Your organization adopts the NIST FARM risk management approach to frame, assess, respond to, and monitor risks that arise from a variety of sources or tiers such as information systems, business processes, or the organization. As a CISO, you are considering the governance structures from the organizational perspective to address risk. Which of the following is not your primary concern?
A. Strategies for internal development and external acquisition of IT products
B. Risk management strategy
C. Approaches to replacing legacy information systems
D. Enterprise Architecture

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Enterprise Architecture.

Source: NIST SP 800-39

Risk Management Strategy

When you are considering the governance structures from the organizational perspective, you are in the process of thinking about or developing the risk management strategy that directs the framing, assessing, responding, and monitoring processes.

You have to consider the following factors, but not limited to them, to develop a risk management strategy:

• Organizational governance structure
• Financial posture
• The legal and regulatory environment
• Investment strategy
• Culture
• Trust relationships established within and among organizations

Investment strategy

The investment strategy is a change from vulnerability and patch management to a longer-term strategy addressing information security gaps such as the lack of information technology products with the trustworthiness necessary to achieve information system resilience in the face of advanced persistent threats.

Investment strategies can include organizational approaches to:

• (i) replacing legacy information systems (e.g., phasing items in gradually, replacing entirely);
• (ii) outsourcing and using external providers of information systems and services; and
• (iii) internal development vs. acquisition of commercially available information technology products.

Source: NIST SP 800-39

Enterprise Architecture

Tier 1 addresses risk from an organizational perspective. Tier 1 implements the first component of risk management (i.e., risk framing), providing the context for all risk management activities carried out by organizations. Tier 1 risk management activities directly affect the activities carried out at Tiers 2 and 3.

For example, the missions and business functions defined at Tier 1 influence the design and development of the mission/business processes created at Tier 2 to carry out those missions/business functions. Tier 1 provides a prioritization of missions/business functions which in turn drives investment strategies and funding decisions, thus, affecting the development of enterprise architecture (including embedded information security architecture) at Tier 2 and the allocations and deployment of management, operational, and technical security controls at Tier 3.

Source: NIST SP 800-39