Risk Management Framework - morgan-hanrahan/Tech-Journal GitHub Wiki

Brief Description of RMF

NIST SP 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations, describes the RMF and provides guidance on applying it to information systems. Its primary objective is to prepare organizations to carry out risk management activities across the whole system development life cycle.

Appendix E

Step 1: Prepare

The Prepare step's objective is to carry out essential activities at the organization, mission/business process, and information system levels so that the organization is ready to manage its security and privacy risks.

Step 2: Categorize

The Categorize step informs organizational risk management processes and tasks by determining the adverse impact on organizational operations and assets, individuals, other organizations, and the Nation that would result from a loss of confidentiality, integrity, or availability of organizational systems and of the information those systems process, store, and transmit.

Step 3: Select

The Select step's objective is to select, tailor, and document the controls necessary to protect the information system and organization commensurate with the risk to organizational operations and assets, individuals, other organizations, and the Nation.

Step 4: Implement

The Implement step's objective is to implement the controls described in the security and privacy plans for the system and the organization, and to document the specific details of the control implementation in a baseline configuration.

Step 5: Assess

The Assess step's objective is to determine whether the controls selected for implementation are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization.

Step 6: Authorize

The Authorize step's objective is to provide organizational accountability by requiring a senior management official to determine whether the security and privacy risk (including supply chain risk) to organizational operations and assets, individuals, other organizations, or the Nation arising from the operation of a system is acceptable.

Step 7: Monitor

The Monitor step's objective is to maintain ongoing situational awareness of the security and privacy posture of the information system and the organization in order to support risk management decisions.