NIST Risk Management Framework Overview

NIST Risk Management Framework Overview
- About the NIST Risk Management Framework (RMF)
- Supporting Publications
- The RMF Steps
  - Step 1: Categorize
  - Step 2: Select
  - Step 3: Implement
  - Step 4: Assess
  - Step 5: Authorize
  - Step 6: Monitor
- Additional Resources and Contact Information
NIST Risk Management Framework 2

NIST Special Publication 800-37, Guide for Applying the Risk Management Framework
- A holistic and comprehensive risk management process
- Integrates the Risk Management Framework (RMF) into the system development life cycle (SDLC)
- Provides processes (tasks) for each of the six steps in the RMF at the system level
[Figure: the six RMF steps shown as a cycle: Categorize System, Select Controls, Implement Controls, Assess Controls, Authorize System, Monitor Controls]

Supporting Publications
Federal Information Processing Standards (FIPS)
- FIPS 199 – Standards for Security Categorization
- FIPS 200 – Minimum Security Requirements
Special Publications (SPs)
- SP 800-18 – Guide for System Security Plan Development
- SP 800-30 – Guide for Conducting Risk Assessments
- SP 800-34 – Guide for Contingency Plan Development
- SP 800-37 – Guide for Applying the Risk Management Framework
- SP 800-39 – Managing Information Security Risk
- SP 800-53/53A – Security Controls Catalog and Assessment Procedures
- SP 800-60 – Mapping Information Types to Security Categories
- SP 800-128 – Security-focused Configuration Management
- SP 800-137 – Information Security Continuous Monitoring
- Many others for operational and technical implementations

NIST SP 800-39: Managing Information Security Risk – Organization, Mission, and Information System View
- Multi-level risk management approach
- Implemented by the Risk Executive Function
- Enterprise Architecture and SDLC focus
- Supports all steps in the RMF
[Figure: Three Levels of Organization-Wide Risk Management. Level 1: Organization (strategic focus); Level 2: Mission / Business Process; Level 3: System (Environment of Operation) (tactical focus)]

NIST SP 800-39: Managing Information Security Risk – Organization, Mission, and Information System View
[Figure: Risk Management Process. Four components, Frame, Assess, Respond, and Monitor, connected by information and communication flows]

NIST Special Publication 800-30, Guide to Conducting Risk Assessments
- Addresses the Assessing Risk component of Risk Management (from SP 800-39)
- Provides guidance on applying risk assessment concepts to:
  - All three tiers in the risk management hierarchy
  - Each step in the Risk Management Framework
- Supports all steps of the RMF
- A 3-step process:
  - Step 1: Prepare for the assessment
  - Step 2: Conduct the assessment
  - Step 3: Maintain the assessment

NIST RMF Step 1: Categorize
Purpose: Determine the criticality of the information and system according to the potential worst-case adverse impact to the organization, mission/business functions, and the system.

Federal Information Processing Standard (FIPS) 199
Standards for Security Categorization of Federal Information and Information Systems

Security objectives: Confidentiality, Integrity, Availability
Impact level, assigned to each security objective:
- Low: loss has limited adverse impact
- Moderate: loss has serious adverse impact
- High: loss has catastrophic adverse impact

NIST RMF Step 2: Select
Purpose: Select security controls, starting with the appropriate baseline, using the categorization output from Step 1
- Apply tailoring guidance as needed based on the risk assessment

Federal Information Processing Standard (FIPS) 200
Minimum Security Requirements for Federal Information and Information Systems
- Defines 17 security-related areas (families) that:
  - Represent a broad-based, balanced security program
  - Include management, operational, and technical security controls (all are needed for defense in depth)
- Specifies that a minimum baseline of security controls, as defined in NIST SP 800-53, will be implemented
- Specifies that the baselines are to be appropriately tailored

NIST Special Publication 800-53
Security and Privacy Controls for Information Systems and Organizations
- A catalog of security controls
- Defines three security baselines (L, M, H)
- Initial version published in 2005
- Currently using Rev. 4 (2013)
- Undergoing update to Rev. 5; draft released in Aug 2017 for public comment

Security and Privacy Controls
- A countermeasure prescribed for a system or an organization, designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined requirements.
- Security and privacy controls are intentionally not focused on any specific technologies
- Control implementations and assessment methods may vary based on the technology to which the control is being applied, e.g.:
  - Cloud-based systems
  - Mobile systems
  - Applications

SP 800-53 Control Families
- AC – Access Control
- AT – Awareness and Training
- AU – Audit and Accountability
- CA – Security Assessment and Authorization
- CM – Configuration Management
- CP – Contingency Planning
- IA – Identification and Authentication
- IP* – Individual Participation
- IR – Incident Response
- MA – Maintenance
- MP – Media Protection
- PA* – Privacy Authorization
- PE – Physical and Environmental Protection
- PL – Planning
- PM – Program Management
- PS – Personnel Security
- RA – Risk Assessment
- SA – System and Service Acquisition
- SC – System and Communication Protection
- SI – System and Information Integrity

SP 800-53 Control Baselines
- Baselines are defined in Appendix D
- Determined by:
  - Information and system categorization (L, M, H)
  - Organizational risk assessment and risk tolerance
  - System-level risk assessment
- Baselines can and should be tailored, based on RISK, to fit the mission and system environment
- Some controls are not included in baselines
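The two slides above describe the hand-off from Step 1 to Step 2: FIPS 199 assigns a Low/Moderate/High impact value to each of the three security objectives, and the resulting system impact level selects one of the three SP 800-53 baselines (L, M, H) before tailoring. The following Python is an added worked example, not code from the NIST deck or any NIST publication. It implements the FIPS 199 per-objective categorization (the highest impact carried by any information type the system handles), the FIPS 200 high-water-mark rule for the overall system level, and the baseline lookup. The information types and their provisional impact values are constructed for the example and are not taken from SP 800-60; the function names are this example's own.

```python
"""FIPS 199 security categorization and SP 800-53 baseline selection.

Added worked example, not NIST's own code. Per-objective categorization
follows FIPS 199; the overall system impact level as the high-water mark
across objectives follows FIPS 200. The information types below are
constructed for the example, not taken from SP 800-60.
"""
from dataclasses import dataclass
from typing import Dict, List

OBJECTIVES = ("confidentiality", "integrity", "availability")

# FIPS 199 impact values, lowest first. "n/a" (public information) is
# permitted only for confidentiality, so it ranks below "low".
RANK = {"n/a": 0, "low": 1, "moderate": 2, "high": 3}


def is_valid_impact(objective: str, level: str) -> bool:
    """n/a is allowed for confidentiality only; integrity and availability
    must be low, moderate or high."""
    if objective not in OBJECTIVES or level not in RANK:
        return False
    return level != "n/a" or objective == "confidentiality"


@dataclass(frozen=True)
class InfoType:
    """One information type the system handles, with provisional impacts."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact(self, objective: str) -> str:
        level = getattr(self, objective)
        if not is_valid_impact(objective, level):
            raise ValueError(f"{self.name}: {level!r} is not a valid {objective} impact")
        return level


def categorize_system(info_types: List[InfoType]) -> Dict[str, str]:
    """Security category of the system: for each objective, the highest
    impact among all information types (the worst case named in Step 1).
    A system-level objective cannot be n/a, so it is raised to low."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    category = {}
    for obj in OBJECTIVES:
        worst = max((t.impact(obj) for t in info_types), key=RANK.__getitem__)
        category[obj] = "low" if worst == "n/a" else worst
    return category


def high_water_mark(category: Dict[str, str]) -> str:
    """Overall system impact level: the highest value across the three
    objectives. This single value drives baseline selection in Step 2."""
    return max((category[obj] for obj in OBJECTIVES), key=RANK.__getitem__)


def format_sc(category: Dict[str, str]) -> str:
    """FIPS 199 notation: SC = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    parts = ", ".join(f"({obj}, {category[obj].upper()})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


def select_baseline(level: str) -> str:
    """Map the system impact level to the SP 800-53 baseline (L, M, H).
    Tailoring that baseline is a separate, risk-driven activity."""
    baselines = {"low": "L", "moderate": "M", "high": "H"}
    if level not in baselines:
        raise ValueError(f"no baseline for impact level {level!r}")
    return baselines[level]


# Constructed sample: three information types handled by one system.
SAMPLE_INFO_TYPES = [
    InfoType("public web content", confidentiality="n/a", integrity="moderate", availability="low"),
    InfoType("personnel records", confidentiality="moderate", integrity="moderate", availability="low"),
    InfoType("financial transactions", confidentiality="moderate", integrity="high", availability="moderate"),
]

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_INFO_TYPES)
    level = high_water_mark(sc)
    print(format_sc(sc))
    print(f"system impact level: {level} -> SP 800-53 baseline {select_baseline(level)}")
```

Running the sample gives a system category of (confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE); the high-water mark is high, so the H baseline is the starting point, and the Step 2 tailoring then adjusts it to the mission and environment as the slide describes.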

NIST RMF Step 3: Implement
Purpose: Implement security controls within the enterprise architecture and systems using sound system security engineering practices (see SP 800-160); apply security configuration settings.

Implementation Tips
- Plan for control implementation during the development phase of the SDLC – BAKE IT IN
- Many NIST publications are available to provide implementation guidance on a wide range of controls and control types (https://csrc.nist.gov)
- Implementation may include:
  - Writing and following policies, plans, and operational procedures
  - Configuring settings in operating systems and applications
  - Installing tools/software to automate control implementation
  - Training

NIST RMF Step 4: Assess
Purpose: Determine security control effectiveness – are controls implemented correctly, operating as intended, and meeting the security requirements for the system and environment of operation?

NIST Special Publication 800-53A
Assessing Security and Privacy Controls in Systems and Organizations: Building Effective Security Assessment Plans
- Supports RMF Step 4 (Assess)
- Is a companion document to 800-53
- Is updated shortly after 800-53 is updated
- Describes high-level procedures for assessing security controls for effectiveness
- Defines assessment procedures using:
  - Assessment Objectives
  - Assessment Methods
  - Assessment Objects

SP 800-53A Assessment Steps
1. Develop the Security Assessment Plan
   a. Determine which controls are to be assessed
   b. Select appropriate procedures to assess those controls
   c. Determine the depth and coverage needed for assurance
   d. Tailor the assessment procedures
   e. Finalize the plan and obtain approval
2. Conduct the assessment
3. Analyze the results
4. Create the Security Assessment Report

SP 800-53A Assessment Procedure "Parts"
- Assessment objectives – determination statements
- Three assessment methods and their associated assessment objects:
  - Interview – objects are individuals or groups of individuals
  - Examine – objects include:
    - Specifications (e.g., documents: policies, procedures, designs)
    - Mechanisms (e.g., functionality in HW, SW, firmware)
    - Activities (e.g., system ops, administration, mgmt., exercises)
  - Test – objects include:
    - Mechanisms (e.g., HW, SW, firmware)
    - Activities (e.g., system ops, administration, mgmt., exercises)

NIST RMF Step 5: Authorize
Purpose: The Authorizing Official (AO) examines the output of the security controls assessment to determine whether or not the risk is acceptable
- The AO may consult with the Risk Executive (Function), the Chief Information Officer, and the Chief Information Security Officer as needed, since aggregate risk should be considered for the authorization decision
- After the initial authorization, ongoing authorization is put in place using output from continuous monitoring (see Supplemental Guidance on Ongoing Authorization, 37rev1/nist oa guidance.pdf)

NIST RMF Step 6: Monitor
Purpose: Continuously monitor the controls implemented for the system and its environment of operation for changes, signs of attack, etc. that may affect controls, and reassess control effectiveness
- Incorporate all monitoring (800-39 risk monitoring, 800-128 configuration management monitoring, 800-137 control effectiveness monitoring, etc.) into an integrated organization-wide monitoring program

Examples of Applications
- Committee on National Security Systems: overlays for specific national security systems/operational environments, such as space platform, privacy, classified information, etc.
- The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
- NIST Interagency Report 7628, Rev. 1, Guidelines for Smart Grid Cybersecurity

Additional Resources and Contact Information
FISMA Publications:
sk-Management@
@usaNISTgov
@NISTcyber
THANK YOU!

Mar 28, 2018