Risk mitigation, or risk reduction, is both the approach and the desired outcome of risk management: the aim of risk-management activities should always be to reduce and mitigate risk.
Mitigating a risk reduces the organization's exposure to it, the likelihood of its occurring, or both.
In cloud environments and cloud-focused assessments, risk mitigation is most often achieved by implementing additional controls, policies, processes, or procedures, or by using the enhanced technical security features a platform offers.
Adding access controls, running a vulnerability-management program, and selecting a particular CSP on the strength of its security posture are all examples of risk mitigation or risk reduction.
Risk Management Metrics
Risks must be communicated in a way that is clear and easy to understand. It may also be necessary to communicate risk information outside the organization, for example to customers, auditors, or regulators.
To do this consistently, the organization must agree on a common set of risk-management metrics.
Using a risk scorecard is recommended. The impact and the probability of each risk are assessed separately, and the two results are then combined to indicate exposure, using a five-level scale for each quantity:
- Maximum (or Critical)
Different Risk Mitigation Frameworks
The challenge posed by having several risk frameworks is the significant effort and investment required to perform the corresponding risk reviews, together with the time and reporting each one entails.
Commonly used risk frameworks include ISO 31000:2009, the ENISA cloud risk assessment, and NIST guidance. (ISO 31000:2009 has since been superseded by ISO 31000:2018; the description below follows the 2009 edition referenced throughout this section.)
Because ISO 31000:2009 is a guidance standard that is not intended for certification, implementing it does not by itself satisfy specific regulatory or legal requirements relating to risk assessments, risk reviews, and overall risk management.
However, implementation and use of the ISO 31000:2009 standard sets out a risk-management framework and process that can assist in addressing organizational requirements and, most importantly, provide a structured and measurable risk-management approach to assist with the identification of cloud-related risks.
ISO 31000:2009 sets out terms and definitions, principles, a framework, and a process for managing risk. Like other ISO standards, it lists 11 key principles as a guiding set of rules to enable senior decision-makers and organizations to manage risk, as follows:
- Risk management creates and protects value.
- Risk management is an integral part of all organizational processes.
- Risk management is part of decision-making.
- Risk management explicitly addresses uncertainty.
- Risk management is systematic, structured, and timely.
- Risk management is based on the best available information.
- Risk management is tailored.
- Risk management takes human and cultural factors into account.
- Risk management is transparent and inclusive.
- Risk management is dynamic, iterative, and responsive to change.
- Risk management facilitates continual improvement and enhancement of the organization.
The foundation components of ISO 31000:2009 focus on designing, implementing, and reviewing risk management.
The overarching requirement and core component of ISO 31000:2009 is management endorsement of and commitment to risk management, which establishes overall accountability and ensures that the effort is resourced.
Similar to the PDCA lifecycle for continual improvement in ISO 27001:2013, ISO 31000:2009 requires that risk management be integrated into, and embedded within, normal organizational activities rather than run as a separate activity or function.
From a completeness perspective, ISO 31000:2009 covers the lifecycle from risk identification, analysis, and evaluation through to risk treatment.
Working through the stages of that lifecycle should produce a proactive and measured approach to risk management, enabling management and business decision-makers to make informed decisions.
ENISA produced “Cloud Computing: Benefits, Risks, and Recommendations for Information Security” (2009), which can be used as an effective foundation for cloud risk management.
The document identifies 35 types of risk for organizations to consider and highlights the top 8 security risks ranked by likelihood and impact.
Following the release of the ENISA document, NIST published Special Publication 800-146, “Cloud Computing Synopsis and Recommendations” (issued as a draft in May 2011 and finalized in May 2012), which addresses the risk components of cloud adoption and how to analyze them.
Although NIST guidance serves as an international reference for many of the world’s leading organizations, its most consistent adopters remain the U.S. federal government and its agencies, for which NIST standards are mandatory.