1.2 Creating a Top-Down RMF Approach


Time: 1 hour 45 minutes
Difficulty: Advanced
CEU/CPE: 2
Video Transcription
00:00
All right, so welcome to Risk Management Framework for Executive Management. This is lesson 1.2. We're going to talk about creating a top-down RMF approach, so starting at that executive level and bringing it down.
00:14
So here are the learning objectives. We're going to learn about what executives and management need to understand about RMF to implement it successfully as a top-down approach.
00:23
We're also going to talk about how it can be implemented, starting with the executive level, and then how it can also improve business processes and increase the speed of projects, things that we discussed in the last lesson.
00:37
So we're going to talk a little bit again about the RMF structure. I want to bring this up again so we can look at this diagram and talk about the steps again just really quickly. You know, the preparation step is so important: having the ability to look ahead and know, okay, I know what's next in this process, so let me prepare, let me know what's going on. That way we're not surprised as we go along the way.
01:00
So, organizational risk.
01:03
There's a lot of different things that we need to talk about when we're thinking about organizational risk. When you're implementing the framework, it's going to be dependent on your specific organization and the data you're trying to protect. You know, if you're in the private sector versus federal, you're going to have different laws and regulations, things that you need to follow, and different types of data that you're going to be securing,
01:21
as well as health care. You know, there's a lot of threats out there right now to the health care sector and critical infrastructure as well. So it's important to understand
01:29
what information you really have and what you need to protect,
01:33
as well as manufacturing and academia. There's also a lot of attacks out there now against academic organizations, so cyber attacks are really growing, and it's good to understand what risk you actually face at your organization and at the system level.
01:49
So here's another great statistic. I think this is so important too, because, you know, one of the major vectors for cyber attacks, ransomware, malware
01:59
is through malicious emails, through phishing. It's still one of the easiest ways for people to get in. One of every 302 emails is malicious. When you think about it as an organization, how many emails do you receive?
02:14
Yeah, I know myself, and other people I know, they might get 400 or 500 emails a day,
02:19
so
02:21
at least one of those, maybe two of them, is malicious. Hopefully you've got spam blocking and everything involved, but it's good to know that one of every 300 is malicious, and that's from the Symantec ISTR report from 2019.
02:36
So when we're talking about implementing RMF, how can I really do that as a member of the executive team?
02:43
I think it's really important to take the time to get to know the structure of RMF, if you have the time to read the documentation and really get into it. It's great to talk with other leaders in your organization as well. There may be some other people that might be familiar with risk management or RMF and being able to implement it.
03:01
I think we're going to talk a little bit more about how to implement it in
03:05
new projects or ongoing projects as well.
03:09
So do we already have a process in place for new systems? If we do, can we add some of the RMF steps in there, or can we really improve it by using RMF solely?
03:20
And how can we improve that process? You know, will it help us to speed up our projects? Will it help us to save time, money and resources if we implement this and we're able to get a good repeatable process going?
03:31
And then really understanding who needs to be involved in integrating RMF, so the people who are actually going to be the boots on the ground, the people that are actually implementing RMF in their systems and in their life cycle,
03:45
and then what systems do we already have online? What projects do we have ongoing? Can I implement RMF into those projects that are ongoing? Should I think about new systems only, or what systems did we just authorize? Should we take a step back and say, hey, wait, maybe we need to think about this product or think about this system before we
04:03
implement it, and can we add RMF at the same time?
04:10
So some of the use cases. I'm going to talk a little bit about my experience with RMF and seeing it in practice.
04:15
It really does improve the speed to an ATO. If we're talking about federal organizations, we're talking about getting your system authorized. You're really going to see improvement having those preparation steps, having the documentation and really knowing who needs to be involved from day one. It's going to help to really speed up those projects.
04:35
Without RMF, one of the consequences, you know, there's a lot of adding security at the end. Sometimes you're not able to implement all the security controls or remediate all the vulnerabilities if you're at the end of the project, because you just don't have time, you don't have the resources, so you may have to create
04:53
POA&Ms or say, you know, okay, we're going to accept this risk for now and then we'll try to fix it later. And hopefully you do fix it later, but it's possible that with time, you know, you may forget, or you might not have time, other projects come up. So if security and RMF are implemented from the beginning, it can really help speed things up.
05:12
Security controls
05:15
are unable to be added due to controls not being added properly. So if you have security controls, you're trying to add them at the end. If you're creating software and it's like, oh, by the way, you've got to upgrade Java or you've got to upgrade this third-party library, they may not be able to, because their code may be based on those
05:32
other applications or third-party libraries. So it can create this: okay, well, now we've got to accept this risk,
05:39
whereas if it had been added from the beginning, it may be easier to implement those security controls and make sure you're more secure at the end.
05:53
Okay. So, new systems.
05:55
RMF can be implemented from the ground up. It's much easier, as I mentioned before, to add RMF at the beginning. It makes it easier on all the teams. It makes it easier to add the security controls ahead of time. That way you can test them before they go to production.
06:10
And is there a project schedule already created for your new system? Do you have a project manager that's already working on it? Maybe as a member of the executive team you can go talk to the project manager and say, hey, have you thought about RMF? Are you implementing a baseline, or what are your security controls? What are you thinking about? You know, have you added security in here? I think that's really important. As well as,
06:31
you know, let's add steps to the project schedule. If we can, you know, if we're talking about a new system we haven't implemented yet or started the project, let's add that extra time into the project to make sure we're adding security along the way.
06:46
And when we're talking about new systems, it's great because you can account for potential costs, tools or resources. So if you know you're going to need an additional ISSO, or maybe another sysadmin or another IT security person to help you along the way, you can plan for that and budget for that as you go along.
07:05
And then making sure that you're going to have the right teams involved from the ground up. So making sure that those people we're talking about, those sysadmins, anybody who might be developing the software, and your security team can be involved from the beginning. You can have them in those kickoff meetings, making sure that they're adding everything to the project as you go along.
07:29
All right. So when we talk about ongoing projects,
07:31
so
07:33
we're going to talk about: are we transitioning systems from the cloud? Are we moving systems? Are we moving data centers? Are we going from on-premise to the cloud? You know, that's a huge movement for a lot of people, moving to the cloud, trying to take things out of their data centers. So what IT projects are currently ongoing?
07:49
What's going on? Let's figure out, you know, I know I want to implement RMF, or I know that I want to implement
07:56
some sort of framework to help us address risk at the beginning, so I need to figure out what's ongoing. Are we building software? Are we integrating cloud? Are we adding more applications? Do we need more storage? What are we doing? What IT projects are happening right now,
08:11
and then are any of those teams implementing security controls and practices?
08:16
So this is really important, to make sure that anybody that's working on this project that's ongoing,
08:20
hey, did you guys implement those security controls? Are you thinking about that? Has anybody from security been involved? Because even if the project's ongoing, you can still add security and say, hey, hold on a second, let's make sure we get some people in here to get some eyes on it, run some vulnerability scans or do some quick assessments, figure out what we've got.
08:39
And then for DevOps, how far along is the project,
08:43
you know, as well as who's involved. But
08:46
how far are we in building this application? What are our deadlines? You know, when you're talking about software development and DevOps,
08:52
things move a lot faster and they need to move faster, so
08:56
it's going to take a little bit of give and take to try to figure out where we can add security. Where does it make sense to add security or RMF to make sure that we're not delaying our project or affecting customers, but we can also make sure that we're secure by the time this goes to production?
09:13
Is an ISSO involved? So,
09:16
depending on the size of your organization, do you have ISSOs? If you don't, do you have anybody that understands security assessments, anybody that could come in?
09:24
And then what does the budget look like? Does it make sense to add RMF? Depending on your ongoing project, if it's already ongoing and you haven't added security, you may have to think about adding it at the end, which could slow the project down, or you may not be able to implement those security controls
09:43
the way that you'd like to,
09:46
so you have to think about functionality versus security, you know, in this process. But that's why, when we were talking earlier about new systems, making sure you add RMF at the beginning is a great way to make sure that security is added and you're following along the framework as you go through these projects.
10:03
All right, so I have systems.
10:05
So what do I need to do to implement RMF if my system is already online?
10:11
So it would be great to start with an assessment. Figure out what you've got. You know, is my inventory up to date? Do I know how many workstations, servers, applications, what's going on? And then who manages that system? The system owner would be a great place to start, to say,
10:24
hey, you know, I want to make sure that we're monitoring things properly. You know, are we doing the continuous monitoring we need to do?
10:31
And then were any controls missed during implementation? That's again where it's great to do continuous monitoring, to figure out, okay, we thought we implemented this but we didn't, we didn't catch it at the time. Okay, let's figure it out. Go through the approval process to make sure we can add that later,
10:45
and then what processes and documentation are already in place? I think the more documentation the better. It's great if you have a baseline of what your system was, and then as you go along you can have that change log or that addition as you go through the documentation to say, yes, we
11:01
added this, we changed this control, or hey, we had to roll this back because we had this issue,
11:07
or we installed this application and it added this risk, X risk.
11:11
And then what is the timeline to get security added without impacting production? So do you have any dev systems? Do you have any test systems that you could use to add some of those security features or remediate some vulnerabilities without really affecting what's going on in production?
11:30
Okay. So, planning for the future.
11:33
So what tools do you think you're going to need? You know, are you going to need to upgrade your accounting or payroll systems? Your IT systems are constantly evolving. Are you going to go to the cloud? You know, thinking about those things that you might do, having a five-year roadmap, seven-year roadmap, something that you can look at, especially as executive management, to say,
11:52
you know what, in the future I know we're going to need to do these things, so let's make sure we add that time
11:58
for RMF and how security can be added to improve maybe our future projects. Maybe we can add it right now, but I know we're going to be adding new systems, and we can add RMF, and that will help speed up the process and keep us secure.
12:13
So if you're prepared, the Prepare step, you can reduce the time to purchase, develop and implement new systems.
12:20
You know, I've seen this in practice. Being prepared, having the documentation, making sure the right people are engaged, it always helps the speed and the flow of the project.
12:28
And then you want to weigh the cost of the product versus the cost of the product plus security. So it's good, when you're thinking about budget, obviously, for new IT systems, to say, let me make sure I'm adding security in here. Do I need to add a security tool to complement this new IT system? What do I need to do, security-wise, to make sure that we're going to be okay?
12:46
And then thinking about adding the security team to product development and strategic management meetings. I bring up strategic management because security professionals, if you have a CISO or even ISSOs, anybody who's involved in security, they might be great to add to strategic management meetings. They may be able to help you say,
13:05
hey, you know what, this project we thought was going to take six months, you know what, it might take eight months, or maybe we can make it in six months if we make these changes. So I think it's great to have them involved in strategic management because they can help kind of balance it and security,
13:20
to try to figure out where we can add security, where does it make sense to add security or RMF, to make sure that it fits into a project.
13:31
I've probably said it four times, but at the beginning it's always much easier. If you add security at the beginning, you're not trying to add things onto the end or delaying projects. You know, if you can get that security team in there in the kickoff meeting, it's going to make a huge difference.
13:46
So
13:48
when we're talking about taking a top-down approach to RMF,
13:52
you know, it really starts with executive leadership
13:54
and management, who can say,
13:58
you know, let's think about security when we're implementing this. Let's make sure we're talking to the security team, that we have them involved, making sure that people are thinking about the risk before buying tools. So before adding that application, you know, do we know that it's from an okay vendor? Have we done our own research to find out if this is secure, or if it's going to work in our network?
14:18
And that helps at the beginning of projects and adding to your current network. So making sure that,
14:24
you know, let's say we've addressed the baseline, we know which security controls we have, we want to make sure that if we're adding new tools we're assessing the risk along the way.
14:33
It's going to help with business processes and fewer surprises at the end of the project. None of us like surprises at the end of a project when it comes to delays, or adding onto budget, or trying to figure out, where are the resources, how are they going to fit all of these into our project?
14:52
So I'm going to talk just a minute about AI and machine learning.
14:56
I think this is such a huge thing in the industry right now, when we're talking about so many tools that can leverage AI and machine learning so that they can help people work smarter and faster. So I think it's really important to look at which tools you're looking at. Maybe look at some security tools out there that are already leveraging machine learning
15:16
to help your security team work more efficiently.
15:20
It's much easier with risk management if you can take some of those tools that are able to look at risk and think about, well, you've got the system, this is a system high, you know, this is, I'm not so worried about the standalone system. Okay, well, now I can figure out where my risk is and how to implement the proper security controls for that.
15:39
And so you can adapt that to your business and your projects.
15:45
So not only can this help the security team do a better job, but it can also improve the speed of projects and decision making when it comes to which tools and systems you're thinking about implementing.
15:56
And so we're going to talk a little bit more about this as we go through each step in some of the next lessons.
16:03
So, the summary for this video: we talked about how RMF can be implemented into IT projects, whether at inception, as it's ongoing, or systems that are already in production.
16:12
We also talked about why RMF is so important at the beginning of a project, and how much it can benefit the system and the organization.
16:19
We talked a little bit about how AI can improve RMF and decision making, as well as how it can improve speed and functionality through risk management for all of those IT projects.