with, “Please don't shoot the messenger!” then the SCR-RMM can be an additional layer of protection for your professional reputation. Where the SCR-RMM benefits security, technology and privacy personnel is the potential “get out of jail” documentation that quality risk assessments and risk management practices can provide. Just like with compliance documentation, if risk management discussions are not documented then risk management practices do not exist.

Instead of executive leadership hanging blame on the CIO or CISO, quality risk management documentation can show that reasonable steps were taken to identify, assess, report and mitigate risk. This type of documentation provides evidence of due diligence and due care on the part of the CIO/CISO/CRO, which firmly puts the responsibility back on the management of the team/department/line of business that “owns” the risk.

Based on the applicable statutory, regulatory and contractual obligations that define the scope of a risk assessment, an organization is expected to have an applicable set of cybersecurity and data privacy controls to cover those needs.

Key Takeaways - Risk Management Model (SCR-RMM)
  • The SCR-RMM is a risk management model that places controls at the center of all GRC activities.
  • Controls are the nexus of a cybersecurity program since policies, standards, procedures, metrics, threats, and risks all map to controls.
  • The model enables holistic risk management at the control level rather than at the system or business process level alone.
  • Risk and threat catalogs are mapped directly to SCF controls, creating a clear chain from threat to safeguard.
  • The SCR-RMM is a free resource from the Secure Controls Framework.

Controls-Centric Risk Management

The SCR-RMM Model

The Secure, Compliant & Resilient Risk Management Model (SCR-RMM) is built directly into the Secure Controls Framework (SCF). The SCR-RMM was created to provide an efficient methodology to identify, assess, report and mitigate risk. The project was approached from the perspective of asking the question, “How should I manage risk?” and was a collaboration between ComplianceForge and the SCF.

The SCR-RMM takes a holistic approach to controls, risks and threats as a way to reduce or eliminate the traditional Fear, Uncertainty and Doubt (FUD) that makes many risk assessments meaningless. Because controls sit at the center of the model, when a control is assessed you simultaneously understand its compliance status (via policies and standards), its operational effectiveness (via procedures and metrics), and its risk posture (via threats and risks mapped to that control). The SCR-RMM is free to use and is licensed under the Creative Commons licensing model.

Managing Risk

Cybersecurity Risk Management Requirements

All organizations have a need to manage risk. Most organizations are compelled to manage risk, and these requirements come from a broad range of statutory, regulatory and contractual origins. Regardless of your industry, requirements to manage cybersecurity risk exist, and failing to manage risk could leave your organization exposed to liabilities from non-compliance:

  • NIST 800-171 & CMMC: Protecting CUI in Nonfederal Information Systems and Organizations is found in multiple sections of NIST SP 800-171 & CMMC, requiring risk to be periodically assessed.
  • Federal Trade Commission (FTC) Act: Section 5 of the FTC Act (15 U.S. Code § 45) deems unfair or deceptive acts or practices in or affecting commerce to be unlawful. Poor security practices are covered under this requirement, and not managing cybersecurity risk is an indication of poor security practices.
  • Payment Card Industry Data Security Standard (PCI DSS): PCI DSS #12.2 requires companies to perform a formal risk assessment.
  • Health Insurance Portability and Accountability Act (HIPAA): The HIPAA Security Rule (45 C.F.R. §§ 164.302 – 318) requires companies to conduct an accurate & thorough assessment of potential risks.
  • Gramm-Leach-Bliley Act (GLBA): The Safeguards Rule of GLBA (16 C.F.R. §§ 314) requires companies to identify and assess risks to customer information.
  • Massachusetts MA 201 CMR 17.00: Section# 17.03(2)(b) requires companies to "identify & assess" reasonably-foreseeable internal and external risks.
  • Oregon Identity Theft Protection Act: Section 646A.622(2)(d)(B)(ii) requires companies to assess risks in information processing, transmission & storage.

In risk management, the old adage that “the path to hell is paved with good intentions” is very applicable. All too often, risk management personnel are tasked with generating risk assessments and creating the questions to ask in those assessments without having a centralized set of organization-wide cybersecurity and privacy controls to work from. This generally leads to risk teams making up risks and asking questions that are not supported by the organization’s policies and standards. For example, an organization may be an “ISO shop” that operates an ISO 27002-based Information Security Management System (ISMS) to govern its policies and standards, while its risk team asks questions about NIST SP 800-53 or 800-171 controls that are not applicable to the organization. This scenario of “making up risks” points to one of two security program governance issues:

  • If the need for additional controls to cover risks is legitimate, then the organization is improperly scoped and does not have the appropriate cybersecurity and privacy controls to address its applicable statutory, regulatory, contractual or industry-expected practices.
  • If the organization is properly scoped, then the risk team is essentially making up requirements that are not supported by the organization’s policies and standards.

SCR-RMM Process

Cybersecurity Risk Management Requirements

The SCR-RMM breaks risk management down into 17 distinct steps, providing coverage from start to finish. This spans from establishing risk management principles through implementing and documenting risk treatment.

The 17 steps, by level, name and description:

  1. Identify Risk Management Principles: Establish the foundational risk management principles that will govern the organization's approach.
  2. Identify, Implement & Document Critical Dependencies: Identify risk management dependencies (2A), technology dependencies (2B), and business dependencies (2C).
  3. Formalize Risk Management Practices: Establish formal, documented risk management practices integrated into business-as-usual activities.
  4. Establish a Risk Catalog: Define the applicable risks based on control deficiencies, organized by grouping (Access Control, Asset Management, Business Continuity, Exposure, Governance, Incident Response, Situational Awareness, Supply Chain).
  5. Establish a Threat Catalog: Identify natural threats (5A) and man-made threats (5B) that affect the ability of controls to exist or operate properly.
  6. Establish a Controls Catalog: Define the applicable set of cybersecurity and data privacy controls based on statutory, regulatory, and contractual obligations.
  7. Define CMM Targets: Set Capability Maturity Model targets for the organization's controls using the SCR-CMM.
  8. Define Assessment Rigor: Select the appropriate rigor level: Standard (8A), Enhanced (8B), or Comprehensive (8C).
  9. Establish Context for Assessing Risks: Establish the organizational and environmental context for the risk assessment.
  10. Conformity Assessment (Controls Gap Assessment): Conduct the gap assessment against the controls catalog to identify deficiencies.
  11. Control Assessment Methods & Findings: Apply assessment methods (11A), methodologies (11B), and document assessment findings (11C).
  12. Determine Risk Exposure: Calculate Impact Effect (12A), Occurrence Likelihood (12B), Inherent Risk (12C), and Residual Risk (12D).
  13. Prioritize & Document Identified Deficiencies: Prioritize findings based on risk exposure and document all identified deficiencies.
  14. Risk Determination: Report on Conformity (ROC): Categorize results as Strictly Conforms (14A), Conforms (14B), Significant Deficiency (14C), or Material Weakness (14D).
  15. Identify the Appropriate Management Audience: Determine which level of management has legitimate authority for risk decisions.
  16. Management Determines Risk Treatment: LOB management decides whether to reduce, avoid, transfer, or accept the risk.
  17. Implement & Document Risk Treatment: Cybersecurity and data protection practitioners implement and document the selected treatment.

Applicability

SCR-RMM: Applicability To NIST 800-171 & CMMC

An immediate need for many organizations is compliance with NIST SP 800-171 and the Cybersecurity Maturity Model Certification (CMMC). The SCR-RMM is a tool that can be used to address the following NIST SP 800-171 requirements:

  • 3.11.1: Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
  • 3.11.2: Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
  • 3.11.3: Remediate vulnerabilities in accordance with risk assessments.
  • 3.12.1: Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
  • 3.12.2: Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
  • 3.12.3: Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.