
Corporate Headquarters: 1010 Wayne Avenue, Suite 1150 Silver Spring, Maryland 20910 301.565.2988 Telephone 301.565.2995 Facsimile Satellite.



e-Gov Risk Portfolio Manager (TM) Online Tutorial

Corporate Headquarters: 1010 Wayne Avenue, Suite 1150, Silver Spring, Maryland 20910. 301.565.2988 Telephone, 301.565.2995 Facsimile.
Satellite Office: 13800 Coppermine Road, Suite 221, Herndon, Virginia 20171.
SBA certified 8(a) woman-owned, minority-owned small business.

eGov Risk Portfolio Manager Functions

This tutorial will provide an overview of the following eGov Risk Portfolio Manager (eGov RPM) functions:
- Configuration Tasks
- Risk Portfolios
- Risk Identification
- Risk Response
- Security Management Tab
- Reports Module

eGov RPM Configuration Tasks

eGov RPM configuration definitions include:
- Locations: physical sites where people or assets reside
- Sources: reference publications used for risk identification
- Assessors: functions or job positions that identify risks (which may include non-eGov RPM users, e.g. IG auditors)
- Categories: names for groupings of similar types of risks
- Roles: functional titles assigned to eGov RPM end-users, and the risk-editing privilege settings for each role
- Users: login IDs, passwords, and portfolio access settings

Locations

Portfolios are associated with a physical location, which is typically identified as an office building, data center, or other site where IT assets reside.
(Screenshot: Administration tab, Locations submenu)

Sources

Sources of risk reduction or risk control objectives are typically written references. Example sources:
- Bureau Policy
- Department Policy
- OMB Memoranda
- GAO Report
- IG Report
- NIST Guidance

Assessors

Assessors are the individuals (or software tools) that identify risks. Assessors are typically functional roles performed by people, though a software tool could also be considered a type of "assessor." eGov RPM's definition of an assessor associates the function of the assessor with a Source document such as a standard or an audit report. Example assessors and their applicable standard or source:
- ISSO: NIST SP 800-37
- Security Tester: NIST SP 800-53A
- Project Manager: PMI® PMBOK®
- GAO Auditor: GAO FISCAM
- Capital Investment Owner: OMB Circular A-11

Categories

Risk categories tracked by eGov RPM are chosen by the customer organization, so you can decide which types of risk issues are most important for you to track. Note that you, the customer, decide how granular you want your categories to be. For example, the "NIST 800-53" category shown here could be divided into 3 classes of risks (Management, Operational, and Technical) or 17 families of risks. Example categories:
- NIST SP 800-53 Control
- Privacy
- Staffing
- Budget
- Physical Security
- Schedule

Roles – The Concept

The term Roles in eGov RPM pertains to the definition of the access privileges of eGov RPM users. You decide which types of users should have read, write, create, or delete privileges to risk data and related data structures (e.g., security plans, POA&Ms) in eGov RPM. Example roles:
- System Owner
- ISSO
- Software Tester
- Auditor
- Business User
- State Agency User

Roles – Setting Permissions

Role permissions are defined for portfolios, projects, risk entries, administration functions, and reports.

Users – Applying the Roles Concept

(Screenshot: Administration tab, Users submenu.) Note the custom-defined role "Business Analyst."

Review: eGov RPM Configuration Tasks

You have completed a review of the six eGov RPM configuration tasks:
- Locations
- Sources
- Assessors
- Categories
- Roles
- Users
You are now ready to create portfolios and define your risk control structure!

The Risk Module: Portfolios

Portfolios – General Concepts

Portfolios are simply hierarchical representations of assets or mission activities that may have risks that you wish to monitor. Portfolio folders can represent:
- Organization chart entities
- Names of IT contracts
- Names of networks
- Names of IT budget investments
- Names of project phases
- Names of C&A accreditation boundaries

Creating a Portfolio

Creating a portfolio in eGov RPM is simple:
1) Click on the Risks tab, and then select the Risk Repository submenu.
2) Click the new folder icon located in the lower left corner of the page.
3) Enter the name and location of the portfolio you are creating and click Save.

Portfolios – Certification & Accreditation Example 1

- NIST SP 800-37 defines the term "accreditation boundary" as a collection of IT assets under a common direct management control
- The Department of Defense (DoD) has used the term "enclave" in a manner similar to NIST's definition of accreditation boundary
- eGov RPM can model complex enclaves or accreditation boundaries through the portfolio representation

Portfolios – Certification & Accreditation Example 2

- In the portfolio at left, we are representing major C&A deliverable activities as portfolios
- The idea: each of the five process activities listed at left will identify risks relevant to the Enclave
- The collection of risks from the Enclave's five deliverable areas comprises a good set of risks for the Enclave's risk assessment

How Many Levels of Portfolios?

Recommendation: the "depth" or number of portfolio levels defined in your portfolio hierarchy should be based on the number of different risk owners involved in mitigating identified risks.
- Multiple risk owners → multiple portfolios recommended
- Few risk owners → fewer portfolios recommended

The Risk Module: Risk Identification

Theory 101: What is a Risk?

- A risk, in the most abstract sense, is the probability that a business objective will not be met
- IT security risks (usually) pertain to the probability of Confidentiality, Integrity, or Availability objectives not being met

Examples using NIST SP 800-53 families:
- Confidentiality objectives: Access Control (AC); Identification and Authentication (IA); System and Communications Protection (SC)
- Integrity objectives: Awareness and Training (AT); Audit and Accountability (AU); Certification, Accreditation and Security Assessments (CA); Configuration Management (CM); Media Protection (MP); Physical and Environmental Protection (PE); Planning (PL); Risk Assessment (RA); System and Information Integrity (SI)
- Availability objectives: Contingency Planning (CP); Incident Response (IR); Maintenance (MA); Risk Assessment (RA); System and Services Acquisition (SA); System and Communications Protection (SC); System and Information Integrity (SI)

Example Risk Record

(Screenshot of a risk entry.) Note the use of categories, sources, and assessors.

Resources: Probability and Impact Information

(Screenshot: Resources tab, Risk Quantification submenu)

The Risk Module: Risk Response

Risk Response Alternatives

Response alternatives for identified risks include:
- Mitigate (i.e., resolve) the risks locally
- Transfer the risks to another organization for mitigation (i.e., a variation of mitigating the risks)
- Create Plan of Action and Milestones (POA&M) entries for risks requiring unplanned or additional resources to mitigate
- Identify the risks as risk acceptance candidates for an authorizing official, e.g., Designated Approving (or Approval) Authority (DAA), for approval as "accepted risks"

Risk Mitigation Example

The Mitigation Plan is the second tab of risk entries. (Screenshot.)

POA&M Example

The POA&M entry is the third tab of risk entries. (Screenshot.)

The Security Management Tab

Security Categorization Analysis

eGov RPM automates NIST SP 800-60 security categorization. (Screenshot.)

eGov RPM Security Test and Evaluation (ST&E)

The SP 800-53A module of eGov RPM automates ST&E reporting. (Screenshot.)

SSP Creation Tasks

The steps involved in creating an SSP in eGov RPM are as follows:
- Navigate to the Security Management tab, Security Plan submenu
- Select a portfolio you are associating with the SSP
- Define the FIPS 199 Impact Rating of the portfolio, and click the Update button in the lower left part of the SSP page
- Enter the SSP's System Identification information (as required by NIST SP 800-18 Revision 1)
- Identify the applicable software, hardware, and architecture products that provide functionality required by NIST SP 800-53 controls
- Enter text for the Management, Operational, and Technical control sections

SSP System Identification Section

(Screenshot: Security Management tab, Security Plan submenu, showing the FIPS 199 rating and the asset (the C&A package's portfolio) identification.)

Identifying Products that Implement SSP Controls

(Screenshot: Management Controls, Control Menu, Product List)

Identifying Products (continued)

Steps:
1. Click New
2. Enter vendor info
3. Click Save
4. Select applicable controls
5. Click Save

Adding Attachments (Evidence) to SSP Controls

Steps:
1. In the SSP module, click on Control Menu
2. Select Upload Document

The Reports Module

Reports Tab Functionality

The Reports tab contains two submenus:
- Report Generation, which contains eleven types of reports having varying degrees of detail
- The Executive Dashboard, which contains several graphical depictions of risk data meant for summarizing risk status for management

Two Executive Dashboard Reports

(Screenshots: Risk Probability Matrix; Pie Chart Distribution)
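To make the concepts from the Roles, Example Risk Record, Risk Response Alternatives and Executive Dashboard slides concrete, here is an added example (not eGov RPM code, and not from e-Management) that models a small risk register in Python: a least-privilege role check, risk entries tagged with category, source and assessor, the four response alternatives, and a dashboard roll-up. The 1–5 probability/impact scale, the High/Medium/Low bands and the sample risks are constructed assumptions; the slides do not state the tool's actual scales.

```python
from collections import Counter
from dataclasses import dataclass
# Constructed sample of the concepts on this page: roles with per-object privileges,
# risk entries tagged with category/source/assessor, and a response alternative.
# The 1-5 probability/impact scale and the High/Medium/Low bands are assumptions;
# the page does not state the tool's actual scales or scoring formula.
RESPONSES = ("mitigate", "transfer", "poam", "accept")  # the four response alternatives
# role -> object type -> privileges granted (read/write/create/delete)
ROLES = {
    "ISSO": {"risk": {"read", "write", "create", "delete"}, "report": {"read"}},
    "Auditor": {"risk": {"read"}, "report": {"read"}},
    "Business Analyst": {"risk": {"read", "write"}, "report": {"read"}},
}

@dataclass
class Risk:
    name: str
    category: str
    source: str
    assessor: str
    probability: int  # 1 (rare) .. 5 (near certain), assumed scale
    impact: int       # 1 (negligible) .. 5 (severe), assumed scale
    response: str = "mitigate"

    def __post_init__(self):
        if not (1 <= self.probability <= 5 and 1 <= self.impact <= 5):
            raise ValueError("probability and impact must be 1..5")
        if self.response not in RESPONSES:
            raise ValueError(f"unknown response {self.response!r}")

def allowed(role: str, obj: str, privilege: str) -> bool:
    """Least-privilege check: deny unless the role explicitly grants the privilege."""
    return privilege in ROLES.get(role, {}).get(obj, set())

def rating(r: Risk) -> str:
    """Bucket a risk for the probability/impact matrix (assumed bands)."""
    score = r.probability * r.impact
    return "High" if score >= 15 else "Medium" if score >= 8 else "Low"

def dashboard(risks):
    """Executive-dashboard style summary: matrix cells, category slices, acceptance candidates."""
    return {"matrix": Counter(rating(r) for r in risks),
            "by_category": Counter(r.category for r in risks),
            "accept_candidates": [r.name for r in risks if r.response == "accept"]}

PORTFOLIO = [  # constructed risk register for one portfolio
    Risk("Weak password policy", "NIST SP 800-53 Control", "NIST SP 800-53", "ISSO", 4, 4),
    Risk("Contingency plan never tested", "NIST SP 800-53 Control", "NIST SP 800-53", "ISSO", 3, 5, "poam"),
    Risk("Key staff departure", "Staffing", "Department Policy", "Project Manager", 2, 3, "accept"),
    Risk("Server room door propped open", "Physical Security", "IG Report", "GAO Auditor", 1, 2),
]
```

A role absent from ROLES (for example a "State Agency User" nobody configured) gets no privileges at all, which is the safe default when a permission table is incomplete.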

The Risk Summary Executive Dashboard Report

(Screenshot.)

e-Management Contact Information

If you need additional information on eGov Risk Portfolio Manager, please contact e-Management at 301.565.2988 or by e-mail.
