Corporate Headquarters: 1010 Wayne Avenue, Suite 1150 Silver Spring, Maryland 20910 301.565.2988 Telephone 301.565.2995 Facsimile www.e-mcinc.com Satellite.

Slide 1: e-Gov Risk Portfolio Manager (TM) Online Tutorial
Corporate Headquarters: 1010 Wayne Avenue, Suite 1150, Silver Spring, Maryland
Satellite Office: Coppermine Road, Suite 221, Herndon, Virginia
SBA certified 8(a) woman-owned, minority-owned small business

Slide 2: eGov Risk Portfolio Manager Functions
This tutorial will provide an overview of the following eGov Risk Portfolio Manager (eGov RPM) functions:
- Configuration Tasks
- Risk Portfolios
- Risk Identification
- Risk Response
- Security Management Tab
- Reports Module

Slide 3: eGov RPM Configuration Tasks
eGov RPM configuration definitions include:
- Locations: physical sites where people or assets reside
- Sources: reference publications used for risk identification
- Assessors: functions or job positions which identify risks (which may include non-eGov RPM users, e.g. IG auditors)
- Categories: names for groupings of similar types of risks
- Roles: functional titles assigned to eGov RPM end users, and risk editing privilege settings for each role
- Users: login IDs, passwords, and portfolio access settings

Slide 4: Locations
Portfolios are associated with a physical location, which typically is identified as an office building, data center, or other site where IT assets reside.
(Screenshot: Administration tab, Locations submenu)

Slide 5: Sources
Sources of risk reduction or risk control objectives are typically written references.
Example sources:
- Bureau Policy
- Department Policy
- OMB Memoranda
- GAO Report
- IG Report
- NIST Guidance

Slide 6: Assessors
Assessors are typically functional roles performed by people, though a software tool could also be considered a type of "assessor." Assessors are the individuals (or software tools) that identify risks. eGov RPM's definition of an assessor associates the function of the assessor with a Source document such as a standard or an audit report.
Example assessors (Assessor: Applicable Standard or Source):
- ISSO: NIST SP
- Security Tester: NIST SP A
- Project Manager: PMI PMBOK
- GAO Auditor: GAO FISCAM
- Capital Investment Owner: OMB Circular A-11

Slide 7: Categories
Risk categories tracked by eGov RPM are chosen by the customer organization, so you can decide which types of risk issues are most important to you to track. Note that you, the customer, decide how granular you want your categories to be. For example, the "NIST" category shown here could be divided into 3 classes of risks (M-O-T: Management, Operational, Technical), or 17 families of risks.
Example categories:
- NIST SP Control
- Privacy
- Staffing
- Budget
- Physical Security
- Schedule

Slide 8: Roles – The Concept
The term Roles in eGov RPM pertains to the definition of the access privileges of eGov RPM users. You decide which types of users should have read, write, create, or delete privileges to risk data and related data structures (e.g., security plans, POA&Ms) in eGov RPM.
Example roles:
- System Owner
- ISSO
- Software Tester
- Auditor
- Business User
- State Agency User

Slide 9: Roles – Setting Permissions
Role permissions are defined for portfolios, projects, risk entries, administration functions, and reports.

Slide 10: Users – Applying the Roles Concept
(Screenshot: Administration tab, Users submenu.) Note the custom-defined role "Business Analyst."
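The roles concept of slides 8 to 10 amounts to a role-based access control model: a role grants a set of privileges (read, write, create, delete) per resource type (portfolios, projects, risk entries, administration, reports), and a user combines a role with portfolio access settings. The following Python is an added illustration of such a check and is not eGov RPM code; the resource types and privilege verbs come from the slides, while the role definitions, user accounts and the deny-by-default rule are assumptions made for the example.

```python
"""Role-based access checks in the spirit of the Roles/Users configuration
described on slides 8-10. Added illustration, not eGov RPM code: the resource
types and privilege names come from the slides, the role definitions below
are constructed."""
from dataclasses import dataclass

# Resource types listed on slide 9 and privilege verbs listed on slide 8.
RESOURCE_TYPES = frozenset({"portfolios", "projects", "risk_entries",
                            "administration", "reports"})
PRIVILEGES = frozenset({"read", "write", "create", "delete"})
# Data that lives inside a portfolio, so access is also scoped by portfolio.
PORTFOLIO_SCOPED = frozenset({"portfolios", "projects", "risk_entries"})


@dataclass(frozen=True)
class Role:
    """Maps each resource type to the privileges granted on it.
    Anything not listed is denied (deny by default)."""
    name: str
    grants: dict  # resource type -> frozenset of privileges

    def __post_init__(self):
        for resource, privs in self.grants.items():
            if resource not in RESOURCE_TYPES:
                raise ValueError(f"unknown resource type {resource!r}")
            unknown = set(privs) - PRIVILEGES
            if unknown:
                raise ValueError(f"unknown privilege(s) {sorted(unknown)}")


def make_role(name, **grants):
    return Role(name, {res: frozenset(p) for res, p in grants.items()})


# Constructed role definitions (not the product's shipped defaults).
ROLES = {
    "System Owner": make_role(
        "System Owner",
        portfolios={"read", "write", "create", "delete"},
        projects={"read", "write", "create", "delete"},
        risk_entries={"read", "write", "create", "delete"},
        reports={"read"}),
    "ISSO": make_role(
        "ISSO",
        portfolios={"read"},
        risk_entries={"read", "write", "create"},
        reports={"read"}),
    "Auditor": make_role(
        "Auditor",
        portfolios={"read"}, risk_entries={"read"}, reports={"read"}),
    # The custom role from slide 10, given read-only access here.
    "Business Analyst": make_role(
        "Business Analyst", risk_entries={"read"}, reports={"read"}),
    "Administrator": make_role(
        "Administrator",
        administration={"read", "write", "create", "delete"}),
}


@dataclass(frozen=True)
class User:
    login: str
    role: str
    portfolios: frozenset  # the user's portfolio access settings (slide 3)


def is_allowed(user, privilege, resource, portfolio=None):
    """Deny unless the user's role grants the privilege on the resource type
    and, for portfolio-scoped data, the user has access to that portfolio."""
    role = ROLES.get(user.role)
    if role is None or privilege not in PRIVILEGES:
        return False
    if privilege not in role.grants.get(resource, frozenset()):
        return False
    if resource in PORTFOLIO_SCOPED:
        return portfolio is not None and portfolio in user.portfolios
    return True


def demo_decisions():
    """Constructed users exercising the checks; returns description -> decision."""
    analyst = User("jdoe", "Business Analyst", frozenset({"Enclave A"}))
    owner = User("msmith", "System Owner", frozenset({"Enclave A", "Enclave B"}))
    nobody = User("ghost", "Contractor", frozenset({"Enclave A"}))  # undefined role
    return {
        "analyst reads risk in own portfolio": is_allowed(analyst, "read", "risk_entries", "Enclave A"),
        "analyst edits risk": is_allowed(analyst, "write", "risk_entries", "Enclave A"),
        "analyst reads risk in other portfolio": is_allowed(analyst, "read", "risk_entries", "Enclave B"),
        "owner deletes risk": is_allowed(owner, "delete", "risk_entries", "Enclave B"),
        "owner changes administration settings": is_allowed(owner, "write", "administration"),
        "undefined role reads reports": is_allowed(nobody, "read", "reports"),
    }


if __name__ == "__main__":
    for decision, allowed in demo_decisions().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {decision}")
```

Two design choices carry the least-privilege intent of slide 8: a role that does not mention a resource type or privilege gets nothing (no implicit read), and a privilege on portfolio-scoped data is only honoured inside the portfolios the user account was given, so a read-only role like the custom "Business Analyst" cannot see risks in a portfolio it was not assigned.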

Slide 11: Review: eGov RPM Configuration Tasks
You have completed a review of the six eGov RPM configuration tasks:
- Locations
- Sources
- Assessors
- Categories
- Roles
- Users
You are now ready to create portfolios and define your risk control structure!

Slide 12: The Risk Module: Portfolios

Slide 13: Portfolios – General Concepts
Portfolios are simply hierarchical representations of assets or mission activities that may have risks that you wish to monitor. Portfolio folders can represent:
- Organization chart entities
- Names of IT contracts
- Names of networks
- Names of IT budget investments
- Names of project phases
- Names of C&A accreditation boundaries

Slide 14: Creating a Portfolio
Creating a portfolio in eGov RPM is simple:
1) Click on the Risks tab, and then select the Risk Repository submenu.
2) Click the new folder icon located in the lower left corner of the page.
3) Enter the name and location of the portfolio you are creating and click Save.

Slide 15: Portfolios – Certification & Accreditation Example 1
- NIST SP defines the term "accreditation boundary" as a collection of IT assets under a common direct management control
- The Department of Defense (DoD) has used the term "enclave" in a manner similar to NIST's definition of accreditation boundary
- eGov RPM can model complex enclaves or accreditation boundaries through the portfolio representation

Slide 16: Portfolios – Certification & Accreditation Example 2
- In the portfolio at left, we are representing major C&A deliverable activities as portfolios
- The idea: each of the five process activities listed at left will identify risks relevant to the Enclave
- The collection of risks from the Enclave's five deliverable areas comprises a good set of risks for the Enclave's risk assessment

Slide 17: How Many Levels of Portfolios?
Recommendation: the "depth" or number of portfolio levels defined in your portfolio hierarchy should be based on the number of different risk owners involved in mitigating identified risks.
- Multiple risk owners → multiple portfolios recommended
- Few risk owners → fewer portfolios recommended

Slide 18: The Risk Module: Risk Identification

Slide 19: Theory 101: What is a Risk?
- A risk, in the most abstract sense, is the probability that a business objective will not be met
- IT security risks (usually) pertain to the probability of Confidentiality, Integrity, or Availability objectives not being met
Examples using NIST SP control families:
Confidentiality objectives:
- Access Control (AC)
- Identification and Authentication (IA)
- System and Communications Protection (SC)
Integrity objectives:
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Certification, Accreditation and Security Assessments (CA)
- Configuration Management (CM)
- Media Protection (MP)
- Physical and Environmental Protection (PE)
- Planning (PL)
- Risk Assessment (RA)
- System and Information Integrity (SI)
Availability objectives:
- Contingency Planning (CP)
- Incident Response (IR)
- Maintenance (MA)
- Risk Assessment (RA)
- System and Services Acquisition (SA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)

Slide 20: Example Risk Record
(Screenshot.) Note the use of categories, sources, and assessors.

Slide 21: Resources: Probability and Impact Information
(Screenshot: Resources tab, Risk Quantification submenu)

Slide 22: The Risk Module: Risk Response

Slide 23: Risk Response Alternatives
Response alternatives for identified risks include:
- Mitigate (i.e., resolve) the risks locally
- Transfer the risks to another organization for mitigation (i.e., a variation of mitigating the risks)
- Create Plan of Action and Milestones (POA&M) entries for risks requiring unplanned or additional resources to mitigate
- Identify the risks as risk acceptance candidates for an authorizing official, e.g., Designated Approving (or Approval) Authority (DAA), for approval as "accepted risks"

Slide 24: Risk Mitigation Example
(Screenshot.) The Mitigation Plan is the second tab of risk entries.

Slide 25: POA&M Example
(Screenshot.) The POA&M entry is the third tab of risk entries.

Slide 26: The Security Management Tab

Slide 27: Security Categorization Analysis
eGov RPM automates NIST SP security categorization:
(Screenshot)

Slide 28: eGov RPM Security Test and Evaluation (ST&E)
The SP A module of eGov RPM automates ST&E reporting:
(Screenshot)

Slide 29: SSP Creation Tasks
The steps involved in creating an SSP in eGov RPM are as follows:
- Navigate to the Security Management tab, Security Plan submenu
- Select a portfolio you are associating with the SSP
- Define the FIPS 199 impact rating of the portfolio, and click the Update button in the lower left part of the SSP page
- Enter the SSP's System Identification information (as required by NIST SP Revision 1)
- Identify the applicable software, hardware, and architecture products that provide functionality required by NIST SP controls
- Enter text for the Management, Operational, and Technical control sections

Slide 30: SSP System Identification Section
(Screenshot: Security Management tab, Security Plan submenu, with callouts for the FIPS 199 rating and the asset (the C&A package's portfolio) identification)
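The FIPS 199 impact rating that slides 27, 29 and 30 attach to a portfolio is derived with the FIPS 199 high-water mark: each information type the system processes gets a potential impact (low, moderate, high) for confidentiality, integrity and availability; the system takes the highest value per objective, never below low, and the overall rating is the highest of the three. The following Python is an added worked example of that rule, not eGov RPM code and not a description of how the product computes it; the portfolio name "Enclave A" and its information types are constructed.

```python
"""FIPS 199 security categorization of a portfolio, the "impact rating" that
slides 27, 29 and 30 ask for. Added example, not eGov RPM code; the
information types below are constructed."""
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact values. NA ("not applicable") may be
    assigned only to the confidentiality of public information, and never
    to an information system as a whole."""
    NA = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


def information_type(confidentiality, integrity, availability):
    """Security category of one information type as a dict over the three
    objectives; rejects NA on integrity or availability."""
    if integrity == Impact.NA or availability == Impact.NA:
        raise ValueError("NA is permitted only for confidentiality")
    return {"confidentiality": Impact(confidentiality),
            "integrity": Impact(integrity),
            "availability": Impact(availability)}


def categorize_system(info_types):
    """High-water mark over the information types a system (a portfolio, in
    eGov RPM terms) processes: each objective takes the highest impact among
    the types, never below LOW, and the overall rating is the highest of
    the three. Returns (per-objective dict, overall Impact)."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    per_objective = {}
    for objective in OBJECTIVES:
        highest = max(sc[objective] for sc in info_types.values())
        per_objective[objective] = max(highest, Impact.LOW)
    overall = max(per_objective.values())
    return per_objective, overall


def format_sc(name, per_objective):
    """Render in FIPS 199 notation, e.g. SC x = {(confidentiality, LOW), ...}."""
    parts = ", ".join(f"({obj}, {per_objective[obj].name})" for obj in OBJECTIVES)
    return f"SC {name} = {{{parts}}}"


# Constructed information types for a hypothetical portfolio "Enclave A".
ENCLAVE_A = {
    "public web content": information_type(Impact.NA, Impact.LOW, Impact.LOW),
    "contract records": information_type(Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "incident reports": information_type(Impact.MODERATE, Impact.HIGH, Impact.MODERATE),
}


if __name__ == "__main__":
    per_objective, overall = categorize_system(ENCLAVE_A)
    print(format_sc("Enclave A", per_objective))
    print("FIPS 199 impact rating (high-water mark):", overall.name)
```

For the constructed enclave the per-objective result is (confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE) and the overall rating is HIGH, which is the rating a practitioner would enter on the SSP page and the one that selects the control baseline; the edge case worth noticing is the public web content, whose NA confidentiality is lifted to LOW at the system level.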

Slide 31: Identifying Products that Implement SSP Controls
(Screenshot: Management Controls, Control Menu, Product List)

Slide 32: Identifying Products (continued)
Steps:
1. Click New
2. Enter vendor info
3. Click Save
4. Select applicable controls
5. Click Save

Slide 33: Adding Attachments (Evidence) to SSP Controls
Steps:
1. In the SSP module, click on Control Menu
2. Select Upload Document

Slide 34: The Reports Module

Slide 35: Reports Tab Functionality
The Reports tab contains two submenus:
- Report Generation, which contains eleven types of reports having varying degrees of detail
- The Executive Dashboard, which contains several graphical depictions of risk data meant for summarizing risk status for management

Slide 36: Two Executive Dashboard Reports
(Screenshots: Risk Probability Matrix; Pie Chart Distribution)
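The portfolio hierarchy of slides 13 to 17, the risk records with category, source and assessor of slides 19 to 21, the response alternatives of slide 23 and the two dashboard views of slide 36 fit together as one data model: risks sit in portfolio nodes, roll up to every ancestor, and are plotted by probability and impact or counted by category. The following Python is an added example of that model and is not eGov RPM code; the 1 to 5 probability and impact scales, the band thresholds, the sample enclave and its risks are all constructed for the illustration.

```python
"""A small risk register over a portfolio hierarchy, tying together the
portfolio concepts (slides 13-17), risk records with category, source and
assessor (slides 19-21), response alternatives (slide 23) and the two
dashboard views of slide 36. Added example, not eGov RPM code. The 1-5
probability and impact scales, the band thresholds and the sample risks
are constructed."""
from collections import Counter
from dataclasses import dataclass, field

RESPONSES = ("Mitigate", "Transfer", "POA&M", "Accept")  # slide 23


@dataclass(frozen=True)
class Risk:
    title: str
    category: str
    source: str
    assessor: str
    probability: int  # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int       # 1 (negligible) .. 5 (severe), assumed scale
    response: str = "Mitigate"

    def __post_init__(self):
        if not (1 <= self.probability <= 5 and 1 <= self.impact <= 5):
            raise ValueError("probability and impact must be 1..5")
        if self.response not in RESPONSES:
            raise ValueError(f"unknown response {self.response!r}")

    @property
    def score(self):
        return self.probability * self.impact


def band(risk):
    """Band of the probability matrix a risk falls in (assumed thresholds)."""
    if risk.score >= 15:
        return "High"
    if risk.score >= 8:
        return "Moderate"
    return "Low"


@dataclass
class Portfolio:
    """A node in the hierarchy; risks roll up to every ancestor."""
    name: str
    children: list = field(default_factory=list)
    risks: list = field(default_factory=list)

    def walk(self):
        yield self
        for child in self.children:
            yield from child.walk()

    def all_risks(self):
        return [r for node in self.walk() for r in node.risks]


def probability_matrix(portfolio):
    """5x5 counts for the Risk Probability Matrix: rows are probability,
    columns are impact, over the portfolio and its descendants."""
    cells = [[0] * 5 for _ in range(5)]
    for r in portfolio.all_risks():
        cells[r.probability - 1][r.impact - 1] += 1
    return cells


def summary(portfolio):
    """Roll-up behind the Pie Chart Distribution and the risk summary."""
    risks = portfolio.all_risks()
    return {
        "portfolio": portfolio.name,
        "total": len(risks),
        "by_band": dict(Counter(band(r) for r in risks)),
        "by_category": dict(Counter(r.category for r in risks)),
        "by_response": dict(Counter(r.response for r in risks)),
    }


def build_sample_enclave():
    """Constructed hierarchy in the style of slide 16: the enclave is the
    parent and C&A deliverable activities are child portfolios."""
    ssp = Portfolio("System Security Plan", risks=[
        Risk("Account reviews not performed", "NIST SP Control",
             "NIST Guidance", "ISSO", probability=4, impact=4),
        Risk("Undocumented privacy data flows", "Privacy",
             "Department Policy", "ISSO", probability=3, impact=3),
    ])
    ra = Portfolio("Risk Assessment", risks=[
        Risk("Key ISSO position vacant", "Staffing", "Bureau Policy",
             "Project Manager", probability=3, impact=2, response="Transfer"),
    ])
    ste = Portfolio("ST&E", risks=[
        Risk("Unpatched web server found in testing", "NIST SP Control",
             "NIST Guidance", "Security Tester", probability=5, impact=5,
             response="POA&M"),
        Risk("Test environment lacks backup power", "Physical Security",
             "IG Report", "GAO Auditor", probability=1, impact=4,
             response="Accept"),
    ])
    return Portfolio("Enclave A", children=[ssp, ra, ste])


if __name__ == "__main__":
    enclave = build_sample_enclave()
    for node in enclave.walk():
        print(summary(node))
    for row in reversed(probability_matrix(enclave)):  # highest probability on top
        print(row)
```

Running the block prints a summary for the enclave and each child portfolio (five risks in total at the enclave level: two High, one Moderate, two Low) followed by the 5x5 matrix; the roll-up is what lets a summary at the enclave level reflect risks identified by any of the deliverable activities beneath it, which is the point of modelling an accreditation boundary as a portfolio tree.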

Slide 37: The Risk Summary Executive Dashboard Report
(Screenshot)

Slide 38: e-Management Contact Information
If you need additional information on eGov Risk Portfolio Manager, please contact e-Management.