CRISC
Course
Time: 6 hours 30 minutes
Difficulty: Advanced
CEU/CPE: 7

Video Transcription

00:02
Now, what discussion on frameworks in relation to information security, specifically in risk management, what course would be complete without talking about the beloved RMF? The risk management framework. We'll look at revision one and then, quite recently, December 2018,
00:21
revision two has been published. So,
00:24
still the same idea in principle. Now, this is applying the risk management framework to federal information systems, so this could pertain to the design of systems, to the assessment of systems, but making sure that we have a formalized process for
00:44
ensuring that systems meet the requirements to exist in a federal information environment. Okay, so we started out with RMF, 800-37 Revision 1. And what we have are the six steps that we're going to examine.
01:02
So we start off with categorizing the system.
01:06
You know, one of the things that I always teach is, when you're working with risks, start by determining your assets. What am I protecting, and what's it worth? Always start with the assets. Well, right here, where we're talking about categorizing the information system, we're looking at our assets.
01:25
What are the systems? What environment are they in? What type of information
01:29
are they going to be holding? So that's what we mean by categorizing the system. Now, one of the tools that can help me categorize the system is FIPS 199. I'm not necessarily gonna go over all the supplementary documents, but FIPS 199 can help me assess what category,
01:48
excuse me, what category a system would belong to based on the content of information that's stored on that system. Okay, so the first step is we're gonna categorize based on value of the system
02:00
now.
02:00
Well, still, we will select security controls based on the value we just determined. Okay, so we categorize the system with FIPS 199. Now, based on that categorization, we're going to select security controls driven by FIPS
02:16
200. So 199 and 200 go very closely together.
02:22
199 helps with how to categorize. FIPS 200 talks about using security controls based on the category.
02:30
So ultimately, we look at the value of the system. We determine what security controls we want to implement,
02:38
and then we implement them,
02:40
and then we assess. This is where we test. Now, when I say implement them, I'm not saying that we select security controls and roll them out into our production environment, but we will configure these controls, most likely in the test environment.
02:57
And that's when we're going to assess them: penetration tests, vulnerability assessments,
03:01
any particular assessment driven by the application or the system.
03:07
And at that point,
03:08
the system. We should have certification and accreditation.
03:15
Is that really, really
03:16
no? Let me say it this way. At the end of assessment, the system should be certified.
03:23
Then it moves to the accreditation phase, and the accreditation phase is now being referred to as authorizing a system. So it used to be
03:32
accredited. Now it's authorized. That's fine.
03:36
And certification is the technical evaluation of a product. When we move to authorizing, that's where senior management looks at the product and says, this meets our needs. We want to move forward with it.
03:51
This system is authorized to operate in this environment. That's done by the authorizing official,
03:57
and at that point in time, there's really not much left to do other than monitor the state of the system in its current environment, and then we start back all over again. We may find that the security of the system doesn't meet the need.
04:12
So just like most risk management frameworks and documents, you see sort of that idea of a revolving set of arrows, or iterative process, as the flow. Again, this just goes with our RMF.
04:27
Identify your assets. Look at threats.
04:30
What are the controls in place?
04:31
What weaknesses still exist after mitigating with the controls?
04:38
What are the identity? What are the consequences?
04:41
And that's gonna bring us to risk estimation. So this is the risk identification process, again, as a predecessor to risk estimation, and that follows pretty closely to what we're seeing with our RMF.
04:55
All right. Now,
04:57
as I mentioned, in December 2018 we have a revision of NIST Special Publication 800-37. And this is now named Risk Management Framework
05:10
for Information Systems and Organizations:
05:14
A System Life Cycle Approach for Security and Privacy. So notice it no longer specifies for federal systems. And the reason for that is many private sector organizations have adopted the risk management framework, so we really don't have to limit it to federal systems.
05:31
A system life cycle approach for security and privacy.
05:38
So throughout the entire life cycle of the product,
05:42
we have an approach to implementing security and operating a form of risk management.
05:48
All right, now
05:49
we start in the middle with prepare. That's our first piece. And as we go to these other elements, we'll come back and prepare, and then we'll operate, then we'll prepare.
06:00
But when we talk about preparing, this is where we define our processes, our methodologies. This is where we define how we're gonna implement, how we're going to assess. What metrics are we looking for? How frequently do we monitor? So that preparation
06:16
phase is where we're gonna document a plan, essentially,
06:20
and that starts at the project initiation phase. When projects get initiated,
06:28
we are taking the time to lay out approaches,
06:31
concepts, ideas, business case, all that information before we ever begin the project. So right off the bat,
06:42
before we even have the word project out of our mouth, we begin in preparations. How do we collect requirements? How do we analyze risks? What software do we have?
06:51
And so
06:53
all right, so not all that different. We categorize our systems once again based on the value of the system. We can still go to FIPS 199 for that,
07:03
we select controls. FIPS 200 will help us there.
07:08
We implement
07:10
the controls. We put those controls in place, they get assessed, and at the end of assessment, they should have passed the vulnerability assessment and the pen test.
07:18
They should be certified as being technically accurate.
07:24
That moves on to senior management for the authorization piece. And if senior management authorizes, this system is now authorized to operate in the specific environment, and senior management accepts all risks associated with that project. So that's a big step. Senior management says,
07:43
This is ours. Let's go with it.
07:46
And then the last step is to monitor, and continue to monitor for risks. What risks do I monitor for? How often do I monitor for risks? What tools do I use? What are the expected metrics? That's determined in the prepare phase. Right, the
08:05
very first thing in preparation,
08:07
we laid the groundwork down for what we're gonna be doing moving forward.

This course on Certified in Risk and Information Systems Control is for IT and business professionals who develop and maintain information system controls, and whose job revolves around security operations and compliance.

Instructed By: Kelly Handerhan, Senior Instructor