All right, so welcome back. We're in Risk Management Framework for Executive Management, and this is lesson 1.3, which covers the new step, the preparation step.
So, our learning objectives for this video: we're going to learn how the preparation step has been incorporated into RMF and what it means to each step of the framework. We're going to go through that. We're also going to go through what tasks are associated with the preparation step,
and we're going to talk just a little bit about how the NICE framework and the CSF, the Cybersecurity Framework, map to RMF.
All right, so, the preparation step. I am going to read this to you because I think it's important to see how NIST SP 800-37 Rev. 2 defines preparation.
The purpose of the preparation step is to carry out essential activities at the organization, mission and business process, and information system levels of the enterprise to help prepare the organization to manage its security and privacy risks using the Risk Management Framework. That's one of the big things we're going to talk a lot about: you're going to see more security and privacy in each step as we go along.
So why was SP 800-37 updated? I think this was a great update. It helped to provide a better link between the risk management process and the C-suite. Since we're talking about executive management, that means how executive management can be involved and what it means at the governance levels as well.
It also helps to institutionalize risk management to improve execution of the RMF, so that when we're actually using the Risk Management Framework, we're implementing it properly,
and then to demonstrate the alignment from RMF to CSF. If you haven't already, I'd recommend reading the Cybersecurity Framework as well. It's a great document that pairs with RMF.
It also integrates privacy risk management. Again, we're going to talk a little bit more about privacy as we go along; you're going to see it really integrated into each step.
It aligns the lifecycle-based systems engineering tasks to RMF, which I also think is important. We talked a little bit about that with software development, but actually aligning the life cycle to RMF is great. And then it integrates supply chain risk management, which is another huge risk
out there for several organizations, so it's great to understand those risks.
So this isn't actually part of RMF itself, but I think it's really important to think about having a risk committee. I mention this as food for thought, something to think about. You could have an independent board, similar to a board of advisors, but a risk committee would be available to help provide
guidance for risk management policies and operations.
So they'd be the ones to look at, you know, RMF compliance, frameworks, governance, the things that would be important to your organization.
And it doesn't have to be an external committee. You could bring experts in to do this, but you can also leverage your internal groups as well. You could take some of your people who may be risk management executives, or people who are very familiar with risk management, to take a look and help provide guidance.
So they would help in identifying and prioritizing risk activities. That would include implementing RMF and what it could mean to projects.
Okay, so when we're talking about preparation tasks, we're going to talk about them in two ways. First we're going to talk about them at the organizational level. You can find more on these tasks in the RMF document,
but these are the expected outcomes of the preparation step at the organizational level. As executives, it's important to understand which tasks should be coming out of the preparation step.
So here we are going to be looking at risk management roles and strategy; risk assessments, which would be organization-wide;
your control baselines, which we discussed earlier, as well as your CSF profiles (so if you're not familiar with the Cybersecurity Framework, get familiar with that and with what profiles might be related to each step);
common control identification, meaning what domain-level policies you could put in place that would apply to other systems, so that you could use them for inheritance;
impact-level prioritization, which is an optional task (there's more information about this in the RMF if you're interested in learning more about the impact level
and how to prioritize it);
and your continuous monitoring strategy. This is a big one for me. I think this is huge. Having a continuous monitoring strategy really helps you find and pick up the things that might be issues as you go along.
Okay, so here are the roles and the strategy for risk management.
We want to identify and assign roles for security and privacy risk management. That includes internal personnel and external contractors, since you may have vendors working with you, so that you can look at any possible conflicts of interest.
You can also see if there may be any roles allocated to a group instead of a person. So instead of one person doing something, maybe a group can
work on it and fix it.
Then you want to establish a risk management strategy. What level of risk is acceptable to me? We talked about that a little bit, but it's going to be different depending on your organization and your system.
Then you're going to think about
what decisions are coming from the senior leaders throughout the organization. That's executive management: can we create that top-down approach for security and risk management?
This could be one document, or it could be lots of documents, security- and privacy-related.
This is actually going to inform the strategic-level decision making. And again, you want to make sure you're addressing privacy concerns as well as security with RMF.
So when we're talking about a risk assessment, we want to assess organization-wide security and privacy risk. We want to think about all of our systems and what everything means to our organization. So we want to aggregate information from system-level results, our continuous monitoring program, as well as our strategic vision. When we're thinking about what we want to do
as an organization, we need to think, okay, how is this risk going to affect me?
What's my continuous monitoring plan? How are we going to make sure that we're looking at the totality of the risk? I need to look at everything; it's not just physical security, it's making sure systems are secure, everything.
So that's going to be gathered from internal and external systems.
We're also going to be looking at the variability of the environment. Where am I located? Where are my systems? What risk do I need to look at in this place versus that place?
And are higher-impact systems separate from lower-impact systems? Do I have network segmentation, making sure that my systems are separated so that my high-impact systems are much better protected?
Let's talk about the control baselines a little bit, and we're going to talk about the CSF profiles just a little bit too.
It's really important to establish the control baseline. This is a set of controls to reduce risk, and it's meant to be used across the organization. So when I think group policy, I'm thinking, you know, AD; I'm thinking, what policies do I need to put at the domain level so that every system has the same settings, whether it's a password policy
or some other domain-level policy that might help you to protect all of your systems, something that might be critical to you.
You can use SP 800-53B to derive control baselines. That would be more for federal organizations.
And then the CSF profiles complement the NIST control baselines. Add and eliminate controls as necessary; depending on what your system is, you're going to want to change your baseline.
This may be mandated by laws, executive orders, or directives, depending on what organization you are, how big you are, and what you're looking at doing with your control baselines.
Again, you might benefit from using one of the CSF profiles. I highly recommend checking out the Cybersecurity Framework and getting some more information on that. It can align cyber with your mission, so aligning security and your mission together.
So when we're talking about identifying those common controls, these are the ones we're talking about for inheritance, for group policy. It can be anything from the 800-53 physical and environmental controls, so security guards, CCTV, or any of the other physical controls;
personnel security controls: who are we hiring, are we doing background checks, are we vetting people;
and then our acquisition controls: how do we actually buy products, who are we buying them from, what is acceptable for us when we're buying products, do we know where they're coming from, are we okay with this organization?
I recommend that you check out his course on Cybrary for more information on enterprise controls. He's got a great video on that.
Okay, so when we're talking about our continuous monitoring strategy, we want to develop and implement a continuous monitoring program as well as our documentation. We need to understand what documentation we have and what procedures we are going to follow.
We need to make sure that we're constantly monitoring our security posture and whether our controls are effective, because if we're not looking at anything, people might be making changes, or if we're adding applications and not checking on them, we might be introducing vulnerabilities into our environment.
That's going to be essential to creating efficient and cost-effective solutions.
This can include supply chain risk, which is reviewing foreign ownership, control or influence: checking any of those products to make sure where they're coming from, who's bought them, and what I am going to do with them.
Then we want to define the minimum monitoring frequency. Depending on your system or what's involved, you might want to do daily versus weekly scans, depending on how much it's used and whether it's used during production hours. So make sure that you're defining those scans for your systems,
and then any use of automation that will help you improve your scanning and check your controls more efficiently. Automating those scans and making sure that they're running constantly means you're always going to get the most up-to-date information from those scans.
Okay, so we're going to do a pop quiz. What team could be created to aid in building risk management strategies and policies?
The risk committee that I mentioned earlier. They could be really critical in helping to identify risk, but also to prioritize risk, helping to make sure that you're looking at the right things, because it can be really easy to say, oh man, I see this critical vulnerability over here, this is so important,
when really you have another system that might be more impacted. It might be more important to look at that system based on the proprietary data or information that you have stored there.
So now we're going to talk about the preparation tasks at the system level.
These are the expected outcomes of the preparation step at the system level. We went over the organizational level, so now we're going to get a little more granular and go to the system level. As executive management, it's important to understand this because you're going to have system owners who may come to you to authorize their systems or to make sure that what they've got going on is okay. So it's good to
understand what's going on at the system level as well.
Here we're going to be looking at the mission and business focus, as well as the stakeholders; asset identification; the authorization boundary (what's contained in my system, how far does it go, and what am I responsible for?); information types; the information lifecycle;
risk assessments, again at the system level;
our requirements definition;
our full enterprise architecture, as well as our requirements allocation and system registration.
So when we're talking about mission or business focus, we need to figure out what mission this system needs to support. What is the business function or process? What do I need to do with this system? What's it going to support?
We're going to prioritize investment strategies and funding decisions based on this. How much money do I want to allocate to this system versus that system? What do I need to do based on resource utilization, looking at how many resources are needed per system?
As well as how my enterprise architecture is affected: if I'm looking at the organizational level and I add this system here, how is it going to affect everything?
That would include the development of security and privacy considerations.
Next, your stakeholders for your system.
That's going to be anyone that's interested in the entire system life cycle. Again, we're going to be talking about system owners,
and they may be in the organization or outside the organization, but they're going to have a common interest in that system. So we're talking about vendors or anyone who may have a stake in it
during the development or operation of cloud-based or shared services. We need to consider that when we're thinking about who is going to be a stakeholder for that system.
We need to think about communication between our partners. That's such a key step of RMF: making sure that all the teams are working together properly, that they're talking to each other, and that they're thinking about what needs to be done in the next step of RMF.
That way we can ensure that security and privacy concerns are addressed.
So here's our video summary, what we talked about today: what the preparation step of RMF means. We talked about how it affects the business and mission processes at the organization and system levels, as well as how a risk committee could help lower risk in the organization and help to secure your systems.