|High threat||Avoid this risk OR do deceptions only here||Use expert facilitated analysis or in-depth protection posture assessments - manage attentively - maturity defined or managed||Use systems analysis - manage continuously - involve top management - reassess continuously - maturity optimizing|
|Medium threat||Avoid or accept the added risk and use minimal due diligence approaches OR lightweight initial and periodic reassessments (annual) - Consider deception - maturity initial or repeatable||Use protection posture assessments OR lightweight initial and periodic reassessments (6 months) - manage carefully - sound change control - accreditation process - manage configurations - maturity defined or higher||Use scenario-based analysis - manage tightly - systematic change management - maturity managed or higher|
|Low threat||Use lightweight initial and periodic reassessments (annual) OR minimal due diligence approaches - vulnerability testing - simple approaches - loose controls - minimum cost and effort - limited review process - maturity initial or repeatable||Use lightweight initial and periodic reassessments (9 months) OR if mandated, probabilistic risk analysis or covering approaches - managed configurations and changes - periodic oversight - maturity repeatable or defined||Treat the threat as at least medium and reassess|
|Low consequence||Medium consequence||High consequence|
Typical ICS ratings would be:
|High threat||N/A||Facilities that manufacture fungibles (e.g., paper money, gold coins, etc.), integrated circuits, smart cards, computers, ICS systems for Medium surety applications, and other similar sorts of items.||WMD manufacturing and control facilities, Nuclear power plants, chemical plants with deadly chemicals in high volumes, biological weapons and infectious disease facilities, spacecraft and aerial intelligence systems manufacturing facilities, high explosives and missile systems manufacturing facilities, nuclear material, reprocessing facilities, etc.|
|Medium threat||N/A||Most large-scale manufacturers, car makers, shipyards, etc.||Drug manufacturing, chemical processing plants, fuel processing plants, real-time critical infrastructures (i.e., power and water), medical procedure systems (e.g., MRI machines, X-ray machines, etc.), military aircraft manufacturers, weapons systems manufacturers, etc.|
|Low threat||Part-time local automated office-like systems (e.g., envelope stuffers, copiers, light assembly lines, light-weight sorting facilities, vending machines, automatic photo-developing machines, local pharmacy pill counters, HVAC, elevators, escalators, service stations, etc.)||Packaging plants for dry goods, wood and glass processing plants, metal shops, non-medical and non-toxic testing laboratories, bottling plants, medium volume light manufacturing facilities, automated car parks, amusement parks, home appliance manufacturers, etc.||N/A|
|Low consequence||Medium consequence||High consequence|
Use probabilistic risk assessment or covering approaches: As risks increase, more demands are made on systems to assure the utility of content. For medium risk situations, many things are different. Sound change control and accreditation processes are necessary, configurations should be closely managed, and infrastructure supporting the application should fall under closer scrutiny and management. Probabilistic risk analysis may be used for natural threats, and covering approaches for low threat, medium consequences is also reasonable.
Do lightweight initial and periodic reassessments: Lightweight initial and periodic assessments provide a way to achieve many of the objectives of a protection posture assessment at far lower initial cost. The notion is that, for situations that are likely to change rapidly over time, the cost and delay involved in more in-depth processes is not as good a tradeoff as a series of smaller and faster assessments. This is particularly useful in situations where a protection program is being started up or over the period of a major change. These assessments typically only deal with as-is and future state and don't include gap analysis or transition planning. They are normally done every 3-6 months for the duration of the major changes or until the start-up program becomes mature enough for a more thorough process. If an independent audit process is used to verify factual accuracy of assessments, low risk should reassess annually, and medium risk every 6-9 months.
Use protection posture assessments or expert facilitated analysis: Protection posture assessments and expert facilitated analysis are more suitable as the threats increase. While periodic oversight is acceptable at low threat levels, management must keep tighter reins and review at a higher rate for higher consequence systems or systems under more severe threats.
Use scenario-based analysis or systems analysis: When risks reach into the high end, systemic change management comes into play with system-wide testing associated with every significant change. Management rates increase until individual managers are in real-time control over the highest risk systems. Scenario-based analysis becomes increasingly important and, eventually at the highest risk levels, systems analysis becomes necessary. When risks reach into the high end, systemic change management comes into play with system-wide testing associated with every significant change. Management rates increase until individual managers are in real-time control over the highest risk systems. Scenario-based analysis becomes increasingly important and, eventually at the highest risk levels, systems analysis becomes necessary.
Risk management is the core process underlying reasonable and prudent decisions about information protection. In order to make prudent decisions, a risk management process must be put in place. The question is, what process?