Time: 2 hours 22 minutes
Difficulty: Intermediate
CEU/CPE: 2

Video Description

This lesson introduces the Department of Defense (DoD) Risk Management Framework (RMF). The course prepares participants for the (ISC)² CAP exam, which consists of 125 multiple-choice questions answered in three hours and covers the following domains:

  1. Risk management framework
  2. Categorization of Information Systems
  3. Selection of Security Controls
  4. Security Control Implementation
  5. Security Control Assessment
  6. Information System Authorization
  7. Monitoring of Security Controls

The instructor walks through a chapter-by-chapter breakdown of the course and states the goals of each chapter. The Risk Management Framework is an important concept because it keeps evolving as security systems become more complex and advanced. RMF consists of six key steps:

  Step 1: Categorize the system
  Step 2: Select security controls
  Step 3: Implement security controls
  Step 4: Assess security controls
  Step 5: Authorize the system
  Step 6: Monitor security controls

In the field of RMF, it is important to familiarize yourself with the following terms:

  1. Assurance
  2. Assessment
  3. Authorization
  4. Confidentiality
  5. Integrity
  6. Availability
  7. Authentication
  8. Non-repudiation

The instructor also explains the three classes of security controls, management, operational and technical, and the control families that belong to each.

Video Transcription

00:10
wrist.
00:15
Welcome to Risk Management Framework. I'm Mike Redman, and I'm going to guide you through, from start to finish, what you need to know to implement the Risk Management Framework. Over this series, we're going to walk through security policy, regulations and frameworks,
00:32
RMF roles and responsibilities, risk analysis processes, and Steps one through six: Categorize, Select, Implement, Assess, Authorize and Monitor. For those studying for the (ISC)² CAP exam,
00:50
this content will suit your requirements.
00:53
The exam itself is three hours of 125 multiple-choice questions covering these domains: Risk Management Framework, Categorization of Information Systems, Selection of Security Controls, Security Control Implementation, Security Control Assessment,
01:08
Information System Authorization, and Monitoring of Security Controls.
01:15
In the first section, we're going to deal with the basic introduction. We're going to define some key terms and concepts that you need to know as you implement the Risk Management Framework. When we're done, you'll be able to identify the important concepts of assurance, assessment and authorization,
01:34
list the three key characteristics of security,
01:37
list the reasons for widespread change to the Risk Management Framework, and define security controls and list examples of at least three classes of controls. If you're sitting for the (ISC)² CAP exam, this section will cover the basics of the exam
01:55
and all the references covered in the current CAP exam.
01:59
So why RMF?
02:00
Where did it start from, and why is it important? Well, it all starts with FISMA, the Federal Information Security Management Act. Anything ending with "Act" is a law. Congress passed this law in 2002, mandating that all federal information systems
02:19
must report back to them, or actually to the Office of Management and Budget (OMB),
02:23
the security posture of their machines. The framework in which they'll report is the NIST Special Publication 800 series. Starting with NIST SP 800-37, it will walk you through the basics that you need to know to begin implementing the Risk Management Framework in your environment.
02:42
The Department of Defense issued, or actually reissued,
02:46
DoDI 8510.01. This publication rescinded DIACAP and implements, and refers further to, the Risk Management Framework. This instruction indicates that the Risk Management Framework is to replace
03:02
DIACAP and manage the total life cycle of cybersecurity risk
03:07
for all DoD IT systems. The Risk Management Framework is composed of six core steps: Categorize, Select, Implement, Assess, Authorize and Monitor.
03:21
Throughout this series, we're going to walk one by one through each of the steps, ensuring that you have a full understanding of what's required in each.
03:30
Before we can start, we need to understand some core terms, starting with assurance. When we talk about assurance, we're dealing with a degree of trust or confidence that the system is going to act and behave in a manner that is predictable.
03:46
We need to be able to trust our systems.
03:51
All protection mechanisms work to process sensitive data for many types of users and maintain the same level of protection. You should be familiar with what was initially introduced as the CIA triad,
04:05
introducing the core concepts of security: confidentiality, integrity and availability. We also need to take into account authentication and non-repudiation: authentication, to make sure that it is real or the original, and non-repudiation,
04:26
ensuring
04:27
that I cannot deny doing whatever it is that I did. This is non-repudiation.
04:34
When dealing with the Risk Management Framework, everything is broken down into three classes of security controls. First, management controls: these are actions taken to manage the development, maintenance and use of the systems, like policies and procedures;
04:51
the operational controls, the day-to-day mechanisms of how we operate in a given environment;
04:58
and then the technical controls. These are the blinky lights, the hardware and software controls, and how the devices are configured, such as authentication mechanisms and encryption.
05:10
When dealing with management controls, you'll see Security Authorization and Security Control Assessment, Planning, Risk Assessment, System and Services Acquisition, Program Management, audit and human resources.
05:25
The operational control families deal with Awareness and Training, Configuration Management, Contingency Planning, Incident Response, Maintenance, Media Protection, Physical and Environmental Protection, Personnel Security, and System and Information Integrity,
05:42
and within the technical control family, all together there are 59 controls represented in these four core families: Identification and Authentication, Access Control, Audit and Accountability, and System and Communications Protection.
06:00
You can clearly see the class represented in the first column, management, operational or technical, the long name or the base name of the control family, and then the two-letter identifier. We'll get into more of that later.
06:16
So why these families, and why do we consider these controls to be comprehensive? Well, it all points back to defense in depth, which in basic terms is the successive layers that cause adversaries to have to break through one barrier and then immediately another, and another,
06:34
until, hopefully, they've exhausted their resources, and yet we still protect the core asset.
06:41
Next, let's talk about assessment.
06:44
Assessment. The core definition given to us by NIST is the testing and/or evaluation of the management, operational and technical security controls to determine the extent to which the controls are implemented correctly, operating as intended,
07:00
and producing the desired outcome with respect to meeting
07:04
the security requirements for an information system or organization. The short version, simply, is: make sure that it's doing what we think it's supposed to do, and how it was designed to do it.
07:16
Next, authorization. The core definition offered by NIST is the official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations, assets, individuals,
07:36
other organizations and
07:39
the nation, based on the implementation of an agreed-upon set of security controls. In other words, after the assessment,
07:48
someone has to say, "I've got it."
07:53
In our next section, we will deal with some of the cybersecurity policies and core regulations.

Instructed By

Michael Redman
Sr. ISSM at deciBel Research, Inc.