Running head: CSOL530 MODULE 7 FINAL PROJECT 1
Final Project White Paper
Sergio Ginocchio
University of San Diego
Final Project White Paper
Introduction
This paper describes the Risk Management Framework (RMF) as defined in NIST SP 800-37 [1], walks through each of the six RMF steps, and explains why each step matters for managing the risks of operating information systems. It also describes the processes of assessing risk, authorizing systems for operation, and continuously monitoring systems in operation, which together make up the concept of near real-time risk management and ongoing system authorization that the RMF promotes [12] [1].
The Risk Management Framework
NIST, in partnership with the Department of Defense, the Office of the Director of National Intelligence, and the Committee on National Security Systems, developed the Risk Management Framework (RMF) to improve information security, strengthen risk management processes, and encourage reciprocity among organizations [1]. The RMF emphasizes managing risk by building security and privacy capabilities into systems through:
The application of security and privacy controls
Maintaining awareness of the security and privacy state of systems on an ongoing basis through enhanced monitoring processes
Providing essential information to senior leaders and executives to facilitate their risk-based decisions regarding the operation and use of systems [1].
The RMF consists of a six-step process: Categorize, Select, Implement, Assess, Authorize, and Monitor. RMF activities are applied on an ongoing basis throughout the life cycle of a system. The following sections describe each step of the RMF.
Step 1 – Categorize: Security Categorization
What is security categorization and why is it important? Security categorization provides a method to determine the criticality and sensitivity of the information being processed, stored, and transmitted by an information system. The security category is based on the potential impact to an organization should certain events occur that would jeopardize the information and information systems the organization needs to accomplish its goals, protect its assets, fulfill its legal responsibilities, or maintain its day-to-day functions [2]. FIPS 199 [4] establishes security categories for both information and information systems.
Information and information system owners first identify the types of information associated with the system. Then, based on these types, a security impact value (low, moderate, or high) is assigned to each of the security objectives of confidentiality, integrity, and availability for each information type. An overall security impact level for the system is then determined by applying the high-water mark concept, that is, taking the highest impact value assigned to any objective. This overall security impact level is used to prioritize information security efforts and to select security controls [3].
The importance of the security categorization is that it guides organizations in subsequent
risk management processes to determine the adverse impact or consequences to the organization
with respect to the compromise or loss of confidentiality, integrity, and availability of
organizational systems and the information processed, stored, and transmitted by those systems
[3].
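The following is an added illustration of the high-water mark computation described above; it is not part of the original paper and not NIST code. The information types and their impact values are constructed sample data, and the objective names and output format are my own assumptions (real impact values come from SP 800-60 and the organization's own analysis).

```python
"""FIPS 199 security categorization via the high-water mark (added example)."""
from dataclasses import dataclass

# Ordering used to compare impact levels; higher index means higher impact.
IMPACT_ORDER = {"low": 0, "moderate": 1, "high": 2}


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact per security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _check(level: str) -> str:
    level = level.lower()
    if level not in IMPACT_ORDER:
        raise ValueError(f"invalid impact level: {level!r}")
    return level


def high_water_mark(levels) -> str:
    """Return the highest impact level among the given levels."""
    levels = [_check(lvl) for lvl in levels]
    if not levels:
        raise ValueError("at least one impact level is required")
    return max(levels, key=IMPACT_ORDER.__getitem__)


def categorize_system(info_types):
    """Per-objective impact is the high-water mark across all information types;
    the overall system impact level (the input to the Select step) is the
    high-water mark across the three objectives."""
    per_objective = {
        "confidentiality": high_water_mark(t.confidentiality for t in info_types),
        "integrity": high_water_mark(t.integrity for t in info_types),
        "availability": high_water_mark(t.availability for t in info_types),
    }
    overall = high_water_mark(per_objective.values())
    return per_objective, overall


def format_sc(per_objective) -> str:
    """Render the FIPS 199 security category expression for the system."""
    parts = ", ".join(f"({k}, {v.upper()})" for k, v in per_objective.items())
    return "SC = {" + parts + "}"


# Constructed sample: a system handling two hypothetical information types.
SAMPLE_TYPES = [
    InfoType("Public web content", "low", "moderate", "low"),
    InfoType("Personnel records (PII)", "moderate", "moderate", "low"),
]

if __name__ == "__main__":
    per_obj, overall = categorize_system(SAMPLE_TYPES)
    print(format_sc(per_obj))
    print("Overall impact level (drives baseline selection):", overall.upper())
```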
Step 2 – Select: Security Control Selection Process
Security controls are the management, operational, and technical safeguards or countermeasures employed to protect the confidentiality, integrity, and availability of information and information systems. Selecting the appropriate set of security controls helps organizations accomplish their goals and provide adequate security, that is, security commensurate with the risk resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information. A significant challenge for organizations is to determine the set of security controls that will cost-effectively mitigate risk and comply with the security requirements [5].
It is important that organizations go through this process to identify and select an appropriate set of security controls that will protect the confidentiality, integrity, and availability of the organization's information and information systems. The security control selection process takes as its input the output of the security categorization process: a system impact level of low, moderate, or high. For federal information systems, organizations must select a set of security controls that satisfies the minimum security requirements specified by FIPS 200 [6], but organizations in the private sector can benefit from following this process as well. The selected set of security controls must include one of the three security control baselines from NIST Special Publication 800-53 [7], appropriately tailored, that corresponds to the impact level determined during the security categorization process [6]. Outcomes of this process include security and privacy plans reflecting the system-specific, hybrid, and common controls necessary to protect the system, and a system-level monitoring strategy that complements the organizational continuous monitoring strategy.
Step 3 – Implement: Implementation Process
Systems security engineering, as part of the Implementation process, realizes the security aspects of all system elements. Security aspects include mechanisms that provide a security capability, that serve as a control, safeguard, or countermeasure, and the passive protection capability realized through the implementation methods, processes, and tools. This process results in a system element that satisfies the specified system security requirements, architecture, and design [8].
As part of the implementation strategy, it is important that organizations have a clear understanding of what change is being implemented, what its impact will be, how different it will be from the current situation in the case of an existing system, and who is impacted and how. It is important that all stakeholders understand and have agreed to specific outcomes, and that they understand the risks being mitigated and what the residual risk may be. Only when there is full agreement and the project is able to deliver the agreed-upon outcome can an implementation be successful.
This scenario assumes that all roles and responsibilities for the Implement step have been assigned, that a change control process exists, and that all approvals for implementation are in place. The implementation of the security controls should document:
How the controls are deployed within the system and environment of operation.
Who will deploy the selected controls, and when and where they will be deployed.
What the expected outcome is and how it will be measured.
How continuous evaluation and reporting will be done.
Step 4 – Assess: Security Control Assessment Process
Security controls provide safeguards for an information system and are designed to protect the confidentiality, integrity, and availability of its information. Selecting and implementing appropriate security controls is an important task, as it can have significant implications for the operations and assets of an organization. Assessing these controls is just as important. Once the controls have been implemented, they need to be assessed to determine their overall effectiveness, that is, to validate that they are operating as intended and producing the desired outcome [9]. NIST Special Publication 800-53A provides an assessment framework and an initial starting point for assessment procedures. These procedures can be used as guidelines and can be tailored to adequately meet the risk management needs of the organization. The following is a high-level overview of the steps leading to, during, and after the assessment process:
Organization preparation:
All steps in the RMF prior to the Assess step have been completed successfully.
The assessor or assessment team is identified.
The objective, timeline, and scope of the assessment are clearly defined and all stakeholders are properly informed.
Assessor preparation:
Understand the organization's mission functions and business processes.
Understand the information system architecture.
Understand the controls selected for the assessment.
Develop an assessment plan.
Obtain assessment plan approval.
Assessment:
Implement the security and privacy assessment plans.
Execute the assessment procedures to achieve the assessment objectives.
Produce assessment findings and recommend specific remediation actions.
Produce the assessment reports.
Post-assessment process:
Review assessment findings.
Determine and initiate appropriate response actions.
Develop plans of action and milestones.
Update security and privacy plans.
Special Publication 800-53A [9] provides assessment procedures for each security and privacy control and control enhancement in Special Publication 800-53 [7]. For each security or privacy control in the security plan that is included in the assessment, assessors select the corresponding assessment procedure from Appendix F of 800-53A and tailor it to match the characteristics of the information system under assessment.
The purpose of the Assess step is to determine whether the selected security and privacy controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system [1].
Step 5 – Authorize: Authorization Process
“The purpose of the Authorization step is to provide strict accountability by requiring a senior management official to determine if the security and privacy risk to organizational operations and assets, individuals, other organizations, or the Nation based on the operation of a system or the use of common controls, is acceptable.” [1]. Organizations use this step to arrive at an authorization decision regarding the operation of an information system. The following are the tasks in the authorization process as described in SP 800-37 [1]:
Plan of Action and Milestones (POA&M): Prepare the plan of action and milestones based on the findings and recommendations of the security and privacy assessment reports, excluding any remediation actions already taken.
Authorization Package: Assemble the authorization package to submit to the authorizing official for adjudication. The package can include the POA&M, the system security plan, and the security assessment report (SAR).
Risk Determination: Determine the risk from the operation or use of the system.
Risk Response: Identify a course of action, including accepting risk, avoiding risk, mitigating risk, sharing risk, transferring risk, or a combination of these.
Authorization Decision: Determine whether the risk from the operation or use of the system and the use of common controls is acceptable.
Authorization Reporting: Report the authorization decision and any weaknesses or deficiencies in security and privacy controls that represent significant vulnerabilities to the system or the organization.
Step 6 – Monitor: Monitoring Process
The purpose of the Monitor step is to maintain ongoing situational awareness of the security and privacy posture of the system and the organization in support of risk management decisions. Continuous monitoring addresses the security impacts on information systems resulting from changes to the hardware, software, firmware, or operational environment. The objective of continuous monitoring is to determine whether the security controls in the information system continue to be effective over time, since changes occur both to the system and to the environment in which it operates. Continuous monitoring also provides an effective mechanism to update security plans, security assessment reports, and plans of action and milestones. An effective continuous monitoring process includes:
Configuration management and control processes for organizational information systems
Security impact analyses of actual or proposed changes to information systems and environments of operation
Assessment of selected security controls based on a continuous monitoring strategy
Security status reporting to appropriate organizational officials
Active involvement by authorizing officials in the ongoing management of information system-related security risks [10].
Change is Inevitable
Business needs evolve, so information systems need to change to support evolving mission and business functions and processes.
Technology evolves, so upgrade and configuration management processes need to keep up with the change.
The workforce is in constant flux (new hires, terminations, temporary workers, role changes), so access control needs to keep up with this constant change.
The threat landscape changes, so there is a need for continuous vulnerability and patch management and continuous monitoring.
In this dynamic landscape, continuous monitoring is the first step that can provide assurance that the system remains within an acceptable level of risk. Continuous monitoring can provide ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. An Information Security Continuous Monitoring (ISCM) program can be established to collect the data needed for risk-based decisions. Establishing a continuous monitoring program can enable ongoing assessment and ongoing authorization and provide an acceptable level of assurance that the system remains secure. “Ongoing authorization is part of RMF Step 5, the Authorize step, and is dependent on the organization’s Information Security Continuous Monitoring (ISCM) strategy and program which is implemented as part of RMF Step 6, the Monitor step. Ongoing authorization is fundamentally related to the ongoing understanding and ongoing acceptance of information security risk.” [12]
Conclusion
The Risk Management Framework is not a one-time process. Change is inevitable, and with this change there has to be a continuous monitoring strategy in place to provide adequate information about security control effectiveness and organizational security status, allowing organizational officials to make informed, timely security risk management decisions. That is, the implementation, effectiveness, and adequacy of all security controls are monitored along with the current organizational security status [11].
To maintain ongoing awareness of information security, vulnerabilities, and threats in support of organizational risk management decisions, a variety of tools and technologies are available that can efficiently and effectively gather, aggregate, analyze, and report data, ranging from continuously monitoring the security status of an organization's enterprise architecture and operating environment(s) down to components of individual information systems [11].
Some of these tools are:
Configuration management tools
Vulnerability and patch management tools
Asset management tools
IDS/IPS
SIEM
All the data collected by these tools can be analyzed, aggregated, and consolidated in SIEM tools, management dashboards, and reports. This data can be used to provide an overall picture of the effectiveness of the security controls and of the organizational security status [11]. Automation should be leveraged as much as possible to provide the necessary information to authorizing officials (AOs) in a timely manner so they can make risk-based decisions.
References
[1] NIST. (2017, September). Risk Management Framework for information systems and organizations - Draft NIST Special Publication 800-37 Revision 2, pp. 16-61. Retrieved from https://csrc.nist.gov/CSRC/media/Publications/sp/800-37/rev-2/draft/documents/sp800-37r2-discussion-draft.pdf
[2] NIST. (2008, August). NIST SP 800-60 Vol. I Rev. 1: Guide for mapping types of information and information systems to security categories. Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf
[3] NIST. (2009, January 27). Categorize step FAQs - Draft. Retrieved from https://csrc.nist.gov/CSRC/media/Projects/Risk-Management/documents/categorize/faq-categorize-step1.pdf
[4] NIST. (2004, February). FIPS Pub 199: Standards for security categorization of federal information and information systems. Retrieved from http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf
[5] NIST. (2011, January 18). Select step FAQs: NIST Risk Management Framework - Draft. Retrieved from https://csrc.nist.gov/CSRC/media/Projects/Risk-Management/documents/select/faq-Select-step2.pdf
[6] NIST. (2006, March). Minimum security requirements for federal information and information systems - FIPS 200, pp. 4-5. Retrieved from http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf
[7] NIST. (2017, August). Security and privacy controls for information systems and organizations - Draft NIST Special Publication 800-53 Revision 5. Retrieved from https://csrc.nist.gov/CSRC/media//Publications/sp/800-53/rev-5/draft/documents/sp800-53r5-draft.pdf
[8] Ross, R., McEvilley, M., & Oren, J. C. (2016, November). Systems security engineering: Considerations for a multidisciplinary approach in the engineering of trustworthy secure systems - NIST Special Publication 800-160. Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160.pdf
[9] NIST. (2014, December). Assessing security and privacy controls in federal information systems and organizations: Building effective assessment plans - NIST Special Publication 800-53A Revision 4. Retrieved from https://csrc.nist.gov/publications/detail/sp/800-53a/rev-4/final
[10] NIST. (2009, April 30). Monitor step FAQs: NIST Risk Management Framework. Retrieved from https://csrc.nist.gov/CSRC/media/Projects/Risk-Management/documents/monitor/faq_monitor-step6.pdf
[11] Dempsey, K., Chawla, N. S., Johnson, A., Johnston, R., Jones, A. C., Orebaugh, A., Scholl, M., & Stine, K. (2011, September). Information security continuous monitoring (ISCM) for federal information systems and organizations - NIST Special Publication 800-137. Retrieved from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf
[12] Dempsey, K., Ross, R., & Stine, K. (2014, June). Supplemental guidance on ongoing authorization: Transitioning to near real-time risk management. Retrieved from http://ws680.nist.gov/publication/get_pdf.cfm?pub_id=916095
Appendix
Figure 1 (image not reproduced in this transcript). The RMF integrates information security and risk management activities into the system development life cycle. [1] p. 8
Table 1. RMF steps and the NIST publications used for guidance at each step.
RMF Step | NIST Publications
CATEGORIZE Information System | FIPS 199, Standards for Security Categorization of Federal Information and Information Systems; SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories
SELECT Security Controls | FIPS 200, Minimum Security Requirements for Federal Information and Information Systems; SP 800-53, Security and Privacy Controls for Information Systems and Organizations
IMPLEMENT Security Controls | SP 800-160, Risk Management Framework for Information Systems and Organizations
ASSESS Security Controls | SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
AUTHORIZE Information Systems | SP 800-37, Risk Management Framework for Information Systems and Organizations
MONITOR Security State | SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations; SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans