From the course: Cybersecurity Foundations

An advanced risk framework

- [Instructor] NIST, in December 2018, issued revision 2 to their original special publication on risk: SP 800-37: Risk Management Framework. The Risk Management Framework provides a disciplined, structured, and flexible process for managing security and privacy risk. It covers information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring of risks. The Risk Management Framework considers risk at three levels: information systems risk, mission or business process risk, and whole-of-business risk.

The risk management process involves preparation of the necessary risk material needed to carry out risk management, and then a six-stage process of categorization, selection, implementation, assessment, authorization, and monitoring.

The prepare stage of the framework involves seven actions, three of which are risk-related and four controls-related. They are: assign people to risk management roles; prepare the risk management context, also known as the risk strategy; complete an organization-wide risk assessment; establish control baselines according to the standards relevant to the organization; identify common controls and prioritize them according to the potential impact of an attack; and develop the plan for monitoring control effectiveness.

The categorize phase overlaps somewhat with the prepare phase, as it requires a full review of the IT systems in use, particularly identifying the system characteristics and the information they process and store. The next step is to determine the impact levels to confidentiality, availability, and integrity. And the final step is to get business endorsement, or authorization, of the three impact classification levels.

The select stage requires that controls are selected and tailored to the specific system environment, to mitigate all risks to the system that are beyond risk appetite. This is judged by determining the risk level, and then identifying from the risk context whether controls are required. The steps in the select stage are: control selection, either by adopting a baseline set of controls, by a custom set of controls driven by the risk assessments, or by a combination of both; control tailoring to suit the operating environment; control allocation to systems, ensuring that the specific business requirements for security in that system are met across people, process, and technology; documenting the controls for each system in a system security plan; developing and implementing the approach to continuous monitoring of control effectiveness; and gaining business approval of the system security plans and continuous monitoring process.

The next stage is to implement the controls that have been identified for the system, and maintain the system security plans accordingly.

The assess stage is about through-life assessment of the system to ensure that controls are effective, and there is no evidence of a breach. There are seven steps in this stage of the risk management life cycle: select assessors based on candidate qualifications and target knowledge; develop the plan for the assessment; carry out the assessment plan for the controls; report on the control effectiveness, providing findings and recommendations; remediate any findings that can be immediately rectified; and develop an overall plan of action for findings that can't be immediately rectified.

The purpose of the authorize stage is to provide organizational accountability, by requiring a senior manager to determine if the security and privacy risk represented by the overall set of risk management activities and plans is acceptable. This stage has five steps: developing the submission; management review; additional risk management response to any issues raised; approval of decisions for each system; and an authorization report.

The final stage is monitoring. This is a key stage of the framework, which provides the ongoing situational awareness about the security and privacy posture of the information system and the organization in support of risk management decisions, and includes some of the above stages. It has seven steps: the systems and environment are monitored for any changes that might occur; in-flight assessments are performed as required; any issues identified are responded to; risk management documents are maintained; security and privacy risks are reported regularly; authorizations are given to systems as required; and systems are securely disposed of when no longer required.
