PART II
Integrated Risk Management and Mitigation

Part 2 provides you with a roadmap toward a proactive defense. You’ll see how to manage risks to the confidentiality, integrity, and availability of the information assets your organization depends on. This requires you to have a solid understanding of what risk is (and is not!). We’ll show how information risk management is all about providing a cost-effective integrated defense—a set of interlocking, layered strategies; tactical procedures; and operational details that reduce the potential impact of the occurrence of information risks. Integrating all elements of your information defense posture and strategy is key to making defense in depth work—and not allowing it to become an outmoded and easily avoided set of point defenses. Being proactive means that you take a continuous, forward-looking attitude, mindset, and stance toward information risk; you think ahead of the adversary, think ahead of the risk, and plan, do, check, and act to keep your information systems secure, safe, and resilient. We’ll do this by taking the SSCP’s perspective, as if you as a practitioner have just joined an organization’s information security team. You’ll be learning the ropes for today’s tasks, while examining the larger organizational context that your actions must support. With time, you’ll learn more about the organization’s priorities, challenges, and information risks.

There are many published standards, guidelines, and frameworks available throughout the world that distill the lessons learned from painful experiences into forms that any organization can use. No matter where in the world your organization is located, or what legal or compliance frameworks it may have to abide by, each of these different frameworks and standards has something to offer.

It might be that your organization does not have to participate in any formal risk management or information security compliance program; many small and medium businesses and enterprises (SMBs and SMEs) around the world do not. Don’t let this lull you into thinking that your organization has little at risk. Cyber attackers refer to such organizations as soft targets. Instead, use the library of published risk management and cybersecurity standards as a reference library, as sources of field-tested, proven advice on how you can help improve your organization’s security posture.

Throughout this section we’ll draw heavily from NIST and ISO publications, which by no means suggests that these are the only ones you or your organization should consult. We will broadly follow the outline and structure of NIST Special Publication (SP) 800-37 Rev. 2, Information Systems Security and Privacy Risk Management Framework (RMF), as well as NIST’s Cybersecurity Framework (CSF), throughout Part 2.

Chapter 3 shows you integrated information risk management in action from the SSCP’s perspective. We’ll look at how different perspectives on risk lead to making critical risk management decisions and how real-world constraints guide and limit what you can do to manage risks. This broadly reflects NIST SP 800-37’s first two steps.

Chapter 4 will zoom into greater detail as we look at risk mitigation technologies and processes; it will also show how these fit within larger layers of planning, decision making, implementation, monitoring, and adaptation. We’ll use NIST SP 800-37 Rev. 2’s Steps 3 through 7 as our guide.