Rodney Petersen
Government Relations Officer
Security Task Force Coordinator
EDUCAUSE
Definition(s) of Risk Management & Risk
Impact(s) of Risk
Enterprise Risk Management
ERM Frameworks
DHS Risk Management Framework
NIST Risk Assessment Framework
STF Risk Assessment Framework
Risk management is a scientific approach to dealing with pure risks by anticipating possible accidental losses and designing and implementing procedures that minimize the occurrence of loss or the financial impact of the losses that do occur. (Fundamentals of Risk and Insurance, Vaughan and Vaughan)
Meaning: Risk as uncertainty concerning the occurrence of a loss.
Risk = Vulnerability x Threat x Impact (*Probability)
Vulnerability = An error or a weakness in the design, implementation, or operation of a system.
Threat = An adversary that is motivated to exploit a system vulnerability and is capable of doing so.
Impact = The likelihood that a vulnerability will be exploited or that a threat may become harmful.
*Probability = likelihood already factored into impact.
Strategic – Goals of the Organization
Operational – Processes that Achieve Goals
Financial – Safeguarding Assets
Compliance – Laws and Regulations
Reputational – Public Image
Risk treatment by severity and frequency:
                   Frequency: Low    Frequency: High
Severity: High     Transfer          Avoid
Severity: Low      Accept            Accept/Transfer
Enterprise Risk Management (ERM)
A process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (COSO)
A rigorous approach to assessing and addressing the risks from all sources that threaten the achievement of an organization’s strategic objectives. In addition, ERM identifies those risks that represent corresponding opportunities to exploit for competitive advantage. (Tillinghast-Towers Perrin consultancy group)
Any issue that impacts an organization’s ability to meet its objectives. (Developing A Strategy to Manage Enterprisewide Risk in Higher Education, NACUBO)
COSO’s ERM – Integrated Framework
Australia/New Zealand Standard – Risk Management
ISO Risk Management Draft Standard
The Combined Code and Turnbull Guidance
A Risk Management Standard by the Federation of European Risk Management Associations (FERMA)
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
Entity objectives can be viewed in the context of four categories:
• Strategic
• Operations
• Reporting
• Compliance
ERM considers activities at all levels of the organization:
• Enterprise-level
• Division or subsidiary
• Business unit processes
Australia/New Zealand Standard (AS/NZS 4360:2004) – Risk Management
Risk assessment
Does the company have clear objectives and have they been communicated so as to provide effective direction to employees on risk assessment and control issues?
For example, do objectives and related plans include measurable performance targets and indicators?
Are the significant internal and external operational, financial, compliance and other risks identified and assessed on an ongoing basis? These are likely to include the principal risks identified in the Operating and Financial Review.
Is there a clear understanding by management and others within the company of what risks are acceptable to the board?
A Risk Management Standard by the Federation of European Risk Management Associations (FERMA)
Risk Management Framework for Critical Infrastructure Protection (National Infrastructure Protection Plan, 2006)
NIST Risk Assessment Framework (SP 800-37 / SP 800-53A), shown as a cycle beginning at the Starting Point:
Starting Point – FIPS 199 / SP 800-60 – CATEGORIZE Information System: Define criticality/sensitivity of information system according to potential impact of loss
FIPS 200 / SP 800-53 – SELECT Security Controls: Select baseline (minimum) security controls to protect the information system; apply tailoring guidance as appropriate
SP 800-53 / SP 800-30 – SUPPLEMENT Security Controls: Use risk assessment results to supplement the tailored security control baseline as needed to ensure adequate security and due diligence
SP 800-18 – DOCUMENT Security Controls: Document in the security plan the security requirements for the information system and the security controls planned or in place
SP 800-70 – IMPLEMENT Security Controls: Implement security controls; apply security configuration settings
SP 800-53A – ASSESS Security Controls: Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements)
SP 800-37 – AUTHORIZE Information System: Determine risk to agency operations, agency assets, or individuals and, if acceptable, authorize information system operation
SP 800-37 / SP 800-53A – MONITOR Security Controls: Continuously track changes to the information system that may affect security controls and reassess control effectiveness
Purpose of Framework: to provide a high-level overview on the subject of conducting a risk assessment of information systems within higher education.
Points to Consider:
Risk Assessment (RA) is an ongoing process
RA requires strong commitment from senior administration and collaboration between cross-functional units
RA is part of strategic and continuity planning
RA requires planning and strategy that systematically increases the scope
RA needs to become a part of the culture of the university community
Effective Risk Management (RM) practices require a "risk aware" culture
Effective RM can provide the basis for prioritizing and resolving possible funding conflicts
Policy supporting ongoing risk assessment should be developed
Phase 0: Establish Risk Assessment Criteria for the Identification and Prioritization of Critical Assets (a one-time process)
Phase 1: Develop Initial Security Strategies
Phase 2: Technological View - Identify Infrastructure Vulnerabilities
Phase 3: Risk Analysis - Develop Security Strategy and Plans
Goal: to quickly establish the overall criteria for the identification of critical data assets and their appropriate priority level and to obtain senior management's perspective on issues of strategic importance.
Process 1: Establish Risk Assessment Criteria
Process 2: Apply the Critical Asset Criteria to Classify Data Collections and Related Resources
Goal: Once the information assets have been classified, strategic planning for the rest of the risk management process can begin. Vulnerabilities can be identified, and the process of mitigating the threats that can exploit those vulnerabilities can begin. An institution can decide to specifically focus on the very highest risks, or it may decide to focus first on mitigating risks broadly (or both).
The mere process of bringing management together to discuss the organization's strategy about risk mitigation can be extremely fruitful.
Process 1: Strategic Perspective – Senior Management
Process 2: Operational Perspective – Departmental Management
Process 3: Practice Perspective – Staff
Process 4: Consolidated View of Security Requirements
Goal: To identify areas of potential exposure associated with the systems architecture.
Process 1: Evaluation of Key Technology Components
Process 2: Evaluation of Selected Technology Components
Goal: After identifying key information systems resources and evaluating the degree of vulnerability with the systems, quantitatively determine the level of risk associated with each system and system component. This information may then be used to prioritize the allocation of resources to ensure appropriate mitigation of the highest risks and to make appropriate management decisions about the degree of risk that the organization will be willing to accept.
Process 1: Risk Assessment
Steps
1. Assess the potential impact of threats (and vulnerabilities) to critical assets (qualitative and/or quantitative)
2. Evaluate the likelihood of occurrence of the threats (high, medium, low)
3. Create a consolidated analysis of risks, based on the impact value to critical assets and the likelihood of occurrence
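As an added example that is not part of the EDUCAUSE deck, the three steps above carried out as a small Python risk register: each critical asset gets a qualitative impact and likelihood rating, the consolidated analysis ranks the risks by their combined value, and each risk is mapped onto the severity/frequency treatment matrix (Transfer, Avoid, Accept, Accept/Transfer) shown earlier in the deck. Asset names, threats and ratings are constructed sample data, and treating a "medium" rating as the severe/frequent side of the matrix is an assumption.

```python
# Added example, not from the deck: STF Phase 3 risk assessment steps as code.
from dataclasses import dataclass

LEVEL = {"low": 1, "medium": 2, "high": 3}  # qualitative scale -> ordinal value


@dataclass
class Risk:
    asset: str        # critical asset identified in Phase 0
    threat: str       # threat/vulnerability pair identified in Phase 2
    impact: str       # step 1: potential impact on the asset (high/medium/low)
    likelihood: str   # step 2: likelihood of occurrence (high/medium/low)

    def score(self) -> int:
        """Step 3: consolidated risk value = impact x likelihood on the ordinal scale."""
        return LEVEL[self.impact] * LEVEL[self.likelihood]


def treatment(impact: str, likelihood: str) -> str:
    """Map a risk onto the severity (impact) / frequency (likelihood) matrix.

    Severity High + Frequency Low  -> Transfer
    Severity High + Frequency High -> Avoid
    Severity Low  + Frequency Low  -> Accept
    Severity Low  + Frequency High -> Accept/Transfer
    'medium' counts as the High side of either axis (conservative assumption).
    """
    severe = LEVEL[impact] >= LEVEL["medium"]
    frequent = LEVEL[likelihood] >= LEVEL["medium"]
    if severe:
        return "Avoid" if frequent else "Transfer"
    return "Accept/Transfer" if frequent else "Accept"


def consolidated_analysis(register: list[Risk]) -> list[tuple[str, str, int, str]]:
    """Rank risks highest first and attach the treatment option for each."""
    ranked = sorted(register, key=lambda r: (-r.score(), r.asset))
    return [(r.asset, r.threat, r.score(), treatment(r.impact, r.likelihood)) for r in ranked]


# Constructed sample register (hypothetical assets and threats)
SAMPLE_REGISTER = [
    Risk("student records DB", "unpatched database server", "high", "medium"),
    Risk("research file share", "ransomware via phishing", "high", "high"),
    Risk("campus web site", "defacement", "low", "high"),
    Risk("print server", "service outage", "low", "low"),
]

if __name__ == "__main__":
    for asset, threat, score, action in consolidated_analysis(SAMPLE_REGISTER):
        print(f"{score:>2}  {action:<16} {asset}: {threat}")
```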
Process 2: Protection Strategy and Mitigation Plans
It is important to note that this is a process that has no finish line. While a risk assessment - the process of identifying and quantifying risks - might take place on an infrequent basis (e.g., annually), the risk management process - the ongoing process of mitigating the risks to the organization - should be ingrained into the institution's culture to be most effective.