Traditional Risk Management Framework

Risk Management (also referred to as Traditional Risk Management) is a tool used by CISOs to identify risk (issues, security gaps, potential breach areas) in an organization's information systems and services. The Risk Management Framework provides a process that integrates security and risk management activities into the development life cycle. For the most part the framework is centered on IT systems, but it can also incorporate applicable local and international privacy laws as well as regulatory compliance obligations. It ensures that the IT systems can meet those objectives and provides a foundation for IT security related activities. The framework proceeds through six steps:


1. Categorize the system and the information processed, stored, and transmitted by that system based on an impact analysis.

2. Select an initial set of baseline security controls for the system based on the security categorization, tailoring and supplementing the security control baseline as needed based on the organization's assessment of risk and local conditions.

3. Implement the security controls and document how the controls are deployed within the system and its environment of operation.

4. Assess the security controls using appropriate procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

5. Authorize system operation based upon a determination of the risk to organizational operations and assets, individuals, other organizations and the Nation resulting from the operation of the system, and the decision that this risk is acceptable.

6. Monitor and assess selected security controls in the system on an ongoing basis, including assessing security control effectiveness, documenting changes to the system or environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to appropriate organizational officials.