IA OM® as an Enterprise Risk Management Metric

1. Introduction

Ting and Comings [1] described how to use the Information Assurance (IA) Object Measurement (OM^®) metric as a tool to measure the monitoring step (Step 6) described in the United States (U.S.) National Institute of Standards and Technology’s (NIST) Risk Management Framework (RMF)

The RMF is described in detail in NIST Special Publication (SP) 800-37, available from: http://csrc.nist.gov/ publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf

Risk management is concerned with the identification of risks, the avoidance, mitigation, transference, or sharing of unacceptable risks, and the acceptance of risks that are within an organization’s risk tolerance. However, just as with information system controls within NIST’s RMF, it is necessary to monitor the risk posture of systems, maintaining an ongoing assessment of the level of risk they represent within and to an organization. This risk posture changes with changes to the hardware and software employed by the organization, as well as when patches and updates are released that are intended to be applied to deployed software. Changes can also occur from vulnerabilities identified with no patch available, or when new types of information are allowed on a previously authorized or accredited information system. Different types of information are of varying interest to an organization or adversary. More valuable information generally has a higher impact on the organization when it is compromised

Compromise is used in this chapter to indicate a loss of confidentiality, integrity, or availability of the information.

The IA OM^® metric is a good choice for use as an enterprise risk management metric, as described in this chapter, due to its versatility as a management metric. This metric:

• Measures information security risk management activities within an organization;

• Shows organizational senior management where their organization currently stands with respect to its risk management strategy, and its monitoring plan; and

• Demonstrates to senior management how such metrics can be used over time to track and improve their organization’s ability to meet its overall risk management strategy and risk monitoring plan.

2. Risk management

Risk management focuses on understanding and managing risks to an organization. This chapter focuses on information security (also referred to as information assurance (IA)) risks. Wheeler [3] in his book on risk management stated that “The goal of risk management is to maximize the output of the organization (in terms of services, products, revenue, [mission accomplishment], and so on), while minimizing the chance for unexpected outcomes”. This goal is best accomplished through the use of an established, proven framework for managing information security risks to organizations. This chapter proposes an approach based on the structure provided by the NIST.

The approach described by the NIST is used in this chapter due to several factors. First, the NIST approach has been developed to be consistent with and harmonize with international standards to the extent appropriate. These international standards include those of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)

The NIST risk management structure is aligned with ISO/IEC 3100, Risk Management – Principles and Guidelines; 31010, Risk Management – Risk Assessment Techniques; 27001, Information technology – Security techniques – Information Security Management Systems – Requirements; and 27005, Information Technology – Security Techniques – Information Security Risk Management Systems.

The approach described by the NIST is based on a 4-step process, used within a 3-tiered structure. The 3-tiered structure is used to depict the principal functional areas within an organization as they relate to risk management decision-making – the organization, mission/business process, and information systems Tiers – described in Section 2.2. The risk management process and the 4-steps in the process – frame, assess, respond, and monitor – are described in Section 2.3.

2.2. 3-Tiered risk management structure

When addressing information security risk management activities, the NIST and other authors divide organizations into three levels [17, 20]. The NIST [17] identifies these tiers as the:

1. Organization;

2. Mission/Business Process; and

3. Information Systems.

Each tier has different organizational risk management responsibilities. However, despite their different perspectives and roles, they all use the same 4-step risk management process described in Section 2.3 for risk management actives within their Tier. This 3-tiered structure is depicted in Figure 1.

2.2.1. Organization tier

At the organization tier, risk to the entire organization is considered and managed. Part of the responsibility for managing risk throughout the organization is the process of “risk framing”, establishing the context within which all organizational risk management activities will be conducted [17]. Risk framing establishes the governance framework from which are derived the risk management activities and the risk tolerance of the organization. Other activities occurring at Tier 1 include:

• Establishment and prioritization of activities and programs at the Mission/Business Tier;

• Determination of organization-wide common controls

  Common controls are security controls implemented in a way that they are available to information systems across the organization. Common controls can be “inherited” by a system, meaning that the system itself does not need to implement the control the system can leverage/use the control as implemented by the organization.

  ; and

• The Risk Executive (Function)

  The Risk Executive (Function) is an individual or office responsible for considering risk across the organization, to include mission, business, and security risks, balancing them appropriately for the organization, and making recommendations to decision-makers within the organization based on their risk determinations.

  recommended by the NIST is established in and is located within the organization at this level [17].

The Risk Executive (Function) (REF) is an individual or group within the organization that serves in an advisory role to organizational decision makers at all 3-tiers. The REF does not make decisions for the organization; rather it informs decision makers about the risks to the system, network, and the organization that may result from a particular risk decision. The REF considers risk from a holistic perspective, considering mission and business risks, in addition to security risks. This risk consideration is done with an organization-wide perspective, allowing the REF’s recommendations to evaluate the potential impact of accepting risks in one area or system on other systems or the organization.

2.2.2. Mission/business process tier

Tier 2 is where the mission/business processes necessary to implement the strategic goals and objectives established at Tier 1 are defined and prioritized [17]. This is also where the types of information required, the information sensitivity, and information flows necessary to support the Tier 1 goals and objectives is determined [17]. The IT enterprise architecture is defined and established at this tier, to include the implementation of the common controls identified in Tier 1. The decisions and activities at this tier have a direct effect on the activities undertaken at Tier 3.

2.2.3. Information systems tier

Tier 3 is where the information systems that support the organization reside. The decisions and prioritizations established in Tiers 1 and 2 are implemented in information systems at this tier. The activities required for each of the steps in the Risk Management Framework (RMF)

The RMF is described in detail in NIST Special Publication (SP) 800-37, available from:

http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf and the system development life cycle

The system development life cycle established by the NIST is described in NIST SP 800-64, Security Considerations in the System Development Life Cycle, Oct. 2008 [23].

are performed here, to ensure each information system meets its technical, mission, and security requirements. In this tier, “information system owners, common control providers, system and security engineers, and information system security officers make risk-based decisions regarding the implementation, operation, and monitoring of organizational information systems” [17].

3. IA OM^®

The metrics or results derived from the IA OM^® methodology are meaningful to the organization because the measurements themselves are “tied directly to questions that are important to the organization”[21]. The results are also useful to organizational management since they indicate the degree to which specific information security risk management goals are being met as action is taken to improve an organization’s overall information security posture in terms of its information security objectives [1]. In this instance IA OM^® can be conceptually expressed as providing a measure of the degree to which the organization’s information security risk management objectives are being met [1].

The creators of the OM^® methodology, Donaldson and Siegel [21, 22], have 20+ years of professional software engineering experience at Science Applications International Corporation (SAIC) and in the Department of Defense (DoD). The OM^® methodology enables one “to measure software products and software systems development processes in everyday terms familiar and – therefore meaningful – to your organization” [21]. The OM^® methodology measures software products and software systems development processes as part of a continual process improvement exercise. The OM^® framework derives its effectiveness as a “management process” tool in that the OM^® Index, akin to the Consumer Price Index, folds in a number of individual measurements into a single overall value [1, 22]. The OM^® Index can also be deconstructed to gain insight into the elements comprising the index value. By looking at trends in the index values, it is possible to determine the effect or outcome of changes within the organization.

The OM^® quantifies software product“goodness” and software process“goodness”, where an object (i.e., an attribute, component, or activity) is measured through its characteristics. “For products, these characteristics are called attributes; for processes, these characteristics are called components and activities” [22]. Software product “goodness” is the degree to which the product satisfies the customer and meets the customer’s requirements. Software process “goodness” is a measure of the product creation process’ ability to consistently and reliably create good quality products within budget [1].

The IA OM^® metric can be used with existing organizational objectives or industry best practices. However, industry best practices are not appropriate for many organizations, and as described in Section 2.1.1, are often not sufficient in and of themselves to meet the an organization’s requirements. Each organization must determine what is most appropriate for its needs. This is best accomplished when requirements are evaluated in the context of their budget and a thorough risk analysis [7]. Evaluating an organization’s information security risk management posture, based on how well its systems comply with the organization’s information security risk management objectives, provides a metric with greater versatility and applicability across a wider range of organizations [1].

Implementing IA OM^® at an organizational level provides Senior Management with a high-level or strategic-level view of where its organization’s risk management program stands and how well it is meeting its stated information security risk management objectives. IA OM^® is the OM^®

^{OM® was developed by Donaldson and Siegel, SAIC, [}21^{] to evaluate system development life cycle (SDLC) processes.}

• Quantitatively determine the degree of risk identified within an organization’s information security risk management program;

• Characterize the organization’s risk management policy elements as they are applied to its information security risk management program for IA OM^® evaluation;

• Determine the weighting factors, based on a determination of the relative importance of each component, for the identified characteristics of the organization’s risk management strategy and policy;

• Periodically present the results of the evaluation, the current risk management posture of the enterprise, in a balanced scorecard-like format that is familiar and easy to understand and interpret by Senior Management;

• Analyze the metrics data, identify the strengths and weaknesses of proposed metrics approaches; and

• Suggest areas for future assessment and evaluation.

IA OM^® will help answer Senior Management’s questions regarding the state of their organization’s information security risk management program enabling them to determine their organization’s current risk posture, identify areas needing improvement, and prioritize the allocation of organizational resources in addressing identified risks.

Any effective risk management program requires periodic monitoring and re-assessment, including risk monitoring at the organization, mission/business process, and, information systems Tiers. The components of risk management at these multiple-tier levels are specifically identified

NIST SP 800-39 [17], Managing Information Security Risk, describes the fundamentals of risk management in Chapter 2 and the process for framing, assessing, responding and monitoring risk in Chapter 3.

• Tier 1 – Addresses risk from an organizational perspective by establishing and implementing governance structures including: 1) Establishment and implementation of a risk executive (function); 2) Establishment of a risk management strategy including a determination of organizational risk tolerance; and 3) Development of organization-wide investment strategies for information resources and information security.

• Tier 2 – Addresses risk from mission/business process perspective by designing, developing, and implementing the processes supporting the mission/business functions defined at Tier 1 including: 1) Risk aware processes designed to manage risk according to the risk management strategy defined at Tier 1 and explicitly accounting for risk in evaluating the mission/business activities and decisions at Tier 2; 2) Implementing an enterprise architecture, and, 3) Establishing an information security architecture as an integral part of the organization’s enterprise architecture.

• Tier 3 – Addresses risk from an information system perspective, guided by risk context, risk decisions and risk activities at Tiers 1 and 2, risk management activities (i.e. activities at each step of the Risk Management Framework (NIST SP 800-37 [2]) and in the systems development life cycle (NIST SP 800-64 [23])

These three Tiers, properly integrated, provide the capability to establish a strong, risk-based security infrastructure for an organization.

Risk management monitoring must be conducted at all three Tiers, making sure that all key activities are performed properly within each Tier and across Tiers [17]. Monitoring at the information systems level must take into account those controls that are “common” to an organization or enterprise [2]. Common controls are those controls that are established by an organization itself, or an element within an organization, and are made available for use by other elements and information systems within the organization. It is often not possible for an individual system owner to monitor common controls – such monitoring must be provided by the Common Control Provider.

With monitoring taking place at many levels within the organization, the need for an enterprise-wide risk management solution is even greater. Without a big-picture view of the information security risk posture of the systems within an organization, there may be systems operating that are creating significant risks to the organization without anyone in a position to address the problems realizing a problem exists.

At the Tier 1 and 2 levels, the concept of common controls is not the same as at Tier 3, however, there is still the need to ensure that organizational guidance and organizational functions remain aligned. When strategies, policies, and other organization-level guidance changes, the changes need to ripple through the organization – updating policies, programs, investments, etc. to ensure they remain in alignment with the top-level guidance.

IA OM^® addresses these needs by aggregating the results of risk monitoring programs occurring throughout the organization, rolling them up, and presenting them as a set of summary statistics indicating where an organization stands with respect to remaining within its:

• Overall risk tolerance

• Risk tolerance within organizational elements

• Risk tolerance for individual systems

Applied this way, IA OM^® allows Senior Management to readily assess their current information security risk management posture and determine whether it fits within their risk tolerance. It also identifies those areas, programs, and systems of greatest risk to the organization – allowing Senior Management to quickly and easily prioritize their remediation efforts.

4. Using IA OM^® as an enterprise risk management metric

The process for using IA OM^® as an enterprise risk management metric involves a number of steps. The overall steps in the process, as adapted from the OM^® process, are:

1. Decide what questions you need or want answers to regarding your organization’s risk management program;

2. Identify the organizational assets, processes, or operations that need to be measured to answer the questions from step 1;

3. Identify any characteristics and sub-activities of the organizational assets, processes, or operations to be measured from step 2;

4. Define an activity value scale for each activity or sub-activity in terms that make sense within the organization;

5. Determine the current value (or location along the value scale) for each activity or sub-activity being measured;

6. Calculate the value for each asset, process, or operation identified in Step 2 using the formulas provided in Section 4.4 and the activity (or sub-activity) values from step 5. Weighting factors are selected based on the organization’s determination of the relative importance of the activities;

7. Combine the values for each activity (asset, process, or operation) into an overall IA OM^® index value to be reported and analyzed.

These steps and activities are applied to organizational risk management using IA OM^®, resulting in a metric that provides:

• The ability to evaluate the risk posture of a specific organizational asset, process, or operation;

• A set of organizational assets;

• All activities within a risk management tier; or

• Risk management activities across tiers.

This process is shown in Figure 2 [24] using an activity from an organization’s personnel security process as an example. The individual process steps are examined in more detail in Sections 4.1 – 4.7.

4.2. Steps 2 and 3 – Identify assets, processes, or operations to measure

Now that the questions to be answered have been identified, the next step is to identify the assets, processes, or operations that can be measured to obtain answers to those questions. For example, to determine the effectiveness of an organization’s common control strategy, you could examine:

• The common controls called for in the common controls strategy/policy;

• Their alignment with current organizational goals and objectives; and

• Their utilization.

An example analysis of Tier 1 risk monitoring activities, their components, and their subcomponents is provided in Figure 3. The common controls assets are presented as Characteristic_n in the right hand branch of the figure. These characteristics and subcharacteristics will also be referred to as diagnostic areas, where diagnostic area 1 (da₁) is equivalent to characteristic₁; da₂ is equivalent to characteristic₂; and so forth. The subcharacteristics for each area follow a similar numbering scheme where, for example, subcharacteristic₁₁ is equivalent to da₁₁ and so forth. This is done to simplify the abbreviations used in the equations in Steps 6 and 7.

It is important to remember that the identification of organizational assets, processes, and operations are organization-specific. This is one of the strengths of the IA OM^® process, since it enables the abstraction of these key activities – specifically identified by the organization as being of interest – into a metric that shows Senior Management where their organization stands with respect to its risk management strategy and policies. If low level technical metrics exist, they can be combined and abstracted into the IA OM^® process. Metrics produced through the use of the IA OM^® process can be deconstructed into their component areas, allowing Senior Management to identify the areas needing attention. If further improvement in their risk management program is required, the IA OM^® and its component measures can be used to track and improve the organization’s risk posture over time.

4.3. Steps 4 and 5 – Define activity value scales and determine activity values

Activity value scales used for IA OM^® activities are normally scoped to range between 0 and 1. This makes comparison easy and allows them to be aggregated and rolled-up into measures that are easy to use and understand. Also, these values can be readily seen as percentages to further enhance their understanding. However it is perfectly acceptable to have more important characteristics have values greater than 1 if desired to indicate their relative importance to the organization. Alternatively, the relative importance of different characteristics/subcharacteristics can be accounted for using the weighting factors discussed in Steps 6 and 7.

For activities that can only assume a specific set of values (e.g., Yes/No, or high, moderate, and low), the value scales can be adapted to accommodate them. For example, with a binary set, like Yes and No, it is common to use Yes = 1, and No = 0. Sets like high, moderate, and low could be represented with high = 1, moderate = 0.5, and low = 0. It would also be possible to decide that high = 0.9 (since even high is not definite like “yes”), moderate = 0.5, and low = 0.1 (since low is also not definite like “no”). The decision on value scales is made by the organization and is made to maximize the utility and understandability of the measurements in the context of their organization.

Continuing with the example of the effectiveness of an organization’s common controls strategy, value scales for each of the three subcomponents can be defined, and values determined for each of the subcharacteristics assigned as shown in Figure 4. Each subcharacteristic/diagnostic area (da_ij) will be evaluated separately and then combined in Step 6 to provide an overall value for each characteristic or top-level diagnostic area (da_i). These values are then combined in Step 7 to provide an overall IA OM Index Value.

4.5. Step 7 – Calculate the IA OM® index

Calculating an IA OM® index provides a concise, high-level assessment of the enterprise risk management posture of the organization. The IA OM index, in this case referred to as the IA risk management index, or IARMIndex, is defined in terms of:

1. Diagnostic areas

2. Diagnostic criteria for each diagnostic area

3. Diagnostic criterion value scales

All of these items are provided in the fishbone diagram provided as Figure 5. A weighting factor can be applied to each characteristic/diagnostic area. As noted above, the weighting factor is an organizationally defined value indicating the relative importance to the organization of the particular characteristic. In this example the IARMIndex is normalized to one (i.e., ranges between zero and one). In all cases, value scales are defined in terms familiar to corporate management.

The process for calculating the IARMIndex is shown in Equation 2. For activity element characteristics, the IARMIndex

Taken and adapted from Donaldson & Siegel [22] (p. 420).

is normalized to one:

Equation 2 – Calculating the IARMIndex value:

IARMIndex=∑i=1nwi2dai2∑i=1nwi2(max[dai])2E3

Where:

da_i=diagnostic area (characteristic)

n= number of attributes

w_i = weighting factor for attribute da_i

max [da_i] = maximum value of da_i

Using the values from above and the organizationally defined weightings as shown in Table 3:

Weightings	Characteristics/ diagnostic areas
w1 = 2	da1 = 0.25
w2 = 1	da2 = 0.25
w3 = 1	da3 = 0.65

Table 3.

Weightings and Characteristics Values

Results in a value for IARMIndex = 0.35

5. Conclusion

The need to initially assess, and then conduct ongoing monitoring of an organization’s overall risk posture, the risk posture of its assets, processes, and systems has been clearly established. The more valuable the information, asset, activity, or operation, the greater the need to increase the frequency of monitoring activities to ensure these resources are not compromised, or to identify and respond to any compromises as quickly as possible. This chapter shows how the IA OM^® metric herein described provides an enterprise-wide risk management metric that can integrate synergistically with other risk management tools and efforts within an organization to provide monitoring personnel and decision-makers with the timely, accurate, and useful information they need to perform their functions and ensure their organization’s mission and business functions are protected. IA OM^® not only provides a metric targeted to organizational senior management, but one that can be used by decision-makers at all levels in the organization to ensure the processes and assets they are responsible for are protected in a way that aligns with the risk management strategy of the organization.

David R. Comings, Ph.D., CISSP, CRISC, Tenacity Solutions, Inc., United States of America, Dr. Comings specializes in information security, risk management, and strategic planning particularly for customers within the U.S. Government. Dr. Comings earned his doctorate at the University of Fairfax and his Master of Arts at the University of Pittsburgh.

Wendy W. Ting, Ph.D., CISSP, CISM, Department of Defense, United States of America, Dr. Ting specializes in performance metrics, cross domain information-sharing solutions, information security and systems security engineering. Dr. Ting earned her doctorate at the University of Fairfax and her Master of Science at the University of Maryland.