Risk Management Framework (RMF): Overview + Best Practices

Nearly every business needs to meet some kind of compliance requirement. You might be using your compliance posture to build customer trust or be in a heavily regulated industry like healthcare or financial services. In either case, most compliance mandates require you to understand your risk tolerance before putting controls in place to mitigate the leftover risk. 

Identifying, assessing, and analyzing risk can be overwhelming for many companies. You may struggle with knowing where to start or how to set goals. However, a risk management framework enables you to create repeatable processes that allow you to define, review, and mitigate IT risks to more effectively set and monitor controls. 

What is Risk Management Framework?

A risk management framework (RMF) is a set of practices, processes, and technologies that enable an organization to identify, assess, and analyze risk to manage risk within your organization.

A building block for any strong compliance program, a risk management framework typically follows these steps:

• Identify

• Assess

• Analyze

• Determine risk tolerance

• Implement controls

• Monitor and update

NIST

The National Institute of Standards and Technology (NIST) Risk Management Framework sets out a risk-based approach for governing security, privacy, and cyber supply chain risk management. The NIST RMF consists of the following seven steps:

• Prepare: activities that set the stage for managing security and privacy risks

• Categorize: using an impact analysis to organize the systems and information they process, store, and transmit

• Select: determining the controls that will protect the systems and data

• Implement: deploying controls and documenting activities

• Assess: determining whether the implemented controls work as intended and produce the desired results

• Authorize: having a senior official authorize the system to operate

• Monitor: reviewing controls to ensure they continue to mitigate risks as intended

COBIT 

Established by ISACA (previously known as the Information Systems Audit and Control Association), the COBIT Framework focuses on enterprise governance and consists of these primary principles:

• Principle 1: Meeting stakeholder needs

• Principle 2: Covering the enterprise end to end

• Principle 3: Applying a single integrated framework

• Principle 4: Enabling a holistic approach

• Principle 5: Separating governance from management

COBIT groups the governance and management objectives into the following five domains:

Evaluate, Direct, and Monitor (EDM): Governing body evaluates strategic options, directs senior management, and monitors achievement.

Align, Plan, and Organize (APO): Management addresses organization, strategy, and supporting activities.

Build, Acquire, and Implement (BAI): Management treats the definition, acquisition, and implementation of solutions, integrating them into business processes.

Deliver, Service, and Support (DSS): Management addresses services, operational delivery, and their supports, including security.

Monitor, Evaluate, and Assess (MEA): Management monitors performance and ensures that the program meets internal targets, internal control objectives, and external requirements. 

5 Components of RMF 

At first glance, the NIST RMF and COBIT appear different, mainly because they use different terminology. 

For example, NIST takes you through discrete steps based on technology assets, while COBIT focuses on leadership’s responsibilities. The difference between the two models focuses on NIST being process-oriented and COBIT being oversight-oriented. However, fundamentally, they both still require the same five components. 

Governing Risk

Everyone in your organization plays a role in mitigating risk. Governance is the practice of defining and assigning responsibilities so that everyone knows what they need to do and has the skills to do it. 

For example, governing risk includes:

• Assigning oversight responsibilities.

• Establishing employee policies.

• Reviewing documents proving people followed approved practices and procedures.

Identifying Risk

Before doing anything else, you need to identify your organization’s risks. You can do this from a strategic level or an asset-focused level. For example, you might think in terms of the following risks:

• Compliance

• Financial

• Legal

If you’re focusing on technologies, you might focus more on the following risks:

• IT

• Operational

• Data breach

However, your technology and strategic risks are interrelated in a digitally transformed business—meaning either approach will have similar results. 

Measuring Risk

After identifying risks, you need to measure their impact on your organization. At a very high level, measuring risk usually involves the following equation:

Risk = [Likelihood of an adverse event] X [Impact to the business]

While that might seem like simple math, the reality is more complex. The likelihood of an adverse event can depend on multiple factors, while the impact can be fines or loss of brand value and reputation.

Mitigating Risk

To protect yourself, you need to find ways to reduce the impact arising from an adverse event. Some examples of risk mitigation strategies include:

• Implementing technical controls

• Creating contingency plans

• Establishing processes and procedures

Monitoring and Reporting Risk

In an ever-changing world, your risk is going to evolve. With each change, you need to monitor your organization’s risk mitigation controls to ensure they maintain the accepted level of risk. 

In addition, you need to ensure that you report your monitoring outcomes to the appropriate responsible parties, like your senior leadership or board of directors. 

Some things to monitor and report on might include new:

• Regulations impacting your organization.

• Internal technologies that enable business processes.

• Technologies enabling better customer experiences.

RMF in 6 Steps

Regardless of the RMF you choose, you still need to engage in the same six basic steps. 

1. Set Business Objectives and Goals

Your risks primarily arise from the choices you make for your organization. Every new technology you add that enables business operations also creates a new risk. For example, a Software-as-a-Service (SaaS) application used for collaboration also increases the number of access points that threat actors can use during an attack. 

Your strategic business and compliance goals need to align so that you can make informed risk decisions. 

2. Set Risk Tolerance 

Every organization has a different risk tolerance. After your impact analysis, you need to decide whether to:

• Accept a risk: Benefit outweighs the impact, and mitigation is cost prohibitive.

• Refuse a risk: Impact outweighs the benefit, and mitigation is cost prohibitive. 

• Transfer a risk: Benefit outweighs the impact, but you can reduce the impact by offloading some risk. 

• Mitigate a risk: Benefit outweighs the impact, and you can put controls in place that reduce the likelihood of the adverse event. 

For example, purchasing insurance helps you transfer some of the risk. If a cyber attack happens, then the insurance company’s payment covers the financial risk. 

Identify, Categorize, and Catalog Assets

You can’t protect what you don’t know you have. After aligning your strategic business and compliance objectives, you need to identify and catalog all assets, including:

• Data

• Devices

• Users

• Storage locations

• Applications

• Networks

Once you identify and catalog everything, you need to categorize them based on their risks. For example, if you collect, store, or transmit personally identifiable information (PII) or credit card data, then that data poses a high risk. Any devices, users, storage locations, applications, or networks that access, process, or transmit this data are also a high risk. Ultimately, this drives the rest of your risk management processes. 

Do a Risk Impact Analysis 

After categorizing the assets based on the risk they pose, you need to consider how a data breach impacting these assets will affect your organization. It’s important to remember that this is different from the pure risk review you did when categorizing them. 

For example, PII is a high risk because::

• Cybercriminals want to steal it.

• Regulations require you to protect it.

• Customers trust you with it.

However, the impact analysis goes deeper than this. Consider these factors when engaging in the impact analysis:

• Cost to respond to an incident

• Cost to notify people impacted by an incident

• Lost revenue from customer churn

• Fines for noncompliance

Implement and Monitor Mitigating Controls

Often, this step is the most difficult. Your security controls can be based on either their type or purpose. 

Six basic security controls you need to consider are:

• Physical

• Administrative

• Technical

• Preventive

• Detective

• Corrective

The first three focus on how you protect. The second three focus on what they’re used for. For example, you might have a technical control for managing user access to systems, networks, and applications. However, this could also be a preventive control that seeks to mitigate the risk associated with unauthorized attacker access. 

The most challenging part is monitoring, enforcing, and maintaining the control’s effectiveness. Your IT environment is continuously changing. For example, your developers might spin up a container and then spin it back down later. They need to do this as part of their jobs. On the other hand, it’s often difficult to:

• Identify the cloud-based resource in real-time.

• Ensure appropriate configurations.

• Assign a responsible party to the resource.

If you’re monitoring to ensure the controls remain in place, you can enforce them when you find something missing. For example, if you’re monitoring your environment, you can identify the new asset which allows you to review configurations and access controls. If you notice a problem, you can enforce the controls to maintain a robust security and compliance posture.

Report to Leadership and Board of Directors

As part of a strong compliance posture, your leadership and board of directors needs to know that your security program functions as intended. Most compliance mandates require that leadership and the board review IT security so that they can understand how well the organization manages risk. 

In some cases, like for SOC 2 compliance, management and boards are required to provide evidence proving that the organization complies with internal controls. If the attestation proves false, then they can be held responsible. 

When reporting your compliance posture, you need to make sure that everyone understands the identified risks, the mitigating controls, and the controls’ ability to work as intended. 

Using Software to Organize Your Risk Management Processes

For most companies, maturing their risk management processes is challenging. Many organizations start with spreadsheets that document their risk and controls. However, as the organization grows and matures, its compliance program also needs to mature. 

Risk management software can streamline many manual processes, giving you predictable, consistent results. Using automation to map your controls to the risk management framework you choose reduces the time spent and allows employees to focus on more critical activities. In addition, it enables you to continuously monitor the controls to enforce them as necessary. 

At Drata, we believe that when you strengthen your security posture, you also improve your compliance posture. Using Drata’s Risk Management solution, you can draw from our library of threat-based risks mapped to various frameworks, including HIPAA, NIST Cybersecurity Framework, NIST 800-171, and ISO 27001. 

To see how Drata can help you manage risk, contact us today for a demo.