'Non' Tech Journal 2 - JadenGil/Jaden-Tech-Journal GitHub Wiki
Types Of Bias
Motivational Bias:
- A "filter" that changes what you say or do so that it differs from what you actually believe
Cognitive Bias:
- Unconscious factors that can distort beliefs
Nonverbal Bias:
- Forming a positive or negative evaluation of a person based on appearance, body language, or the way they dress
Affinity Bias:
- This tends to occur when we meet someone we feel we have an affinity with. For example, it can happen when you learn that someone attended the same school or college as you, or grew up in the same town as you
Halo/Horns effect:
- Halo is when we see one good thing about a person and let it have a significant effect on our decision-making
- Horns is the opposite effect: one bad thing colors the whole assessment
Similarity Bias:
- Surrounding yourself with like-minded people by default, because we generally prefer to work with people we agree with
Contrast Effect:
- Judging a person's skills and attributes by comparing them with the other candidates seen around the same time, rather than against the skills and attributes the job actually requires
Attribution Bias:
- Explaining outcomes in a self-serving way: when something we really wanted to do fails, we blame external factors like the people we were working with, while holding other people personally responsible for their failures
Confirmation Bias:
- When passing judgment on another person we subconsciously look for evidence that backs up our existing opinion of them. We want so badly to be right that we convince ourselves we made the proper assessment
Conformity Bias:
- Scrapping your own opinion in favor of the group's opinion, going along with what the rest of the group thinks rather than what you actually believe
Risk Management Framework
The Risk Management Framework (RMF) is a structured process developed by the National Institute of Standards and Technology (NIST) and described in NIST Special Publication 800-37 to help organizations manage risks to their information systems and data. It provides a comprehensive approach to identifying, assessing, mitigating, and monitoring risks throughout the system development lifecycle.
Appendix E:
Appendix E of the RMF document provides guidance on security control baselines. It outlines the process for selecting and tailoring security controls based on an organization's specific risk environment and operational requirements.
Step 1: Prepare
Description: In this step, the organization establishes the foundation for the RMF process, including defining the scope, establishing the risk management strategy, and determining the roles and responsibilities of stakeholders.
Tasks:
Define the system boundaries and scope of the assessment.
Identify key stakeholders and their roles in the RMF process.
Develop a risk management strategy outlining objectives, constraints, and priorities.
Step 2: Categorize
Description: This step involves categorizing the information system and the information it processes, stores, and transmits according to the potential impact (low, moderate, or high) that a loss of confidentiality, integrity, or availability would have on the organization, following FIPS 199. Categorization is driven by impact, not by which particular threats are expected.
Tasks:
Identify the information processed by the system.
Determine the impact levels (low, moderate, high) for the loss of confidentiality, integrity, and availability of each information type, then take the high-water mark (the highest value across all information types) for each security objective to arrive at the system's security category.
Document the system categorization results.
Step 3: Select
Description: Here, the organization selects the control baseline (low, moderate, or high, as defined in NIST SP 800-53B) that matches the system categorization and tailors it, considering factors such as the organization's risk tolerance, operational requirements, and applicable laws and regulations.
Tasks:
Start from the NIST SP 800-53B baseline matching the system's impact level and review the selected controls against the NIST Special Publication 800-53 catalog.
Tailor the selected controls to align with organizational requirements and operational environment.
Document the rationale for control selection and tailoring decisions.
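The Categorize and Select steps above boil down to a small computation: per-objective high-water mark across information types (FIPS 199), then the overall impact level that picks the SP 800-53B baseline (FIPS 200). The following Python is an added worked example, not code from the original page or from NIST; the information types and their impact values are constructed for illustration and are not taken from NIST SP 800-60. It also handles the one edge case practitioners trip over: FIPS 199 allows a "not applicable" confidentiality impact for an information type (content that is already public) but floors every system-level objective at LOW.

```python
"""Worked FIPS 199 categorization with SP 800-53B baseline selection.

Added example for the Categorize and Select steps; not code from the page.
Information types and impact values are constructed for illustration and
are not provisional values from NIST SP 800-60.
"""
from dataclasses import dataclass
from typing import Iterable

OBJECTIVES = ("confidentiality", "integrity", "availability")
# Ordered low -> high so that max() yields the FIPS 199 high-water mark.
# "N/A" is permitted by FIPS 199 only for the confidentiality objective of an
# information type (e.g. content already public), never at the system level.
LEVELS = ("N/A", "low", "moderate", "high")


@dataclass(frozen=True)
class InformationType:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact(self, objective: str) -> str:
        return getattr(self, objective)


def validate(info_type: InformationType) -> None:
    """Reject impact values that FIPS 199 does not allow."""
    for objective in OBJECTIVES:
        level = info_type.impact(objective)
        if level not in LEVELS:
            raise ValueError(f"{info_type.name}: unknown impact level {level!r}")
        if level == "N/A" and objective != "confidentiality":
            raise ValueError(f"{info_type.name}: N/A is only allowed for confidentiality")


def high_water_mark(levels: Iterable[str]) -> str:
    """Highest impact level present in `levels` (the FIPS 199 high-water mark)."""
    return max(levels, key=LEVELS.index)


def categorize_system(info_types: list[InformationType]) -> dict[str, str]:
    """System security category: for each objective, the max over all information types.

    FIPS 199 floors every system-level objective at LOW, so an information type
    whose confidentiality is N/A cannot pull the system below LOW.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    for info_type in info_types:
        validate(info_type)
    category = {}
    for objective in OBJECTIVES:
        hwm = high_water_mark(t.impact(objective) for t in info_types)
        category[objective] = "low" if hwm == "N/A" else hwm
    return category


def format_category(category: dict[str, str]) -> str:
    """FIPS 199 notation, e.g. SC = {(confidentiality, MODERATE), (integrity, HIGH), ...}."""
    body = ", ".join(f"({o}, {category[o].upper()})" for o in OBJECTIVES)
    return "SC = {" + body + "}"


def overall_impact(category: dict[str, str]) -> str:
    """FIPS 200: the system impact level is the high-water mark across the three objectives."""
    return high_water_mark(category.values())


def select_baseline(category: dict[str, str]) -> str:
    """The SP 800-53B baseline the Select step starts from before tailoring."""
    return f"SP 800-53B {overall_impact(category).upper()} baseline"


# Constructed sample: a customer portal and the information it handles.
PUBLIC_CONTENT = InformationType("public web content", "N/A", "moderate", "moderate")
ACCOUNT_RECORDS = InformationType("customer account records (PII)", "moderate", "moderate", "low")
PAYMENT_TRANSACTIONS = InformationType("payment transactions", "moderate", "high", "moderate")
PORTAL = [PUBLIC_CONTENT, ACCOUNT_RECORDS, PAYMENT_TRANSACTIONS]


if __name__ == "__main__":
    for label, system in (("customer portal", PORTAL), ("static public site", [PUBLIC_CONTENT])):
        cat = categorize_system(system)
        print(f"{label}: {format_category(cat)} -> {select_baseline(cat)}")
```

Running it shows why authorization-boundary decisions matter: the single HIGH integrity rating on payment transactions drives the whole portal to the HIGH baseline, even though every other value is MODERATE or lower. Splitting payment processing into its own system with its own boundary is the usual way to keep the rest of the portal at MODERATE. The static public site case shows the N/A floor: its system-level confidentiality comes out LOW, not N/A.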
Step 4: Implement
Description: This step involves implementing the selected security controls within the information system and documenting how the controls are deployed and configured.
Tasks:
Develop and implement policies, procedures, and technical measures to enforce the selected security controls.
Configure hardware, software, and other system components to support the implementation of security controls.
Document the implementation of security controls and any deviations from the baseline configuration.
Step 5: Assess
Description: The organization conducts a comprehensive assessment of the security controls to ensure they are implemented correctly and operating effectively to mitigate identified risks.
Tasks:
Perform control assessments using the methods defined in NIST SP 800-53A (examine, interview, test) and appropriate tooling.
Evaluate the effectiveness of security controls in addressing identified risks.
Document assessment results, including findings and recommendations for improvement.
Step 6: Authorize
Description: This step involves reviewing the security assessment results and making an authorization decision based on the organization's risk tolerance and acceptance of residual risks.
Tasks:
Review the security assessment reports and associated documentation.
Make an authorization decision based on the assessment findings and risk posture.
Document the authorization decision and any conditions or limitations imposed on system operation.
Step 7: Monitor
Description: In this final step, the organization continuously monitors the security controls and the overall security posture of the information system to identify and respond to changes in the risk environment.
Tasks:
Establish a continuous monitoring program to track changes in the system and the risk environment.
Collect and analyze security-related data to assess the effectiveness of security controls.
Report on security status and performance to relevant stakeholders and decision-makers.
By following these seven steps, organizations can manage risks to their information systems effectively and maintain a sound security posture as the threat environment changes.