![WHERE DO I GO TO FIND MORE
DETAILS?
• NIST SP 800-30
• NIST SP 800-39 (Organization Level)
• NIST SP 800-160 (Risk Management, Quality Assurance, Quality Management,
Decision Management, Project Assessment and Control Processes)
• NIST SP 800-161
• NIST Interagency Report 8062
• Cybersecurity Framework (Core [Identify Function])](https://image.slidesharecdn.com/rmfv2prepstepzerotask2-171104140753/85/Risk-Management-Strategy-RMF-v2-10-320.jpg)
Risk Management Strategy (RMF v2)
- 1. RISK MANAGEMENT STRATEGY RMF v2 Organizational Preparation Step (“Step Zero”) Task 2
- 2. WHAT ARE RMF AND CSF? • Risk Management Framework (RMF) and Cybersecurity Framework (CSF) are two different sets of guidelines created by NIST for managing information security risk in an agency or enterprise • RMF is an answer to the Federal Information Security Management Act (FISMA) of 2002 requirements, and is required for all federal agencies • CSF came out of Obama’s Executive Order 13636 of February 2013, and is voluntary for Critical Infrastructure businesses (and also used by other private sector companies)
- 3. WHAT HAPPENED TO CAUSE NIST TO CREATE A NEW VERSION OF RMF? • In May, 2017 Executive Order 13800 was signed • EO 13800 requires: • that agency heads manage risk at the agency level and across the Executive Branch • the use of the CSF by agency heads • Increased emphasis on privacy • The current version of RMF does not fully address these concerns
- 4. WHAT NEEDS TO CHANGE IN RMF? • As a result of the analysis of RMF v1 and the EO, these are the primary issues with the current version of RMF: • Doesn’t specify how agency heads should be involved in the process from the beginning • There is no risk management preparation guidance • It doesn’t completely mesh with the CSF • There are no privacy considerations included in it
- 5. HOW EXACTLY IS RMF CHANGING IN V2? • Primarily the addition of a new step (“Step Zero”): Organizational Preparation (13 tasks) • There are also a few more additional tasks added to the other steps • Privacy concerns are addressed in addition to “security” concerns
- 6. WHAT IS ORGANIZATIONAL PREPARATION “STEP ZERO” TASK 2? • Title: Risk Management Strategy • Definition: Establish a risk management strategy for the organization that includes a determination of risk tolerance
- 7. WHO IS RESPONSIBLE FOR DOING TASK 2? Head of Agency or Chief Executive Officer: • Definition: Senior official within an organization with the responsibility to provide security protections commensurate with the risk and magnitude of harm to organizational operations and assets, individuals, other organizations, and the Nation…
- 8. WHAT ARE THE INPUTS AND OUTPUTS? • Potential inputs: • Organizational mission statement • Organizational policies • Organizational risk assumptions, constraints, priorities, and trade-offs • Potential outputs: • Organizational risk management strategy • Statement of risk tolerance
- 9. WHERE DOES THIS TASK FALL IN THE SDLC? • For new systems, during the Initiation phase (concept/requirements definition) • For existing systems, during the Operations/Maintenance phase
- 10. WHERE DO I GO TO FIND MORE DETAILS? • NIST SP 800-30 • NIST SP 800-39 (Organization Level) • NIST SP 800-160 (Risk Management, Quality Assurance, Quality Management, Decision Management, Project Assessment and Control Processes) • NIST SP 800-161 • NIST Interagency Report 8062 • Cybersecurity Framework (Core [Identify Function])
- 11. RISK MANAGEMENT PROCESS • The four components of the Risk Management Process are: • Framing, • Assessment, • Response, and • Monitoring
- 12. NIST SP 800-30: GUIDE FOR CONDUCTING RISK ASSESSMENTS • Defines Risk Management Strategy as one of the outputs from the Risk Management Process Framing component, which becomes an input to the Risk Management Process Assessment component
- 13. NIST SP 800-39: MANAGING INFORMATION SECURITY RISK • Risk Management Strategy is affected by three concepts: • Risk Tolerance • Trust • Organizational Culture
- 14. NIST SP 800-39 (RISK TOLERANCE) • Definition: “Level of risk or degree of uncertainty that is acceptable to organizations” • The degree of risk tolerance is • Indicative of organizational culture • Different for different types of losses • Influenced by the individual risk tolerance of senior leaders • Defines ramifications of risk tolerance decisions • Gives examples of how level of risk tolerance may affect risk assessments and risk responses
- 15. NIST SP 800-39 (TRUST) • Definition: A belief that an entity will behave in a predictable manner in specified circumstances • Entity may be a person, process, object, or combination of those (e.g., hardware component, software module, piece of equipment, site, organization, nation-state) • Based on objective evidence (e.g., testing) or subjective elements (e.g., level of comfort) • Trust between organizations informs risk management strategy
- 16. NIST SP 800-39 (ORGANIZATIONAL CULTURE) • Definition: values, beliefs, and norms that influence the behaviors and actions of members of organizations • Culture is largely affected by senior leaders • Different cultures can exist within an organization and between organizations that work together; this can result in different risk tolerance levels • Direct relationship between culture and how organizations respond to uncertainties • If a risk management strategy is not consistent with culture, it will be difficult to implement
- 17. NIST SP 800-160: SYSTEMS SECURITY ENGINEERING • Systems engineering provides the basic foundation for a disciplined approach to engineering trustworthy secure systems • Five processes inform Risk Management Strategy: • Risk Management Process • Quality Management Process • Quality Assurance Process • Decision Management Process • Project Assessment and Control Process
- 18. NIST SP 800-161: SUPPLY CHAIN RISK MANAGEMENT PRACTICES FOR FEDERAL INFORMATION SYSTEMS AND ORGANIZATIONS • Remember Target? • Risk Management Strategy must incorporate Supply Chain • Outputs from the organization’s risk management process serve as inputs to this process
- 19. NIST INTERAGENCY REPORT 8062: AN INTRODUCTION TO PRIVACY ENGINEERING AND RISK MANAGEMENT IN FEDERAL SYSTEMS • Published in January 2017 • Incorporates privacy into the risk management process (e.g., PII, PHI, etc.) • Privacy needs to be considered in Risk Management Strategy
- 20. CSF: FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY • Framework Core definition: • a set of activities to achieve specific cybersecurity outcomes • Core comprises four elements: • Functions • Categories • Subcategories • Informative References • Functions include: • Identify • Protect • Detect • Respond • Recover • Task 2 of RMFv2 references the Identify function
- 21. CSF IDENTIFY FUNCTION • Purpose: To develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities • One outcome is a Risk Management Strategy (ID.RM)
- 22. SUMMARIZATION • Task 2 is part of the Organizational Preparation step (“Step Zero”), which is entirely new to the publication (SP 800-37) • Task 2 covers Risk Management Strategy as a preparatory step to overall risk management • The purpose of including Task 2 in RMFv2 is to ensure that senior leaders are involved in the risk management process from the very beginning, and determine the risk tolerance of the organization
- 23. REFERENCES • Draft NIST SP 800-37, Revision 2, September 2017 • NIST SP 800-30, Revision 1, September 2012 • NIST SP 800-39, March 2011 • NIST SP 800-160, November 2016 • NIST SP 800-161, April 2015 • NIST IR 8062, January 2017 • Framework for Improving Critical Infrastructure Cybersecurity, v1.0, February 2014
- 24. QUESTIONS?
- 25. AMY NICEWICK, CISSP SalusSec, LLC www.salussec.com