Now what? Discussion on frameworks in relation to information security, specifically in risk management. What course would be complete without talking about the beloved RMF, the Risk Management Framework? We'll look at Revision 1 and then, quite recently, December 2018, Revision 2 has been published. So,
uh, still the same idea in principle. Now, this is applying the Risk Management Framework to federal information systems, so this could pertain to the design of systems, to the assessment of systems, but making sure that we have a formalized process for
ensuring that systems meet the requirements to exist in a federal information environment. Okay, so we started out with RMF, 800-37 Revision 1. And what we have are the six steps that we're going to examine.
So we start off with categorizing the system.
You know, one of the things that I always teach is, when you're working with risks, start by determining your assets. What am I protecting and what's it worth? Always start with the assets. Well, right here, where we're talking about categorizing the information system, we're looking at our assets.
What are the systems? What environment are they in? What type of information
are they going to be holding? So that's what we mean by categorizing the system. Now, one of the tools that can help me categorize the system is FIPS 199. I'm not necessarily gonna go over all the supplementary documents, but FIPS 199 can help me assess what category,
excuse me, what category a system would belong to based on the content of information that's stored on that system. Okay, so the first step is we're gonna categorize based on value of the system.
Well, then we will select security controls based on the value we just determined. Okay, so we categorize the system with FIPS 199. Now, based on that categorization, we're going to select security controls driven by FIPS
200. So 199 and 200 go very closely together.
199 helps with how to categorize; FIPS 200 talks about using security controls based on the category.
So ultimately, we look at the value of the system. We determine what security controls we want to implement,
and then we implement them,
and then we assess. This is where we test. Now, when I say implement them, I'm not saying that we select security controls and roll them out into our production environment, but we will configure these controls, most likely in the test environment.
And that's when we're going to assess them: penetration tests, vulnerability assessments,
uh, any particular assessment driven by the application or the system.
We should have certification and accreditation.
Is that really, really
no? Let me say it this way. At the end of assessment, the system should be certified.
Then it moves to the accreditation phase, and the accreditation phase is now being referred to as authorizing a system. So it used to be
accredited. Now it's authorized. That's fine.
And certification is the technical evaluation of a product. When we move to authorizing, that's where senior management looks at the product and says, this meets our needs. We want to move forward with it.
This system is authorized to operate in this environment. That's done by the authorizing official,
and at that point in time, there's really not much left to do other than monitor the state of the system in its current environment, and then we start back all over again. We may find that the security of the system doesn't meet the need.
So just like most risk management frameworks and documents, you see sort of that idea of a revolving set of arrows, or iterative process, as the flow. Again, this just goes with RMF.
Identify your assets. Look at threats.
What are the controls in place?
What weaknesses still exist after mitigating with the controls?
What are the identity? What are the consequences?
And that's gonna bring us to risk estimation. So this is the risk identification process again, as a predecessor to risk estimation, and that follows pretty closely to what we're seeing with RMF.
As I mentioned, in December 2018 we have a revision of NIST Special Publication 800-37. And this is now named Risk Management Framework
for Information Systems and Organizations:
A System Life Cycle Approach for Security and Privacy. So notice it no longer specifies "for federal systems." And the reason for that is many private sector organizations have adopted the Risk Management Framework, so we really don't have to limit it to federal systems.
A system life cycle approach for security and privacy.
So throughout the entire life cycle of the product,
we have an approach to implement security and operate a form of risk management.
We start in the middle with prepare. That's our first piece. And as we go to these other elements, we'll come back and prepare, and then we'll operate, then we'll prepare.
But when we talk about preparing, this is where we define our processes, our methodologies. This is where we define how we're gonna implement, how we're going to assess. What metrics are we looking for? How frequently do we monitor? So that preparation
phase is where we're gonna document a plan, essentially,
and that starts at the project initiation phase. When projects get initiated,
we are taking the time to lay out approaches,
concepts, ideas, business case, all that information before we ever begin the project. So right off the bat,
before we even have the word "project" out of our mouth, we begin in preparations. How do we collect requirements? How do we analyze risks? What software do we have?
All right, so not all that different. We categorize our systems once again based on the value of the system. We can still go to FIPS 199 for that.
We select controls. FIPS 200 will help us there.
We implement the controls. We put those controls in place, they get assessed, and at the end of assessment, they should have passed the vulnerability assessment and the pen test.
They should be certified as being technically accurate.
That moves on to senior management for the authorization piece. And if senior management authorizes, this system is now authorized to operate in the specific environment, and senior management accepts all risks associated with that project. So that's a big step. Senior management says,
this is ours. Let's go with it.
And then the last step is to monitor, and continue to monitor, for risks. What risks do I have to monitor for? How often do I monitor for risks? What tools do I use? What are the expected metrics? That's determined in the prepare phase. Right, the
very first thing in preparation,
we laid the groundwork down for what we're gonna be doing moving forward.