3.0 Assessing the System

00:01

Hi and welcome to Risk Management Framework for executive Management. Uh This is less than three dot oh, assessing the system.

00:11

So are learning objectives for this video are going to be where the assessment step fits into RMF, What tasks are associated with the assessment step

00:20

and what executive leadership can do to successfully support organizational and system assessments.

00:28

So the assessment step, we're going to talk about the definition here from the Nist Sp 837.

00:33

The purpose of the assessed step is to determine if the control selected for implementation are implemented correctly, operating as intended, in producing the desired outcome, with respect to meeting the security and privacy requirements for the system and the organization.

00:48

Um And again, if you have any questions about any of the steps mentioned previously or anything going forward, uh the Nist SP 837 has a lot of a lot more detail, a lot of great information if you're interested in learning more.

01:00

Um So why is this important? Why is this assessment step important? So we need to make sure that the controls that we put in place are working properly, they're working as we intended them to work. So we've got to assess them and make sure that if we implemented a that we're seeing a on the outcome.

01:18

So the assessment tasks, all the tasks associated with completing a full assessment

01:23

is going to be the assessor selection. So whether that's someone in house, maybe you have an assessor in house or getting an independent assessor, uh talking about the assessment plan,

01:32

the controls assessments,

01:34

any assessment reports that are going to go along with this step,

01:38

remediation action. Anything that might need to be remediated as well as a plan of action in milestones or poems. Anything that you might need to say, hey, I can't fix this now, we're gonna need to fix this and you know, we but we can fix this in six weeks. So that will be our plan of action.

01:53

So what we're talking about assessor selection,

01:57

we're talking about, we're going to need the security and privacy plans, any common controls in RS Crm strategy depending on what organization or business you're in.

02:07

So are expected outputs. We're gonna need to select the assessor or assessment team if we're going to have a team of people depending on how big our organization and system are to conduct this control assessment. So they're going to be the ones to really come in and say, let me test these and make sure these work the way that we're supposed to.

02:24

So the primary responsibility is gonna be your authorizing officials so that maybe C suite, so that might be the ones making sure that yes, I've selected the proper assessment team or your designated representative.

02:37

So you're supporting roles are going to be C. I. O. Uh senior information security officer or privacy officer. So having those people involved in assessor selection might really help.

02:49

So when we're talking about our assessment plan we're going to need to bring in again the security and privacy plans, common controls and our crm strategy again for this assessment plan

03:00

with the intention that our output is going to be, the security and privacy assessment plans are approved by the A. O.

03:08

So making sure authorizing official is good to go happy with what we're doing. Um So that could be executive management, making sure that yes I'm okay with this assessment plan. And let's move forward

03:19

and of course support by either the C. I. O. Um senior information security officer or privacy officers or the information owner. They might be helping to provide some information or provide support during the assessment plan.

03:34

So why is it crucial to choose the right assessor or team?

03:38

So it's really important because you want to make sure you have technical people that also understand security. So having uh I. T. Or technical people that understand the security controls. They understand the guidelines or the controls that you would have been implementing. So that way they know how to be assessed them properly. So whether that's vulnerability scans, compliance scans

03:58

um whether they're actually going to go in and test those test those controls so making sure you've got the right team to actually test them properly is huge.

04:09

Okay so for control assessments again we're going to be using those security and privacy assessment plans that we did in our previous task as well as any audit results that might come along with that with the expected output.

04:20

That we're going to have completed control assessments in associated evidence so we can say yes I tested these and I know they work properly or no they don't work properly. We need to fix them.

04:32

So again the primary responsibility that's really gonna fall on the assessor. They're gonna be the one that are actually doing the assessments

04:39

and the A. O. Or designated representative security and privacy officers. They're going to be the ones to kind of come in and support them and say yes okay we got this. Do you need this you know how can we help you to do this assessment?

04:51

So the assessment reports uh the inputs are going to come from the previous tasks are completed assessments or any evidence that might be related to that

05:00

with the intention of having a completed security and privacy assessment with findings and recommendations. So the idea is not just to say, hey this is wrong but hey, this might be wrong. Let's fix it and let I know how to fix it. We can help get this resolved. Um we can help improve security posture

05:18

or make sure that if you thought you implemented this control, it's not working properly. Let's fix it.

05:24

The primary responsibility again is going to be the control assessor. They're going to be the ones providing those findings and recommendations and then supporting roles. So system owner and security and privacy officers um they're really going to be helping to support if there's any questions, if they can add any sort of technical knowledge about the environment to the assessor.

05:45

So remediation actions.

05:47

So our inputs are going to come from the previous task, our assessment reports, our findings or recommendations for the organization and system level. You know, depending on what type of assessment you're going to be doing.

05:58

Expected outputs are going to range from initial remediation actions to maybe a reassessment by the team. Um And of course updated security and privacy reports. If we're talking about implementing different controls or we need to do something different, we need to add more software, we need to leverage something else. We're going to use everything that we found in those findings

06:19

uh to maybe conducting another reassessments like Yeah, you know what, let's look at this again, let's figure out what's really going on. Um And that will come after hopefully fixing some of the problems if there were any found after assessing.

06:32

So the primary responsibility is going to fall on the system owner as well as the control assessor

06:39

with support provided by the A. O. Or senior security or privacy officers or anybody in risk management executives, executive level. Um, they'll all be helping to support any remediation actions or reassessment steps.

06:56

So plain affection milestones,

06:58

these are going to be taking all the inputs from before you're going to be taking your assessment reports, any results, um, in looking at your risk tolerance level, all with the intent of bringing a plan detailing the findings of the assessment of what's going to be remediated. Um, and this is usually a plan of, hey, we can fix this in six weeks or

07:17

Hey, eight weeks, 10 weeks, six months. You know, maybe it's a

07:20

software development is going to take six months for us to upgrade all the software or we might need to get rid of some third party libraries or replace them with something else. So all of that takes time. So the poem should really have, um,

07:34

what miles, you know, when it says milestones, what milestones are we going to reach in six weeks? We can do this the next six weeks. We can do that. So

07:42

really having a plan for how we're going to remediate and when

07:46

primary responsibility is going to be on the system owner, they're going to be really responsible for making sure they understand

07:53

what poems there are because usually there's more than one. Um, and following those through making sure that things are getting fixed and poems are getting closed

08:01

and with supporting roles from the information owner, security and privacy officers as well as the control assessor, they may be coming in to provide more supporting evidence or guidance

08:13

quiz. Who are the key players in each task of the assessment step.

08:18

So we're going to have a lot of people involved in assessments and we should, there should be a lot of hands on people involved. So our system owners really going to be involved because they're going to want to understand um if there are any vulnerabilities or any um controls that were implemented properly, you know, they really want to be involved.

08:37

Um and really having the AO and the assessors involved,

08:41

whether it's an independent assessor, individual or group, it will be good to have a lot of communication between all the parties involved.

08:52

All right. So for our executive review,

08:54

so the main takeaway is the assessment step is a crucial step in RMF.

09:00

Um choosing the right team can make all the difference. So having the right people involved in making sure this communication between those people, it's really going to help bring this step together,

09:09

making sure you have technical people performing the assessment. So you really want to make sure that they're actually testing those controls, vulnerability scans and compliance scans are great, but maybe also testing some of those controls to our good

09:22

uh, and understanding the risk tolerance level for the system. So things may come up in the assessment that say, hey, you know what, this is not acceptable risk anymore. We've got to really really evaluate how we're gonna handle this system.

09:35

Uh and poems, they shouldn't be open forever, We should have an actionable date. Um, those dates may slip but to say, hey, you know what, we can get this upgrade done even if it's a year, we can say, hey, we know we're going to have the funds, we can buy this in six months, we can implement it in six months, it will be fixed in a year. So it's good to have that actionable date.

09:54

So in today's video, we talked about why the assessment step is important to RMF.

10:01

We talked about which task are essential to the assessment step,