The risk management process minimizes the impact of realized threats and provides a foundation for effective management decision making. It is therefore important that risk management be part of the system development life cycle (SDLC). As defined in NIST SP 800-30, risk management comprises three processes:
- Risk assessment
- Risk mitigation
- Evaluation and assessment
These processes should be performed during each of the five phases of the SDLC.
| S.No. | SDLC Phase | Phase Characteristics | Risk Management Activities |
|---|---|---|---|
| 1 | Phase 1 – Initiation | The need for an IT system is expressed and the purpose and scope of the IT system is documented. | Identified risks are used to support the development of the system requirements, including security requirements, and a security concept of operations (strategy). |
| 2 | Phase 2 – Development or Acquisition | The IT system is designed, purchased, programmed, developed, or otherwise constructed. | The risks identified during this phase can be used to support the security analyses of the IT system that may lead to architecture and design trade-offs during system development. |
| 3 | Phase 3 – Implementation | The system security features should be configured, enabled, tested, and verified. | The risk management process supports the assessment of the system implementation against its requirements and within its modeled operational environment. Decisions regarding identified risks must be made prior to system operation. |
| 4 | Phase 4 – Operation or Maintenance | The system performs its functions. Typically the system is being modified on an ongoing basis through the addition of hardware and software and by changes to organizational processes, policies, and procedures. | Risk management activities are performed for periodic system reauthorization (or reaccreditation) or whenever major changes are made to an IT system in its operational, production environment (e.g., new system interfaces). |
| 5 | Phase 5 – Disposal | This phase may involve the disposition of information, hardware, and software. Activities may include moving, archiving, discarding, or destroying information and sanitizing the hardware and software. | Risk management activities are performed for system components that will be disposed of or replaced to ensure that the hardware and software are properly disposed of, that residual data is appropriately handled, and that system migration is conducted in a secure and systematic manner. |
Roles of Key Personnel in the Risk Management Process
To be effective, risk management must be supported by management and information system security practitioners. Some of the key personnel that should actively participate in the risk management activities are:
- Senior management – Provide the required resources and meet responsibilities under the principle of due care.
- Chief information officer (CIO) – Considers risk management in IT planning, budgeting, and meeting system performance requirements.
- System and information owners – Ensure that controls and services are implemented to address information system confidentiality, integrity, and availability.
- Business and functional managers – Make trade-off decisions regarding business operations and IT procurement that affect information security.
- Information system security officer (ISSO) – Participates in applying methodologies to identify, evaluate, and reduce risks to the mission-critical IT systems.
- IT security practitioners – Ensure the correct implementation of information system security requirements in IT systems.
- Security awareness trainers – Incorporate risk assessment in training programs for the organization’s personnel.