Risk Management Framework

Presentation transcript:

Risk Management Framework
FITSP-M Module 3 - Risk Management Framework

Leadership
“…Through the process of risk management, leaders must consider risk to U.S. interests from adversaries using cyberspace to their advantage and from our own efforts to employ the global nature of cyberspace to achieve objectives in military, intelligence, and business operations…”
- The National Strategy for Cyberspace Operations, Office of the Chairman, Joint Chiefs of Staff, U.S. Department of Defense

FITSP-M Exam Module Objectives
Application Security
Contingency Planning
Data Security Planning
Risk Assessment
Security Assessments and Authorization

Risk Management Framework Overview
Section A: SP 800-37r1
  Evolution of Risk Management
  International and National Standards
  Components of Risk Management
Section B: Risk Management Framework (RMF)
  Characteristics of RMF
  The Fundamentals of RMF
Section C: Roles & Responsibilities
Section D: Steps in the RMF Process

Section A: SP 800-37r1 - Guide for Applying the Risk Management Framework to Federal Information Systems

Evolution of Risk Management
SP 800-37 updated to Revision 1: from Guide for the Security Certification and Accreditation (C&A) of Federal Information Systems to Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
SP 800-39 supersedes SP 800-30 as the source for risk management guidance: from Risk Management Guide for Information Technology Systems to Managing Information Security Risk: Organization, Mission, and Information System View

Risk Management Approach

Risk Management Redefined

Harmonization of International and National Standards
ISO 31000 – Risk management – Principles and guidelines
ISO/IEC 31010 – Risk management – Risk assessment techniques
ISO/IEC 27001 – Information technology – Security techniques – Information security management systems – Requirements
ISO/IEC 27005 – Information technology – Security techniques – Information security risk management

Section B: SP 800-37r1 – Risk Management Framework (RMF)

Risk Management Framework and the SDLC

Risk Management Framework: Traditional C&A (SP 800-37, 2004) Phases, Tasks and Subtasks Mapped to RMF (SP 800-37r1) Steps (1 of 2)
Phase: Initiation
Task 1: Preparation
  Information System Description -> RMF 1.2 Information System Description
  Security Categorization -> RMF 1.1 Security Categorization
  (no C&A subtask) -> RMF 1.3 Information System Registration
  Threat Identification -> (no RMF task listed)
  Vulnerability Identification -> (no RMF task listed)
  Security Control Identification -> RMF 2.1 Common Control Identification; RMF 2.2 Security Control Selection; RMF 3.1 Security Control Implementation; RMF 3.2 Security Control Documentation
  (no C&A subtask) -> RMF 2.3 Monitoring Strategy
  Initial Risk Determination -> (no RMF task listed)
Task 2: Notification and Resource Identification
  Notification -> (no RMF task listed)
  Planning and Resources -> (no RMF task listed)
Task 3: SSP Analysis, Update, and Acceptance
  Security Categorization Review -> (no RMF task listed)
  System Security Plan Analysis -> (no RMF task listed)
  System Security Plan Update -> (no RMF task listed)
  System Security Plan Acceptance -> RMF 2.4 Security Plan Approval

Risk Management Framework: Traditional C&A Phases, Tasks and Subtasks Mapped to RMF Steps (2 of 2)
Phase: Certification
Task 4: Security Control Assessment
  Documentation and Supporting Materials -> RMF 4.1 Assessment Preparation
  Methods and Procedures -> RMF 4.1 Assessment Preparation
  Security Assessment -> RMF 4.2 Security Control Assessment
  Security Assessment Report -> RMF 4.3 Security Assessment Report
Task 5: Security Certification Documentation
  Findings and Recommendations -> RMF 4.4 Remediation Actions
  System Security Plan Update -> (no RMF task listed)
  POAM Preparation -> RMF 5.1 Plan of Action and Milestones
  Accreditation Package Assembly -> RMF 5.2 Security Authorization Package
Phase: Accreditation
Task 6: Accreditation Decision
  Final Risk Determination -> RMF 5.3 Risk Determination
  Risk Acceptability -> RMF 5.4 Risk Acceptance
Task 7: Security Accreditation Documentation
  Security Accreditation Package Transmission -> (no RMF task listed)
Phase: Continuous Monitoring
Task 8: Configuration Management
  Documentation of Information System Changes; Security Impact Analysis -> RMF 6.1 Information System and Environment Changes
Task 9: Control Monitoring
  Security Control Selection -> RMF 2.3 Monitoring Strategy (approximate mapping)
  Selected Security Control Assessment -> RMF 6.2 Ongoing Security Control Assessments
Task 10: Status Reporting and Documentation
  (no C&A subtask) -> RMF 6.4 Key Updates
  POAM Update -> RMF 6.3 Ongoing Remediation Actions
  Status Reporting -> RMF 6.5 Security Status Reporting
  (no C&A subtask) -> RMF 6.6 Ongoing Risk Determination and Acceptance
  (no C&A subtask) -> RMF 6.7 Information System Removal and Decommissioning

Fundamentals of RMF
Integrated Organization-wide Risk Management
System Development Life Cycle
Information System Boundaries
Security Control Allocation
Roles & Responsibilities

Integrated Organization-Wide Risk Management

System Development Life Cycle
Phases of the SDLC:
  Initiation
  Development/Acquisition
  Implementation
  Operation/Maintenance
  Disposal
Security Requirements
Integrated Project Teams
Reusing Information

RMF Tasks Mapped to RMF Steps and SDLC Phases (1 of 2)
(An SDLC phase entry spans the rows down to the next phase entry, as in the merged cells of the original slide.)
Task | RMF Step | SDLC Phase
1.1 Security Categorization | Categorize | Initiation (concept/requirements definition)
1.2 Information System Description | Categorize |
1.3 Information System Registration | Categorize |
2.1 Common Control Identification | Select |
2.2 Security Control Selection | Select |
2.3 Monitoring Strategy | Select |
2.4 Security Plan Approval | Select | Development/Acquisition
3.1 Security Control Implementation | Implement | Implementation
3.2 Security Control Documentation | Implement |
4.1 Assessment Preparation | Assess |
4.2 Security Control Assessment | Assess |
4.3 Security Assessment Report | Assess |
4.4 Remediation Actions | Assess |

RMF Tasks Mapped to RMF Steps and SDLC Phases (2 of 2)
Task | RMF Step | SDLC Phase
5.1 Plan of Action and Milestones | Authorize | Implementation
5.2 Security Authorization Package | Authorize |
5.3 Risk Determination | Authorize |
5.4 Risk Acceptance | Authorize |
6.1 System and Environment Changes | Monitor | Operation/Maintenance
6.2 Ongoing Security Control Assessments | Monitor |
6.3 Ongoing Remediation Actions | Monitor |
6.4 Key Updates | Monitor |
6.5 Security Status Reporting | Monitor |
6.6 Ongoing Risk Determination and Acceptance | Monitor |
6.7 System Decommissioning | Monitor | Disposal

Knowledge Check
Place the SDLC phase within the appropriate RMF step.
Which NIST special publication supersedes SP 800-30 as the source for guidance on risk management?
What are the four components of the new Risk Management Model?
Give an example of Tier 1 risk.
Which phase of the SDLC should define security requirements?
Matching exercise for the first question:
  SDLC phases: Development/Acquisition; Implementation; Initiation; Disposal; Operation/Maintenance
  RMF steps: RMF 1 - Security Categorization; RMF 2 - Security Control Selection; RMF 3 - Security Control Implementation; RMF 4 - Security Control Assessment; RMF 5 - Security Authorization; RMF 6 - Security Control Monitoring

Information System Boundaries
Establishing Information System Boundaries
Boundaries for Complex Information Systems
Changing Technologies and the Effect on Information System Boundaries

Changing Technologies: Effect on Information System Boundaries
Dynamic Subsystems
  Net-centric
  Service-oriented Architecture
  Cloud Computing
External Subsystems
  Contractor Systems
  Trust Relationships

FedRAMP (Federal Risk and Authorization Management Program)
Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations
Increase confidence in the security of cloud solutions
Achieve consistent security authorizations using a baseline set of agreed-upon standards and accredited independent third-party assessment organizations
Ensure consistent application of existing security practices
Increase confidence in security assessments
Increase automation and near real-time data for continuous monitoring

Security Control Allocation Options
System-specific
Common
Hybrid
Inherited

Section C: Roles & Responsibilities

Organization-wide RM Strategy / New Roles
Risk Executive (Function)
Information Security Architect
Information System Security Engineer

RMF Roles & Responsibilities
Head of Agency (Chief Executive Officer)
Risk Executive (Function)
Chief Information Officer
Information Owner/Steward
Senior Information Security Officer
Authorizing Official
Authorizing Official Designated Representative
Common Control Provider
Information System Owner
Information System Security Officer
Information Security Architect
Information System Security Engineer
Security Control Assessor

Head of Agency (Chief Executive Officer)
Highest-level Senior Official
Overall Responsibility for Information & Information Systems
Security Integrated with Strategic and Operational Processes
Sufficiently Trained Personnel
Establishes Appropriate Accountability
Provides Active Support
Oversight of Monitoring

Risk Executive (Function)
Ensures Risk-related Considerations are Organization-wide and Consistent Across the Organization
Coordinates with Senior Leadership to:
  Provide a Comprehensive Approach
  Develop a Risk Management Strategy
  Facilitate Sharing of Risk Information
  Provide Oversight
  Provide a Forum to Consider All Risk Sources

Chief Information Officer
Designating the Senior Information Security Officer
Information Security Policies
Ensuring Adequately Trained Personnel
Assisting Senior Officials with Their Security Responsibilities
Appropriate Allocation of Resources
FISMA Reporting

Information Owner/Steward
Authority for Specified Information
May or May Not Be the Same as the System Owner
Provides Input to Information System Owners
Rules of Behavior
A Single System May Contain Information from Multiple Information Owners/Stewards

Senior Information Security Officer
Carries Out the CIO's FISMA Responsibilities
Primary Liaison for the CIO to the Organization's Senior Officials
Possesses Professional Qualifications
Heads the Office that Conducts FISMA Reporting

Authorizing Official
Formally Assumes Responsibility
Budgetary Oversight
Accountable for Security Risks
Senior Management Position
Approves Security Plans and Plans of Action and Milestones (POAMs)
An Information System May Involve Multiple Authorizing Officials
Authorizing Official Designated Representative

Common Control Provider
Documenting Common Controls
Validating Required Control Assessments
Documenting Assessment Findings in the SAR
Producing POAMs

Information System Owner
Aka Program Manager
Focal Point for the Information System (IS)
Responsible for the IS throughout the SDLC
Addressing the Operational Interests of the User Community
Ensuring Compliance with Information Security Requirements
SSP Development and Maintenance
Deciding Who Has Access to the System
Works with the Assessor to Remediate Deficiencies

Information System Security Officer
Ensures Appropriate Security Posture
Principal Advisor
Day-to-Day Security Operations:
  Environmental
  Physical
  Personnel
  Incident Handling
  Training and Awareness
  Policies and Procedures
  Active System Monitoring

Information Security Architect
Security Requirements Adequately Addressed in:
  Enterprise Architecture
  Reference Models
  Segment and Solution Architectures
  Resulting Information Systems
Liaison Between the Enterprise Architect and the Information System Security Engineer
Advisor to Senior Officials on:
  System Boundaries
  Assessing Severity of Deficiencies
  POAMs
  Risk Mitigation Approaches
  Security Alerts

Information System Security Engineer
Information System Security Engineering: a process that captures and refines information security requirements and ensures that the requirements are effectively integrated into information technology component products and information systems through purposeful security architecting, design, development, and configuration.
Part of the Development Team
Employs Security Control Best Practices
Coordinates Security-related Activities

Security Control Assessor
Conducts SSP Assessments
Conducts Control Assessments
Provides Assessment of Deficiencies
Recommends Corrective Action
Prepares the SAR (Security Assessment Report)
Assessor Independence:
  Unbiased Assessment Process
  Objective Information for Risk Determination

Knowledge Check
What establishes the scope of protection for organizational information systems?
What is the difference between a dynamic subsystem and an external subsystem?
What program uses a “do once, use many times” framework that will save the cost, time, and staff required to conduct redundant agency security assessments?
Which RMF role helps to ensure that risk-related considerations for individual information systems are viewed from an organization-wide perspective?
Which RMF role is responsible for ensuring that the information security requirements necessary to protect the organization's core missions and business processes are adequately addressed in all aspects of enterprise architecture?

Section D: Steps in the RMF Process

The Risk Management Process
Well-defined, Risk-related Tasks
Sequential and Iterative
Clearly Defined Roles
Tight Integration with the SDLC
Milestone Checkpoints
Level of Effort Scaled to the Importance/Criticality of the System
Categorization, the First Step…

Steps of the RMF
Step 1 – Categorize Information System
Step 2 – Select Security Controls
Step 3 – Implement Security Controls
Step 4 – Assess Security Controls
Step 5 – Authorize Information System
Step 6 – Monitor Security Controls
Gap Analysis

Step 1 – Categorize Information System
Security Categorization
Information System Description
Information System Registration
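Worked example of the Security Categorization task (RMF Task 1.1), added here as illustration; it is not part of the FITSP-M slides. It applies the FIPS 199 high-water-mark rule that SP 800-37r1 relies on for this task: each information type the system handles is rated LOW, MODERATE or HIGH for confidentiality, integrity and availability, the system's value for each objective is the highest rating across its information types, and the overall impact level is the highest of the three. Two details a practitioner must get right are coded in: "not applicable" is permitted only for the confidentiality of an information type (public information), and a system is never categorized below LOW for any objective. The information types, their names and their impact levels are constructed for the example and are not from any real system.

```python
"""Added example: FIPS 199 security categorization for RMF Step 1, Task 1.1.

Assumed inputs (not on the slide): each information type carries LOW /
MODERATE / HIGH impact levels per security objective; NA is accepted only
for confidentiality, as FIPS 199 allows. The sample information types at
the bottom are constructed for illustration.
"""
from dataclasses import dataclass

# Ordered impact levels; NA ranks below LOW so a high-water mark never picks it
# when a real level is present.
LEVELS = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type (SP 800-60 style) with its provisional impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact(self, objective: str) -> str:
        value = getattr(self, objective).upper()
        if value not in LEVELS:
            raise ValueError(f"{self.name}: unknown impact level {value!r} for {objective}")
        if value == "NA" and objective != "confidentiality":
            # FIPS 199: NA applies only to confidentiality (public information).
            raise ValueError(f"{self.name}: NA is not permitted for {objective}")
        return value


def high_water_mark(levels) -> str:
    """Return the highest impact level among the given level names."""
    return max(levels, key=lambda lvl: LEVELS[lvl])


def categorize_system(info_types):
    """FIPS 199 categorization of a system from its information types.

    Returns (per_objective, overall): per_objective maps each objective to the
    high-water mark across information types (floored at LOW at system level),
    overall is the high-water mark across the three objectives.
    """
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    per_objective = {}
    for obj in OBJECTIVES:
        level = high_water_mark(t.impact(obj) for t in info_types)
        # FIPS 199: an information system is never categorized below LOW.
        per_objective[obj] = "LOW" if level == "NA" else level
    overall = high_water_mark(per_objective.values())
    return per_objective, overall


def format_sc(per_objective, overall, system_name: str) -> str:
    """Render the result in FIPS 199 notation, e.g. SC x = {(confidentiality, LOW), ...}."""
    triple = ", ".join(f"({obj}, {lvl})" for obj, lvl in per_objective.items())
    return f"SC {system_name} = {{{triple}}}  ->  overall impact: {overall}"


# Constructed sample: a benefits-processing system holding information from
# several information owners, as the Information Owner/Steward slide describes.
SAMPLE_TYPES = [
    InfoType("Public web content", "NA", "MODERATE", "LOW"),
    InfoType("Claimant PII", "MODERATE", "MODERATE", "LOW"),
    InfoType("Payment disbursement", "MODERATE", "HIGH", "MODERATE"),
]

if __name__ == "__main__":
    objectives, overall = categorize_system(SAMPLE_TYPES)
    print(format_sc(objectives, overall, "Benefits System"))
```

The overall level drives the SP 800-53 baseline chosen in Step 2, so a single HIGH information type (here, integrity of payment disbursement) lifts the whole system to a HIGH baseline; the usual remedy when that is unacceptable is to draw the system boundary so that the HIGH data sits in its own system, which is why the boundary discussion in Section B precedes control selection.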

Step 2 – Select Security Controls
Common Control Identification
Security Control Selection
Monitoring Strategy
Security Plan Approval

Step 3 – Implement Security Controls
Security Control Implementation
Security Control Documentation:
  Planned Inputs
  Expected Behavior
  Expected Outputs

Step 4 – Assess Security Controls
Assessment Preparation
Security Control Assessment
Security Assessment Report
Remediation Actions

Step 5 – Authorize Information System
Plan of Action and Milestones
Security Authorization Package
Risk Determination
Risk Acceptance

Step 6 – Monitor Security Controls
Information System and Environment Changes
Ongoing Security Control Assessments
Ongoing Remediation Actions
Key Updates
Security Status Reporting
Ongoing Risk Determination and Acceptance
Information System Removal and Decommissioning

Risk Management Framework: Key Concepts & Vocabulary
Section A: SP 800-37r1
  Evolution of Risk Management
  Harmonization of International and National Standards
  Components of Risk Management
  Multitiered Risk Management
Section B: Risk Management Framework (RMF)
  Characteristics of RMF
  The Fundamentals of RMF
  Steps in the RMF Process

Questions?
Next Module: Gap Analysis