Given the scenario provided below in $2\mathrm{.}4,$ identify the level of the risk assessment you will perform. Your risk assessment may cover multiple tiers.

$2\mathrm{.}4$ APPLICATION OF RISK ASSESSMENTS

As stated previously, risk assessments can be conducted at all three tiers in the risk management

hierarchy$$organization level, mission$/$business process level, and information system level.

Figure $4$ illustrates the risk management hierarchy defined in NIST Special Publication $800-39,$

which provides multiple risk perspectives from the strategic level to the tactical level. Traditional

risk assessments generally focus at the Tier $3$ level $($i$.$e$.,$ information system level$)$ and as a result,

tend to overlook other significant risk factors that may be more appropriately assessed at the Tier

$1$ or Tier $2$ levels $($e$.$g$.,$ exposure of a core mission$/$business function to an adversarial threat based

on information system interconnections$).$

FIGURE $4$: RISK MANAGEMENT HIERARCHY

Risk assessments support risk response decisions at the different tiers of the risk management

hierarchy. At Tier $1,$ risk assessments can affect, for example: $($i$)$ organization$-$wide information

security programs, policies, procedures, and guidance; $($ii$)$ the types of appropriate risk responses

$($i$.$e$.,$ risk acceptance, avoidance, mitigation, sharing, or transfer$)$; $($iii$)$ investment decisions for

information technologies$/$systems; $($iv$)$ procurements; $($v$)$ minimum organization$-$wide security

controls; $($vi$)$ conformance to enterprise$/$security architectures; and $($vii$)$ monitoring strategies and

ongoing authorizations of information systems and common controls. At Tier $2,$ risk assessments

can affect, for example: $($i$)$ enterprise architecture$/$security architecture design decisions; $($ii$)$ the

selection of common controls; $($iii$)$ the selection of suppliers, services, and contractors to support

organizational missions$/$business functions; $($iv$)$ the development of risk$-$aware mission$/$business

processes; and $($v$)$ the interpretation of information security policies with respect to organizational

information systems and environments in which those systems operate. Finally, at Tier $3,$ risk

assessments can affect, for example: $($i$)$ design decisions $($including the selection, tailoring, and

supplementation of security controls and the selection of information technology products for

organizational information systems$)$; $($ii$)$ implementation decisions $($including whether specific

information technology products or product configurations meet security control requirements$)$;

and $($iii$)$ operational decisions $($including the requisite level of monitoring activity, the frequency

of ongoing information system authorizations, and system maintenance decisions$).$

TIER $1$

ORGANIZATION

TIER $2$

MISSION $/$ BUSINESS PROCESSES

TIER $3$

INFORMATION SYSTEMS

$-$ Inter$-$Tier and Intra$-$Tier

Communications

$-$ Feedback Loop for

Continuous Improvement

TACTICAL RISK

STRATEGIC RISK

$-$ Traceability and Transparency of

Risk$-$Based Decisions

$-$ Organization$-$Wide

Risk Awareness

Special Publication $800-30$ Guide for Conducting Risk Assessments

$\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_$

CHAPTER $2$ PAGE $18$

Risk assessments can also inform other risk management activities across the three tiers that are

not security$-$related. For example, at Tier $1,$ risk assessments can provide useful inputs to: $($i$)$

operational risk determinations $($including business continuity for organizational missions and

business functions$)$; $($ii$)$ organizational risk determinations $($including financial risk, compliance

risk, regulatory risk, reputation risk, and cumulative acquisition risk across large$-$scale projects$)$;

and $($iii$)$ multiple$-$impact risk $($including supply chain risk and risk involving partnerships$).$ At

Tier $2,$ risk assessments can provide the same useful inputs to operational, organizational, and

multiple$-$impact risks, specific to mission$/$business processes. At Tier $3,$ risk assessments can

inform assessments of cost$,$ schedule, and performance risks associated with information systems,

with information security experts coordinating with program managers, information system

owners, and authorizing officials. This type of coordination is essential within organizations in

order to eliminate silos and$/$or stove$-$piped activities that produce less than optimal or inefficient

information technology and security solutions$$thus affecting the ability of organizations to carry

out assigned missions$/$business functions with maximum efficiency and cost$-$effectiveness.

It is important t