Ben Prime
ServiceNow Employee

There are many reasons to adopt one or more of the popular standard risk frameworks to manage risk associated with cyber security, finance, data privacy, services, legal, operations and more across the enterprise. Broad sectors of industry, government and infrastructure must follow specific requirements such as the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) and Cybersecurity Framework (CSF), Protecting Controlled Unclassified Information in Nonfederal Systems (NIST SP 800-171 / DoD CMMC), and the GSA and DHS frameworks for cloud providers (FedRAMP) and Trusted Internet Connections (TIC). Then there are others, such as the International Organization for Standardization's ISO 31000, which the Canadian Federal Government is adopting as a foundation for continuous risk management. High-risk organizations may voluntarily adopt one or more of these frameworks, based on the advanced persistent threat posed by well-funded and motivated adversaries, and on the huge legal, reputational and financial impacts that a loss of confidentiality, integrity or availability can inflict.


Digital transformation allows organizations to minimize the time and effort required to implement requirements, rapidly authorize systems, review and monitor risk, and provide continuous risk visibility to the key stakeholders. Organizations manage the risk management process lifecycle most effectively by implementing a single enterprise-wide workflow automation platform that connects Risk, Compliance, Security, IT, Service and Operations Management, HR, employees, Finance, Programs, and Facilities.



Regulated spaces are required to practice mature, high-assurance programs that frame, assess, respond to and monitor mitigations against the likelihood and impact of adversarial, financial, weather, personnel and other risks through a complex programmatic approach. These risks can be internal, such as mishandling sensitive data or allowing an unauthorized outsider access to a system or facility. They can be external, with adversaries attempting to gain advantage through cyber-attacks, theft or other means. They can also be weather or acts of nature that are impossible to fully predict. As enterprises recognize the onslaught of risks they face, the selection, implementation, and management of the framework(s) to follow is a confusing and challenging burden.


Implementations start with an inundation of ownership and the collection of information: documentation, assessments, resources, processes, and procedures. Supervising risk as a lifecycle is a never-ending babysitting job: managing packages, addressing findings, testing, and reviewing data and attestations for a single framework; multiple frameworks make it exponentially more complex. Industry across the globe is struggling with how to handle risk management effectively given the surge in remote workers and our increased reliance on digital technology. The silos of data and tools they have to work with may seem like an insurmountable hurdle. Less mature organizations struggle even more to adapt to the "test once, apply to many" methodology, which refers to the ability to test a single control and apply that result to the many policies it satisfies.

No one comes to work every day excited to manage risk through email, spreadsheets, antiquated tools, and GRC/IRM systems and programs with custom-coded workarounds. Because of these legacy traditions, it's no wonder that many mature organizations take months or even years to authorize a system commensurate with the intent of the regulatory initiatives, mandates, and contractual obligations imposed on them. Adversaries, the weather, and Murphy's law don't care that you re-attest a third of your assertions each year, so that in three years, when you have gone full cycle, you might be caught up. Continuous monitoring is only a contingency plan to mitigate impacts to the current authorization. Continuous authorization allows you to respond quickly when major incidents, patches, changes, or a crisis occur; automatically implement the necessary changes to mitigate the risk; update the documentation and assessments; and communicate effectively so that stakeholders react.
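As an added illustration (not code from the original post, and not ServiceNow's product logic), the following Python sketches the mechanics behind "test once, apply to many" and continuous authorization: one common control's latest test result is propagated to every framework requirement it maps to, evidence older than a cutoff is flagged as stale rather than silently trusted, and a change touching a control lists the requirements whose evidence must be refreshed. The control ids, framework labels, requirement ids, dates and the mapping itself are constructed placeholders, not an authoritative crosswalk between real standards.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed crosswalk from common controls to framework requirements.
# The control ids (CC-xx), framework labels and requirement ids are illustrative
# placeholders, not an authoritative mapping between real standards.
CROSSWALK = {
    "CC-01": {"RMF": ["AC-2"], "CMMC": ["3.1.1"], "ISO": ["A.9.2.1"]},   # account management
    "CC-02": {"RMF": ["AU-6"], "CMMC": ["3.3.3"]},                        # audit log review
    "CC-03": {"RMF": ["CM-6"], "CMMC": ["3.4.2"], "ISO": ["A.12.1.2"]},  # secure configuration
    "CC-04": {"RMF": ["CP-9"], "ISO": ["A.12.3.1"]},                      # backups
}


@dataclass(frozen=True)
class TestResult:
    """One execution of a control test and the evidence artifact that backs it."""
    control: str
    passed: bool
    tested_on: date
    evidence: str


def latest_results(results):
    """Keep only the most recent test per control; older attestations are superseded."""
    latest = {}
    for r in results:
        if r.control not in latest or r.tested_on > latest[r.control].tested_on:
            latest[r.control] = r
    return latest


def requirement_status(crosswalk, results, as_of, max_age_days=90):
    """Test once, apply to many: push each control's latest result to every
    requirement it satisfies. Status is "pass", "fail", "stale" (evidence older
    than max_age_days, so the assertion can no longer be relied on) or "untested"."""
    latest = latest_results(results)
    status = {}
    for control, mapping in crosswalk.items():
        r = latest.get(control)
        if r is None:
            s = "untested"
        elif as_of - r.tested_on > timedelta(days=max_age_days):
            s = "stale"
        else:
            s = "pass" if r.passed else "fail"
        for framework, reqs in mapping.items():
            for req in reqs:
                status.setdefault(framework, {})[req] = s
    return status


def authorization_gaps(status_by_framework):
    """Per framework, the requirements that block authorization (anything not passing)."""
    return {fw: sorted(req for req, s in reqs.items() if s != "pass")
            for fw, reqs in status_by_framework.items()}


def affected_requirements(crosswalk, changed_controls):
    """Continuous-authorization reaction: a change (patch, incident, config drift)
    touching these controls lists every requirement whose evidence must be refreshed."""
    affected = {}
    for control in changed_controls:
        for framework, reqs in crosswalk.get(control, {}).items():
            affected.setdefault(framework, []).extend(reqs)
    return {fw: sorted(reqs) for fw, reqs in affected.items()}


# Constructed sample evidence; the dates, outcomes and file names are invented for the demo.
AS_OF = date(2024, 6, 1)
SAMPLE_RESULTS = [
    TestResult("CC-01", True, date(2024, 5, 20), "iam-review-2024q2.pdf"),
    TestResult("CC-02", True, date(2024, 3, 1), "siem-review-march.txt"),   # superseded below
    TestResult("CC-02", False, date(2024, 5, 25), "siem-review-may.txt"),
    TestResult("CC-03", True, date(2024, 1, 15), "baseline-scan-jan.json"),  # 138 days old: stale
    # CC-04 has never been tested, so its mapped requirements stay "untested"
]


if __name__ == "__main__":
    status = requirement_status(CROSSWALK, SAMPLE_RESULTS, AS_OF)
    for framework, reqs in status.items():
        print(framework, reqs)
    print("blocking authorization:", authorization_gaps(status))
    print("config change to CC-03 touches:", affected_requirements(CROSSWALK, ["CC-03"]))
```

The point of the freshness check is that a control whose evidence has aged out is reported as stale, not as passing: the three requirements mapped to CC-03 all drop out of authorization together, and a single re-test of CC-03 clears all three again. That is the one-to-many leverage the methodology is named for, and the same mapping tells a workflow which assertions a change event invalidates.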

There is no need to wait for some futuristic sci-fi world where one day we evolve into the next maturation of Continuous Authorization and Monitoring (CAM). It is simply understanding that connecting and making the world of work work better for people is the solution to breaking down silos and achieving a holistic view of risk. When an enterprise's strategic mission and objectives are operationalized on a single workflow platform, we can achieve rapid authorization in a fraction of the time it takes now. Continuous authorization maturity is obtained by shifting away from point-in-time annual reviews and enabling operations to automate an ongoing implementation and review of the security and risk management activities. A risk management digital transformation empowers the enterprise to fortify against the risks we control, accept, defer and inherit daily.


Learn more about ServiceNow risk management at www.servicenow.com/risk or https://www.servicenow.com/products/risk-management.html


Watch "Ask the Experts: A New Paradigm for RMF Automation" to see how ServiceNow can help you achieve risk management digital transformation.
