1.1 RMF Overview

00:00

All right, so welcome to risk management framework, this is less than 1.1, and this is going to be just a kind of a basic RMF overview before we get into each step.

00:11

So, the learning objectives in this particular module here, we're gonna be talking about what the next risk management framework is and how it can be implemented in the organization. So kind of a high level overview as well as that high level overview of each step. So we're going to give a little bit of information,

00:27

We're also going to talk about some statistics, some interesting data in cyber today and why are meth

00:32

will be important to implement in your organization

00:34

and then why do I need to understand this as an executive management? What what does it mean to me?

00:42

So the risk management Framework. So these are the steps here. Uh this is the diagram, the RmF. Uh so this is the RMF diagram as set out by Nist. Uh these are the steps here. The basic steps, I love this diagram, It gives you a great understanding of which special publications are related to, which steps

01:00

As well as which fits 199 or 5200, which may be related to each step.

01:06

So here are the steps here you want to prepare before you do each step, you're going to categorize your system, you're going to select your controls, you're going to implement those controls and then you want to assess them

01:18

and then you're going to try to authorize that system. So we need to get that at all

01:22

and then we're gonna monitor those controls and see if they're working effectively.

01:27

So prepare. This is one of the newer steps from december 2018 when they updated the Nist RMF. Uh

01:34

the intent behind this step is to really prepare before you do each step in the RMF. So you want to carry out essential activities at all levels, The organizational level, the mission and business process level as well as at the information system level as well.

01:49

You're gonna want to manage security and privacy risks using RMF

01:55

and then who's gonna be responsible for this step was going to be everyone, everyone's gonna need to be involved to make sure that they're prepared for each step to make sure everything goes smoothly and that your projects get done on time.

02:08

So we're gonna go through some statistics as we go through here because I think they're really important to highlight why RMF is so important.

02:15

The average cost of a data breach is $3.92 million. That's from the Parliament institute. They do a really great report every year on what's going on in cybersecurity and what the real statistics are related to cyber and breaches.

02:31

All right, our next step. So we're going to categorize

02:35

so what does that mean for me? Well, we need to categorize the system information processed, stored or transmitted on that system. So this would be based on an impact analysis and that would be done by either the system owner or the S. O as well as having some technical guidance probably provided by your information security team.

02:53

It would depend on if you're talking about a really important system, something that may be low level, maybe not as important. That's really going to depend how you categorize that system.

03:06

So, another great statistic here, the average size of a data breach is 25,575 records. Again, this is from the latest Parliament institute data breach,

03:16

this is from the latest Parliament institute data breach study from 2019. Uh this just really highlights how incredible these cyber attacks are and uh we'll talk a little bit more about cyberattacks, how they happen and why RMF is important. But

03:31

the average size is over 25,000 records that's data being stolen. That could be P. I. P. I. A. All that information stolen from either your customer or from your organization.

03:46

So our next step we need to select our controls.

03:49

So what does that mean? Well, I need to have an initial set of baseline security controls that's going to give me that that baseline where I can start from to make sure that my system is secure

04:00

and then you're gonna want to tailor and supplement that baseline based on how you categorize your system. You know, if you're talking about a system high, high level of security that you need to have on the system, then your controls are probably going to be a little more stringent than something. That maybe is a stand alone system. Maybe it's not internet face, their public facing. So maybe you won't need to worry about that one as much.

04:19

So who's gonna be responsible for some of the same people? You're going to have your esos involved if you have them, your system owner as well as some technical guidance probably provided by the information security team as well.

04:35

So this is another great statistic estimated damages by 2021 for cybersecurity breaches is $6 trillion. That's what they're estimating. The amount of cost is going to be worldwide for cybersecurity attacks. This is from Forbes, I think this is an important number because as an executive

04:55

or part of the executive management team, we're always thinking about costs. We're always thinking about risk.

04:59

So it's important to make sure we understand that

05:02

cybersecurity attacks are really expensive and can be really expensive to the organization.

05:11

All right, so we're gonna do a pop quiz. So which step should be integrated into each step of the RMF process,

05:19

that's going to be the preparation step. So before we go into any step, before we're selecting our controls before implementing anything, we want to make sure that we're prepared. And as we go through each lesson, we're going to get a better idea of what that means to each step, how to prepare for each step. But it's a great way to understand and be prepared for each step in the arm and process.

05:43

Yeah,

05:44

so our next step is gonna be to implement those controls that we've selected. So this is gonna be based on that baseline or those tailored controls that we selected before we're going to implement those, we're going to add them to our systems, so we're gonna deploy them at the system level and to the operational environment.

06:00

Um and of course you should always test them first. Uh So this is going to include workstations, servers, databases, websites, and any custom developed code or applications you have, you know, we still need to think about security when we're developing code uh and how RMF can help with that process.

06:15

And then the responsibility is going to fall mostly on the technical pOC is your sys admins, your developers, anybody who's actually hands on technically involved in those systems and you're so if you have them should also be involved making sure that everything's going according to the documentation.

06:34

All right. So one more statistic here we're going to talk about is the amount of reported cybercrime.

06:40

They only estimate at about 10% annually. That's pretty low. Thinking about how much cybercrime we hear about all the time and thinking that only 10% is actually reported. That's crazy. That means that there's a ton of cyber attacks and breaches happening all the time that we may not know about or hear about, which makes it harder to protect against them.

07:03

Okay, So now we need to assess our controls. So what does that mean? So now I need to assess that the implemented security controls were implemented based on those documentation and procedures that we had done before, that we did in our preparation step and all of our steps that came previously.

07:18

So are they implemented correctly when I actually added that GPO did it apply to that system? I can go to that system and make sure that GPO applied properly? Are they operating as intended? So did they actually secured the system the way that I thought they were going to secure it.

07:32

And is it producing the desired outcome? And I actually secure house my functionality is everything blending well together.

07:39

Um and then your continuous monitoring team is really going to be involved in that as well as your independent assessors. They're going to be the ones that are going to come in and say, hey, I'm not sure if that control works quite as well as, you know, it's showing that it's vulnerable. I know you said he implemented it might be registered key or another setting that's really missing.

08:00

Okay, so another statistic we're going to talk about here

08:03

uh ransomware attacks per minute. 12 news dot com reported. That happens every 14 seconds. It's incredible. Obviously it's

08:13

unfathomable to think about how much ransomware is actually happening right now in the world. And when you think about things now that ransomware is a service, it's so much easier for Attackers out there to actually conduct a ransomware attack on an organization. So it's, it's really important to understand that uh,

08:31

implementing our controls and then making sure they're working properly, maybe will help us uh, prevent a ransomware attack from happening to us.

08:41

All right. So we've assessed our controls, we need to authorize them. And this is really where executive management is going to come in and say,

08:48

you know what? I'm I'm looking at the risk and I need to look at it from the operational asset level, individual level. And then finally, at the organizational level, I need to figure out what this risk to the system means to my organization.

09:01

So is this acceptable risk? Am I okay with

09:05

knowing that we can implement every control or we can't fix every security hole? But this is acceptable to me. I understand the risks

09:13

and then it's great to have an independent assessor if you don't have one on your team to come in and make a recommendation based on their assessment. So they can, they're the ones who are really going to come in and say uh you know, I yes, I think this is going to work well or you know, I don't think this is going to work. We need to, we need to reassess the risk here,

09:31

then who's responsible your system owners and then your C. I. O. Or your sister or depending on your organization, your CEO may be involved if they need to really authorize these systems uh since they may be the ones accepting the risk.

09:46

Okay, so this the yahoo breach I think is a really interesting one to talk about because the number that they found initially from the yahoo breach was much smaller, they thought really have so many customers affected. It's not that many

10:00

and that number grew and grew as time went on as they realized how long people have been in their systems, how much data they had, exfiltrate ID and what they've really done to their systems and it was three billion users. That's incredible that that many people were affected. Uh and that's from CPO magazine dot com, but it's just, it's interesting to see that,

10:18

you know, a huge organization like yahoo can be breached too.

10:22

Um So it's important to make sure that you're looking at the right controls, your implementing that correctly, uh and that RMF can really help with that process.

10:33

All right, so we've authorized the system as executive management, we're fine with the way that our systems are,

10:39

but now we need people to actually monitor those controls. We need to make sure that they're these controls are actually in place still in place and that maybe as time goes on as things change, we may need to implement more. So it's important to really document those changes. Obviously those would be the ISOS would really be involved with making sure the documentation exists for those systems

11:00

and then maybe conduct another impact analysis of any changes that may be occurring. So if we're adding new software,

11:05

if we're adding new servers, maybe we've added more storage, anything like that, we're going to really want to make sure that we're testing the impact that we're assessing those other workstations or servers or applications that may be coming into our environment.

11:18

Uh And then the security state of the system should be reported up to

11:22

appropriate management. If that's executive management or the system owner, whoever is in charge of that system should really know what's going on. Uh So your continuous monitoring team, System administrators, your esos. And again, your system owner is really going to be involved in this process.

11:39

All right. So we're gonna do another pop quiz.

11:41

So who should be involved at each step of the RMF process?

11:46

Yeah, I think this is a this is a really good question because it's important to understand which team should be involved, who should be involved at each step, uh and where executive management really needs to come in. You know, ultimately, your system owners should really be part of every step. They should understand what controls are being implemented, obviously approving them

12:05

and then when it goes to executive management, making sure they understand that they understand the risk to their system as well. Since there the system owners.

12:15

So I found this one the statistic really interesting. The largest DDOS attack on record was 1.7 terabytes per second. This is from the Net Scout threat Intelligence report from 2019. I thought this was incredible because it's so much data, um so much information largest DDOS attack,

12:33

uh 1.7 terabytes per second. It's just it's incredible to think about.

12:39

So we're going to talk about, well, why should I use RMF,

12:41

you know, as an executive management member, as part of the C suite? Why is it important that I make sure that we're using RMF when we're implementing new systems?

12:50

Well, I need to make sure that uh I can improve the efficiency by adding this to the beginning of the sclc. You know, if we're talking about the software development life cycle or the system development life cycle, we need to make sure that we're adding security at the beginning because that can really help to uh improve efficiency, make sure that we're not going back adding security at the end or

13:11

you know trying to add controls where we don't need to

13:13

um we can also create a repeatable process for systems, which helps save so much time and money over time. Uh we were able to um increase the speed of projects, reduce additions, like I mentioned and changes at the end of the project. So that way you're not adding more time, you don't have that addition of security controls at the end, whereas if you added them at the beginning, it might be easier to develop code or to add new systems as you go along.