Module 7 Final Project - Keith E. Anderson, Sr.



Module 7 Final Project
March 8, 2020
Keith Anderson
CSOL-530-04-SU19 Cyber Security Risk Management
University of San Diego

Contents
Abstract
Module 7 Final Project
1. Steps of the RMF
2. Protocol for Continuous Monitoring and On-going Assessments
3. Configuration and Change Management
References
Appendix A: RMF Tasks
Appendix B: Cybersecurity Framework and Controls Mapping

Abstract

The purpose of this paper is to provide a recommended protocol for ensuring the resiliency of an authorized system that has successfully gone through the seven steps of the Risk Management Framework (RMF). We will ensure that changes to personnel, hardware/software/firmware, and/or the environment are properly postured against appropriate assessment guidelines, and that the system, with respect to risk, remains functional within the accepted risk appetite of the organization.

Module 7 Final Project

1. Steps of the RMF

With an ever-growing dependency on information systems and technology, it has become commonplace for organizational leadership to acknowledge that information security and privacy risks have risen to a level requiring the same attention and scrutiny as other existential threats to the enterprise business model. To manage these risks, there must be a means to govern the lifecycle of information and information systems that is inclusive of all levels of the organization, with a mindset of making informed decisions based on risk.

[Figure: NIST (2018). Framework for Improving Critical Infrastructure Cybersecurity]

The overall success of an organizational risk management program is dependent upon the protection of the confidentiality, integrity, and availability (CIA) of information processed, stored, and transmitted by information systems, as well as the systems themselves, to a level agreed upon and accepted by organizational leadership (the risk appetite). In order to provide assurances to the organization of the resiliency of a given system, we will follow the guidelines provided by the National Institute of Standards and Technology's (NIST) Special Publication (SP) 800-37, Risk Management Framework for Information Systems and Organizations.

Threats to information systems include equipment failure, environmental disruptions, human or machine errors, and purposeful attacks that are often sophisticated, disciplined, well-organized, and well-funded (NIST, 2018). In order to ensure the risk associated with these threats is reduced to a level aligned with organizational risk appetite, information system lifecycles will follow the steps of the RMF, as depicted in the image below, courtesy of NIST:

[Figure: NIST (2018). Risk Management Framework for Information Systems and Organizations]

The table below provides an explanation of each of the RMF steps which, after the initial system implementation, may have a different starting point depending on the change occurring within the lifecycle of the system:

| Step | Guidance | Purpose |
|---|---|---|
| Prepare | | Prepare to execute the RMF from an organization- and a system-level perspective by establishing a context and priorities for managing security and privacy risk (NIST, 2018). |
| Categorize | FIPS 199; SP 800-60 | Categorize the system and the information processed, stored, and transmitted by the system based on an analysis of the impact of loss (NIST, 2018). |
| Select | FIPS 200; SP 800-53 | Select an initial set of controls for the system and tailor the controls as needed to reduce risk to an acceptable level based on an assessment of risk (NIST, 2018). |
| Implement | SP 800-70 | Implement the controls and describe how the controls are employed within the system and its environment of operation (NIST, 2018). |
| Assess | SP 800-53A | Assess the controls to determine if the controls are implemented correctly, operating as intended, and producing the desired outcomes with respect to satisfying the security and privacy requirements (NIST, 2018). |
| Authorize | SP 800-37 | Authorize the system or common controls based on a determination that the risk to organizational operations and assets, individuals, other organizations, and the Nation is acceptable (NIST, 2018). |
| Monitor | SP 800-37; SP 800-53A | Monitor the system and the associated controls on an ongoing basis, to include assessing control effectiveness, documenting changes to the system and environment of operation, conducting risk assessments and impact analyses, and reporting the security and privacy posture of the system (NIST, 2018). |

Each of the steps in the RMF process provides deliverables that feed into other processes as key inputs during various stages of the information system lifecycle.
The methods and activities taken to yield these deliverables vary between the steps, and are outlined in the table below:

| Step | Key Activities | Artifacts/Deliverables |
|---|---|---|
| Prepare | Define risk management roles; define risk management strategy; risk assessment; establish control baselines and cybersecurity framework profiles; impact-level prioritization; develop continuous monitoring strategy (organization) | Documented Risk Management Framework role assignments; risk management strategy and statement of risk tolerance; organization-level risk assessment results; list of approved or directed organizationally-tailored control baselines; list of common control providers and common controls available for inheritance; organizational systems prioritized into low-, moderate-, and high-impact sub-categories; an implemented organizational continuous monitoring strategy (organization-wide) |
| Categorize | Describe/document system description; define a security categorization of the system; review and approval of system categorization | Documented system description; impact levels determined for each information type and for each CIA security objective; approval of security categorization for the system |
| Select | Control selection; control tailoring; control allocation; document planned control implementations; continuous monitoring strategy (system); plan review/approval | Controls selected for the system and the environment of operation; list of tailored controls for the system and environment of operation; list of security and privacy controls allocated to the system, system elements, and the environment of operation (NIST, 2018); security and privacy plans for the system; continuous monitoring strategy for the system including time-based trigger for ongoing authorization (NIST, 2018); security and privacy plans approved by the authorizing official |
| Implement | Control implementation; update control implementation information | Implemented controls; security and privacy plans updated with implementation detail sufficient for use by assessors; system configuration baseline (NIST, 2018) |
| Assess | Assessor selection; assessment plan; control assessments; assessment reports; remediation actions; plan of action and milestones | Selection of assessor or assessment team responsible for conducting the control assessment (NIST, 2018); security and privacy assessment plans approved by the authorizing official; completed control assessments and associated assessment evidence; completed security and privacy assessment reports detailing the assessor findings and recommendations; completed initial remediation actions based on the security and privacy assessment reports; a plan of action and milestones detailing the findings from the security and privacy assessment reports that are to be remediated (NIST, 2018) |
| Authorize | Authorization package development; risk analysis and determination; risk response; authorization decision; authorization reporting | Authorization package for submission to the authorizing official; risk determination; risk responses for determined risks; authorization decision |
| Monitor | Monitoring system and environment changes; on-going assessments; on-going risk response; authorization package updates; security and privacy reporting; on-going authorization; system disposal | Updated security and privacy plans; updated plans of action and milestones; updated security and privacy assessment reports; mitigation actions or risk acceptance decisions; updated risk assessment results; security and privacy posture reports; determination of risk: ongoing authorization to operate, ongoing authorization to use, ongoing common control authorization, or denial of ongoing authorization to operate, denial of ongoing authorization to use, denial of ongoing common control authorization (NIST, 2018); disposal strategy, updated system component inventory, and updated security and privacy plans (NIST, 2018) |

2. Protocol for Continuous Monitoring and On-going Assessments

Upon authorization to operate/use in an enterprise environment, there will be a need for on-going monitoring and reassessment of the system to ensure it is operating as expected with regard to risk. Systems and environments of operation are in a constant state of change, with changes occurring in the technology or machine elements, human elements, and physical or environmental elements (NIST, 2018). Because any of these changes can affect the ability of a system to maintain the level of risk acceptable to the organization, there is an on-going requirement to request/approve change, monitor change, and assess the system(s) impacted after the changes have been completed.

The on-going monitoring process will align with Tasks M-1 through M-7 of the RMF, as well as the NIST SP 800-53 CA and Cybersecurity Framework DE.CM families of controls. Any issues identified that could increase the risk of the system to an unacceptable level will be documented and tracked to completion by a Plan of Action and Milestones (POA&M). These actionable projects/tasks will be resourced and processed based on criticality, with those of the most critical nature elevated to the highest priority.

The steps of the RMF process will remain a requirement throughout the lifecycle of an information system. Changes in the physical environment, virtual environment, personnel, and configurations (maintenance/events) will necessitate further iterations through selected steps, depending on the scope of the change. These changes could include:

- Hardware/software/firmware upgrades
- Personnel
  - Staff turnover or reduction
- Modification to the surrounding physical and environmental elements
  - Facility location
  - Physical access controls

According to NIST, a disciplined and structured approach to managing, controlling, and documenting changes to systems and environments of operation, and adherence to the terms and conditions of the authorization, is an essential element of security and privacy programs (NIST, 2018).
Organizations establish configuration management and control processes to support configuration and change management (NIST, 2018). For the process of managing change and assuring that the resiliency of the system remains at an acceptable level, adherence to change management guidelines must be strictly enforced. In addition, configuration management in alignment with the NIST SP 800-53 CM family of controls, as well as appropriate re-assessment in alignment with the following guidelines/procedures, will be required:

- RMF Tasks A-1 through A-6
- NIST SP 800-53 CA family of controls
- NIST SP 800-53A procedures
- Cybersecurity Framework ID.RA category

3. Configuration and Change Management

An information system, once successfully through the first iteration of the seven RMF steps, undergoes changes on a constant basis throughout its lifecycle. These changes are typically in response to new, enhanced, corrected, or updated hardware and software capabilities, patches for correcting software flaws and other errors in existing components, new security threats, changing business functions, etc. (NIST, 2011), and will always result in a change (or adjustment) to the security posture of the system itself, or of the environment in which the system is operating.

To ensure the required adjustments to the system configuration do not adversely affect the security of the information system, or the security of the organization resulting from operation of the information system, a well-defined configuration management process that integrates information security is needed (NIST, 2011). This process, known as Security-Focused Configuration Management (SecCM), is the management and control of secure configuration for an information system to enable security and facilitate the management of risk (NIST, 2011).
It is structured to integrate with existing organizational configuration management processes, and is outlined in the diagram below, courtesy of NIST:

[Figure: SecCM process diagram, courtesy of NIST (2011)]

The following table provides a high-level overview of each of the steps in the SecCM process:

| Step | Purpose |
|---|---|
| Planning | Includes developing policy and procedures to incorporate SecCM into existing information technology and security programs, and then disseminating the policy throughout the organization (NIST, 2011). |
| Identifying and Implementing Configurations | A secure baseline configuration for the information system is developed, reviewed, approved, and implemented (NIST, 2011). |
| Controlling Configuration Changes | The management of change to maintain the secure, approved baseline of the information system (NIST, 2011). |
| Monitoring | Used as the mechanism within SecCM to validate that the information system is adhering to organizational policies, procedures, and the approved secure baseline configuration (NIST, 2011). |

While the steps above represent those necessary for carrying out the SecCM process, we will still require an overarching plan to indicate how this process will fit into an overall configuration management initiative. This Configuration Management Plan, in alignment with the NIST SP 800-53 CM family of controls, will describe how the SecCM process will be implemented within the context of our organizational CM process.
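The last three SecCM steps above (an approved secure baseline, controlled changes to that baseline, and monitoring for adherence) can be modelled directly, which makes the hand-off into a POA&M concrete. The following is an added example and is not code from this paper or from NIST; the configuration item names, settings, the change record CR-0042 and the impact ratings are all constructed for illustration.

```python
from dataclasses import dataclass

# Approved baseline: CI -> setting -> (expected value, impact if violated).
# CI names, settings and impact ratings are constructed for this example.
BASELINE = {
    "web01": {"ssh_root_login": ("no", "high"), "tls_min_version": ("1.2", "high"),
              "log_forwarding": ("on", "moderate"), "banner": ("std", "low")},
    "db01": {"ssh_root_login": ("no", "high"), "audit_logging": ("on", "high")},
}
# Observed configuration of the component inventory (constructed sample).
INVENTORY = {
    "web01": {"ssh_root_login": "yes", "tls_min_version": "1.3",
              "log_forwarding": "on", "banner": "std"},
    "db01": {"ssh_root_login": "no", "audit_logging": "off"},
    "tmp-host": {"ssh_root_login": "yes"},        # not in the baseline at all
}

@dataclass(frozen=True)
class Change:        # one CCB-approved change record (configuration change control)
    change_id: str
    ci: str
    setting: str
    new_value: str

# The CCB approved raising the TLS floor on web01; nothing else was approved.
APPROVED = [Change("CR-0042", "web01", "tls_min_version", "1.3")]

def effective_baseline(baseline, approved_changes):
    """Apply approved change records to the baseline; reject unknown targets."""
    eff = {ci: dict(settings) for ci, settings in baseline.items()}
    for ch in approved_changes:
        if ch.ci not in eff or ch.setting not in eff[ch.ci]:
            raise ValueError(f"{ch.change_id}: unknown CI or setting")
        eff[ch.ci][ch.setting] = (ch.new_value, eff[ch.ci][ch.setting][1])
    return eff

def monitor(inventory, baseline, approved_changes):
    """Configuration monitoring: every unapproved deviation becomes a finding
    (ci, setting, expected, observed, impact), ordered by impact for the POA&M."""
    eff = effective_baseline(baseline, approved_changes)
    findings = []
    for ci, settings in eff.items():
        observed = inventory.get(ci)
        if observed is None:                       # a baselined CI has disappeared
            findings.append((ci, "*", "present", "missing", "high"))
            continue
        for setting, (expected, impact) in settings.items():
            seen = observed.get(setting, "<unset>")
            if seen != expected:
                findings.append((ci, setting, expected, seen, impact))
    for ci in inventory.keys() - eff.keys():       # component with no approved baseline
        findings.append((ci, "*", "absent", "present", "moderate"))
    rank = {"high": 0, "moderate": 1, "low": 2}
    return sorted(findings, key=lambda f: rank[f[4]])
```

With the sample data, the approved TLS change on web01 produces no finding, while the re-enabled root login, the disabled database audit logging and the unbaselined host each become a POA&M item, highest impact first.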
To integrate within the fabric of our enterprise risk management strategy, the Configuration Management Plan will consist of the items outlined below:

| Item | Purpose |
|---|---|
| Configuration Control Board (CCB) | A group typically consisting of two or more individuals that have the collective responsibility and authority to review and approve changes to an information system (NIST, 2011). |
| Component Inventory | A descriptive record of the components within an organization down to the information system level (NIST, 2011). |
| Configuration Items | An aggregation of information system components that is designated for configuration management and treated as a single entity throughout the SecCM process (NIST, 2011). |
| Secure Configuration of Systems | Designed to reduce the organizational security risk from operation of an information system, and may involve using trusted or approved software loads, maintaining up-to-date patch levels, applying secure configuration settings of the IT products used, and implementation of endpoint protection platforms (NIST, 2011). |
| Baseline Configuration | A set of specifications for a system, or Configuration Item (CI) within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures (NIST, 2011). |
| Configuration Change Control | The documented process for managing and controlling changes to the configuration of an information system or its constituent CIs (NIST, 2011). |
| Security Impact Analysis | The analysis conducted by qualified staff within an organization to determine the extent to which changes to the information system affect the security posture of the system (NIST, 2011). |
| Configuration Monitoring | Activities to determine whether information systems are configured in accordance with the organization's agreed-upon baseline configurations (NIST, 2011). |

When implementing a change to an information system or the environment in which it operates, the processes and plans identified above will need to be followed to ensure the functioning system remains within the boundaries necessary to provide assurances to our stakeholders that it is operating within risk parameters aligned with organizational risk appetite. Changes to the system hardware, software, firmware, or physical environment, along with changes in personnel and any other relevant factors, will require a corresponding pass through the RMF processes at the appropriate starting point. Any deficiencies resulting from the changes implemented will need to be prioritized and remediated, with tracking in a POA&M.

References

NIST (2014). Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. Retrieved August 25, 2019 from [URL not preserved in source].
NIST (2018). Framework for Improving Critical Infrastructure Cybersecurity. Retrieved August 25, 2019 from [URL not preserved in source].
NIST (2017). Security and Privacy Controls for Information Systems and Organizations. Retrieved August 25, 2019 from [URL not preserved in source].
NIST (2018). Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. Retrieved August 25, 2019 from [URL not preserved in source].
NIST (2011). Guide for Security-Focused Configuration Management of Information Systems. Retrieved August 25, 2019 from [URL not preserved in source].

Appendix A: RMF Tasks

Appendix B: Cybersecurity Framework and Controls Mapping