Effective security demands effective risk assessment

While most of the public attention focused on the Consensus Audit Guidelines has been fairly positive, two key aspects continue to be overlooked that may work against the intention of the CAG to improve baseline security among agencies. The first issue — that the common controls in the CAG, even when automated, do not provide any insight into how effective they are in protecting agencies that employ them — is basically ignored by all of the more than 100 contributors to the effort to date. The second issue is one raised most recently by CAG co-developer John Gilligan as a shortcoming in NIST’s extensive 800-53 security control framework, namely that implementing such a complex control framework requires agencies to conduct effective risk assessments, and (Gilligan says) most agencies lack the resources and expertise to do this.

It seems the implication is that working through close to 200 controls in 800-53 is too overwhelming for agencies, but by focusing on the 20 common controls in the CAG agencies can address the most critical security risks in a consistent way. Less clear is why the controls in the CAG shouldn’t be subject to the same thorough risk assessment as any other controls — perhaps the threats and vulnerabilities they are designed to address are so pervasive that no risk assessment is needed to justify them? If the consensus is that the choice of security measures should be risk-based, then decisions about implementing the 20 common controls should also be risk-based, otherwise you run the risk of replacing appropriate security management practices with regulatory mandates.

A separate but related issue is how agencies can address the gap in their ability to conduct effective risk assessments, if in fact such a gap exists. For its part, NIST has made significant changes in overall security management focus to re-emphasize a risk-based approach (most obviously seen in the relatively new Special Publication 800-39), but NIST’s risk management approach remains centered on information systems, so agencies have little guidance to address enterprise risk management that goes beyond systems and data to include business processes and management practices (the inclusion of a “policy” control in each of the 18 control families in 800-53 is not a substitute for addressing operational practices). The revised 800-53 is itself a step toward a less exclusively system-centric approach, with the addition of the provisions in the Program Management control family. Agencies might benefit by referencing the risk management practices addressed in the ISO/IEC 27000 series of security management standards, which are often used in coordination with IT management “best practice” frameworks like ITIL.