Welcome to the Risk Management Framework. I'm going to guide you from start to finish through what you need to know to implement the Risk Management Framework (RMF). Over this series we're going to walk through security policy, regulations and frameworks,
RMF roles and responsibilities, the risk analysis process, and RMF steps one through six: Categorize, Select, Implement, Assess, Authorize and Monitor. For those studying for the (ISC)² CAP exam,
this content will suit your requirements.
The exam itself is three hours of 125 multiple-choice questions covering these domains: risk management framework, categorization of information systems, selection of security controls, security control implementation, security control assessment,
information system authorization, and monitoring of security controls.
In this first section we're going to deal with a basic introduction. We're going to define some key terms and concepts that you need to know as you implement the Risk Management Framework. When we're done, you'll be able to identify the important concepts of assurance, assessment and authorization,
list the three key characteristics of security,
list the reasons for the widespread adoption of the Risk Management Framework, define security controls, and list examples of at least three classes of controls. If you're sitting for the (ISC)² CAP exam, this section will cover the basics of the exam
and all the references covered in the current CAP exam.
Where did it start, and why is it important? Well, it all starts with FISMA, the Federal Information Security Management Act. Anything ending in "Act" is a law. Congress passed this law in 2002, mandating that all federal agencies
report back to Congress, or actually to the Office of Management and Budget (OMB),
on the security posture of their information systems. The framework in which they report is the NIST Special Publication 800 series. Starting with NIST SP 800-37, it will walk you through the basics you need to know to begin implementing the Risk Management Framework in your environment.
The Department of Defense issued, or actually reissued,
DoDI 8510.01. This instruction rescinded DIACAP and implements, and refers further to, the Risk Management Framework. It states that the Risk Management Framework is to replace
DIACAP and manage the total life cycle of cybersecurity risk
for all DoD IT systems. The Risk Management Framework is composed of six core steps: Categorize, Select, Implement, Assess, Authorize and Monitor.
Throughout this series we're going to walk one by one through each of the steps, ensuring that you have a full understanding of what's required in each.
Before we can start, we need to understand some core terms, starting with assurance. When we talk about assurance, we're dealing with a degree of trust or confidence that the system is going to act and behave in a predictable manner.
We need to be able to trust our systems.
Protection mechanisms have to process sensitive data on behalf of many types of users while maintaining the same level of protection. You should be familiar with what was initially introduced as the CIA triad,
which introduces the core concepts of security: confidentiality, integrity and availability. We also need to take into account authentication and non-repudiation: authentication to make sure that something is really what it claims to be, or the original, and non-repudiation,
meaning that I cannot deny doing whatever it is that I did.
When dealing with the Risk Management Framework, everything is broken down into three classes of security controls. First, management controls: these are actions taken to manage the development, maintenance and use of the systems, such as policies and procedures.
Then operational controls, the day-to-day mechanisms of how we operate in a given environment,
and then technical controls. These are the "blinky lights", the hardware and software controls and how the devices are configured, such as authentication mechanisms and encryption.
Within the management class you'll see the families Security Assessment and Authorization, Planning, Risk Assessment, System and Services Acquisition, and Program Management, along with audit and human resources.
The operational control families deal with Awareness and Training, Configuration Management, Contingency Planning, Incident Response, Maintenance, Media Protection, Physical and Environmental Protection, Personnel Security, and System and Information Integrity.
Within the technical class, 59 controls all together are represented across four core families: Identification and Authentication, Access Control, Audit and Accountability, and System and Communications Protection.
In the table on screen you can clearly see the class in the first column (management, operational or technical), then the long name, or base name, of the control family, and then the two-letter identifier. We'll get into more of that later.
So why these families, and why do we consider these controls to be comprehensive? Well, it all points back to defense in depth, which in basic terms is successive layers that force adversaries to break through one barrier and then immediately another, and another,
until hopefully they have exhausted their resources and we have still protected the core asset.
Next, let's talk about assessment.
The core definition given to us by NIST is: the testing and/or evaluation of the management, operational and technical security controls to determine the extent to which the controls are implemented correctly, operating as intended
and producing the desired outcome with respect to meeting
the security requirements for an information system or organization. Put simply, make sure that it's doing what we think it's supposed to do and how it was designed to do it.
Next, authorization. The core definition offered by NIST is: the official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations, assets, individuals,
other organizations and
the Nation based on the implementation of an agreed-upon set of security controls. In other words, after the assessment,
someone has to sign off, say "I've got it", and own the risk.
In our next section we will deal with some of the cybersecurity policies and core regulations.