Risk Management
Introduction to the Risk Management Framework
One of the best ways to understand and quantify risk in an organization is to map to one of several available frameworks that help categorize and assess the risks of operating a system or set of systems within the company. The Risk Management Framework (RMF) is provided by the National Institute of Standards and Technology (NIST) for use by government and non-government organizations. When assessing risk, a framework helps address the challenge of providing broad coverage of all the risks that may exist in the environment. It is difficult for any single individual or small group to enumerate every risk that could exist in a software system, and even if they did, the organization would have more confidence in aligning to an industry-produced and validated standard. RMF is such a standard.
The Risk Management Framework is described in detail in NIST Special Publication (SP) 800-37, Revision 2, titled “Risk Management Framework for Information Systems and Organizations” (NIST, 2018). It couples with NIST SP 800-53, which provides an extensive catalog of security controls (both cyber and physical) for protecting information systems (NIST, 2020). At the heart of the RMF is a seven-step cyclical process of continuous improvement in addressing risk: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor. Each step is described in detail and mapped to suggested roles, responsibilities, and tasks. When applied in an organization, the RMF together with the SP 800-53 controls provides powerful tools to strengthen the security posture of a system or an entire organization.
Reflection
The CSOL program’s Risk Management course was one of my favorites in that it allowed me to step back from the detailed technical advisor and implementer view and take a higher-level view of the overall risk posture of the organization. In this course, students had the opportunity to work through the six stages of the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) in the context of providing risk management guidance for a fictitious company that is in the process of assessing risk for a fictional system. The final project, as shown below on this page, is presented to a financial services organization regarding the implementation of a new Enterprise Resource Planning (ERP) system. ERP systems are one of the central organizational data repositories, and therefore, this system was chosen as a representative example.
In the exercise, I had the opportunity to walk through the six RMF stages from the perspective of implementing three NIST SP 800-53 control categories for the chosen system. These categories (which I was able to select) were Access Control, Configuration Management, and System and Information Integrity. These three were chosen as I find each of them quite interesting and the specific controls contained within quite valuable to organizations engaging in the protection of large, complex systems (NIST, 2018; NIST, 2020).
Throughout the weekly modules and in the consolidated final assignment, recommendations were made concerning the execution of each of the RMF phases. Of specific interest during the course was the classification phase of the RMF. During classification, an assessment is made of the overall system criticality based on Federal Information Processing Standards (FIPS) Publication 199. Each system under review is categorized as low, moderate, or high in terms of the impact of a potential security incident in the areas of confidentiality, integrity, and availability (NIST, 2004). This early classification phase helps determine the level of resourcing and the security controls applied.
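The FIPS 199 rule behind that classification is the high-water mark: each security objective takes the most severe impact level any information type on the system carries, and the overall system impact is the most severe of the three objectives. The following script, an added example that is not part of the original page or the course project, applies that rule to a hypothetical ERP system; the information types and their provisional impact levels are constructed for illustration only.

```python
"""FIPS 199 security categorization with the high-water mark rule.

Added example, not part of the original page. The information types
and their provisional impact levels below are constructed for a
hypothetical ERP system; real values come from the organization's own
analysis of the data the system handles.
"""
from dataclasses import dataclass
from typing import Dict, List

# FIPS 199 impact levels in increasing order of severity.
LEVELS = ("low", "moderate", "high")


@dataclass(frozen=True)
class InfoType:
    """One information type the system processes, with its provisional
    impact level for each FIPS 199 security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _max_level(a: str, b: str) -> str:
    """High-water mark: the more severe of two impact levels."""
    for lvl in (a, b):
        if lvl not in LEVELS:
            raise ValueError(f"unknown impact level: {lvl!r}")
    return a if LEVELS.index(a) >= LEVELS.index(b) else b


def security_category(info_types: List[InfoType]) -> Dict[str, str]:
    """Per-objective impact level for the whole system: the highest
    level any information type carries for that objective."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    sc = {"confidentiality": "low", "integrity": "low", "availability": "low"}
    for it in info_types:
        sc["confidentiality"] = _max_level(sc["confidentiality"], it.confidentiality)
        sc["integrity"] = _max_level(sc["integrity"], it.integrity)
        sc["availability"] = _max_level(sc["availability"], it.availability)
    return sc


def overall_impact(sc: Dict[str, str]) -> str:
    """Overall system impact level, the value that drives selection of the
    SP 800-53 baseline: high-water mark across the three objectives."""
    result = "low"
    for lvl in sc.values():
        result = _max_level(result, lvl)
    return result


def format_sc(system_name: str, sc: Dict[str, str]) -> str:
    """FIPS 199 notation: SC name = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    parts = ", ".join(f"({obj}, {lvl.upper()})" for obj, lvl in sc.items())
    return f"SC {system_name} = {{{parts}}}"


# Constructed information types for a hypothetical ERP deployment.
ERP_INFO_TYPES = [
    InfoType("general ledger", "moderate", "high", "moderate"),
    InfoType("payroll / employee PII", "high", "moderate", "low"),
    InfoType("inventory", "low", "moderate", "moderate"),
]

if __name__ == "__main__":
    sc = security_category(ERP_INFO_TYPES)
    print(format_sc("ERP", sc))
    print("overall impact:", overall_impact(sc))
```

Note that a single high-impact information type (here the payroll data's confidentiality) pulls the whole system to a high categorization, which is exactly why the categorization step deserves scrutiny: an over-broad system boundary inherits the most sensitive data it touches, and with it the high baseline's cost.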
At the other end of the cycle is continuous monitoring. Continuous monitoring describes the phase of the operation of the system in which analysts and administrators must ensure the system stays secure and in operation according to its Authorization to Operate (ATO). Continuous monitoring is a fascinating phase to me in that it takes a proactive approach to monitoring and observing the system to make sure that configuration doesn’t drift over time and changes don’t adversely impact secure operation.
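One concrete piece of continuous monitoring is checking the running configuration against the baseline that was approved at authorization time. The script below is an added example, not code from the original page or the course project: the settings, the baseline, the “current” snapshot and the choice of which settings count as critical are all constructed for a hypothetical ERP application server. In practice the current snapshot would be collected from the host or a configuration management tool.

```python
"""Configuration drift check for continuous monitoring.

Added example, not part of the original page. BASELINE, CURRENT and
CRITICAL are constructed for a hypothetical ERP application server.
"""
import hashlib
import json
from typing import Dict, List, Tuple

Config = Dict[str, str]

# Constructed baseline: the approved configuration at authorization time.
BASELINE: Config = {
    "tls.min_version": "1.2",
    "auth.mfa_required": "true",
    "auth.session_timeout_min": "15",
    "logging.audit_enabled": "true",
    "db.remote_root_login": "false",
    "patch.level": "2024-03",
}

# Constructed "current" snapshot taken some months later.
CURRENT: Config = {
    "tls.min_version": "1.2",
    "auth.mfa_required": "false",        # drifted: MFA switched off
    "auth.session_timeout_min": "15",
    "logging.audit_enabled": "true",
    "db.remote_root_login": "false",
    "patch.level": "2024-03",
    "debug.remote_console": "true",      # new setting never in the baseline
}

# Settings whose drift should halt operation under the ATO until reviewed
# (constructed choice for this example).
CRITICAL = {"auth.mfa_required", "db.remote_root_login",
            "tls.min_version", "logging.audit_enabled"}


def config_fingerprint(cfg: Config) -> str:
    """SHA-256 over the canonically serialized settings; a cheap equality
    check that is independent of key order, run before a full diff."""
    canonical = json.dumps(cfg, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def detect_drift(baseline: Config, current: Config) -> List[Tuple[str, str, str, str]]:
    """Return (kind, key, baseline_value, current_value) for every deviation.
    kind is 'changed', 'added' (absent from baseline) or 'missing' (absent now)."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        b, c = baseline.get(key), current.get(key)
        if b == c:
            continue
        if b is None:
            findings.append(("added", key, "", c))
        elif c is None:
            findings.append(("missing", key, b, ""))
        else:
            findings.append(("changed", key, b, c))
    return findings


def severity(findings: List[Tuple[str, str, str, str]], critical=CRITICAL) -> str:
    """'critical' if a critical setting drifted, 'drift' for any other
    deviation, 'clean' when the snapshot matches the baseline."""
    if any(f[1] in critical for f in findings):
        return "critical"
    return "drift" if findings else "clean"


if __name__ == "__main__":
    if config_fingerprint(BASELINE) != config_fingerprint(CURRENT):
        for kind, key, b, c in detect_drift(BASELINE, CURRENT):
            print(f"{kind:8} {key}: baseline={b!r} current={c!r}")
    print("status:", severity(detect_drift(BASELINE, CURRENT)))
```

The fingerprint makes the routine check cheap enough to run often; the full diff runs only when the fingerprint disagrees, and the severity mapping is what turns a diff into an operational decision, which is the part that ties the check back to the system’s authorization.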
In conclusion, I believe an understanding of and appreciation for Risk Management policies and practices produces a more effective and efficient cybersecurity professional. It is impossible to individually brainstorm and implement all controls without the help of a framework. By leveraging frameworks like RMF and others, the cybersecurity professional and the organization as a whole can have a degree of confidence that they have implemented industry-produced and validated best practices. Knowledge of these practices is a great asset to the individual and to the cybersecurity team as a whole.
References
NIST. (2004, February). FIPS 199, Standards for Security Categorization of Federal Information and Information Systems. Computer Security Resource Center. https://csrc.nist.gov/publications/detail/fips/199/final
NIST. (2018, December). SP 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. Computer Security Resource Center. https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final
NIST. (2020, December). SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations. Computer Security Resource Center. https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final