Risk management (RM) is
|“||[a] process for anticipating problems and taking appropriate steps to mitigate risks and minimize their impact on program commitments. It involves identifying and documenting risks, categorizing them based on their estimated impact, prioritizing them, developing risk mitigation strategies, and tracking progress in executing the strategies.||”|
|“||a management approach designed to reduce the risks inherent in a given project. It encompasses the total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources. It includes risk analysis, cost benefit analysis, selection, implementation and testing, security evaluation of safeguards, and overall security review.
It also allows system owners to balance the operational and economic costs of protective measures to achieve gains in mission capability by protecting the IT systems and data that support their organization's missions.
Risk management is
|“||[t]he process of managing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system, and includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security state of the information system.||”|
|“||[t]he process of conducting a risk assessment, implementing a risk mitigation strategy, and employing of techniques and procedures for the continuous monitoring of the security state of the information system. Risk management incorporates threat an and vulnerability analyses, and considers mitigations provided by security controls planned or in place — synonymous with risk analysis.||”|
|“||[t]he identification, assessment, and mitigation of probabilistic security events (risks) in information systems to a level commensurate with the value of the assets protected.||”|
Risk management is
|“||[t]he comparison and analysis of the relative threat (intent and capability to collect the information); the vulnerability of the asset; the cost and administrative burden of possible countermeasures; and the value of the asset used to determine the appropriate level of protection to control and reduce the risk of compromise or disclosure to acceptable levels. Risk management allows the acceptance of risk in the security process based upon a cost-benefit analysis.||”|
An organization's risk management process is designed to protect the organization and its ability to perform its mission, not just its IT assets.
Effective risk management enables an organization to accomplish its mission(s) by
- Better securing the IT systems that store, process, or transmit organizational information
- Enabling management to make well-informed risk management decisions to justify the expenditures that are part of an IT budget
- Assisting management in authorizing (or accrediting) IT systems on the basis of the supporting documentation resulting from the performance of risk management.
- Major Automated Information Systems: Selected Defense Programs Need to Implement Key Acquisition Practices, at 12.
- NIST, FIPS 200, Adapted.
- Cybersecurity A Primer for State Utility Regulators, App. B.
- Practices for Securing Critical Information Assets, Glossary, at 57.
- Glossary of Security Terms, Definitions, and Acronyms, at 210.
- OMB Circular No. A-130, the Computer Security Act of 1987, and the Government Information Security Reform Act of 2000 require that an IT system be authorized prior to operation and reauthorized at least every three years thereafter.