Risk Management Framework (SEC 345) - Chromosom3/TechNotes GitHub Wiki

Intro

The Risk Management Framework gives us a process that integrates security, privacy and cyber supply chain risk management activities into a system development lifecycle. The RMF approach takes into account effectiveness, efficiency, and constraints (policies, laws, regulations, etc.). The RMF is designed to be applied to new and older technologies to support organizations of any size in any sector. The seven steps in the RMF are Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor.

Prepare

The first step in the Risk Management Framework is to prepare. This is an important step because it will set you up for success during future steps. Some of the general tasks associated with this step are seen below.

  • Identify and assign roles associated with security and risk
  • Establish a risk management strategy for the organization and determine risk tolerance
  • Perform an organization wide risk assessment
  • Identify business focus and system stakeholders
  • Outline an organization wide strategy for continuous monitoring

Categorize

The second step in the RMF is to categorize. This entails informing organizational risk management processes by determining the impact a loss of confidentiality, integrity, or availability (CIA) would have on the system and the information it handles. Some of the general tasks associated with this step are seen below.

  • System characteristics documented
  • Systems and information security categorized
  • Review and approve the security categorization results

Select

This step is when you select, tailor and document the controls necessary to protect your systems and organization based on the risk level determined earlier. Some of the general tasks associated with this step are seen below.

  • Baselines for controls are selected and tailored
  • The selected controls are designated as system-specific, hybrid, or common
  • Continuous monitoring strategy developed for the system-level
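As an added illustration (not part of the original notes), the Python below applies the FIPS 199/200 high-water-mark rule, which these notes do not spell out, to derive a system's security category from the CIA impact levels of the information types it handles, and then picks the control baseline (Low, Moderate or High) that the Select step starts from. The information types and their impact levels are constructed sample values.

```python
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() gives the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Constructed sample: information types processed by a payroll system, each
# mapped to its (confidentiality, integrity, availability) impact levels.
INFORMATION_TYPES = {
    "employee PII": (Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "payroll transactions": (Impact.MODERATE, Impact.HIGH, Impact.MODERATE),
    "public job postings": (Impact.LOW, Impact.LOW, Impact.LOW),
}


def categorize_system(info_types):
    """Return the system's (C, I, A) category: per objective, the highest
    impact level found across all information types (high-water mark)."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    c = max(levels[0] for levels in info_types.values())
    i = max(levels[1] for levels in info_types.values())
    a = max(levels[2] for levels in info_types.values())
    return c, i, a


def overall_impact(category):
    """Collapse (C, I, A) to the single level used to choose a baseline."""
    return max(category)


def select_baseline(level):
    """Map the overall impact level to the starting control baseline."""
    return {Impact.LOW: "Low", Impact.MODERATE: "Moderate", Impact.HIGH: "High"}[level]


def format_category(name, category):
    """Render the category in the FIPS 199 notation used in a system security plan."""
    c, i, a = category
    return (f"SC {name} = {{(confidentiality, {c.name}), "
            f"(integrity, {i.name}), (availability, {a.name})}}")


if __name__ == "__main__":
    cat = categorize_system(INFORMATION_TYPES)
    print(format_category("payroll system", cat))
    print("Overall impact:", overall_impact(cat).name)
    print("Starting baseline:", select_baseline(overall_impact(cat)))
```

Tailoring (the second Select task) then adjusts that baseline to the system, so the output is a starting point, not the final control set.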

Implement

Once you have selected the relevant security controls you will need to implement them. This step is all about implementing the previously decided upon controls. Some of the general tasks associated with this step are seen below.

  • Implement controls specified in security and privacy plans
  • Update the security and privacy plans as needed to reflect controls that were implemented

Assess

Following the implementation of the relevant security and privacy controls you will need to assess them. Specifically, you assess whether the implementations were carried out correctly and are producing the desired outcome. Some of the general tasks associated with this step are seen below.

  • Select an assessor or assessment team
  • Develop a security and privacy assessment plan or plans
  • Review and approve said assessment plan(s)
  • Remediate any issues found with the controls put in place

Authorize

Following all previous steps you will need to provide accountability. This is done by requiring a senior official to determine whether the security risk, given the systems and controls in place, is acceptable. Some of the general tasks associated with this step are seen below.

  • Create an authorization package
  • Have the senior official make a determination

Monitor

The final step in the Risk Management Framework is the monitor step. This is when the organization maintains ongoing situational awareness about the security and privacy posture of the system and organization to support risk management decisions. Some of the general tasks associated with this step are seen below.

  • Systems monitored based on monitoring strategy
  • Monitoring data is analyzed and responded to