There are a number of approaches to managing risk. Managing risk is a complex process and requires input from the whole organization. There are three tiers, each associated with a respective portion of the organization:
- Tier 1 – Organizational Level – At this level, risk is assessed from an organizational perspective with mitigation strategies such as governance and holistic strategies involving risk tolerance, monitoring and oversight.
- Tier 2 – Mission/Business Process – Risk is assessed from the processes associated with the mission/business and is guided by the decisions from Tier 1.
- Tier 3 – Information System – The risk associated with information systems is evaluated and guided by the decisions from Tiers 1 and 2. The selection of security controls leverages those outlined in NIST SP 800-53.
The risk management process begins early in the System Development Life Cycle (SDLC). The majority of the work of the Risk Management Framework (RMF) is done at Tier 3.