Source: NIST RMF

Risk Management

The fundamental goal of cybersecurity is to manage the risk to information and information systems, since they are subject to threats that can have adverse effects on organizational operations, assets, and individuals. Threats can compromise the confidentiality, integrity, and availability of information processed, stored, or transmitted by those systems.

The National Institute of Standards and Technology (NIST) developed the Risk Management Framework (RMF) to help organizations manage the risks of operating information systems more quickly, efficiently, and effectively. The RMF provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information security categorizations, control selection, implementation, and assessment; systems and common control authorizations; and continuous monitoring (Ross, 2018). The RMF helps an organization gauge its acceptance of risk to its operations and assets, and it is the responsibility of senior management to consider the security controls in pursuit of profits ethically. Figure 1 shows the six steps of the RMF along with the NIST special publications that are related to each of the six steps.

Figure 1. NIST Risk Management Framework Steps (NIST, n.d).

Reflection

This course helped me understand the NIST Risk Management Framework (RMF) that is used to improve information security and risk management processes. RMF is the result of a Joint Task Force Transformation Initiative Interagency Working Group. Every agency of the U.S. government is now required to integrate it into its processes. Private organizations are now creating new guidance for compliance with the RMF.

I included my final project as the artifact to illustrate how to apply the six steps of RMF to a Supply Chain Management (SCM) system to manage and mitigate risk.

A brief description of the RMF steps and the supporting NIST publications is given below.

Categorization is the first step in RMF, which involves a thorough analysis of the organization’s business processes to identify the type of information that will be processed, stored, or transmitted. This helps in establishing the initial baseline of security controls for protecting information systems and organizations. There are two NIST Special Publications (SP) that support this step: FIPS 199 – Standards for Security Categorization of Federal Information and Information Systems, and SP 800-60 – Guide for Mapping Types of Information and Information Systems to Security Categories.

The select step provides the standards and guidance for selecting appropriate security controls to help reduce system vulnerability and minimize risk. FIPS 200 – Minimum Security Requirements for Federal Information and Information Systems, and SP 800-53 Rev 3 – Recommended Security Controls for Federal Information Systems and Organizations are used as a starting point for determining the required controls that will be implemented to reduce threats and manage risks from operating information systems. The key activities involved in the security control selection process are assessing risk, identifying standard controls, selecting the baseline controls, and documenting the selected controls in the security plan.

The implement step is where the security controls are implemented. It is a critical part of the RMF since it affects the security state and risk posture of the entire organization. The three NIST SP documents that support this step are NIST SP 800-53 – Recommended Security Controls for Federal Information Systems and Organizations, NIST SP 800-53A – Guide for Assessing the Security Controls in Federal Information Systems, and NIST SP 800-70 – Security Configuration Checklists Program for IT Products – Guidance for Checklist Users and Developers. The implementation of security controls is based on the assessment of risk, organization-specific security requirements, threat information, and cost-benefit analyses.

The assess step determines the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. The supporting NIST publication for this step is NIST SP 800-53A Rev 4 – Recommended Security Controls for Federal Information Systems and Organizations. During the assessment step, the Security Assessment Report is produced and used in making an authorization decision.

The authorize step is where the management decision is made to allow operation of an information system and to explicitly accept the risk to organizational operations, assets, and individuals. The NIST publication that supports this step is NIST SP 800-37 Rev 2 – Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Lifecycle Approach. A prioritized approach to risk mitigation should be adopted throughout the organization since most information systems have more vulnerabilities than available resources can address.

Continuous monitoring is the final step in the RMF. Its primary goal is to determine whether the security controls in the information system continue to be effective over time in light of the unavoidable changes to hardware, software, and firmware that occur in the systems, as well as changes in the environment in which the system operates. The supporting NIST publications for this step are NIST SP 800-37 Rev 2 – Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Lifecycle Approach and NIST SP 800-53A – Guide for Assessing the Security Controls in Federal Information Systems. Continuous monitoring provides ongoing, up-to-date information about an organization’s security state and enables it to make credible, risk-based decisions (NIST, n.d).

The knowledge I gained from this course will help in developing information security standards and guidelines within my organization. It also allows me to be ethical when implementing the framework since it requires a high degree of precision in determining risk, mitigating threats, and maintaining accountability.

References

  • NIST (n.d). Applying the Risk Management Framework to Federal Information Systems. Retrieved from https://csrc.nist.gov/CSRC/media/Projects/Risk-Management/images-media/rmf-training/index.html
  • Risk Management Framework for Information Systems and Organizations. (2018, December). Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf
  • Ross, R. (2018, May 9). RMF (Risk Management Framework) 2.0. Retrieved from https://csrc.nist.gov/CSRC/media/Presentations/RMF-2-0-Risk-Management-Framework-Simplify-Inno/images-media/sp800-37r2-ipd-rollout-DOJ-20180509.pdf
  • Security and Privacy Controls for Information Systems and Organizations. (2017, August). Retrieved from https://csrc.nist.gov/CSRC/media//Publications/sp/800-53/rev-5/draft/documents/sp800-53r5-draft.pdf
