How Cloud Can Facilitate Risk Management

August 24, 2012, by David

Grazed from BankInfoSecurity. Author: Eric Chabrow.

Ron Ross, the NIST IT security and risk guru, sees cloud computing as a vehicle to help organizations implement an information risk management framework.

Ross, senior computer scientist and fellow at the National Institute of Standards and Technology, says in an interview that the costs of automated tools needed to implement the information risk management framework could be offset by savings realized by the use of cloud computing services.

The interview is part of an Information Security Media Group webinar by Ross entitled Risk Management Framework: Learn from NIST. An excerpt from that interview is presented here…

A key element of information risk management is enterprise architecture, which can be accomplished in part through cloud computing, since it lets organizations standardize, optimize and consolidate their IT infrastructure, Ross says.

"When you translate that, it means you kind of build a leaner, meaner infrastructure, which hopefully can save significant amounts of money for an organization to deploy," Ross says in the interview. "Cloud computing can save a number of resources. That’s where I would start. Because if you could reduce the digital footprint, it allows us to manage complexity, we can save money on the IT infrastructure, and then possibly reinvest some of that money into strong cybersecurity measures to include some of the automated tools."

In the webinar, Ross shares his insights on how to:

  • Understand the current cyber threats to all public and private sector organizations.
  • Develop a multi-tiered risk management approach built upon governance, processes and information systems.
  • Implement NIST’s risk management framework, from defining risks to selecting, implementing and monitoring information security controls.

Ross, lead author of NIST Special Publication 800-37 (the bible of risk assessment and management), specializes in security requirements definition, security testing and evaluation, and information assurance. He leads NIST's Federal Information Security Management Act Implementation Project, which includes the development of key security standards and guidelines for the federal government and critical information infrastructure.

He also heads the Joint Task Force Transformation Initiative Working Group, a joint partnership with NIST, Defense Department, intelligence community and Committee on National Security Systems, to develop a unified information security framework for the federal government.

Ross serves as the architect of the risk-management framework that integrates the suite of NIST security standards and guidelines into a comprehensive enterprise security program.