Welcome back to the dealer risk with framework video Siris on my grave and here to help you work your way through implementing the mist risk management framework In this section, we're gonna take a look at risk analysis processes
and decide on effective risk management options for your information system. For those of you studying for the I S C Square cap examination, remember is study the stages of the traditional see in a model and the risk management framework.
Be sure to take note of how the two models match up. Study the key documents produced in the risk management framework at a study. The key concept auf authorization decisions,
as we start to look at through brisk management processes. It starts with a little bit of background is starting with the I. C. D. 503 signed by the director of National Intelligence and effective as of September 15 2008
it rescinded the D. C. I. D. 63 policy and manual and the D C. I. D. 65 manual.
It also requires intelligent community elements to determine the level of risk based on the overall effect to the mission, not just the check list addresses, policy for the following risk management certification, accreditation, reciprocity and interconnections,
and governance and dispute resolution.
As for the authorities wth eEye City 503 is authorized by the National Security Act of 1947 the Federal Information Security Management Act, or FISMA of 2002 and the amended EO 12 9 58 and e 0 12 3 33
So, as we begin to look at the risk management process, let's first lay down a definition.
Risk management is the process that allows I t managers to balance the operational and economic costs off effective measures and achieve gains admission capability by protecting the systems and data that support their organizations missions.
It's overall objective is to achieve acceptable levels of information security,
well informed decisions and justifications, and assessing and authorizing decisions.
Wth e risk management framework takes a three tiered model towards integrated organization wide risk management. You can see this laid out in more detail in this special publication 839 starting with Tear one. The organization.
This is where the specific techniques and methodologies four risk management is managed. Tier one manages the methods and procedures as well as
mitigating measures. Tier One also sets the overall risk tolerance for the organization and insurers. Ongoing continuous monitoring
here, too, is for mission and business processes. Defining the core missions of business processes happens at tear to the information and information flow, prioritizing missions and business processes, defining the types of informations needed,
as well as incorporating high level information security into missions and those business processes.
And finally, Tier three the information system. This is where you will handle the specific allocation of security controls, whether they are system specific hybrid or common theme. Risk assessment process is composed of four primary steps. Step one.
Prepare for the assessment
step to conduct the assessment, Step three. Communicate and share assessment results and Step four maintain the assessment,
starting with Step one. First, we need to identify the overall purpose. This begins to set the expectation off the information that the assessment is intended to produce and any decisions the assessment is intended to support.
Then we identify the overall scope. What is the organizational applicability the timeframe supported and the architecture and technology considerations happen within the first step of identifying the scope.
Next, identify any assumptions or constraints. Theo organizations risk tolerance should be well defined and communicated, and also any priorities or trade offs that might have to occur. Then identify information sources
being sure to be descriptive with the different threats, vulnerabilities
and potential impacts against the information system.
Next, identify the risk model and analytic approach. There may be one or more risk models in use in conducting a risk assessment. Identify which models is to be used for the risk assessment and stick to it.
That brings us to step to first, identify the threat sources. It's important to identify and characterize all possible threat sources of concern for the information system and then identify the capability, intent and targeting characterises
for adversarial threats against that system and
the range of effects for non adversarial effects.
Next, identify threat events. What is a potential threat event? What is a relevant threaten event? What are the threat? Sources that could initiate an event
next identify vulnerabilities and predisposing conditions. This will be set by the organization itself, the mission and business processes and the information system. This should be identified throughout the organization itself.
The specific mission in business processes of the system as well as the information system itself
next determined the likelihood, the characteristics of the specific threat sources. What are the vulnerability conditions identified against the information system? What is the organizational susceptibility reflecting the safeguards and countermeasures planned or implemented
To determine the likelihood we used the 830? This is the guide for conducting risk assessments. You'll see that you have four choices. Very low, low, moderate, high and very high.
you must identify what is the likelihood of that threat event against the likelihood that the threat of it is going to have an adverse impact.
To determine your overall impact, you need to identify the characteristics of the threat. Sources themselves identify the vulnerability conditions that have been identified and the organizational susceptibility to reflecting the safeguards and countermeasures planned or implemented to impede such events.
Now, when it comes to determining overall impact, this is where quantifying meets qualifying. We call it semi qualitative values. You also find this indeed missed 830 for very high events
expected to have multiple severe or catastrophic effects. We would score this as a 10
for very low events expected to have negligible effects. We would score this as a zero and so forth when determining risk. What we're looking at is the impact that would result from the event the likelihood off the event itself occurring.
And next we communicate
the risk assessment results. It doesn't do us any good to do all the assessment work and keep it to ourselves.
This is where we will present the total risk assessment, or at least the preliminary risk assessment to the organizational decision makers so they can begin to identify support risk responses.
Next, it's important to share the risk related results. This is where the executive risk function comes in again. This is made up of the organizational decision makers that support the risk responses and the security subject matter experts across all disciplines
and then step four monitor for the risk factors. What are the organizational operations and assets ensuring to monitor the individuals other organizations that might impact the system as well as impact the nation as a whole?
Finally, to update the risk assessment
any identified Chris is just another condition that must be addressed thistles, where a solid, cohesive risk management team is important.
Risk presents itself throughout the system's entire life cycle, and they aren't one off to off events. This is why all team members must be well tuned to the system
upon receiving the assessment results. There is a determination to be made the risk acceptance, risk avoidance, risk mitigation, risk sharing or transfer, or a combination of any of the above.
So now that we've lived out the four primary steps, let's look at how it fits together across all components. Remember that mist and partnership with the D. O. D itself, the intelligence communities and CNS s has developed a common information security framework for all federal government and
The overall goal is to improve information security, strengthen risk management processes and encourage reciprocity among all federal agencies. This is well defined and laid out for you indeed missed 837 that transforms the classic C n A
into a well defined six death
risk management framework.
Again, looking at the's six course steps of the risk management framework is categorized. Select,
implement, assess authorized and monitor.
So how does the traditional C N A and the risk management framework lineup together. You can see it laid out here, for instance, the traditional see, in a process you have task. One preparation this'd is where the information system description would be identified, the security categorization and so forth.
Well, we're still doing that in step one of the risk management framework.
We identify the system description, we categorize the system and we register the system. You may be using Archer or e mass or whatever your component is using. Also identified are the common control identifications, the security control selections,
the security control implementations
and the security control documentation.
Now, instead of two of the traditional CIA, you would have notification simple planning and resource ing, followed by the SSP Analytics update and acceptance. This is where you would do the security configuration review the security planning analysis and the system security plan
again. This is still happening within the framework. We call it this system plan approval thistles where we begin with our monitoring strategy for the system
that moves us to step four of the traditional C n a. The security control assessment itself and then the security control confirmation documentation. Well, obviously we're still doing that within the risk management framework. Theus assessment happens. The plan of action and milestones is created
and the documentation is prepared.
So really, you see when you break it down to its core processes, there's not a lot of difference between, For instance, die cap and the risk management framework. It's not a different process. It's just different wording. All the same requirements were there under one that are there
So one of the key documents that you'll need for our map authorization it would be the system security plan itself, the Plan of action milestones or the poem, the Security Assessment Report, the SAR and the authorization decision document for the A D. D.
Now that is the core what we used to call executive package to a risk management framework authorization package.
However, to create all of these, especially the SSP, you need all supporting artifacts, all supporting policies, standards and procedures from across the organization. So the controls to be properly assessed
the next section we're going to jump in to step one categorization