TWM Associates, Inc. (TWM) has extensive experience applying the Risk Management Framework (RMF).
TWM has assisted organizations in developing risk frameworks that help them determine the level at which particular risks can be accepted. TWM's approach to developing a risk framework includes identifying the greatest risks to the organization and determining the most practical solutions to mitigate those risks.

Implementing a Risk Management Framework under the newer NIST Special Publication 800-37 means properly identifying the security controls allocated to the various components of the information system as system-specific, hybrid, or common controls, in accordance with the information security architecture developed by the organization. Security controls are typically traceable to the security requirements established by the organization, so that those requirements are fully addressed during the design, development, and implementation of the information system. The organization's appetite for risk then defines the extent to which those controls are implemented. The risk management framework is then tailored so that it is acceptable to the organization, implementable by the organization, and testable by the organization.

Implementing controls for the sake of controls is neither cost-effective nor of value to the organization. TWM works with organizations to identify the minimum controls necessary to bring them to an acceptable risk level, as defined by the organization, and to ensure that those controls are cost-effective and testable.