Alternatives to Assess, Control, Monitor, Respond
The Assess, Control, Monitor & Respond process is not a groundbreaking or revolutionary concept. Instead, it is a simplification and derivation of several existing methodologies for quality control and risk. For example, the FFIEC promotes the adoption of "a cyclical, process-oriented approach to business continuity planning" based on four steps:
- Business Impact Analysis;
- Risk assessment;
- Risk management;
- Risk monitoring and testing.
COSO has established the following structure for Enterprise Risk Management (ERM):
- Internal Environment – The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
- Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
- Event Identification – Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.
- Risk Assessment – Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
- Risk Response – Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.
- Control Activities – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
- Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
- Monitoring – The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
As can be seen, there are many similarities between the COSO framework and the one advocated on this site. The only significant difference is a lack of emphasis in the COSO framework on a response stage when deficiencies or failures are identified.
COSO notes that "Enterprise risk management is not strictly a serial process, where one component affects only the next. It is a multidirectional, iterative process in which almost any component can and does influence another." COSO reinforces this point by integrating these components with standard corporate objectives, as represented by the complex, three-dimensional image on the right. The observation is correct: information security is a complex field where one element can have multiple impacts across the framework. However, there is a tendency for information security officers to become swept up in these inter-relationships and become lost or overwhelmed. In order to minimize confusion, this Web site advocates a sequential approach in order to keep the focus on the process. Keep it simple - just Assess, Control, Monitor and Respond.
As further support to the KISS approach, it is intriguing to note how closely Assess, Control, Monitor and Respond aligns with the Total Quality Management cycle referred to as "PDCA":
- Plan: Conduct an inventory of the process, identify the deficiencies and identify solutions
- Do: Implement the changes in a test or prototype environment
- Check: Monitor the test and make modifications
- Act: Implement the changes as part of the standard processes within the business
ISO 27001 takes this one step further and applies PDCA to the process for Information Security Management Systems (ISMS). Note that the IS Framework advocated on this site and PDCA are virtually the same in concept.
A further refinement of the PDCA approach is evidenced in the Six Sigma quality model of DMAIC:
- Define the process improvement goals that are consistent with customer demands and enterprise strategy.
- Measure the current process and collect relevant data for future comparison.
- Analyze to verify the relationships and causality of factors. Determine what the relationship is, and attempt to ensure that all factors have been considered.
- Improve or optimize the process based upon the analysis using techniques like Design of Experiments.
- Control to ensure that any variances are corrected before they result in defects. Set up pilot runs to establish process capability, transition to production and thereafter continuously measure the process and institute control mechanisms.
The similarities between these approaches and the Assess, Control, Monitor and Respond process strongly suggest that risk management and quality management are essentially the same - both guide the business to decisions on the optimal use of resources to minimize expenses (losses). They also guide the business to improving revenue through improved service (protection of customer assets).
The following sources provide further alternatives:
- CERT's OCTAVE method
- COBIT. COBIT uses a methodology based on:
- The Information Security Forum FIRM methodology.
- The NIST Risk Management Guide for Information Technology Systems. This methodology is based on:
  - System Characterization
  - Threat Identification
  - Vulnerability Identification
  - Control Analysis
  - Likelihood Determination
  - Impact Analysis
  - Risk Determination
  - Control Recommendations
  - Results Documentation
The next section describes the role of Information Security within the Framework.
©2009 ISRMC, LLC