NIST 800-39

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Course
Time
8 hours 25 minutes
Difficulty
Advanced
CEU/CPE
9
Video Transcription
00:00
>> Why don't we take a look
00:00
at special publication from NIST,
00:00
National Institute of Standards and Technology,
00:00
and this is NIST 800-39,
00:00
which is managing information security risk,
00:00
perfect for this course,
00:00
and there are other organizations
00:00
that have other risk frameworks and
00:00
other risk mitigation documents
00:00
or risk assessment documents.
00:00
But I think NIST is very closely
00:00
aligned with ISOC's methodology and approach.
00:00
Let's start off by looking at 800-39.
00:00
Here we're looking to manage
00:00
the organizational security risks at three basic levels;
00:00
the organization, the mission,
00:00
and the individual information systems.
00:00
We'll come and talk about this as
00:00
the three tiers within the organization.
00:00
We'll look at that in just a few minutes.
00:00
But basically, what NIST 800-39 tells us,
00:00
is there a set of processes that
00:00
we perform in managing risks.
00:00
In the middle, we see frame, risk framing.
00:00
What risk framing means is that we put the risk into
00:00
context and it's in context
00:00
of our organization or our environment.
00:00
If we're in the government military,
00:00
we have a very specific environment,
00:00
a very specific culture.
00:00
If we're in the payment card industry with their laws
00:00
and regulations or regulations more specifically,
00:00
we have to abide to.
00:00
Regardless of our environment,
00:00
every organization has those unique elements
00:00
that we have to understand in order to approach risk.
00:00
Organizational objectives, vision of
00:00
the organization, mission statement, stakeholders.
00:00
Looking and understanding those pieces
00:00
is what we're doing in framing.
00:00
Once we understand the context of
00:00
the organization and the objectives
00:00
and the culture and the environment,
00:00
then we move on specifically addressing individual risks.
00:00
Now, in the assessment piece up at the top,
00:00
we're going to talk about this
00:00
because there's a supplementary document,
00:00
NIST 800-30, that gives us the steps of risk assessment.
00:00
But assessment, ultimately,
00:00
we're getting a value for the risk and
00:00
taking the value for the risk and examining
00:00
it in context of the cost of the countermeasure,
00:00
and we're trying to find
00:00
a solution that has a greater benefit than the cost,
00:00
that's what we're doing in risk management.
00:00
We gather information, we examine the risk,
00:00
we get a value for the risks.
00:00
We want to make a good cost-effective decision
00:00
on how to mitigate the risk to the appropriate degree,
00:00
and that's what assessment is all about.
00:00
Once we've made the decision,
00:00
what risk mitigation strategy to implement,
00:00
we implement it in the response piece.
00:00
Here's the point where we reduce
00:00
or accept or transfer risk,
00:00
and then once we've implemented that risk response,
00:00
we have to continue to monitor the controls we've put
00:00
in place for changes to the threat landscape,
00:00
changes in the control,
00:00
changes in the environment that
00:00
might change our risk profile.
00:00
These are the four aspects of
00:00
managing risk per NIST 800-39.
00:00
Again, just hitting the highlights here,
00:00
risk framing, look at
00:00
assumptions, constraints, tolerance.
00:00
Look at organizational objectives.
00:00
Look at all the things that are
00:00
unique to this particular environment.
00:00
If it's organization-wide or if it's
00:00
based on a project or an endeavor,
00:00
frame the risk and put it into context,
00:00
then we conduct the assessment.
00:00
We'll go into more detail in just a few minutes
00:00
when we get to NIST 800-30,
00:00
we respond based on the assessment.
00:00
The whole purpose of that risk
00:00
assessment was so that we can
00:00
make a good decision in the risk response phase.
00:00
We're going to make sure that
00:00
we act upon what we've learned.
00:00
Then monitoring,
00:00
ultimately what we're doing in
00:00
>> risk monitoring is making
00:00
>> sure that our mitigation controls are
00:00
meeting their objectives. That's it.
00:00
All things to monitor that comes in the next domain,
00:00
we'll talk about monitoring for risk.
00:00
Actually it's Domain 3
00:00
where we talk about monitoring
00:00
risks and making sure that the controls are working.
00:00
Now I'd also mentioned
00:00
this tiered model that we get from NIST 800-39,
00:00
and essentially, in this framework,
00:00
we look at three tiers of
00:00
the organization as a whole or the inner parts.
00:00
Up at the very top,
00:00
this is where we have the organization,
00:00
and these are the goals of the organization,
00:00
the mission of the organization,
00:00
value as the organization sees it.
00:00
Up at this piece,
00:00
this is where the governing entity works and develops
00:00
these long-term strategies and
00:00
sets the tone for the organization.
00:00
What governance determines is
00:00
our directive and our strategy and our goal;
00:00
will then the individual lines of business figure
00:00
out how to implement it,
00:00
so this is where we get these businesses processes and
00:00
these procedures that we work with on a day-to-day basis.
00:00
Then down at the very bottom,
00:00
down at Tier 3 are
00:00
the actual individual systems themselves.
00:00
We have to make sure that we don't start by thinking,
00:00
what systems do we need here?
00:00
What type of encryption?
00:00
What type of firewall?
00:00
What this? What that?
00:00
We have to understand
00:00
the organization which shapes the business processes,
00:00
and those are the pieces that help
00:00
us choose the information systems,
00:00
not the other way around.
00:00
Decisions come down, escalations go up.
00:00
Governance decides what our processes are,
00:00
decides what our information systems are.
00:00
Issues with information systems,
00:00
if they're not meeting their goals or stated objectives
00:00
that gets escalated to Tier 2,
00:00
which would escalate problems to Tier 1 so
00:00
escalations go up, decisions come down.
00:00
Again, just another way to look at this.
00:00
Tier 1 helps us
00:00
prioritize what makes the business successful.
00:00
At Tier 2,
00:00
we put in place in architecture,
00:00
and if you haven't talked much about architecture,
00:00
thought much about architecture,
00:00
what we're considering there are
00:00
the various disparate elements
00:00
that have to work together towards a common goal.
00:00
It gives life to
00:00
our information security program
00:00
really is how we implement the enterprise architecture.
00:00
It's how we accomplish
00:00
what our goals and objectives are,
00:00
so that's a Tier 2.
00:00
Then again, Tier 3 is where we
00:00
really get to the individual technical controls.
Up Next