212 Risk Management – Current Issues and Challenges

3. Prioritizing the identified risks according to their severity to the organization [3, 17].

Risk assessments can and should be conducted at every Tier of the organization. However, the objectives of risk assessments conducted at different Tiers will reflect the differences in responsibility and objectives for the Tier being assessed [17]. For example, a risk assessment at Tier 3, the Information Systems Tier, will go into considerable technical detail on a specific information system and the risks involved in its operation. A risk assessment at Tier 1, the Organization Tier, on the other hand, may address information systems from the perspective of the organization's enterprise architecture or common control framework, but will not go into significant technical detail, nor will it address a specific information system. A Tier 1 risk assessment will, however, address business risks, and the risks involved in investing in particular missions or business areas.

*2.3.3. Risk response*

Responding to risk involves deciding on and implementing a course of action to address the risk within the organization. The options available to the organization for risk response are defined in the organization's risk management strategy. The courses of action available to address risk as identified in NIST SP 800-39 [17] are:

1. Accept – take no action when the risk is within the organization's risk tolerance;

2. Avoid – eliminate the activities or technologies resulting in risk that exceeds the organization's risk tolerance, or reposition the activities or technologies into areas or positions where the risk is avoided;

3. Mitigate – apply security controls, safeguards, or process re-engineering to reduce the risk to a level acceptable to the organization;

4. Transfer or Share – shifting all or part of the liability for risk, respectively, to another organization.

*2.3.4. Risk monitoring*

Risk monitoring is conducted on an ongoing basis to ensure that the organization's risk posture remains within the organization's risk tolerance. The risk monitoring process allows an organization to:

- Determine how effective its risk response measures are;

- Ensure compliance with national laws, regulations, organizational policies, and mission/business functions;

- Identify changes to organizational assets or their operating environments that result in changes to their risk postures [17].

Risk monitoring activities are normally conducted on a periodic basis, with the period determined in accordance with the organization's risk management strategy and the sensitivity of the information or business process being protected [16, 17]. Monitoring risk and changes to operating environments includes identifying changes to the threat environment, and determining whether a change in the threat environment requires a

**3. IA OM®**

The metrics or results derived from the IA OM® methodology are meaningful to the organization because the measurements themselves are "tied directly to questions that are important to the organization"[21] . The results are also useful to organizational management since they indicate the degree to which specific information security risk management goals are being met as action is taken to improve an organization's overall information security posture in terms of its information security objectives [1]. In this instance IA OM® can be conceptually expressed as providing a measure of the degree to which the organization's information security risk management objectives are being met [1].

The creators of the OM® methodology, Donaldson and Siegel [21, 22], have 20+ years of professional software engineering experience at Science Applications International Corporation (SAIC) and in the Department of Defense (DoD). The OM® methodology enables one "to measure software products and software systems development processes in everyday terms familiar and – therefore meaningful – to your organization" [21]. The OM® methodology measures software products and software systems development processes as part of a continual process improvement exercise. The OM® framework derives its effectiveness as a "management process" tool in that the OM® Index, akin to the Consumer Price Index, folds in a number of individual measurements into a single overall value [1, 22]. The OM® Index can also be deconstructed to gain insight into the elements comprising the index value. By looking at trends in the index values, it is possible to determine the effect or outcome of changes within the organization.

The OM® quantifies software *product* "goodness" and software *process* "goodness", where an object (i.e., an attribute, component, or activity) is measured through its characteristics. "For products, these characteristics are called attributes; for processes, these characteristics are called components and activities" [22]. Software product "goodness" is the degree to which the product satisfies the customer and meets the customer's requirements. Software process "goodness" is a measure of the product creation process' ability to consistently and reliably create good quality products within budget [1].

The IA OM® metric can be used with existing organizational objectives or industry best practices. However, industry best practices are not appropriate for many organizations, and as described in Section 2.1.1, are often not sufficient in and of themselves to meet an organization's requirements. Each organization must determine what is most appropriate for its needs. This is best accomplished when requirements are evaluated in the context of the organization's budget and a thorough risk analysis [7]. Evaluating an organization's information security risk management posture, based on how well its systems comply with the organization's information security risk management objectives, provides a metric with greater versatility and applicability across a wider range of organizations [1].

Implementing IA OM® at an organizational level provides Senior Management with a high-level or strategic-level view of where its organization's risk management program stands and how well it is meeting its stated information security risk management objectives. IA OM® is the OM®<sup>10</sup> metric created by Donaldson and Siegel [21] adapted to information security and information security risk management activities as IA OM®<sup>11</sup>. The IA OM® metric can be used to:

- Quantitatively determine the degree of risk identified within an organization's information security risk management program;

- Characterize the organization's risk management policy elements as they are applied to its information security risk management program for IA OM® evaluation;

- Determine the weighting factors, based on a determination of the relative importance of each component, for the identified characteristics of the organization's risk management strategy and policy;

- Periodically present the results of the evaluation, the current risk management posture of the enterprise, in a balanced scorecard-like format that is familiar and easy for Senior Management to understand and interpret;

- Analyze the metrics data, identify the strengths and weaknesses of proposed metrics approaches; and

- Suggest areas for future assessment and evaluation.

IA OM® will help answer Senior Management's questions regarding the state of their organization's information security risk management program, enabling them to determine their organization's current risk posture, identify areas needing improvement, and prioritize the allocation of organizational resources in addressing identified risks.

Any effective risk management program requires periodic monitoring and re-assessment, including risk monitoring at the organization, mission/business process, and information systems Tiers. The components of risk management at these multiple-tier levels are specifically identified<sup>12</sup> and encompass the following:

- Tier 1 – Addresses risk from an organizational perspective by establishing and implementing governance structures including: 1) Establishment and implementation of a risk executive (function); 2) Establishment of a risk management strategy including a determination of organizational risk tolerance; and 3) Development of organization-wide investment strategies for information resources and information security.

- Tier 2 – Addresses risk from a mission/business process perspective by designing, developing, and implementing the processes supporting the mission/business functions defined at Tier 1 including: 1) Risk-aware processes designed to manage risk according to the risk management strategy defined at Tier 1 and explicitly accounting for risk in evaluating the mission/business activities and decisions at Tier 2; 2) Implementing an enterprise architecture; and 3) Establishing an information security architecture as an integral part of the organization's enterprise architecture.

- Tier 3 – Addresses risk from an information system perspective, guided by the risk context, risk decisions and risk activities at Tiers 1 and 2, through risk management activities (i.e. activities at each step of the Risk Management Framework (NIST SP 800-37 [2]) and in the systems development life cycle (NIST SP 800-64 [23]) processes).

<sup>10</sup> OM® was developed by Donaldson and Siegel, SAIC, [21] to evaluate system development life cycle (SDLC) processes.

<sup>11</sup> See Ting and Comings [1] for a complete description of IA OM®.

<sup>12</sup> NIST SP 800-39 [17], *Managing Information Security Risk*, describes the fundamentals of risk management in Chapter 2 and the process for framing, assessing, responding and monitoring risk in Chapter 3.

These three Tiers, properly integrated, provide the capability to establish a strong, risk-based security infrastructure for an organization.

Risk management monitoring must be conducted at all three Tiers, making sure that all key activities are performed properly within each Tier and across Tiers [17]. Monitoring at the information systems level must take into account those controls that are "common" to an organization or enterprise [2]. Common controls are those controls that are established by an organization itself, or an element within an organization, and are made available for use by other elements and information systems within the organization. It is often not possible for an individual system owner to monitor common controls – such monitoring must be provided by the Common Control Provider.

With monitoring taking place at many levels within the organization, the need for an enterprise-wide risk management solution is even greater. Without a big-picture view of the information security risk posture of the systems within an organization, there may be systems operating that are creating significant risks to the organization without anyone in a position to address the problems realizing that a problem exists.

At the Tier 1 and 2 levels, the concept of common controls is not the same as at Tier 3; however, there is still the need to ensure that organizational guidance and organizational functions remain aligned. When strategies, policies, and other organization-level guidance change, the changes need to ripple through the organization – updating policies, programs, investments, etc. to ensure they remain in alignment with the top-level guidance.

IA OM® addresses these needs by aggregating the results of risk monitoring programs occurring throughout the organization, rolling them up, and presenting them as a set of summary statistics indicating where an organization stands with respect to remaining within its:

Applied this way, IA OM® allows Senior Management to readily assess their current information security risk management posture and determine whether it fits within their risk tolerance. It also identifies those areas, programs, and systems of greatest risk to the organization – allowing Senior Management to quickly and easily prioritize their remediation efforts.

**Figure 2.** IA OM Process with Personnel Security Process Example

| IA OM® Process<sup>13</sup> Steps | Examples |
|---|---|
| 1. Decide what questions you want answered | Am I complying with my organization's personnel security policy? |
| 2. Identify the organizational assets, processes, or operations that need to be measured to answer the questions from step 1 | 1) Employee job description; 2) Employee information security training |
| 3. Identify any characteristics or sub-activities of the organizational assets, processes, or operations to be measured from step 2 | 1) Extent to which security in job definition and resourcing are met; 2) Actual fraction of employees trained with respect to entire organization |
| 4. Define an activity value scale for each activity or sub-activity (associate observable events with value scale numbers) | 1) Number of requirements fulfilled in employees' job description; 2) Date that employee trained, per records in the training log that the employee received training |
| 5. Determine the current value (or location along the value scale) for each activity or sub-activity (measure each characteristic) | 1) Filled positions addressed 7 of the 10 employee's security requirements called out (Value = 0.7); 2) The employees' training log showed that 1 employee did not receive training |
| 6. Calculate an index by substituting measured values into the appropriate IA OM® equation | *PersonnelSecurityComplianceIndex* (equation below) = 0.65 |
| 7. Combine the values for each activity (asset, process, or operation) into an overall IAIndex value<sup>14</sup> to be reported and analyzed | *IARMIndex* (equation below) |

$$\mathit{PersonnelSecurityComplianceIndex} = \frac{\sum_{i=1}^{2} w_i d_i a_i}{\sum_{i=1}^{2} w_i d_i\,(\max[a_i])} = 0.65 \quad (a_1 = 0.7,\ a_2 = 0.6)$$

$$\mathit{IARMIndex} = \frac{\sum_{i=1}^{n} w_i d_i a_i}{\sum_{i=1}^{n} w_i d_i\,(\max[a_i])}$$

<sup>13</sup> Adapted from interview with Stanley G. Siegel on Jan. 7, 2004 [24].

<sup>14</sup> This equation and its components are described in Section 4.5.
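As an added worked example (not code from the chapter or from Ting and Comings' own implementation), the Figure 2 computation in Python: the index form sum(w_i d_i a_i) / sum(w_i d_i max[a_i]) is the one reconstructed from the figure, the weighting terms w_i and d_i are assumed equal to 1 for the personnel example, the "access control" process and the roll-up weights are constructed, and the `shortfalls` deconstruction (which element drags the index down most) is my illustration of the OM® Index being "deconstructed", not a step of the figure.

```python
from dataclasses import dataclass


@dataclass
class Characteristic:
    """One measured item (Figure 2, steps 3-5): the value a measured on a scale
    whose top is max_a, plus the weighting terms w and d of the index equation."""
    name: str
    a: float             # step 5: current value on the activity value scale
    max_a: float = 1.0   # step 4: top of the value scale, max[a_i]
    w: float = 1.0       # weighting factor (relative importance); assumed equal here
    d: float = 1.0       # second weighting term of the page's equation; assumed 1


def om_index(chars):
    """Step 6: sum(w_i d_i a_i) / sum(w_i d_i max[a_i]), the equation form
    reconstructed from Figure 2. 1.0 means every characteristic is at its best."""
    den = sum(c.w * c.d * c.max_a for c in chars)
    if den <= 0:
        raise ValueError("index needs at least one positively weighted characteristic")
    return sum(c.w * c.d * c.a for c in chars) / den


def shortfalls(chars):
    """Deconstruct the index: how much of the gap to 1.0 each characteristic
    causes, largest first, so management can see what to remediate."""
    den = sum(c.w * c.d * c.max_a for c in chars)
    gaps = [(c.name, c.w * c.d * (c.max_a - c.a) / den) for c in chars]
    return sorted(gaps, key=lambda g: g[1], reverse=True)


def roll_up(process_indices, weights=None):
    """Step 7: combine per-process indices into one IARMIndex by treating each
    index as a characteristic on a 0..1 scale (weights assumed equal by default)."""
    weights = weights or {name: 1.0 for name in process_indices}
    return om_index([Characteristic(n, v, 1.0, weights[n]) for n, v in process_indices.items()])


# Constructed data: the personnel security example from Figure 2
# (7 of 10 job-description requirements met -> 0.7; fraction trained -> 0.6).
PERSONNEL = [
    Characteristic("security in job definition and resourcing", a=0.7),
    Characteristic("fraction of employees trained", a=0.6),
]
# A second, entirely constructed process so the roll-up has something to combine.
ACCESS_CONTROL = [
    Characteristic("accounts reviewed this quarter", a=45, max_a=50),
    Characteristic("privileged accounts with MFA", a=8, max_a=10, w=2.0),
]


def enterprise_view():
    """Per-process indices plus the rolled-up IARMIndex, rounded for reporting."""
    per_process = {
        "personnel security": om_index(PERSONNEL),
        "access control": om_index(ACCESS_CONTROL),
    }
    return {k: round(v, 4) for k, v in per_process.items()}, round(roll_up(per_process), 4)
```

Calling `enterprise_view()` reproduces the figure's 0.65 for personnel security and shows how a second process index folds into a single enterprise value, while `shortfalls(PERSONNEL)` ranks the training gap ahead of the job-description gap.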