
Organizations today have to protect themselves from risks related to cyber security, including hacking, malware, phishing, and non-compliance to rules and regulations. In this hands-on course, you’ll learn how to develop a NIST risk management framework and how to integrate your risk management strategy into business functions and life cycle activities.
In the first part of this course, you will learn how to define and rate risks based on impacts and threats levels. You will explore the risk management framework and how to implement it to assess the current state and identify the risk of the gaps in your information systems. You should be able to run gap analysis and conduct your initial current state risk assessment, roadmap, and initiatives to move to a more mature state cyber security. Then you use the outcome of your gap analysis to implement a risk management framework that meets your organization's specific requirements and the goals and objectives of its risk management strategy.
During risk assessment, you need to identify and map infrastructure assets components, assign NIST security controls, countermeasures and measure risk management maturity level. This includes the use of quantitative and qualitative risk assessment tools. It is important to conduct an internal assessment of your organization to identify the potential impact of any arising risk and assign the proper controls to mitigate it to protect your organization from potential threats. Further, you need to monitor and evaluate your security controls to ensure that they are effective.
In the last section of the course, you learn about the monitoring process, Key Risk Indicators (KRIs), Key Performance Indicators (KPIs), related metrics, and reporting mechanisms to keep your organization on top of alters and provide valuable insights for decision-makers regarding risk and privacy.
NIST provides numerous publications in support of the RMF.
· The NIST special publication or SP 800-37 Rev.2 is the core document of the RMF that demonstrates a system life cycle approach for security and privacy. This document fully describes the process for applying the RMF to information systems and organizations.
· NIST SP 800-53, currently at revision 5, provides a catalog of security and privacy controls and a process for selecting controls to protect your systems and operations from threats.
· NIST SP 800-53A is for assessing security and privacy controls in information systems and organizations.
· NIST SP 800-30 revision 1 is a guide for conducting risk assessments. It's a step-by-step process for assessing organizational risks.
· NIST SP 800 -53B is intended to select control baselines for information systems and organizations. The control baselines provide a starting point for organizations in the security and privacy control selection process.
· NIST SP 800-171 Rev.2 is for protecting controlled unclassified information in nonfederal systems and organizations.
I attached all these publications in the exercise files for anyone who likes to read them in-depth which is very beneficial despite that it might take some time.
If your job requires you to manage cyber security risks in the high-stakes world of enterprise IT, this course is for you. You'll examine risks, threats, opportunities, and vulnerabilities at the strategic and operational levels while being able to select the right countermeasures and security controls to mitigate that risk. You'll explore risk appetite, risk tolerance, mitigation strategies, and the seven-step approach to build a NIST risk management framework.
The case study in this course will highlight risk and regulatory compliance issues and stakeholder communication. Risk assessment is primarily a business concept and it is all about money. You have to identify the most critical assets and systems that your business has, which are the ones that could potentially lead to the largest monetary losses for the company. Now that you have identified the most critical assets and systems, you have to determine the proper controls to mitigate the identified risks. Then you have to test the proper controls to see if they work, and if not, you have to find new proper controls to mitigate the identified risks that minimize the risks while not causing large financial losses to the organization.
Risk assessment involves three factors: the importance of the assets at risk, how critical the threat is, and the vulnerability of the system to that threat. Using those factors, you can assess the risk which is the likelihood of money loss by your organization. Even though risk assessment is based on logical constructs rather than numbers, it helps to express it as a formula:
Risk = Asset X Threat X Vulnerability
Suppose you want to assess the risk associated with the threat of hackers compromising a particular system. If your network is vulnerable, perhaps because you have no firewall and no antivirus solution, and the asset is critical, your risk is high. However, if you have good countermeasures defenses and your vulnerability is low, your risk will be medium even though the asset is still critical.
Generally, the risk is about uncertainty, but in the IT world risk is the extent to which an entity is threatened by a potential circumstance or event. If something is guaranteed to happen, it is not a risk. The success of the organization’s missions and business functions depends on safeguarding the confidentiality, integrity, availability of information processed. In addition to the responsibility to protect organizational assets from the threats that exist in today’s environment, organizations have a responsibility to consider and manage the risks to individuals when information systems process personally identifiable information (PII). The Risk Management Framework (RMF) from the National Institute of Standards and Technology NIST SP 800 37 Rev 2 defines a road map and a strategy for efficiently managing organizational risk.
The risk management framework developed by NIST is designed for managing risks relating to the cybersecurity of an organization or a product, service, or system. The framework is intended to be used in conjunction with other cybersecurity frameworks, including the NIST Cybersecurity Framework, the NIST Risk Assessment Framework, and the CIS Critical Security Controls. Preparing the organization to execute the risk management framework NIST RMF can include:
• Assigning roles and responsibilities for organizational risk management processes.
• Establishing a risk Identifying and prioritizing assets.
• Understanding threats to information systems and organizations.
• Developing the security and privacy architectures that include controls.
Risk management is essential and critical for survival in every organization's information security and privacy program. In this course, you will learn how to use the NIST RMF to assist your business to categorize and manage its security and privacy program efficiently across the system management lifecycle. I take you in-depth look at each of the NIST RMF's seven phases, covering everything from how to prepare for a risk-based approach to security then assessment and continuously monitoring and reviewing security measures in a system. Further, you will clearly understand how to select the proper security controls from the NIST SP800-53 Rev 5 security catalog to respond and mitigate risks. Along the process, I use a case study to show you how each stage is used in the real world.
The increasing frequency, creativity, and severity of cybersecurity attacks mean that all enterprises should ensure that cybersecurity risk is receiving appropriate attention within their enterprise risk management (ERM) programs. The NISTIR 8286 Integrating Cybersecurity and Enterprise Risk Management (ERM) document Published: October 2020 is intended to help individual organizations within an enterprise improve their cybersecurity risk information, which they provide as inputs to their enterprise’s ERM processes through communications and risk information sharing. By doing so, enterprises and their component organizations can better identify, assess, and manage their cybersecurity risks in the context of their broader mission and business objectives. Focusing on the use of risk registers to set out cybersecurity risk, this document explains the value of rolling up measures of risk usually addressed at lower system and organization levels to the broader enterprise level.
NISTIR 8286A Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management Published on November 2021 supplements NIST Interagency or Internal Report 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM), by providing additional detail regarding risk guidance, identification, and analysis. This report offers examples and information to illustrate risk tolerance, risk appetite, and methods for determining risks in that context. To support the development of an Enterprise Risk Register, this report describes documentation of various scenarios based on the potential impact of threats and vulnerabilities on enterprise assets.
Documenting the likelihood and impact of various threat events through cybersecurity risk registers integrated into an enterprise risk profile helps to prioritize and communicate enterprise cybersecurity risk response and monitoring. For further details please refer to the indicated NIST documents. I am highlighting this topic to provide you with a glance at NIST’s efforts to integrate cyber security and risk management into Enterprise Risk Management (ERM).
The wide management approach (ERM) is to ensure that all cyber risk activities, countermeasures, policies, plans, and strategies are not treated separately in a silo management approach. This can result in system failure, data breach, loss of assets and data, and compromise security objectives due to the hidden aggregated and cascaded risks that some organization functions may overlook or miscalculate its impacts and threats which may build up like a snowball and cause severe consequences.
I've created a case study scenario to assist you in learning the NIST RMF. While it is a work of fiction, it is based on numerous real-life businesses. Target Cloud Inc., based in San Francisco, is a global cloud storage provider. It is a public company that trades shares in the following markets: Toronto, New York, London, Mexico City, Sao Paulo, Frankfurt, and Tokyo. It has a presence in nearly 100 countries. Target Cloud, Inc. focuses on market share sustainability and scalability when providing cloud storage solutions and services to individuals, businesses, and government organizations in the United States, Canada, and other global locations. In the US, city, state, and federal government agencies, the energy industry, utility corporations, and colleges are among their primary clients. Target Cloud Inc. has about 500 people in five main cities and another 100 in smaller locations. The main office, which employs 125 people, is located in San Francisco, California. The company also has offices in Chicago, Illinois; Austin, Texas; Seattle, Washington, and Ontario; Canada. Target Cloud, Inc.'s primary data center is connected to each of the offices. Cloud storage operates on a client-server architecture, in which a client submits a request to the subscribed cloud storage service, and the data center's server responds appropriately. The basic purpose of the cloud is that instead of keeping data locally, users' data may be gathered and stored at a data center, allowing them to access it from any device. Data management organizations, utilities, educational institutions, and government agencies are among Target Cloud Inc's clients in the United States and they have requested the company to demonstrate compliance with NIST Risk management and cybersecurity guidelines. Because Target Cloud Inc. is unfamiliar with them, their management recruited you as a cyber security consultant to oversee the project and integrate the NIST RMF and CSF into their operations.
If you accept the mission, you must read the case study to learn more about the company's technical infrastructure, operations, and identify potential risks and their impacts level on security objectives. You'll find various facts about Target Cloud Inc. You can find details about the case study in the exercise files that comes with this course. Utilize these details as you progress through the NIST RMF's steps. As if you were a real cyber-security expert assessing their security and privacy procedures, use this case study to practice. You can use the NIST RMF process with either Target Cloud Inc. or your own company as you learn about it throughout this course to evaluate the security and privacy capabilities. You can record and document your observations on the provided template worksheets and make recommendations as if you're working for Target Cloud Inc. This is exactly what I do as a cybersecurity consultant.
Before we go deep in building the risk management framework, we need to understand what is a risk? Risk is defined by the National Institute of Standards and Technology (NIST) as a measure of the extent to which an entity is threatened by a potential circumstance or event. Cyber security risk management is not a silo management approach but an integrated enterprise-wide management approach. To understand risk, we need to understand the different types of risk that may occur.
Risk appetite. The broad-based amount of risk a company or entity is willing to accept in pursuit of its mission or vision.
2. Risk Tolerance. The acceptable variation of risk relative to the achievement of an objective. If a regulation says that sensitive data at rest must be encrypted, yet there is no feasible encryption solution or the cost of implementing a solution would have a large negative financial impact, the enterprise may choose to accept the risk associated with regulatory non-compliance. This would be a risky trade-off.
3. Risk capacity. The objective amount of loss an enterprise can tolerate without risking its continued existence as such differs from risk appetite, which is more of a board/management decision on how much risk is desirable.
4. Risk mitigation is the steps that an organization takes to minimize the potential loss in the event of the occurrence of a risk.
The cybersecurity manager must clearly understand the organization's risk profile. A customized analysis needs to be done since no model is providing a full picture. Focus on key issues should be kept to fully understand risk, which will help develop and implement risk treatment approaches that effectively respond to organizational needs. Resources need to be assigned to the real and most relevant issues. Low-risk acceptance is possible by local management. Acceptance at a medium risk level is possible by the chief information officer, known as the CIO. Depending on the potential impact, the chief information security officer may accept high-risk acceptance. Severe risk acceptance is only at the board level, depending on potential impact. Risk reduction is mandatory through rigorous controls or monitoring. A management notification process requires risk analysis techniques including the following:
· Interviews with experts and process owners
· Use of models and simulations
· Every analysis may vary in detail according to every case.
· Analysis may be qualitative or quantitative, or a combination.
In any case, the type of analysis used should be consistent with the business needs. Risk management activities look to reduce impacts to acceptable levels. The impact is generally quantified as a direct or indirect financial loss in the long term. Examples of impacts are:
· Direct loss of money (cash or credit)
· Criminal or civil liability
· Loss of reputation, goodwill, image
· Reduction of share value
· Employee, customer, or shareholder conflicts of interest
· Breach of confidence or privacy
· Market share loss
· Interruption of operation
· Noncompliance with regulations or laws results in a penalty
The one that remains after implementing controls is the affected areas that require reinforcement in internal control. Risk appetite and tolerance will influence what to do with this. Final risk acceptance additionally considers:
· Regulatory compliance
· Organizational policy
· Affected assets' sensitivity and criticality
· The cost and effectiveness of additional control implementations
Risk aggregation
Let me touch quickly on another important risk concept, risk aggregation. Risk management can only be effective if a full enterprise scope is considered to cover the organization’s needs end-to-end. A partial scope that focuses only on isolated risks can generate serious consequences. Only a part of potential risks can be considered when performing analysis and making decisions. Only a portion of the enterprise can be considered. There can be risks that are irrelevant when analyzed individually but that become significant when aggregated to others. Not having an aggregate risk analysis can create a false sense of security. We could be surpassing risk appetite or even risk capacity without noticing it if an aggregate analysis is not executed. There can be different situations affecting the execution of aggregate analysis. Some are internal and some external to the organization. The following are examples of this.
· Lack of consistent and clear terminology across the enterprise
· Complex internal structure with different (sub-) cultures
· Unknown dependencies between reported risk among business units or technologies
· Something can be relevant at the entity level but not at the business unit level
· Use of different methodologies and frameworks among stakeholders
· Failure to understand gaps in both the ability to detect an event occurring and to respond to it
Organizations shall use a uniform method to define the frequency and impact of risk scenarios. Through risk scenarios, we can make IT risk more concrete and tangible. Risk scenarios also allow for proper risk analysis and assessment. This is a core approach to bring realism, insight, organizational engagement, improved analysis, and structure to a complex concept (IT risk). Through this technique, all of the possible "what could go wrong" situations need to be identified in every used scenario. Two approaches can be used:
· Top-down
· Bottom-up
Aggregated risk can exist where a particular threat affects a large number of minor vulnerabilities; they are not significantly isolated, but become relevant in the aggregate. Cascading risk refers to the situation when one failure leads to a chain reaction of failures. Regardless of the method used, risk needs to be properly identified and tools can be used depending on the organization's needs. A risk can be related to or characterized by:
· Its origin
· A specific activity, event, or occurrence
· Its ramifications, outcome, or impact
· A specific reason for its occurrence
· Protective mechanisms and controls
· Time and location of occurrence
Defining risk levels needs to be done concerning its impact on the confidentiality, integrity, and availability of the data in the organization’s operational systems.
An asset is any data, device, or another component of an organization’s systems that is valuable, often because it contains sensitive data or can be used to access such information. For example, an employee’s desktop computer, laptop, or company phone would be considered an asset, as would applications on those devices. Likewise, critical infrastructure, such as servers and support systems, are assets. An organization’s most common assets are information assets. These are databases and physical files that contain the sensitive data that organizations store or process. A related concept is the ‘information asset container’, which is where that information is kept. In the case of databases, this would be the application that is used to create the database. For physical files, it would be where the information resides.
Threats
A threat to information assets is any event or incident that has the potential to harm an asset by exploiting a specific vulnerability. Threats are circumstances that compromise an asset's confidentiality, integrity, or availability, and they can be intentional or unintentional. Employee error, a technological breakdown, or an incident that causes physical harm, such as a fire or natural catastrophe, are examples of unintentional threats, whereas criminal hacking or a malicious insider stealing information are considered intentional threats.
Vulnerabilities
To become more accurate in our risk management approach we need to define vulnerabilities that are weaknesses in our environment. It is a weakness that can be exploited by a threat actor. Estimating the degree of the vulnerability requires experience. Utilizing control effectiveness will affect any existing vulnerability. While automatic scanning equipment is used to identify technical vulnerabilities, this cannot be done for physical, process, or performance vulnerabilities. Several vulnerabilities examples can be listed as follows:
· Defective software
· Improperly configured equipment
· Inadequate compliance enforcement
· Poor network design
· A process that is uncontrolled or defective
· Inadequate management
· Insufficient staff
· Lack of knowledge to support users or run the process.
· Lack of security functionality
· Lack of proper maintenance
· Poor choice of passwords
· Untested technology
· Transmission of unprotected communications
· Lack of redundancy
· Poor management communication
Organizations use penetration testing to identify, detect and monitor any vulnerabilities in their applications or networks. Pentesting, also known as penetration testing is a security assessment, an analysis, and progression of simulated attacks on an application (web, mobile, or API) or network to check its security posture. The objective is to penetrate the application or network security defenses by looking for vulnerabilities.
The output of a pentest is a list of vulnerabilities, the risks they pose to the application or network, and a concluding report. The report includes an executive summary of the testing, scope of work, testing methodology, summary of findings, and recommendations for remediation. The vulnerabilities found during a pentest can be used to fine-tune your security policies, patch your applications or networks, identify common weaknesses across applications, and strengthen your overall security posture.
One of the companies that provide pentest is Cobalt’s Pentest as a cloud service (PtaaS). Cobalt's innovative approach to scheduling and tracking pentester availability makes test scheduling much faster. Please check their website https://cobalt.grsm.io/musa-adi for further information. I added the link to this lecture.
What does your company have to secure? This should be based on the risk management plan, risk assessment, laws, rules, or standards. What information, application, systems, or technologies, would have a significant impact on security objectives confidentiality, integrity, or availability if compromised? A significant impact entails a high level of risk. Sensitive data, such as personally identifiable information or protected health information, payment card, and cardholder data, would be among your crown jewels. It could be applications like card processing, critical inventory management systems, or your web server used for client orders, or systems like email and communications, or an entire network, so we need to concentrate on the server and database system that stores or transmit sensitive client information like personally identifiable information (PII) or credit card numbers. You'll need to ask more questions once you've identified your highest-risk assets and the focus of your risk assessment scope.
Where are your organization's IT assets on networks or servers, both physically and logically?
Who uses these systems and how are they being used? This might be another machine or a human user. Begin your preparation by having a network diagram and identifying the high-value assets. If you're working with data, you'll need to map data flows as well. The diagram depicts the data flow on your network. Each of those systems is in scope, and they all need to be protected. Your system profile, also known as a system security plan, should contain all of this information. NIST SP 800-18 Rev.1 describes the contents of both system security plans and the system profile. In the exercise files, I've included a sample security system plan template (SSP) for you to practice.
How to map inventory critical assets?
After you've determined what is and isn't covered by your risk management framework or RMF scope, you'll need to make a list of all assets that are required to be protected. Any high-value hardware, such as routers, switches, and wireless access points, as well as network appliances are included. Any endpoint computers or devices, such as PCs, mobile devices, or peripherals, whether they're standalone, virtual, or in the cloud, as well as any security equipment, such as firewalls and log aggregation systems. Databases, web servers, policy servers, and access control should all be included in your inventory, as should any software, such as apps, that directly or indirectly support your operations. In your asset inventory, provide the manufacturer, versions, and any other dependencies. In the identify function, asset management category of the NIST cybersecurity framework CMF, you'll find instructions on what information you need to collect as part of an asset inventory. The subcategory lists all of the controls associated with this step.
What sources do you use to compile your information security inventory? Because they should have a record of all purchased software and hardware, your business and buying office is commonly the best place to start. The active directory also offers information about Windows clients and servers for those that use Microsoft. A third method is to use a network mapping tool to investigate your network. Nmap, for example, is a popular free tool that displays the devices on your network along with their IP addresses and open ports. Nmap is freely available at nmap.org. Another useful paid software is the network topology mapper by solar winds automate device discovery and mapping that has good features such as:
· Build multiple maps from a single scan
· Perform multi-level network discovery
· Auto-detect changes to network topology
· Export network diagrams to Visio
· Address regulatory PCI compliance
These network mapping softwares are used to produce your network diagrams. These are diagrams that show how your computer or telecommunications network is set up. They aid cyber security professionals in seeing how and what is included in a computer network and what is in the IT infrastructure. Following is a sample network diagram showing various devices and servers.
Data flow diagrams are based on network diagrams, which are also used to comprehend data flows. You begin by identifying your most sensitive information, such as credit card data. Using your network diagram, show where sensitive data are input, stored, processed, or transmitted. You'll know where the most sensitive data and personally identifiable information (PII) is and what systems it may be on. Please check the chart below.
Use the provided system security plan (SSP) template to complete parts one through twelve as an activity for this section. Fill up as much as you can of the SSP template based on your scope and category decisions while working through this exercise. Sections can be skipped and filled up later. Use your organization or the case study Target Cloud Inc. and make assumptions if necessary. Keep in mind that this is a tool to aid your understanding of the systems under assessment and review.
Cybercriminals have caused businesses to lose billions of dollars. They create damages to businesses by exploiting vulnerabilities in technology, IT systems, and even people through social engineering hacking. Cyber security isn't simply an IT issue; it's an enterprise risk management issue. Business leaders, authorizing officials, system owners, and IT cyber security professionals all are working to manage risks by identifying what may go wrong and putting in place the appropriate defenses and countermeasures to minimize or mitigate, avoid or transfer the potential risk likelihood and its impact on business. This video describes cyber threats and vulnerabilities as part of the security risk management process. Organizations of all sizes are vulnerable to several threats. Malicious malware, social engineering, phishing, business email breach, and account hijacking are all examples of ransomware. These threats can potentially affect the organization in a variety of ways. All of this, in most cases, produces various types of risks for companies due to some type of deficiencies or vulnerabilities. Risks arising from the loss of confidentiality, integrity, or availability of data or information systems that potentially affect organizational operations, organizational assets, individuals, or other organizations are known as information system-related security risks. Another risk you should be aware of is compliance issues. These are risks and legal ramifications that your company might face for not complying with the laws and regulations such as the payment card industry PCI DSS that I highlighted previously in this course.
The National Institute of Standards and Technology (NIST) establishes the guidelines that all US federal government agencies, contractors, state agencies, and increasingly many businesses must follow. What rules do you need to make sure your company adheres to? Here's a brief activity to get you started: Make a list of any current threats or risks to your information systems or data. Any sort of risk can be considered: technological, procedural, managerial, compliance, and so on. This is simply a brief brainstorming session. Working with my clients has shown me that, at the very least, they are aware of their most serious security issues. Keep your list since it will help a lot later in the course. You need security controls throughout the lifecycle of your system to ensure you're controlling your risks and satisfying compliance needs. Security begins with the development or implementation of new technologies or apps, as well as the expansion of your company's operations into other regions, such as the European Union, where the EU General Data Protection Regulation (GDPR) applies.
Are you familiar with the security requirements?
Wouldn't it be good to have a list of security requirements and objectives as you begin to integrate security into the IT system infrastructure to handle risks and threats continually? This guide is provided by the NIST RMF to assist you in implementing suitable and effective protection, detection, and security control measures in your IT system. The NIST RMF supports the integration of security and privacy procedures and processes into information systems across the system development life cycle, emphasizing risk management, risk assessment, and organizational-wide risk governance. The RMF is divided into seven phases. Preparation is the first step, and that's what we're doing right now. The second step is to categorize, which involves taking inventory of your IT assets, and the third step is to choose the first set of security controls required to minimize and mitigate the risks. After that, you put the security controls in place. These can be both technological, such as network defenses or endpoint protection, and procedural such as access control policy and procedures. The fifth step is to evaluate the controls to see whether they've been implemented correctly and are working as they are expected. The sixth step is to grant authorization for the security system to be implemented in production from the authorizing officials in your organization. The seven-step is monitoring which is required to provide continual security and risk management. Because risks never go away, risk management is a continual process. I will explore all the NIST risk management framework seven-steps more in-depth in the following lectures therefore stay tuned and if you may have any questions or clarification, please write them in the QA section.
IT risk assessment should be the foundation of your IT security strategy to understand what events can negatively affect your organization and what security gaps pose a threat to your critical information, so you can make better security decisions and take smarter proactive measures. IT risk assessment helps you determine the vulnerabilities in information systems and the broader IT environment, assess the likelihood that a risky event will occur, and rank risks based on the risk estimate combined with the level of impact that it would cause if it occurs. IT risk assessment is required by many compliance regulations. For example, if your organization must comply with HIPAA or could face GDPR audits, then information security risk assessment is a must-have for your organization to minimize the risk of non-compliance and huge fines.
Because most organizations have a limited budget for risk assessment, you will likely have to limit the scope of the project to mission-critical assets. Accordingly, you need to define a standard for determining the importance of each asset. As a key part of the risk assessment, assets are prioritized based on the adverse impact or consequence of asset loss. Prioritization of assets is based on asset value, physical consequences, cost of replacement, criticality, impact on image or reputation, or trust by users and legal standing. Privacy risk assessments are conducted to determine the likelihood that a given operation the system is taking when processing PII could create an adverse effect on individuals—and the potential impact on individuals. Once the standard has been approved by management and formally incorporated into the risk assessment security policy, use it to classify each asset you identified as critical, major, or minor.
IT risk is a business risk, the business risk associated with the use, ownership, operation, involvement, influence, and adoption of IT within an enterprise. The top-level risk management plan provides the strategic context that is needed to ensure that the organization’s overall business objectives and goals are understood and then factored correctly into the decisions that are made about risk. It is IT-related events and conditions that could potentially impact the business. It may occur with an uncertainty of frequency and magnitudes generating challenges in meeting strategic goals and objectives. Understanding cyber risks and taking a risk-based approach to security improves an organization's effectiveness, efficiency, and depth of protection. To help organizations understand and manage their risks and identify compliance gaps, NIST established the risk management framework or RMF. According to the EY cyber security global quantitative survey, the maturity level of risk management practices determined a positive relationship between risk and financial performance. The leading risk management practices that differentiate the various maturity levels are organized as follows:
►The top-performing companies from a risk maturity perspective implemented on average twice as many of the key risk capabilities as those in the lowest-performing group.
►Companies in the top 20% of risk maturity generated three times the level of earnings as those in the bottom 20%.
►Financial performance is highly correlated with the level of integration and coordination across risk, control, and compliance functions.
Risk management is integral to achieving business objectives and compliance and is a process aimed at achieving a balance between realizing opportunities for gain. Cybersecurity management should be linked to enterprise risk management and should not be treated in a silo management approach. Risk management is fundamental for cybersecurity and governance and can have different meanings for different people. Risk management must be a major part of the organization's culture. Communication, awareness, education, and training (AET) should involve all stakeholders with a common and unified language that will allow variations in needs and perceptions to be identified and addressed more effectively. Unifying language is key to avoiding miscommunication.
This is a fundamental section of this course where you will learn IT risk assessment so that you can apply it in your business therefore, please don’t skip this lecture. When executing a risk assessment, a control can be found in any part of a process. This demands an end-to-end understanding of the process. Layering controls can be useful, but having several controls addressing the same risk is expensive and wasteful. Key risks need to be located based on the organizational objectives and the nature of the assessment. Controls covering those risks need to be identified and tested. Later In this course, we will explore the NIST SP 800-53 Rev 5 security and privacy controls.
Risk assessment is achieved by three methods
1. Quantitative
2. Qualitative
3. Semi-quantitative
Here are 12 steps to conducting an IT risk assessment
STEP #1 Collect the information about the risks you want to assess.
· Interview management, data owners, and other employees
· Analyze your systems and infrastructure
· Review documentation
STEP #2
Find all valuable assets across the organization that could be damaged by the threats. Here are just a few examples:
· Servers
· Website
· Client contact information
· Trade secrets and intellectual properties
· Customer credit card data
· Protected Health Information under HIPAA
STEP #3
Identify potential consequences. Determine what possibly could harm the organization if a given asset was damaged? This is a business concept, the likelihood of financial or other business losses. Here are a few consequences you should care about:
· Legal consequences. If somebody steals data from one of your databases, even if that data is not particularly valuable, you can incur fines and other legal costs because you failed to comply with the data protection security requirements of HIPAA, PCI DSS, or other compliance.
· Data loss. Theft of trade secrets could cause you to lose business to your competitors. Theft of customer information could result in loss of trust and customer attrition.
· System or application downtime. If a system fails to perform its primary function, customers may be unable to place orders, employees may be unable to do their jobs or communicate, and so on.
STEP #4
Identify threats and their impact levels. A threat is anything that might exploit a vulnerability to breach your security and cause harm to your assets. Here are a few common types of threats:
· Natural disasters. Floods, hurricanes, earthquakes, fire, and other natural disasters can destroy much more than a hacker. You can lose not only data but the servers and appliances as well. When deciding where to house your servers, think about the chances of a natural disaster. For instance, don’t put your server room on the first floor if your area has a high risk of floods.
· System failure. The likelihood of system failure depends on the quality of your computer. For relatively new, high-quality equipment, the chance of system failure is low. But if the equipment is old or from a “no-name” vendor, the chance of failure is much higher. Therefore, it’s wise to buy high-quality equipment, or at least equipment with good support.
· Accidental human interference. This threat is always high, no matter what business you are in. Anyone can make mistakes such as accidentally deleting important files, clicking on malware links, or accidentally physically damaging a piece of equipment. Therefore, you should regularly back up your data, including system settings, ACLs, and other configuration information, and carefully track all changes to critical systems.
· Malicious humans. There are three types of malicious behavior:
1. Interference is when somebody causes damage to your business by deleting data, engineering a distributed denial of service (DDOS) against your website, physically stealing a computer or server, and so on.
2. Impersonation is a misuse of someone else’s credentials, which are often acquired through social engineering attacks or brute-force attacks, or purchased on the dark web.
3. Interception is classic hacking, where they steal your data.
STEP #5
Analyze Controls. Analyze the controls that are either in place or in the planning stage to minimize or eliminate the probability that a threat will exploit a vulnerability in the system. Controls can be implemented through technical means, such as computer hardware or software, encryption, intrusion detection mechanisms, and identification and authentication subsystems. Nontechnical controls include security policies, administrative actions, and physical and environmental mechanisms.
Both technical and non-technical controls can further be classified as preventive or detective controls. As the name implies, preventive controls attempt to anticipate and stop attacks. Examples of preventive technical controls are encryption and authentication devices. Detective controls are used to discover attacks or events through such means as audit trails and intrusion detection systems.
STEP #6
Identify vulnerabilities and assess the likelihood of their exploitation. A vulnerability is a weakness that allows some threat to breach your security and cause hard to an asset. Vulnerabilities can be physical, such as old equipment, or a problem with software design or configuration, such as excessive access permissions or unpatched workstations. Vulnerabilities can be identified through vulnerability analysis, audit reports, the NIST vulnerability database vendor data, commercial computer incident response teams, and system software security analysis. Testing the IT system is also an important tool in identifying vulnerabilities. Testing can include the following:
· Information security test and evaluation (ST&E) procedures
· Automated Penetration testing techniques
· Vulnerability scanning tools
You can reduce your software-based vulnerabilities with proper patch management. But don’t forget about physical vulnerabilities. For example, moving your server room to the second floor of the building will greatly reduce your vulnerability to flooding.
STEP #7
Assess the Impact a threat could have. The impact analysis should include the following factors:
· The mission of the system, including the processes implemented by the system.
· The criticality of the system, determined by its value and the value of the data to the organization.
· The sensitivity of the system and its data.
The information required to conduct an impact analysis can be obtained from existing organizational documentation, including a business impact analysis (BIA). This document uses either quantitative or qualitative means to determine the impact that would be caused by compromise or harm to the organization’s information assets. An attack or adverse event can result in compromise or loss of information system confidentiality, integrity, and availability. As with the likelihood determination, the impact on the system can be qualitatively assessed as high, medium, or low. I will discuss this further in the watermark impact concept later in the course. The following additional items should be included in the impact analysis:
· The estimated frequency of the threat’s exploitation of a vulnerability on an annual basis.
· The approximate cost of each of these occurrences.
· A weight factor based on the relative impact of a specific threat exploiting a specific vulnerability.
STEP #8
Prioritize the Information security risks. For each threat/vulnerability pair, determine the level of risk to the IT system, based on the following:
· The likelihood that the threat will exploit the vulnerability
· The impact of the threat successfully exploiting the vulnerability
· The adequacy of the existing or planned information system security controls for eliminating or reducing the risk
A useful tool for estimating risk in this manner is the risk-level matrix. A high likelihood that the threat will occur is given a value of 10; a medium likelihood is assigned a value of 5, and a low likelihood of occurrence is given a rating of 1. Similarly, a high impact level is assigned a value of 10, a medium impact level is given a value of 5, and a low impact level is given a value of 1. Risk is calculated by multiplying the threat likelihood value by the impact value, and the risks are categorized as high, medium, or low based on the result.
STEP #9
Recommend controls. Using the risk level as a basis, determine the actions that senior management and other responsible individuals must take to mitigate the risk. Here are some general guidelines for each level of risk:
High— a plan for corrective measures should be developed as soon as possible.
Medium — a plan for corrective measures should be developed within a reasonable period.
Low — the team must decide whether to accept the risk or implement corrective actions
As you consider controls to mitigate each risk, be sure to consider:
· Organizational policies
· Cost-benefit analysis
· Operational impact
· Feasibility
· Applicable regulations
· The overall effectiveness of the recommended controls
· Safety and reliability
· Compliance with rules and regulations
STEP #10
Document the results. The final step in the risk assessment process is to develop a risk assessment report to support management in making appropriate budget decisions, policies, procedures, and so on. The report should describe the corresponding vulnerabilities, the assets at risk, the impact on your IT infrastructure, the likelihood of occurrence, and the control recommendations for each threat. Please check the table containing a few examples.
STEP #11
Create a strategy for IT infrastructure enhancements to mitigate the most important vulnerabilities and get management sign-off.
STEP #12
Define mitigation processes. You can improve your IT security infrastructure but you cannot eliminate all risks. When a disaster happens, you fix what happened, you investigate why it happened, and then you try to prevent it from happening again or at least make the consequences less harmful.
As you work through this process, you will get a better idea of how the company and its infrastructure operates and how it can operate better. Then you can create a risk assessment policy that defines what the organization must do periodically annually in many cases, how risk is to be addressed and mitigated, for example, a minimum acceptable vulnerability window, and how the organization must carry out subsequent enterprise risk assessments for its IT infrastructure components and other assets. Always keep in mind that the information security risk assessment and enterprise risk management processes are the heart of cybersecurity. These are the processes that establish the rules and guidelines of the entire information security management, providing answers to what threats and vulnerabilities can cause financial harm to your business and how they should be mitigated.
Business impact analysis (BIA) is a part of risk assessment. A business impact analysis (BIA) predicts the consequences of disruption of a business function or a process and gathers information needed to develop recovery strategies. Potential loss scenarios should be identified during a risk assessment. Operations may also be interrupted by the failure of a supplier of goods or services or delayed deliveries. Many possible scenarios should be considered. Identifying and evaluating the impact of disasters on business provides the basis for investment in recovery strategies as well as investment in prevention and mitigation strategies. A business impact analysis (BIA) is a type of risk assessment that helps establish the priority for protecting and recovering a company's high-value assets. The BIA should identify the operational and financial consequences of company operations and business activities being disrupted. Lost sales, any delayed sales or income, increase expenses such as overtime labor, outsourcing, expediting costs, regulatory fines, contractual penalties or loss of contractual bonuses, customer dissatisfaction or defection, and a delay in implementing new business plans are all factors to consider.
When conducting a BIA, I recommend using a BIA questionnaire to survey employees within the company who have a thorough understanding of how it operates. Inquire them to identify the potential impacts if the business functions or process that they are responsible for is interrupted. The BIA should also identify the critical business processes and resources needed for the business to continue to function at various levels. You can use the business impact analysis worksheet from ready.gov to document operational and functional impacts. The BIA report should document the potential impacts resulting from the disruption of business functions and processes and the duration of the interruption. You need also to identify a point in time when interruption would have a greater impact. Scenarios resulting in significant business interruption should be assessed and quantified in terms of financial impact. The costs should then be compared with the cost for possible recovery strategies.
The BIA is composed of the following three steps:
1. Determine mission/business processes and recovery criticality. Mission/business processes supported by the system are identified and the impact of a system disruption to those processes is determined along with outage impacts and estimated downtime. The downtime should reflect the maximum that an organization can tolerate while still maintaining the mission.
2. Identify resource requirements. Realistic recovery efforts require a thorough evaluation of the resources required to resume mission/business processes and related interdependencies as quickly as possible. Examples of resources that should be identified include facilities, personnel, equipment, software, data files, system components, and vital records.
3. Identify recovery priorities for system resources. Based upon the results from the previous activities, system resources can more clearly be linked to critical mission/business processes. Priority levels can be established for sequencing recovery activities and resources.
Estimated Downtime
Working directly with mission/business process owners, departmental staff, managers, and other stakeholders helps to estimate the downtime factors for consideration as a result of a disruptive event, which lead to understand the
• Maximum Tolerable Downtime (MTD)
The MTD represents the total amount of time leaders/managers are willing to accept for a mission/business process outage or disruption and includes all impact considerations. Determining MTD is important because it could leave continuity planners with imprecise direction on
(1) Selection of an appropriate recovery method, and
(2) the depth of detail which will be required when developing recovery procedures, including their scope and content.
• Recovery Time Objective (RTO)
RTO defines the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported mission/business processes, and the MTD. Determining the information system resource RTO is important for selecting appropriate technologies that are best suited for meeting the MTD.
• Recovery Point Objective (RPO).
The RPO represents the point in time, before a disruption or system outage, to which mission/business process data must be recovered (given the most recent backup copy of the data) after an outage.
The table below identifies the MTD, RTO, and RPO (as applicable) for the organizational mission/business processes that rely on its system. Values for MTDs and RPOs are expected to be specific time frames, identified in hourly increments (i.e., 8 hours, 36 hours, 97 hours, etc.).
Now Let's have a look at a BIA exercise. Fill up the ready.gov BIA template for your organization using your inventory list. You may also utilize the case study Target Cloud Inc. provided with the course. Determine the timing of an event that would have the greatest impact and its possible duration, or the amount of time the operation, system, or application might be disrupted, as well as any operational and financial implications for your business or the case study company. The BIA report will assist you in prioritizing protective controls, mitigation strategies, resilience, and the sequence of actions for your business's restoration. The business operations that have the most operational and financial implications should be prioritized for the first recovery.
Cybersecurity risk and its potential impact need to be expressed in business terms. The cybersecurity professional needs to comprehend how any related failure or event will impact the organization's operation (directly or indirectly). A non-cyber security professional needs to understand how to link any potential impact on the operation with the corresponding infrastructure supporting it. The link between cybersecurity risk scenarios and organizational impact needs to be clearly stated. Once a decision has been made on implementing a control, costs and benefits should be considered. The cost of the countermeasure needs to be compared to the potential impact of the related materialized risk. If the cost of the countermeasure exceeds the benefits of the risk mitigation that are directly linked to the impact, the organization may decide to accept the risk.
Calculating Risk-Reduction ROI
With any security decision, implementing new solutions and controls will likely require a monetary expense. This is where you’ll benefit from the ability to determine the cost of potential risk versus the cost of the control. Here’s one way to calculate Return on Investment (ROI) to account for the cost of risk vs the cost of control.
Example
Let’s use phishing attacks as an example. Say your organization expects to get phished 5 times per year, at an estimated cost of $35,000 per successful attack. The cost to train employees to spot and avoid phishing emails is expected to be $25,000. Here’s what the security ROI would look like:
In this example, it makes monetary sense to invest the $25,000 in training to help reduce the risk of a successful phishing attack. Remember that each organization is different, and determining these variables will be based on the circumstance and risk tolerance of the organization. As with any application of the security controls, the cost to implement will depend on the estimation of risk reduction and other factors.
When performing risk management, an organization should have a risk management strategy in place. The risk management strategy is the plan that an organization uses to identify, evaluate, and control the risks that affect the organization. The risk management strategy defines the goal of the risk management process and provides a context for the risk evaluation and risk control activities. Risk management provides some predictability. Understanding the organization’s threat, vulnerability, and risk profile help to understand risk exposure and potential consequences or compromise. It increases the awareness of risk management priorities based on potential consequences. The risk mitigation strategy becomes more sufficient in reducing and understanding the potential consequences impacts from a residual risk. Further, it provides us with measurable evidence that risk management resources are used appropriately and cost-effectively. The senior accountable official for risk management aligns information security management processes with strategic, operational, and budgetary planning processes. The supply chain risk management strategy can also provide useful inputs to the organization-wide risk management strategy.
The primary purpose of the Risk Management Strategy is to provide a holistic view of the enterprise and its risks, including identifying high-consequence risks, understanding how risk is distributed across the enterprise, and establishing how risk will be managed and controlled. The Risk Management Strategy is part of an enterprise risk management process, which also includes the identification of critical assets and the identification of vulnerabilities. The Risk Management Strategy is a high-level document that provides the framework for risk management throughout the enterprise. It is a strategic document and should be adapted to the organization and its needs. Enterprise Risk Management is the discipline through which a firm in any industry assesses, governs, exploits, finances, and monitors risk from all sources to maximize the organization's short- and long-term value to its stakeholders. It is the process by which resources are planned, organized, directed, and controlled to ensure risk remains within acceptable bounds at optimal cost. In today's complex business environment, enterprise risk management has become a critical discipline to gain a significant competitive advantage. Cybersecurity risk managers must have a good strategy roadmap to enhance both corporate performance and business decision-making.
To make it effective, a risk management strategy must be an integrated business process.
· It must be consistent with the governance strategy.
· The cybersecurity strategy must be based on the organization's overall business and risk strategy.
· Internal and external factors will influence the risk management strategy.
Enterprise Risk Management ensures there is a process in place to set objectives and get them aligned with the organization’s mission and business operation. This should be consistent with the organization’s risk:
· Appetite
· Tolerance
An organization’s objectives are key in managing risks. Risk assessment and risk response cannot be executed without setting objectives. How can we know what to protect if we have not identified organizational objectives? Through these objectives, the organization can identify what could go wrong in pursuing objectives and goals. It positions risk management within the business risk awareness, risk culture. It also defines specific strategies for achieving goals while minimizing risks.
Enterprise Goal Category
There are several goals that an organization is seeking to achieve to increase the value for its stakeholders and maintain compliance with rules and regulations. The four main goals are listed as follows:
1. High-level strategic goals that are aligned with and support the organization’s mission or vision.
2. Operational performance and profitability goals
3. The effectiveness of the organization’s reporting, including internal and external reporting and involving financial and nonfinancial information.
4. Compliance: The organization’s compliance with applicable laws and regulations.
The risk management strategy is one of the cornerstones of the overall cybersecurity program and is embedded in the organization's culture.
Due Care and Due Diligence
Organizations must exercise due diligence in managing information security and privacy risk. This is accomplished, in part, by establishing a comprehensive risk management program that uses the flexibility in NIST publications to categorize systems, select and implement security and privacy controls that meet the mission and business needs, assess the effectiveness of the controls, authorize the systems for operation, and continuously monitor the systems. Due Care and Due Diligence concepts are often discussed when evaluating the need for appropriate information assurance controls and risk management. Many areas of law rely on these concepts to determine negligence, intent, and the severity of damages.
· Due care. The responsibility that managers and their organizations have to provide information assurance to ensure that the type of control, the cost of control, and the deployment of control are appropriate for the system being managed.
· Due Diligence continuous activities an organization takes to ensure the efforts established in due care are effective and operating as intended.
Exercising due diligence and implementing robust and comprehensive information security and privacy risk management programs can facilitate compliance with applicable laws, regulations, executive orders, and government-wide policies. Due care and due diligence are needed for effective governance, proper risk management, and prompt compliance. Organizations need to pay a lot of attention to identifying the different compliance elements surrounding their business operations to avoid risks of non-compliance.
To implement the NIST risk management framework efficiently, it is important to:
· Understand the background of the organization (history, founders, purpose, business, market share, core processes, valuable assets, competitive areas) and its risk (inherent, reputational, business)
· Evaluate existing risk management activities.
· Develop a structure and process for the development of risk management initiatives and controls.
This will be useful for:
· Clarifying and gaining a common understanding of the organizational objectives
· Identifying the environment in which these objectives are set
· Specifying the main scope and objectives for risk management, applicable restrictions or specific conditions, and the outcomes required.
· Developing a set of criteria against which the risk will be measured.
· Initiating a gap analysis to identity key elements gaps for structuring the risk identification and assessment process. The difference between control design or operational effectiveness and the organization's business objectives is referred to as a gap analysis.
As an information security professional, you’re often faced with difficult decisions to make. One such decision is determining the best risk analysis method for a specific situation. Your organization may have a preferred method, but you may find yourself needing to use a different method at times. It’s important to understand the different methods available to help you select the best one for your particular situation. Risk analysis is the process of estimating two essential properties of each risk scenario defined as the description of a possible IT risk event that when it occurs will have an uncertain negative or positive impact on achieving business goals and objectives. Each company needs to build a set as a starting point to conduct its risk analysis. They are an effective tool in helping to ask the right questions and to prepare for future uncertainty. A risk assessment should evaluate both
· Frequency, likelihood and,
· Impact
There are three general methods available for risk analysis:
· Qualitative
· Quantitative
· Hybrid
Qualitative Analysis
The magnitude and likelihood scales are adjusted to every single case by high, medium, and low. This type tends to be used when:
· An initial assessment is being executed.
· Nontangible aspects (reputation, culture, and image) will be considered.
· There is a lack of information on historical events.
Quantitative Analysis
Numerical values are assigned to impact and likelihood. It can come from different sources. The quality of the analysis depends on the accuracy of values assigned and the validity of the models used. Results can be expressed in the following terms:
· Monetary
· Technical
· Operational
· Human impact
Let us take an example to calculate the expectancy of a single loss (SLE)
SLE = AV x EF.
AV = Asset Value
EF = Exposure Factor
EF = the likelihood that an event will occur and its magnitude equals the percentage of asset loss caused by the identified threat. The greater the value, with a greater probability and greater magnitude, the greater the potential risk of loss.
Expected Annual Loss
It includes the annualized rate of occurrence (ARO). Multiple occurrences increase potential losses.
The expected annual loss (ALE)= Expectancy of a single loss (SLE) x Annualized rate of occurrence (ARO)
Threat-based calculation
Let’s analyze the example of hard drive failure to better understand how threat-based calculation works. Let’s first describe the threat, vulnerability, and risk.
Hard drive failure is a risk.
Vulnerability—backups are done rarely.
Data loss is at high risk.
The asset is data. The Asset Value (AV) is $100,000. What is the expectancy of a single loss (SLE) if the exposure factor (EF) is 0.3?
SLE= Asset Value * EF = $30,000.
What is the ALE (Annual Loss Expectancy)? (ALE = SLE expectancy of a single loss x ARO annualized rate of occurrence).
ALE = $30,000 (SLE) *.5 (happens 1 in every 2 years) = $15,000
What is the maximum amount of the countermeasure that should not be exceeded? As we can see, the risk is about the impact of the vulnerability on the business and the probability of its being exploited. Annualized loss expectancy (ALE) is $15,000. This means that the potential loss is $15,000 in one year when the data is lost as a result of the hard drive failure. A countermeasure can be used to reduce the potential loss. It happens when management decides to reduce the risk. This countermeasure should not cost more than $15,000 per year. Otherwise, it wouldn’t be logical from a business point of view (we don’t want to spend more money than we can potentially lose). This is basically how cost and benefit analysis works.
Semi-Quantitative Analysis
Values are assigned to the scales used. These are indicative, not real, which is the requisite of the quantitative approach. The model used needs to recognize and declare this limitation. The selection of the numbers and the formula is critical because this is what is going to generate results for decision-making. Models and values should be generally known. An example of a scale of values for likelihood:
· Uncommon (value = 1) Never seen
· Unlikely (value = 2). Not seen in the last five years
· (Value = 3) Moderate seen in the last five years but not in the last year
· Likely (value = 4). Last seen within the last year
· Frequent (value = 5). It happens regularly.
An example of a scale of values for impact:
Very Low= 1
Low= 2
Medium= 3
High= 4
Very High=5
These values should be sufficient to allow risk prioritization according to a semi-quantitative approach.
· Risk equals the product of the impact and the likelihood.
If we have a high-risk impact (4) with a moderate likelihood (3) then
· Risk equals 4 x 3 =12
The NIST risk management framework SP800-37R2 uses a three tiers risk model, and it looks at these tiers across the organization. First, we have the organizational level tier, second the mission or business process tier, and finally at the bottom of the pyramid the information system tier. The risk management cycle is a continuous process for making risk decisions within each of the tiers defined in the risk management model. It is continually re-informed by the changing risk landscape as well as changing organizational priorities and functions. The risk management cycle provides four elements that structure an organization's approach to risk management: frame; assess; respond, and monitor. The risk framing process, typically conducted at the organizational level, produces the risk management strategy that reflects organizational governance decisions and processes associated with risk strategy, risk tolerance, and risk methodology. The NIST RMF will help you understand cyber risks, where, when, and how they may occur, what assets may be affected, and potential threats against your assets.
Once you've completed your preparation, you can categorize systems, select and implement appropriate controls, assess those controls, and then monitor for effectiveness. The categorize step is necessary to categorize the information systems according to their criticality, and then choose controls based upon that criticality then implement those controls within the system. The RMF is purposefully designed to be technology-neutral so that the methodology can be applied to any type of information system without modification. While the specific controls selected, control implementation details, and control assessment methods and objects may vary with different types of IT resources, there is no need to adjust the RMF process to accommodate specific technologies.
For example, information about the temperature in a remote facility collected and transmitted by a sensor to a monitoring station, or health IT devices transmitting patient information via a hospital network, require protection. This information can be protected by: categorizing the information to determine the impact of loss; assessing whether the processing of the information could impact individuals’ privacy; and selecting and implementing controls that apply to the IT resources in use. Therefore, cloud-based systems, industrial/process control systems, weapons systems, cyber-physical systems, applications, IoT devices, or mobile devices/systems, do not require a separate risk management process but rather a tailored set of controls and specific implementation details determined by applying the existing RMF process.
The success of the organization’s missions and business functions depends on protecting the confidentiality, integrity, availability of information processed, stored, and transmitted by information systems, and the private data of individuals. The major objectives of NIST RMF are to provide closer linkage and communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes, and activities at the system and operational level of the organization. Some of these objectives are:
· To ensure that managing system-related security and privacy risk is consistent with the mission and business objectives of the organization and risk management strategy established by the senior leadership
· To institutionalize critical risk management preparation activities at all risk management levels to facilitate a more effective, efficient, and cost-effective execution of the RMF.
· To demonstrate how the NIST Cybersecurity Framework [NIST CSF] can be aligned with the RMF and implemented using established NIST risk management processes
· To integrate privacy risk management processes into the RMF to better support the privacy protection needs for which privacy programs are responsible
· To allow for an organization-generated control selection approach to complement the traditional baseline control selection approach and support the use of the consolidated control catalog in NIST SP 800-53, Revision 5.
· To identify, prioritize, and focus resources on the organization’s high-value assets (HVA) that require increased levels of protection—taking measures commensurate with the risk to such assets.
· To employ organizationally-tailored control baselines to increase the speed of security and privacy plan development and the consistency of security and privacy plan content.
The NIST SP800-37 R2 Risk Management Framework addresses security and privacy risks from two perspectives:
· An information system perspective
· A common controls perspective
For an information system, authorizing officials to issue an authorization accepting the security and privacy risks to the organization’s operations and assets, individuals, and other organizations. For common controls, authorizing officials to issue a common control authorization for a specific set of controls that can be inherited by existing organizational systems. Preparing the organization to execute the RMF can include:
· Assigning roles and responsibilities for organizational risk management processes.
· Establishing a risk identifying and prioritizing assets including information assets.
· Understanding threats to information systems and organizations; management strategy and organizational risk tolerance.
· Developing the security and privacy architectures that include controls suitable for inheritance by information systems.
The 7 Steps Structure of NIST Risk Management Framework
1. Prepare to execute the RMF from an organization- and a system-level perspective by establishing a context and priorities for managing security and privacy risk.
2. Categorize the system and the information processed, stored, and transmitted by the system based on an analysis of the impact of loss
3. Select an initial set of controls for the system and tailor the controls as needed to reduce risk to an acceptable level based on an assessment of risk.
4. Implement the controls and describe how the controls are employed within the system and its environment of operation.
5. Assess the controls to determine if the controls are implemented correctly, operating as intended, and producing the desired out concerning to satisfy the security and privacy requirements.
6. Authorize the system or common controls based on a determination of the risk to organizational operations and assets, individuals, other organizations, and even the nation.
7. Monitor the system and the associated controls on an ongoing basis to include assessing control effectiveness, documenting changes to the system and environment of operation, conducting a risk assessment.
Each step in the RMF has a purpose statement, a defined set of outcomes, and a set of tasks that are carried out to achieve those outcomes. The outcomes can be achieved by different risk management levels. Please refer to the NIST SP 800-37 R2 for further details. I encourage you to read the complete document to have a detailed overview.
The NIST RMF preparation phase establishes the context and goals for managing enterprise-wide security and privacy risk, ensuring that businesses are ready to implement the RMF. This is accomplished on two levels: at the strategic organizational level and the more granular system or operational level. In the next sections, I'll go through each of these processes and their associated tasks. You may check NIST SP 800-37 Rev. 2 for further details. The primary objective of the preparation phase is to facilitate communication between senior leaders and system owners and operators, to prioritize requirements and allocate resources, to determine common security controls and develop organizationally tailored control baselines, and to identify, prioritize, and focus resources on high-value assets. Information security risk management is a key component of governance. The US National Institute of Science and Technology (NIST) Publication 800-30 outlines key roles that must be played to support and participate in risk management.
· It is the responsibility of the board of directors.
· Periodic reports of efforts and effectiveness are needed.
· Confirmation on expectations met is required.
· Adequate resources must be available.
Establishing NIST RMF objectives can significantly help the organizations minimize their information technology footprint and attack surface, as well as prioritize efforts so that protection mechanisms are focused on the most vital and high-value assets and systems. The preparation phase may be seen from two perspectives: from the top-down, organizational level, or the bottom-up, system level. Organizational leaders are responsible for the preparatory responsibilities at the organizational level as follows:
· Identify and assign risk management roles and responsibilities.
· Establish a risk management strategy that documents the organization's approach to determining risk tolerance, managing security and privacy risks, and setting goals for meeting security control objectives.
· Determine the most common controls from NIST SP 800-53 catalog
This establishes the required protection methods, techniques, or technologies throughout the organization. NIST SP 800-53B contains the list of common controls in use by federal agencies. And finally, maintain a continuous monitoring strategy to ensure consistent security and privacy control effectiveness.
This helps business executives to be aware of any security or privacy issues ahead of time. The preparation step's system-level tasks are handled by system owners, operators, or administrators and are focused on specific information systems technologies or applications. Identifying the system's purpose or business function, as well as why the system or application exists, are among these system-level tasks. What role do the systems play inside the company and among the stakeholders who use and rely on them? You must also identify the assets that must be secured. These assets might be tangible or intangible items or components that contribute to the achievement of the mission or business objectives.
The classification or categorization of the data, as well as the security and privacy requirements, are among the types of information processed, stored, and communicated by the system. Regulatory authorities, standard bodies, and stakeholders all demand different levels of protection. You and your organization will be prepared for the NIST RMF process if you complete both the organizational and system-level requirements. A system security plan, or SSP, is a document that documents the current profile of a system, including responsibilities, system status, type, purpose, description, related systems, network boundaries, any applicable laws, regulations, or standards, and the decision on the minimum-security control baseline. This course includes a system security plan template SSP that is based on current US standards. Organizations may choose to utilize a different format that provides similar information. The system security plan should document the roles and responsibilities of the risk management team. The key roles in the cyber management program are:
· Governing boards and senior management
· Director of information technology
· The chief information security officer
· Information security manager(s)
· The system and information owners
· Business and functional managers
· IT security practitioners
· Security awareness trainers
How many of these positions do you have in your company? It's now your turn. Complete parts one through seven of the provided system security plan template SSP for either the case study business Target cloud Inc. or your organization for this exercise. This section contains the high-level organizational details for the operation or system that is being assessed. The other components, as well as system-level tasks, will be completed in subsequent exercises. Fill in as much information as possible. Don't worry if something is left blank; you can always fill it up later.
Once you've prepared your organization for implementing the NIST RMF, you can move to the categorizing and scoping step to establish authorization boundary for the information system. This is where you set the scope of your RMF activity, based on the importance of the asset to the organization. It's grouping the system, or systems under review for this process. When categorizing your assets, not everything needs to be protected to the same degree. It should be based on its value and risk. This is why risk analysis and risk assessment are crucial for the categorizing and scoping step therefore the organization defines the scope of stakeholder assets to be considered for protection. Further, the scope shall be addressed in the organization security policy. For example, a company that deals with credit card data processing must secure its transactions to comply with PCI DSS regulations and not expose itself to the risk of a data breach. Knowing when, where, and how to apply security controls comes down to the value of the assets you're protecting.
When categorizing systems, it all starts with the IT infrastructure of the company, which includes its networks, computing environments, and organizational structure. What are the different types of high-value assets and where do they reside in the information system? Answering these questions helps determining the categorization and the scope of the system. The type of computing operating system, which is commonly Windows, Linux, or the cloud, is the next layer. The programs that run on computer systems are known as the application layer. These applications interact with the information. This information might be saved in databases or on hard drives or even stored in the cloud. Business activities and supporting functions surround these tiers. Once scope is defined, the system, description, and inventory should all be documented in a scoping document or risk matrix.
The NIST RMF categorize step allows you to define the scope of your RMF activities depending on the asset's value to the company. It's the equivalent of filing sensitive document data in a file cabinet, or, more likely, in a document management system. After mapping and identifying your system inventory assets, you assess the potential impact of compromising the security objectives, confidentiality, integrity, and availability of these assets. Then, you categorize assets according to their type, value, and potential risk. The categorization process consists of three tasks:
· The system inventory of critical organizational operations, assets, and systems.
· Security categorization based on risk analysis and risk assessment which is determining the potential adverse impact should the system or data be lost or compromised.
· The security categorization results are reviewed and the categorization decision is approved by senior leaders in the organization.
The purpose of the risk management framework categorized step is to guide the subsequent risk management processes and tasks by determining the negative impact of compromising security objectives to the organization losing organizational assets, organizational systems and the information processed, stored, and transmitted by those systems. This stage demonstrates to you how to identify the information and system's criticality in terms of potential worst-case scenarios that might have a negative impact on the company. The categorization process starts with a detailed examination of the organization's objectives and integrated business processes, as well as the enterprise architecture, to determine the types of data processed, saved, and transferred by the information systems.
Scoping addresses the question, "What we shall be focused on?" What are we looking at, in other words? Is it a certain function, system, or data that we are looking for? Is it everything in the enterprise, or is it only a part of it? To avoid attempting to analyze and secure too much, you should focus your efforts on a specified objective as much as possible while implementing and analyzing security. When I analyze a firm that accepts credit cards for compliance with the payment card industry data security requirements, I simply look at their cardholder data environment. Only those systems that process, store, and transmit credit card data, as well as any system that supports it, such as a computer network, are included in the scope.
There is a need for a management authorization boundary that establishes the scope of protection for an information system on what the organization agrees to protect under its direct management or within the scope of its responsibilities. It also defines the specific scope of an authorizing official’s responsibility and accountability for protecting information resources and individuals’ privacy including the use of systems, components, and services from external providers. Establishment of meaningful authorization boundaries is a foundation for assuring mission and business success for the organization.
All components of an information system are to be authorized for operation by an authorizing official in the organization. This excludes separately authorized systems to which the information system is connected. The authorization boundary for a system is established during the RMF Prepare Task – System level, Task P-11. The scope of the authorization boundary is revisited periodically as part of the continuous monitoring process carried out by the organization. Applying the RMF steps and associated tasks to existing systems can serve as a gap analysis to determine if the organization’s security and privacy risks have been effectively managed.
The NIST SP document on security and privacy controls for federal information systems and organizations, known as NIST SP 800-53 currently at rev.5 provide a catalog of security and privacy controls for information systems and organizations and a process for selecting those controls to protect your operation's assets and systems from a diverse set of threats. The NIST Cybersecurity Framework CSF and NIST SP 800-53 controls are both used by US government and non-government organizations.
Once you decided what are your high-value assets and the crown jewels of your organization that you want to protect, and after defining the control baseline and the impact level of risks to your organization’s information system that affect asset’s security objectives, it is time to select the proper security controls.
Security controls are the safeguards or countermeasures employed within a system or an organization to protect the confidentiality, integrity, and availability of the system and its information and to manage information security risk. Privacy controls are the administrative, technical, and physical safeguards employed within a system or an organization to manage privacy risks and to ensure compliance with applicable privacy requirements.
Security and privacy controls are selected and implemented to satisfy security and privacy requirements imposed on a system or organization. Security and privacy requirements are derived from applicable laws, executive orders, directives, regulations, policies, standards, and mission needs to ensure the confidentiality, integrity, and availability of information processed, stored, or transmitted and to manage risks to individuals’ protected data.
Organizations should answer several key questions when addressing information security and privacy controls:
• What security and privacy controls are needed to satisfy security and privacy requirements?
• Have the selected controls been implemented or is there a plan in place to do so?
• What is the required level of assurance (i.e., grounds for confidence) that the selected controls, as designed and implemented, are effective?
The number and type of appropriate security controls vary throughout a system’s life cycle and are selected based on the organization’s understanding of the results of security impact analysis that should be performed before the selection of controls begins. Thus, the relative maturity of an organization’s enterprise architecture and security program will have a significant influence on the types of appropriate security controls. The blend of security controls is tied to the mission of the organization and the role of the system within the organization as it supports that mission.
Let us see an example of a typical security control found in NIST SP 800-53 Control SI-5 on Security alerts, advisories, and directives that require organizations to receive security alerts from external organizations, such as law enforcement, vendors, or other organization, and generate their alerts as needed. By having this control in place, organizations can proactively manage threats and vulnerabilities, thereby reducing their overall risk. A supplement to the NIST Risk Management Framework is the Cybersecurity Framework or CSF. Created through collaboration between industry and government, the NIST CSF consists of standards, guidelines, and practices to promote critical infrastructure protection.
The NIST CSF separates security controls into five functions of cybersecurity: identify, protect, detect, respond, and recover. There are other security and privacy control frameworks available depending on your industry. These include the Cloud Controls Matrix from the Cloud Security Alliance; HIPAA and supplemental HITECH Act, security and privacy rules for health and medical records; the Payment Card Industry Data Security Standards for credit or payment card data; and the ISO IEC 27000 Series, which is a grouping of international information security management models from the International Standards Organization. These are the top ones you'll see as a cybersecurity professional. Take a moment to consider the ones that apply to your organization.
In preparation for selecting and tailoring the appropriate security control baselines for organizational systems and their respective environments of operation, organizations first determine the criticality and sensitivity of the information to be processed, stored, or transmitted by its information systems. The process of determining information criticality and sensitivity is known as security categorization and is described in [FIPS 199]. [FIPS 199] requires organizations to categorize systems as low, moderate, and high impact for the stated security objectives of confidentiality, integrity, and availability. Since the potential impact values for security objectives confidentiality, integrity, and availability may not always be the same for a particular system, the high-water mark concept introduced in [FIPS 199] and is used in [FIPS 200] to determine the impact level of the system for the express purpose of selecting the applicable security control baseline from one of the three baselines as defined in NIST SP 800-53B control baselines for information systems and organizations.
A low-impact system is defined as a system in which all three of the security objectives are low. A moderate-impact system is a system in which at least one of the security objectives is moderate and no security objective is high. A high-impact information system in which at least one security objective is assigned a high impact value. Once the impact level of the system is determined, organizations select the appropriate security control baseline. This approach provides a starting point from which controls or control enhancements may be removed, added, or specialized based on the tailoring needs. The high watermark concept is employed because there are significant dependencies among the security objectives of confidentiality, integrity, and availability. In most cases, a compromise in one security objective ultimately affects the other security objectives as well. For example, a categorized system that has two moderate risk applications and one high-risk application residing on it, the overall impact rating is high. A system is categorized as low for availability, low for integrity, but high for confidentiality, the overall impact rating is high.
Control baseline is the set of security and privacy controls defined for a low-impact, moderate-impact, or high-impact system or selected based on the privacy selection criteria that provide a starting point for the tailoring process. For example, if your information system has a high impact then you need to select the predefined set of security controls for the high-impact system and the same apply to the low and moderate-impact system. Federal control baselines are provided in [NIST SP 800-53B].
Two approaches can be used for the initial selection of controls:
· Top-down approach
· Bottom-up approach
The organization-generated control selection approach differs from the baseline selection approach because the organization does not start with a pre-defined set of controls. Rather, the organization uses its selection process to select controls. This may be necessary when the system is highly specialized (e.g., a weapons system or a medical device) or has a limited purpose or scope like a smart meter. In these situations, it may be more efficient and cost-effective for an organization to select a specific set of controls for the system (i.e., a bottom-up approach) instead of starting with a pre-defined set of controls from a broad-based control baseline and subsequently eliminating controls through the tailoring process (i.e., top-down approach). Organizations can also use the [NIST CSF] to develop Cybersecurity Framework profiles representing a set of organization-specific security and privacy requirements and thus, guiding and informing control selection from [ NIST SP 800-53]
Assume this scenario. Your company is working on improving its cybersecurity program, and you've been given the responsibility for implementing the NIST risk management framework. What are your plans for doing this? In the previous lectures, you learned about The NIST RMF preparation, defining scope, and categorization. You will learn about the NIST security controls catalog in this video so you can determine the appropriate plan and control mechanisms for your company's cyber security program.
NIST security catalog SP 800-53 Rev5 has 20 control families that help the organizations meet the challenge of selecting the appropriate basic security controls, policies, and procedures to protect their information security and privacy. The controls established by NIST Special Publication (SP) 800-53 Rev5 are designed to improve risk management for any organization or system that processes, stores or transmits information. Tailoring these controls is necessary to ensure their applicability to your organization’s infrastructure and environment. Below is the table of NIST 800-53 R5 control families.
Who must comply with NIST SP 800-53?
The standard is mandatory for federal information systems, organizations, and agencies. Any organization that works with the federal government is also required to comply with NIST SP 800-53 to maintain the relationship. However, the standard provides a solid framework for any organization to develop, maintain and improve their information security practices, including state, local and tribal governments, and private companies, from small and medium businesses to enterprises.
What data does NIST SP 800-53 protect?
While the standard does not provide a list of specific information types, it does offer recommendations for classifying the types of data your organization creates, stores, and transmits. For example, one classification might be “protected”; this data could include customer names, birth dates, and social security numbers.
FIPS 199 Defines Three Impact Levels
The Federal Information Security Management Act, commonly known as FIPS 199, defines three levels of impact based on the risk assessment: low, moderate, and high. Each level requires a more stringent set of security controls and provides more security than the previous level. High-impact systems require the most stringent security controls and offer the highest level of security. The majority of systems fall into the moderate impact category and offer a level of security that is greater than that of low-impact systems.
The Low impact system — Loss would have a limited adverse impact.
The Moderate impact system — Loss would have a serious adverse impact.
The High impact system — Loss would have a catastrophic impact.
NIST 800-53 R5 Compliance
The following best practices will help you select and implement appropriate security and privacy controls for NIST SP 800-53 compliance.
· Identify your sensitive data. Find out what kind of data your organization deals with, where it is stored, and how it is received, maintained, and transmitted. Sensitive data can be spread across multiple systems and applications.
· Classify sensitive data. Categorize and label your data according to its value and sensitivity. Assign each information type an impact value low, moderate, or high for each security objective confidentiality, integrity, and availability.
· Consult FIPS 199 for appropriate security categories and impact levels that relate to your organizational goals, mission, and business success.
· Evaluate your current level of cybersecurity with a risk assessment. At a high level, risk assessment involves identifying risks, assessing the probability of their occurrence and their potential impact, taking steps to remediate the most serious risks, and then assessing the effectiveness of those steps.
· Document a plan to improve your policies and procedures. Select controls based on your specific business needs. The selection process should be proportional to the impact level of the risk being mitigated. Document your plan and the rationale for each choice of control and policy.
· Provide ongoing employee training. Educate all employees on access governance and cybersecurity best practices, such as how to identify and report malware.
· Make compliance an ongoing process. Once you have brought your system into compliance with NIST SP 800-53, maintain and improve your compliance with regular system audits, especially after a security incident.
The NIST computer security resource center is your resource for more information on a computer, cyber, and information security and privacy. I highly recommend you take some time and check it out.
In the NIST RMF security controls implementation step, you apply the security and privacy controls you have listed earlier in your risk plans. In your baseline configuration report, you should also provide control implementation-specific details. During security control implementation, you establish and apply any mandatory configuration settings required by both applicable industry standards and your organization's rules and policies. Common control is a security or privacy control that is inherited by multiple information systems or programs. System owners and authorizing officials determine if the common controls available for inheritance provide adequate protection. Accepting common controls requires authorization by an authorizing official. An important aspect of risk management is the ongoing monitoring of controls implemented within or inherited by an information system.
For example, according to NIST and IT security industry requirements, you would implement password restrictions for all systems. A service provider's common controls may be inherited by some systems. For all user IDs and passwords, your system or application may use a single source, such as federated identities. To verify that security controls are satisfied to a minimum throughout implementation, work with whoever runs the identification and authentication system.This will help reduce the cost of implementing and speed up your control selection process. In general, the greater the number of common controls implemented, the greater the potential cost savings since the protective measures are repaid over many systems. Additionally, the deployment of controls as common controls often provides a more standardized, stable, scalable, and secure implementation across the organization as opposed to the same control implemented separately on multiple individual systems.
For example, U.S. Federal Risk and Authorization Management Program (FedRAMP) standardizes security assessment and authorization for cloud products and services used by U.S. federal agencies. The goal is to make sure federal data is consistently protected at a high level in the cloud. (FedRAMP) is a certification for federally approved cloud service providers that meets the NIST 800-53 moderate impact controls. If a common control doesn't meet the baseline requirements, you can identify compensating or supplementary NIST security controls to achieve the required protection objectives. These are controls that provide equivalent or similar protection. For example, if the password policy isn't strict enough for the data type, you can supplement it with multifactor authentication.
Business owners, on the other hand, might still accept the risk. Documenting how Security controls are implemented on the systems is the second control implementation task. The implementation of controls does not always proceed according to plan. As a result, as you implement security and privacy measures, you should update your system security plans to reflect the new details. This allows you to identify when controls are changed, whether those changes are approved, the impact of the changes on the system and organization's security and privacy posture, and how they affect the security baseline. This section's exercise is to finish the SSP template that you began in the previous exercises. Choose three of the NIST baseline categories for section 14, minimum security controls, then fill in the implementation details. Also, fill in sections 15 and 16. The system security plan SSP serves as a written guide to completing the NIST Risk Management Framework.
After selecting the applicable control baselines, organizations tailor the controls based on various factors (e.g., missions or business functions, threats, security and privacy risks (including supply chain risks), type of system, or risk tolerance). An important aspect of risk management is the ongoing monitoring of controls implemented within or inherited by an information system. An effective continuous monitoring strategy at the system level is developed and implemented in coordination with the organizational continuous monitoring strategy. Tailoring is the process by which security control baselines are modified by identifying and designating common controls; applying scoping considerations; selecting compensating controls; assigning specific values to defined control parameters; supplementing baselines with additional controls or control enhancements; and providing additional specification information for control implementation. The tailoring process may also be applied to privacy controls.
Organizations shall initiate a tailoring process to align the controls more closely with the organization's specific security and privacy requirements. The tailoring process is part of an organization-wide risk management process that includes framing, assessing, responding to, and monitoring information security and privacy risks. Tailoring decisions are dependent on organizational or system-specific factors. While tailoring decisions are focused on security and privacy considerations, the decisions are typically aligned with other risk-related issues that organizations must routinely address. Risk-related issues such as cost, schedule, and performance are considered in the determination of which controls to employ and how to implement controls in organizational systems and environments of operation.
Organizations use risk management guidance to facilitate risk-based decision-making regarding the applicability of the controls in the baselines. Ultimately, organizations employ the tailoring process to achieve cost-effective solutions that support organizational mission and business needs and provide security and privacy protections proportionate with risk. Tailoring decisions, including the risk-based justification for the decisions, are documented in the system security and privacy plans for organizational systems. Risk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination.
In previous sections we learned about the preparation, categorization, establishing, and authorizing the scope boundaries of the RMF. We also learned about selecting and implementing security controls. The fifth step in the NIST risk management framework is to assess security controls within the IT infrastructure for any gaps or risks. The assessment step determines if the controls selected for implementation are successfully implemented, performing as needed, and generating the expected output. Security Controls should be adequate to minimize risks to your business, systems, and data when it comes to satisfying the security and privacy requirements for the system and the company. For a successful assessment, the following tasks are required:
· Preparation
· Defining, compiling, and listing the security control baselines
· Documenting assessment scope
· Selecting the assessor
· Accessibility to organizational, personnel, policies, risk and security plans, documentation systems, and security privacy assessment plans.
Let us take our course case study as an example to conduct our security control assessment, Target Cloud Inc. would require the NIST SP 800-53B high-level baseline system because the impact level is high based on the watermark concept which we discussed earlier. The next step is to determine the focus of our assessment. Remember that scoping provides answers to the following questions: Where are the assets on the network, both physically and logically? What is its purpose and who uses it? This can be accomplished by either a human or a machine.
To prepare for the assessment, a network diagram that identifies the critical assets in scope is required to conduct the assessment of the security controls. First, we need to know where and how data is processed, stored, or transmitted on Target Cloud Inc storage servers. This will display where the system data is mapped on the networks. Each of those systems is in the boundary scope that requires protection. Now we have completed our control framework, baseline, and scope, it is time to choose an assessor or auditor. The assessor should have access to any information systems assets or devices that are part of the scope of the evaluation. The assessor who might be an individual or organization must be unbiased and independent to provide an accurate review and assessment of Target Cloud Inc.’s security controls and privacy procedures. They must also be experienced in performing assessments or audits using company control frameworks and baselines, and be knowledgeable about the organization's industry sector and the types of systems in place, and should hold an industry-standard certification like the CISA, CISM, ISACA, or CISSP.
Another prerequisite is that the assessor should have accessibility to the organization's staff who are familiar with the operations, systems, and data. Any applicable organizational policies or procedures, whether high-level or lower-level operation documentation, must also be provided to the assessor. The assessor will use system, security, and privacy plans to confirm that selected controls are in place and operating as expected. The requirements are assembled and supplied to the assessor to complete the documentation of the assessment. If I am doing the assessment, I will also require a diagram that graphically shows where systems are located and how data flows across the networks. The assessor will next coordinate with the company to create an assessment plan that outlines the assessment approach for reviewing all applicable controls for all in-scope processes, systems, and data that will be assessed. The security and privacy assessment plans are then evaluated and approved to establish the expectations for the security control effectiveness.
Security risk assessments set the baseline for a company’s ongoing cybersecurity efforts. NIST security controls assessment is part of the broad risk assessment plan. Risk assessment allows an organization to identify, analyze, classify the security risks and prioritizes potential vulnerabilities to various information assets (i.e., systems, hardware, applications, and data). Further, risk assessment can help understand what are the most important threats to an organization’s infrastructure, and prioritize remediation of systems. It Increases the organization’s knowledge base regarding threats, vulnerabilities, privacy risks, and strategies for more cost-effective solutions to common information security and privacy problems. The primary purpose of a risk assessment is to inform decision-makers about vulnerabilities in corporate systems, allowing them to take preventive defensive actions and prepare effective risk responses. Security risk assessments also indicate to management areas where employees need training to help minimize attack surfaces. It can also help with long-term planning and budgeting of security investments. It informs officials as to where to deploy the necessary reactive security controls to respond to risk.
A security assessment combines security scans, ethical hacking, and risk assessment to identify not only the risks facing an organization but also its current security controls and how effective they are. It can identify gaps in the current security posture, and recommend changes or improvements that will improve security for protected assets. Risk assessment maintains effective and up-to-date knowledge about the threat situation. Therefore, the fundamental goal of the risk assessment process is to maximize the operational deployment of the organization’s risk controls. Now that you understood the assessment goals and requirements, you need to understand the process of when and how to conduct security controls assessment. First, start with selecting the appropriate assessor or assessment team for the type of assessment to be conducted. Develop a control assessment plan that describes the scope of the assessment including:
1. Security controls and control enhancements under assessment.
2. Assessment procedures to be used to determine control effectiveness
3. Assessment environment, team, assessment roles, and responsibilities.
· Assess the security controls in the information system and its environment of operation to determine the extent to which the controls are implemented correctly, operating, and producing the desired outcome.
· The results of a security assessment are documented in a security assessment report.
· Provide the results of the security control assessment to the authorizing officials.
The NIST SP 800-53A provides a set of procedures for conducting assessments of security and privacy controls employed within systems and organizations. An assessment procedure consists of a set of assessment objectives, each with an associated set of potential assessment methods and assessment objects. Three assessment methods can define the nature of the assessor’s actions and include examine, interview, and test.
· The examine method is the process of reviewing, inspecting, observing, studying or analyzing one or more assessment objects such as system audit records; system security plan.
· The interview method is the process of holding discussions with individuals or groups of individuals within an organization to facilitate assessor understanding, achieve clarification, or obtain evidence.
· The test method is the process of exercising one or more assessment objects. For example, using penetration testing to identify vulnerabilities in software or network to test the control in place.
The following figure illustrates an example of an assessment procedure to assess the effectiveness of remote access control AC-17.
The process of assessing the security and privacy controls includes 4 steps:
· Prepare for security and privacy controls assessments
· Develop Security and privacy assessment plans
· Conduct security and privacy control assessments
· Analyze assessment of report results
You need to ensure the control assessment plan is reviewed and approved by the authorizing official before conducting the assessment. Start assessments as early as possible in the software or system development life cycle (SDLC), where it's much more efficient and cost-effectively to identify requirements, resolve them more quickly, and fix any potential problems. This means identifying security requirements at the beginning of the project. Organizations perform periodic assessments to evaluate the effectiveness of security controls and the identification of new risks. Most mature organizations conduct a formal risk assessment annually.
Your job as an assessor is to confirm that each control is in place and identify any risks or gaps. The assessor's findings are just factual reporting of whether the controls are operating as intended, and whether any deficiencies in the controls were discovered during the assessment. Our job as consultants and assessors is just to collect the facts about what we see, observe, and test in infrastructure as presented by the organization. The assessment plan should include sufficient detail to indicate the scope of the assessment, the schedule for completing it, the individual or individuals responsible, and the assessment procedures planned for assessing each control. System owners rely on the information in the assessment plan to allocate appropriate resources to the assessment, including personnel who will provide documentation, participate in interviews, or facilitate access to the system as well as those performing the assessment.
Penetration Testing (Ethical Hacking) could be part of both security control assessment and monitoring steps of the NIST risk management framework. It also can be an important tool in the risk management plan to identify, evaluate and rank potential risks and their potential impact threat on the business. Penetration testing is the process of stimulating real-life cyber-attacks against an application, software, system, or network under safe conditions. It can help evaluate how existing security measures will measure up in a real attack. Most importantly, penetration testing can find unknown vulnerabilities, including zero-day threats and business logic vulnerabilities. Penetration testing was traditionally done manually by a trusted and certified security professional known as an ethical hacker. The hacker works under an agreed scope, attempting to breach a company’s systems in a controlled manner, without causing damage. In recent years, automated penetration testing tools are helping organizations achieve similar benefits at lower cost and with higher testing frequency.
In the previous section, I mentioned cobalt cloud penetration testing as a service (PtaaS). Cobalt works by sending out beacons to detect network vulnerabilities. When used as intended, it simulates an actual attack. Also, a cobalt strike beacon can execute PowerShell scripts, perform keylogging activities, take screenshots, download files, and spawn other payloads. Another service provider is NeuraLegion provides NexPloit, a penetration testing platform powered by artificial intelligence (AI). It automatically scans multiple layers of the IT environment and provides reports on vulnerabilities, including zero-day and complex business logic vulnerabilities.
NIST security control CA-8 is about conducting penetration testing that can be used to validate vulnerabilities or determine the degree of penetration resistance of systems to adversaries within specified constraints. Penetration testing attempts to duplicate the actions of adversaries and provides a more in-depth analysis of security- and privacy-related weaknesses or deficiencies. It is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). Penetration testing may result in the exposure of information that is protected by laws or regulations, to individuals conducting the testing. Rules of engagement, contracts, or other appropriate mechanisms can be used to communicate expectations for how to protect this information. Risk assessments guide the decisions on the level of independence required for the personnel conducting penetration testing.
You have three high-level responsibilities as a security assessor. Identify any gaps in compliance control, classify security and privacy risks, and write a final assessment report to document your findings. In the POAM (Plan of Action and Milestones) spreadsheet provided with this course, the "Priority" section determines the organization's important issues that need to be resolved. It's on a scale of one to ten, with ten being the top priority. I use this spreadsheet based on the NIST Cybersecurity Framework to document my analyses while completing security and privacy assessments. I go over each of the controls one by one, starting with the CSF identification function and asset management category. I check my client's compliance with each of these control areas. I ‘ve also provided in the exercise files a spreadsheet for mapping the Center for Internet Security's CIS controls version 8 with NIST 800-53 Rev5 low baseline security controls along with NITS cyber security framework functions. As you can see in this sheet, establishing and maintaining detailed enterprise asset inventory controls are specified in conjunction with the cybersecurity framework identify function and NIST security control CM-8.
Usually, when I'm assessing an organization, I'll talk to the administrators about checking the inventory of high-value assets, physical devices, software, and networks. Then I check the inventory of sensitive data and data flows with business owners. Do they have a data categorization policy in place, and do they know where their most sensitive information is stored on their systems and networks? I'll also look at their inventory listings from systems like the Windows server update service (WSUS), which records hardware and software information if it's accessible by unauthorized personnel or not. Information technology administrators can use Windows Server Update Services (WSUS) to deploy the latest Microsoft product upgrades. Administrators may use WSUS to centrally oversee the deployment of Microsoft updates to machines on their network. In addition, I examine the client's Windows active directory, access control privileges, and policies.
Remember to document facts that can be seen and observed. Now let us return to our course case study example. Target Cloud Inc. is a company that specializes in cloud computing. I discovered that the company does not keep track of where personally identifiable information, or PII, is collected, stored, transmitted, and processed. This is a noncompliance with NIST security control family PT personally identifiable information processing and transparency. Please check table C-15. The Specific details may be found in NIST SP 800-53 Rev. 5.
Employees frequently write spreadsheets containing PII, save them locally on their PCs, and back them up to USB memory sticks. I'll take a note of it in the notes section of my report. Spreadsheets containing PII are saved on a USB drive. I'd then assign a high-priority ranking.
Because it's critical to secure PII data, we'll set the security level to the highest. We'll also show this as a high rating and potential risk for compliance because this organization isn't compliant. Noncompliance risks and control gaps are seldom black-and-white situations. As an assessor, you'll need to figure out how compliant the business is, as well as the risk connected with the gap. Combining the facts with your professional judgment in consultation with your client is the best approach for security assessment results. Since the company is classified in the high-impact watermark classification, there is a need to implement security control SC-41 Port and input/output device access. Port and I/O device access connection ports include (USB), compact disc, and digital versatile disc drives must be disabled or removed to help prevent the exfiltration of information from systems and the introduction of malicious code from those ports or devices. Physically disabling or removing ports and input/output devices is the stronger action.
Now let me demonstrate to you how to use the cybersecurity risk-aligned framework spreadsheet's likelihood, impact, and risk categories. In our case study example, I found compliance gaps with uncontrolled sensitive data and a clear risk of PII being compromised, either accidentally or maliciously. To determine the overall risk, use the scales in the likelihood and impact columns. for example, the likelihood column has a dropdown that ranges from a very low likelihood of occurrence to a very high likelihood of occurrence. In our case, I believe there is a high likelihood that PII will be exposed accidentally or intentionally. Consequently, the impact, if that PII is leaked, would have a very high impact on the organization and its clients. Therefore, the overall risk would also be very high. You may use this spreadsheet to examine each of the controls as you progress through the NIST risk management framework and cybersecurity frameworks.
As a part of your report, you shall document any control gaps, vulnerabilities, or high risks in the plan of action and milestones or POAM report. This is the organization's plan for resolving issues. For example, if the company won’t have a PT-4 security control mechanism and tools that allow individuals to participate in making decisions about the processing of their personally identifiable information, you can tell the client. When you record your finding, write the target date for resolving the findings, the point of contact, the current status of the finding under observation. After the client is informed of the open finding, they have 30 days to correct it. If it isn't fixed after 30 days, it becomes a POAM entry.
Use the POAM spreadsheet included in this course to keep track of any compliance gaps or high risks in your report and make sure they're addressed properly. You must write a report based on your findings. Usually, as a cybersecurity consultant, I either use a template given by the regulator or one like the one provided with this course for my security control assessment reports. These reports provide your formal security findings for the company. You need to complete your report and make it clear and comprehensive for your clients to help them resolve their issues quickly.
Your security assessment and POAM reports are now complete. So, what's next? The implementation of the security system must then be authorized to operate, according to the NIST Risk Management Framework. The authorized step's goal is to ensure organizational responsibility by requiring a senior management official to verify if the security and privacy risks are acceptable. The authorized step consists of four main tasks:
· Risk analysis and determination,
· Risk response, and
· Authorization decisions and reporting
· Authorization package
The authorization package must be compiled and presented as the first action in the authorized step. All official reports and documentation up to this stage, including security and privacy plans, security and privacy assessment reports, plans of action and milestones (POAMs), and the executive summary, are included in the authorization package. The authorized official given this information so that they make informed, risk-based decisions. The authorizing official reviews the package, confirms the findings of control gaps and risks that are above the organization's tolerance level, evaluates whether the recommendations appropriately manage, mitigate, or accept those risks, and makes the final decision on the risks to the data, operations, systems, or organization in collaboration with senior organizational management.
Organizations can respond to risks in a variety of ways after they have been analyzed and assessed, including sharing or transferring the risk to another organization, accepting the risk, avoiding or eliminating the risk, and reducing or minimizing the risk. To assist select the preferable course of action for the organization's risk response, authorizing official should employ current risk management methodologies, strategies, and best practices. Prioritizing actions based on risk and organizational capabilities is one example. For example, requiring an organization to obtain a costly security equipment for low risk profile may not be feasible. All risk impacts will be documented in POAM reports as well as changes to the initial assessment report.
The authorized official’s responsibility is to decide whether the existing and prospective potential risks are acceptable after mitigation. The risks can only be accepted by authorized officials. The authorizing official is anyone who assumes the responsibility for an information system and is held accountable for ensuring the information system is operating at an acceptable level of risk. NIST indicate the authorizing decisions to the system owner or common control provider. The decisions about risks are documented in the authorization package. The organization IT system stakeholders are then notified of the risk decision, as well as any terms and limitations that apply to the system's operation. Playing the part of an authorized authority is a useful exercise. Use the case study example in this course and assume what risks you may or may not accept as an authorizing official. You may utilize the results of your prior activities to figure out what risk responses are suitable for any gaps you discovered before.
If your job requires you to manage cyber security risks in the high-stakes world of enterprise IT, this course is for you. You'll examine risks, threats, opportunities, and vulnerabilities at the strategic and operational levels. This includes Cybersecurity IT value generation for the business, and the IT NIST Risk Management Framework (RMF).
You'll also explore risk appetite, risk tolerance, and mitigation strategies, selecting, implementing, tailoring, assessing, and monitoring NIST security controls. The course case study will highlight issues related to legal and regulatory compliance and stakeholder communication.
By the end of this course, you will be able to:
Understand the seven-step NIST Risk management and compliance
Apply appropriate risk-management techniques and models including risk scenarios.
Conduct risk analysis and assessment
Align cyber security and enterprise risk management.
Manage and monitor the status of NIST risk-management strategies and plans.
Provide oversight of related legal and regulatory compliance such as HIPPA and credit card regulation PCI DSS
Design and use effective techniques to communicate Cybersecurity risks to stakeholders in a clear manner
Select and tailor the proper NIST security and privacy controls
Understand the difference between IT audit and assessment.
Track risks and create cyber security performance indicators
The course will provide you with a foundational understanding of risk and how to identify, assess, and mitigate risk. You will become familiar with the concepts, tools, and techniques used to develop a risk management process. You will also learn how to use these tools and techniques to effectively manage risk using the NIST seven-step approach along with security and privacy controls.