Risk Management Framework



Risk Management Framework – Final Project
Vincent Panaligan
University of San Diego
26 August 2019

Abstract

This document walks through every step of the Risk Management Framework (RMF), including a continuous monitoring strategy: assessing risk, authorizing the system for operation, and monitoring the system once it is in operation. The information system used throughout is the organization's Classified Laptops.

The RMF is a multi-step life cycle consisting of the steps Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor.

Prepare

In the Prepare step the organization identifies and plans the actions needed at every level: senior leaders and executives provide the strategic vision and the top-level goals and objectives; mid-level leaders plan, execute, and manage projects; and individuals on the front lines operate the information systems that support the organization's missions and business functions (NIST SP 800-39, Section 2.1).

Categorize

In the Categorize step the information system (IS), the Classified Laptop, is assigned an impact level for each of the three security objectives of the Confidentiality-Integrity-Availability (CIA) triad, expressed in the format defined by FIPS 199:

SC Classified Laptop = {(confidentiality, HIGH), (integrity, MODERATE), (availability, LOW)}

Because FIPS 200 sets the overall impact level of a system to the highest level assigned to any of its objectives (the "high water mark"), the Classified Laptop is treated as a HIGH-impact system when its control baseline is selected.

The potential impact from a loss of confidentiality is HIGH because this type of IS can contain sensitive information about the organization and about individuals within it.
If that information is accessed by unauthorized individuals, the result can be a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

The potential impact from a loss of integrity is MODERATE. The laptop holds the same sensitive information, but unauthorized modification or destruction of it is expected to have a serious adverse effect (the FIPS 199 definition of MODERATE) rather than the severe or catastrophic effect that defines HIGH.

The potential impact from a loss of availability is LOW because losing access to an individual laptop would have only a limited adverse effect on organizational operations, organizational assets, or individuals.

Select

In the Select step the organization chooses the security controls for the IS, starting from the baseline that corresponds to its categorization, identifies which of them are common controls inherited from the organization, and documents the result in the system security plan. The controls below were selected for the organization's Classified Laptops.

Selected Security Controls

The following controls and descriptions are referenced from NIST SP 800-53 Rev. 5, Chapter 3. Values in square brackets are organization-defined parameters chosen for this scenario.

AC-3: Access Enforcement
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. On Classified Laptops this control enforces authorized access at the operating system level and can also be applied at the application and service level for additional protection.

AC-4: Information Flow Enforcement
Enforce approved authorizations for controlling the flow of information within the system and between interconnected systems.
On Classified Laptops this control regulates where information may flow, from preventing accidental leakage of classified information to blocking outside traffic that claims to originate from inside the organization.

AC-7: Unsuccessful Logon Attempts
Enforce a limit of [3] consecutive invalid logon attempts by a user, after which the account is automatically locked out of the Classified Laptop. The user must contact the organization's help desk to have the account unlocked before regaining access.

AC-8: System Use Notification
Display a notification before granting access that reminds users they are accessing a classified organizational device; that their use may be monitored, recorded, and subject to audit; that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and that use of the system indicates consent to monitoring and recording. This control reminds users that they are on a classified system that may contain classified organizational information.

AC-11: Device Lock
Prevent further access to the system by initiating a device lock after [15 minutes] of inactivity or upon request from the user, and retain the lock until the user re-establishes access using the established identification and authentication procedures. This control helps prevent unauthorized access when the user steps away from the laptop.

AC-17: Remote Access
Establish and document usage restrictions, configuration and connection requirements, and implementation guidance for each type of remote access allowed, and authorize remote access to the system before allowing such connections. For Classified Laptops this control covers the required VPN connections.

AT-2: Awareness Training
Provide basic security and privacy awareness training to Classified Laptop users.
Training is delivered to all on-boarding employees and annually to current employees, so that users retain the security and privacy knowledge needed to handle the devices properly.

AU-13: Monitoring for Information Disclosure
Monitor open-source information sites, including social networking websites, for unauthorized disclosure of sensitive organizational information or any other information that could harm the organization.

CM-2: Baseline Configuration
Develop, document, and maintain under configuration control a current baseline configuration of the system, and review and update that baseline. This control ensures that every Classified Laptop carries the currently approved patches, updates, and settings; a laptop that does not match the baseline is a threat to the organization.

CM-7: Least Functionality
Configure the system to provide only essential capabilities, and prohibit or restrict the use of specified functions, ports, protocols, and services. This control limits what a user can do on a Classified Laptop, such as which programs may execute; host-based intrusion prevention or application allow-listing software can be installed to enforce these restrictions.

CM-11: User-Installed Software
Establish and enforce policies governing the installation of software by users. Users of Classified Laptops must submit a request to have a given package ([Software X]) installed on their device. The request goes through an approval process, and if it is approved a user with administrative rights installs [Software X] for the requester.

IR-6: Incident Reporting
Require personnel to report suspected security and privacy incidents to the organizational incident response capability within [30 days], and report security, privacy, and supply chain incident information to the [Information Assurance Team].
This control gives the Information Assurance (IA) team a channel through which employees report suspicious emails or other suspicious activity within the organization.

Implement

In the Implement step the organization puts its security and privacy plan into action. According to NIST SP 800-37, Rev. 2, the organization applies best practices when implementing controls, including systems security and privacy engineering methodologies, concepts, and principles. Risk assessments guide and inform decisions about the cost, benefit, and risk trade-offs of using different technologies or policies for control implementation. The organization also ensures that mandatory configuration settings are established and implemented on system elements in accordance with federal and organizational policies. Not everything goes as planned, however, and some controls cannot be implemented as expected; in that case the organization updates the security and privacy plan to describe the control "as implemented" and documents the change.

Assess

In the Assess step the organization determines whether the selected controls are implemented correctly, operating as intended, and producing the desired outcome with respect to the organization's security and privacy requirements. The organization produces security and privacy assessment reports detailing its findings and its recommendations for correcting any deficiencies found in the implemented controls. Where deficiencies are found, the organization carries out initial remediation actions. Any changed implementation is reassessed, and the security and privacy plan the organization originally produced is updated accordingly.
During this step the Plan of Action and Milestones (POA&M) is introduced. It records the actions planned to correct each deficient control found during the assessment, and it is revisited throughout the Monitor step. As stated in NIST SP 800-37, Rev. 2, the POA&M includes the tasks to be accomplished, with a recommendation for completing each before or after system authorization; the resources required to accomplish the tasks; the milestones established to meet the tasks; and the scheduled completion dates for the milestones and tasks.

Authorize

In the Authorize step the system is approved or denied for operation within the organization. The Authorizing Official (AO), a senior management official, determines whether the risk of operating the system is acceptable given the controls in place. Once the risk determination has been made, the organization responds to the risk, for example by accepting or mitigating it; the existing remediation actions and POA&M items inform that response.

Finally, the AO makes the authorization decision explicitly. NIST SP 800-37, Rev. 2 expresses the decision as an Authorization to Operate (ATO) or a Denial of Authorization to Operate (DATO); the DoD RMF process additionally allows an Interim Authorization to Test (IATT). When the decision is made, the AO sets the authorization termination date, which indicates when the authorization expires. A termination date is not required when the system is placed under ongoing authorization.

Monitor

In the Monitor step the organization maintains ongoing situational awareness of the security and privacy posture of the authorized IS and its environment. This is done through ongoing assessments, ongoing risk response, authorization package updates, security and privacy reporting, ongoing authorization, and system disposal.
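As an added example (not part of the original paper), the following Python script shows how the assessment of the selected Classified Laptop controls and the resulting POA&M entries can be automated, and how the same check is rerun as the ongoing assessment of the Monitor step. The laptop records, the baseline identifier "2019.08", the 30-day remediation window, and the function names are assumptions made for the example; the AC-7 and AC-11 parameters (3 attempts, 15 minutes) are the ones selected in this scenario.

```python
"""Assess Classified Laptop records against the selected controls and build a POA&M.

Added example for this scenario, not code from the original paper. Laptop
records are constructed sample data; the baseline identifier and the
remediation window are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Organization-defined parameters from the Select step.
PARAMETERS = {
    "AC-7": 3,          # consecutive invalid logon attempts before lockout
    "AC-11": 15 * 60,   # seconds of inactivity before the device locks
    "CM-2": "2019.08",  # approved baseline configuration identifier (assumed)
}
ASSESSMENT_DATE = date(2019, 8, 26)   # date of this assessment run


@dataclass(frozen=True)
class Finding:
    control: str
    hostname: str
    observed: str
    expected: str


@dataclass(frozen=True)
class PoamItem:
    control: str
    hostname: str
    weakness: str
    milestone: str
    scheduled_completion: date


def assess_laptop(record: dict) -> list[Finding]:
    """Return one Finding per control whose observed setting violates the parameter.

    A missing or zero lockout threshold or inactivity timeout means the
    protection is effectively disabled, so both are treated as failures
    rather than as "within the limit".
    """
    host = record["hostname"]
    findings: list[Finding] = []

    threshold = record.get("lockout_threshold")
    if not threshold or threshold > PARAMETERS["AC-7"]:
        findings.append(Finding("AC-7", host, f"lockout_threshold={threshold}",
                                f"1..{PARAMETERS['AC-7']}"))

    timeout = record.get("inactivity_lock_seconds")
    if not timeout or timeout > PARAMETERS["AC-11"]:
        findings.append(Finding("AC-11", host, f"inactivity_lock_seconds={timeout}",
                                f"1..{PARAMETERS['AC-11']}"))

    if not record.get("banner_enabled", False):
        findings.append(Finding("AC-8", host, "banner_enabled=False", "banner_enabled=True"))

    version = record.get("baseline_version")
    if version != PARAMETERS["CM-2"]:
        findings.append(Finding("CM-2", host, f"baseline_version={version}",
                                f"baseline_version={PARAMETERS['CM-2']}"))
    return findings


def build_poam(findings: list[Finding], assessed_on: date,
               days_to_remediate: int = 30) -> list[PoamItem]:
    """Turn each finding into a POA&M entry with a milestone and a completion date."""
    due = assessed_on + timedelta(days=days_to_remediate)
    return [
        PoamItem(f.control, f.hostname,
                 f"{f.control} not met: observed {f.observed}, expected {f.expected}",
                 f"Reconfigure {f.hostname} and reassess {f.control}",
                 due)
        for f in findings
    ]


def assess_fleet(records: list[dict], assessed_on: date) -> dict:
    """Assess every laptop; the same call is rerun during continuous monitoring."""
    findings = [f for r in records for f in assess_laptop(r)]
    failing = {f.hostname for f in findings}
    return {
        "findings": findings,
        "poam": build_poam(findings, assessed_on),
        "compliant": sorted(r["hostname"] for r in records if r["hostname"] not in failing),
    }


# Constructed sample inventory (hostnames are not real systems).
SAMPLE_LAPTOPS = [
    {"hostname": "CL-LAPTOP-01", "lockout_threshold": 3, "inactivity_lock_seconds": 900,
     "banner_enabled": True, "baseline_version": "2019.08"},
    {"hostname": "CL-LAPTOP-02", "lockout_threshold": 0, "inactivity_lock_seconds": 900,
     "banner_enabled": True, "baseline_version": "2019.08"},    # lockout disabled
    {"hostname": "CL-LAPTOP-03", "lockout_threshold": 5, "inactivity_lock_seconds": 1800,
     "banner_enabled": False, "baseline_version": "2019.05"},   # four deficiencies
]

if __name__ == "__main__":
    result = assess_fleet(SAMPLE_LAPTOPS, ASSESSMENT_DATE)
    for item in result["poam"]:
        print(f"{item.hostname} {item.control}: {item.weakness} (due {item.scheduled_completion})")
    print("compliant:", result["compliant"])
```

The input records stand in for what a scanner such as ACAS or HBSS reports per host; a practitioner would feed the tool's export into assess_fleet and diff successive POA&M lists to track remediation progress between monitoring runs.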
Ongoing assessments of the Classified Laptops can be run with automated tools such as DISA's Assured Compliance Assessment Solution (ACAS) and the McAfee-based Host Based Security System (HBSS). These tools provide the recurring reports and information needed to keep risk within the organization's tolerance. The organization responds to each new assessment report with its remediation actions and tracks progress in the POA&M. After each round of actions, the organization updates and documents the changes to the authorization package, from the security and privacy plans to the POA&M.

Keeping the Classified Laptops secure also depends on keeping documentation current whenever personnel, hardware, software, firmware, or the environment change, so that the organization stays on top of risk-related changes. For example, when the current model of Classified Laptop is retired and replaced by a newer one, the organization must keep the inventory continuously updated and confirm that the new laptops are configured to the organizational baseline. Inventory information can be entered and maintained in the organization's Active Directory, where the description of each Classified Laptop's computer object records the current user, model, configuration, and OS version; this supports the system component inventory (CM-8), although the description field is free text and should be reconciled against what ACAS and HBSS actually observe on the network. The old models must be disposed of properly, which can be done through an agency such as the Department of Defense's Defense Reutilization and Marketing Office (DRMO, now DLA Disposition Services), which reutilizes or disposes of serialized systems. Because the drives carried classified information, their media must be sanitized or destroyed in accordance with MP-6 (Media Sanitization) before turnover.

Conclusion

This document covered all steps of the Risk Management Framework (RMF), including a continuous monitoring strategy, as applied to the organization's Classified Laptops. How the RMF is implemented will vary from organization to organization and environment to environment.
This document presented a fictitious scenario of applying the RMF to an organization and a selected IS.

References

National Institute of Standards and Technology. Federal Information Processing Standards Publication 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006.

National Institute of Standards and Technology. Special Publication 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, December 2018.

National Institute of Standards and Technology. Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, March 2011.

National Institute of Standards and Technology. Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013.

National Institute of Standards and Technology. Special Publication 800-53A, Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans, December 2014.

Department of Defense. Risk Management Framework Practitioner's Guide, 2019.