Implementation Plan
for the UW-Madison Cybersecurity Risk Management Policy
August 10, 2017 version
WORKING DOCUMENT
Implementation Plan for the UW-Madison Cybersecurity Risk Management Policy
August 10, 2017 version
This working document is the implementation plan for the Cybersecurity Risk Management Policy. The plan will be reviewed by the community, IT governance, and the ITC.

IMPLEMENTATION

The Office of Cybersecurity will maintain a separate and detailed implementation plan that is jointly developed with the System Owner, also known as a System Security Plan, for each information system. The Office of Cybersecurity will assist distributed Information Technology groups with developing implementation plans tailored to their group's needs.
Data Classifications [1]

UW-Madison has classified its institutional data assets into risk-based categories for determining who is allowed to access institutional data and what security precautions must be taken to protect it against unauthorized access and use.

Restricted
Data should be classified as Restricted when the unauthorized disclosure, alteration, loss or destruction of that data could cause a significant level of risk to the University, affiliates or research projects. Data should be classified as Restricted if:
• protection of the data is required by law or regulation, or
• UW-Madison is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed

Sensitive
Data should be classified as Sensitive when the unauthorized disclosure, alteration, loss or destruction of that data could cause a moderate level of risk to the University, affiliates or research projects. Data should be classified as Sensitive if the loss of confidentiality, integrity or availability of the data could have a serious adverse effect on university operations, assets or individuals.

Internal
Data should be classified as Internal when the unauthorized disclosure, alteration, loss or destruction of that data could result in some risk to the University, affiliates, or research projects. By default, all Institutional Data that is not explicitly classified as Restricted, Sensitive or Public data should be treated as Internal data.

Public
Data should be classified as Public prior to display on web sites or once published without access restrictions, and when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the University and its affiliates.

[1] From https://data.wisc.edu/data-governance/data-classifications/
Timeline

With the volume of systems and networks at UW-Madison, a full implementation of the Risk Management Framework will take five years to complete. Implementation will initially focus on systems handling or storing data classified as Restricted, then Sensitive. Since exposure or loss of Internal or Public data does not pose an immediate operational impact or significant financial risk, those information systems will be reviewed as resources allow.

1. Systems with Restricted Data (SSNs, Financial Accounts, HIPAA, …): 2017+
2. Research systems where grant funding is tied to security requirements: 2017+
3. New or significantly updated systems with Sensitive Data: 2019+
4. Remaining systems with Sensitive Data: 2020+
5. Systems that only handle Internal Data: 2021+
6. Systems that only handle Public Data: 2022+

Throughout the implementation period, systems of all kinds will benefit from advanced firewalls and network protections as those capabilities are further deployed. Public-facing web servers will be monitored on a monthly basis for unwanted traffic, evidence of cyber-attack or potentially harmful data loss activity to ensure openly accessible data is protected.
Training

Training on the processes, tools and use of or completion of artifacts will be provided by the Office of Cybersecurity, with the details considered to be out of scope for this document. Ongoing security awareness training will be provided and access to training tools will be widely publicized on the Office of Cybersecurity web pages (https://it.wisc.edu/about/office-of-the-cio/cybersecurity/risk-management-framework/).
PROCESS FOR MANAGING CYBERSECURITY RISK

This section describes process-specific activities necessary to carry out the Cybersecurity Risk Management Policy. The process steps summarized below are required by the policy. Amplification of process steps and a helpful background on the Risk Management Framework (RMF) are in the Appendix to this Implementation Plan.

Risk Register

Information systems proposed to undergo Risk Assessment are entered into the Risk Register managed by the Office of Cybersecurity. A Risk Analyst will be assigned as resources become available. Organizations desiring to accelerate the process can contact the Chief Information Security Officer for guidance and options for meeting Risk Analyst resource requirements.
Assess Risk (RMF Step 4)

The academic/functional unit and the Office of Cybersecurity cooperatively assess the cybersecurity risk associated with a system.

Certify Risk (RMF Step 5)

The UW-Madison Chief Information Security Officer (CISO) signs the Risk Assessment to certify that the represented risk is accurate. The CISO may include recommended risk reduction strategies.

Accept Risk (RMF Step 5)

The risk of operating the system is accepted by the Risk Executive on behalf of UW-Madison. This is a leadership decision and should be based on the following:
a. Assessed risk and impact to the University should a system be compromised or data lost
b. Recommended remediation, to include consideration for cost to implement
c. Impact on the business process should the system, while in operation, lose availability of the system or data, encounter data integrity issues, or breach confidentiality of Restricted or Sensitive data.
d. The Risk Executive role is guided by the following:
   (1) Risk Executives will be named within 60 days of the Cybersecurity Risk Management Policy being finalized.
   (2) The Risk Executive should be an executive or director (e.g., Dean or their appointee, department chair, director of a research lab, etc.) within the academic/functional unit, or in the line of authority above that unit. The Risk Executive must have the authority to accept the risk of operating the system on behalf of the institution and should be in the unit that will ultimately be responsible for paying for a breach (i.e., Dean or their appointee, department, research lab, etc.).
   (3) The Risk Executive balances the business needs, the potential financial and reputational cost of adverse events, and the cost of reducing the likelihood and severity of those events.
   (4) Delegation of the Risk Executive role is not encouraged. If delegation of the work is made under the Risk Executive's authority, the responsibility will not be delegated.
   (5) Risk Executives may access the expertise, training and support available from the Office of Cybersecurity for advice in making their risk determination or for additional guidance.
   (6) The Risk Executive must be afforded a sufficient understanding of the information system through the technical experts and managers associated with the system. After reviewing the Risk Assessment and recommendations of the Office of Cybersecurity, the Risk Executive will:
      a) accept the risk as certified, or
      b) assure that recommended action is taken to reduce the risk to an acceptable level, or
      c) decline to authorize the system to operate.
Reduce Risk (RMF Step 5 and 6)

The acceptable level of risk may be constrained by legal, regulatory or contractual requirements, and is subject to review by university leadership.

If the certified level of risk is unacceptable:
a. The Risk Executive assures that changes are made to the system that reduce the risk to an acceptable level.
b. The assessment and certification described in Assess Risk and Certify Risk are revised following confirmation of corrective actions. The reduced level of risk is then accepted as described in Accept Risk.

Following the Risk Assessment and subsequent acceptance by the Risk Executive, information systems with vulnerability, threat and impact changes that elevate the level of risk will have to be corrected or mitigated back to the assessed level (or lower) within the following time limits:
a. Issues that elevate the risk level to Critical should be corrected or mitigated to no greater than High within 72–96 hours, or the system should be disconnected.
b. Issues that elevate the risk to High should be corrected or mitigated to Moderate within 15 calendar days.
c. Issues that elevate the risk to Moderate should be corrected or mitigated to Low within 90 calendar days.
d. If the issue occurs on a system evaluated at Low risk, but does not elevate the risk to Medium, it should be corrected within one year.

In all cases, the Risk Register maintained by the Office of Cybersecurity should be updated, along with adjusting the existing risk assessment and plan of action and milestones.
Monitor Risk (RMF Step 6)

The academic/functional unit and the Office of Cybersecurity continually monitor the system to assure that the level of risk remains at or below the level accepted in Accept Risk.
a. There must be policy and procedural safeguards to assure that monitoring activity respects privacy and academic freedom.
b. The design and implementation of monitoring is included in the assessment and certification described in Assess Risk and Certify Risk. Monitoring must be designed and implemented to, at a minimum:
   (1) detect known security vulnerabilities and threats, and
   (2) detect known indications that the system may be compromised.
c. Where the identified problems are individually or collectively significant enough to increase the level of risk above the level accepted in Accept Risk, the identified problems must be sufficiently mitigated to return the level of risk to the level accepted in Accept Risk.

Re-evaluate Risk (RMF Step 6)

Risk evaluation occurs throughout the system life cycle as follows:
a. The schedule for risk evaluation is part of the assessment and certification described in Assess Risk and Certify Risk. A typical schedule includes a formal evaluation every three years and an informal evaluation annually.
b. Change management is part of the assessment and certification described in Assess Risk and Certify Risk. Changes to the system that increase risk may require more immediate evaluation.
c. Following an evaluation, the assessment and certification described in Assess Risk and Certify Risk are revised, the risk is accepted or reduced as described in Accept Risk and Reduce Risk, and monitoring continues as described in Monitor Risk.

Special cases

Non-UW-Madison-owned devices and services used for university business may be treated as part of a UW-Madison information system, and if so, are subject to this policy. There must be policy and procedural controls in place to assure respect for property and privacy.
CONTACT

Questions and comments on this document can be directed to the Office of Cybersecurity at cybersecurity@cio.wisc.edu.

HELPFUL REFERENCES

UW-Madison Cybersecurity Risk Management Procedures website [under development], https://it.wisc.edu/about/office-of-the-cio/cybersecurity/risk-management-framework/

National Institute for Standards and Technology Special Publication 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf

National Institute for Standards and Technology Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

National Institute for Standards and Technology Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf

Controlled Unclassified Information (32 CFR Part 2002), https://www.gpo.gov/fdsys/pkg/FR-2015-05-08/pdf/2015-10260.pdf
FINAL DRAFT (for ITSC Endorsement to ITC)
Appendix - UW-Madison Cybersecurity Risk Management Framework
August 10, 2017 version
BACKGROUND

Risk is defined as the measure of the extent to which an entity is threatened by a potential circumstance or event, and is typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. [2]

Cybersecurity risk may be presented from external sources or by individual actions of those working inside the network or information systems. The concept of cybersecurity risk includes operational risk to information and technology assets that have consequences affecting the availability, integrity or confidentiality of information or information systems. This includes the resulting impact from physical or technical threats and vulnerabilities in networks, computers, programs and data. The data focus includes information flowing from or enabled by connections to digital infrastructure, information systems, or industrial control systems, including but not limited to, information security, supply chain assurance, information assurance, and hardware and software assurance. [3] The process described in this policy is a tool used to arrive at an understanding of risk involving information systems. Risk can be modeled as the likelihood of adverse events over a period of time, multiplied by the potential impact of those events. Risk is never reduced to zero. There is always a level of risk that must be accepted as a cost of doing business. Reducing the risk to an acceptable level is also a cost of doing business.

Systems are monitored to assure that the level of cybersecurity risk is maintained at or below an acceptable level. There are policy and procedural safeguards to assure that personal privacy and academic freedom are respected. The content or use of the data is only of interest to the extent that it indicates the presence of a vulnerability or threat, such as incoming data that is part of an attack on university systems, or outgoing data that indicates a system has already been compromised. University or personal data that is stolen by an attacker is no longer private. Scrupulous monitoring helps protect data from unscrupulous use.
THE INFORMATION SYSTEM

An information system can be defined as a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Information systems also include specialized systems such as industrial/process control systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems. [4] Each information system should include a security boundary which clearly defines the perimeter of the system and the extent of applicable security controls to be defined and built into the system. Figure 1 below [5] shows a simple client-server based system with the security boundary shown in green.

[2] From NISTIR 7298 Revision 2, Glossary of Key Information Security Terms, dated May 2013.
[3] From A Taxonomy of Operational Cyber Security Risks by James Cebula and Lisa Young, Carnegie-Mellon University Software Engineering Institute, dated December 2010.
[4] From NISTIR 7298 Revision 2, Glossary of Key Information Security Terms, dated May 2013.
Figure 1: The System Security Boundary

The System Security Plan should address the hardware, software, security controls, and administrative or configuration issues associated with securing the system and the data within that boundary. The plan should also describe the interactions with adjacent systems and networks and, where necessary, describe the security controls that protect access and secure the data.
RISK MANAGEMENT FRAMEWORK

The Risk Management Framework, also called the RMF, is derived from the National Institute for Standards and Technology Special Publication 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, and is specifically tailored to meet the requirements and culture at UW-Madison. This document describes the RMF processes and implementation details and serves as a guide to determining cybersecurity risk to information systems and network architectures. The UW-Madison Cybersecurity Risk Management Framework is designed to provide departmental directors, researchers, and information technologists with a tool to determine risk to data and operations of each network or system connected to or serviced by the campus information technology architecture. The RMF consists of six steps that guide the development of a system with information security controls built in. Once development is completed, a formal risk assessment and continued operating checks ensure maintenance of defined risk levels. The tables and graphic below describe the steps:

[5] From University of Florida article Creating an Information System/Data Flow Diagram, found at https://security.ufl.edu/it-workers/risk-assessment/creating-an-information-systemdata-flow-diagram/
| Step | Activity Title | Description |
|---|---|---|
| Pre | Planning | Conducting discovery with the System Owner to aid in their understanding of the RMF and associated tools and processes. Identification of time and resources occurs here. |
| 1 | Categorize the System | A data-driven process where the security requirements of the system are defined by the highest classification of data handled by, or stored within, the system or processes. |
| 2 | Select Security Controls | Assignment of the administrative, physical and technical controls required to protect the data; the controls are drawn from an agreed security controls framework (e.g., NIST 800-53). |
| 3 | Implement and Validate Controls | During design and development, the selected controls are incorporated in the system design, validated to provide the desired protections, and verified as operational. |
| 4 | Risk Assessment | Independent of the development team, a documented assessment is performed to test the selected controls. Residual risk is determined with mitigating factors applied. This stage leads to a formal declaration of risk for the system or network. |
| 5 | Authorize the System | A final risk review is conducted with a formal declaration of risk provided to the responsible Risk Executive, who makes the determination whether to (1) operate the system at the defined risk level; (2) further mitigate risk; or (3) decline to allow continued operation. |
| | System is Operational | |
| 6 | Monitor and Mitigate | Continually assess the operational controls against evolving vulnerability, threat and impact factors. Disruption to operations or loss of data occurs when controls fail, system upgrades occur without proper testing, or external factors dictate; in such cases, determine and implement mitigating controls or return the system to an earlier RMF step. This step is also known as Continuous Diagnostics and Mitigation. |

Figure 2: The Risk Management Framework
The RMF aligns with the system development life cycle and requires input documentation and information for each step. Output artifacts are produced that are used in planning, development and testing, and certification of risk leading to implementation, as shown in the table below.

Step 1: Categorize the System
Project Phase: Planning and Design
Input Documents and Activities:
• Data definition including Classification
• FISMA determination from Contract
• Data description
• System description from SDLC
• CIS Benchmarks
Output Documents and Activities:
• Cybersecurity Project Charter
• System Security Plan (SSP) Questionnaire checklist
• Data Security Triage Form
• IT Security Baseline for Research and Academic Computing Template
• Interview Checklist(s): e.g., FISMA Controls, HIPAA Test Plan, SA Checklist

Step 2: Select Security Controls
Input Documents and Activities:
• Complete and Validated SSP Questionnaire checklist
Output Documents and Activities:
• Security Controls Inventory

Step 3: Implement and Validate Controls
Project Phase: Develop and Test
Input Documents and Activities:
• Configure Security Controls as determined.
Output Documents and Activities:
• Completed Package Artifacts
   o SSP
   o Topology, Data Flow, System Security Boundary
   o Ports & Protocols Table
• Security Controls Workbook (Pre-Assessment)
• Submitted Cybersecurity Risk Acceptance Request Form

Step 4: Risk Assessment
Input Documents and Activities:
• Provide All Audit Scans (host-based scans & application-based testing)
• Completed Security Controls Checklist validated by scanning and manual review
• Develop and Execute Testing Plans (Artifacts not provided will be created by the Office of Cybersecurity)
• Step Three Deliverables
Output Documents and Activities:
• Scanning tool (i.e., Qualys) generated Risk Assessment Report plus Analyst notes
• Executed CCI and NIST checklists
• Updated system POAM
• Validated Step Three Artifacts
• Residual Risk Report

Step 5: Authorize System
Project Phase: Implement
Input Documents and Activities:
• Residual Risk Report
• Step Four deliverables
Output Documents and Activities:
• Chief Information Security Officer signed Risk Letter plus Risk Executive's Endorsement/Approval to Operate

Project Handoff to Operations

Step 6: Mitigate and Monitor
Project Phase: Operate
Input Documents and Activities:
• Approved scanning tool
• Control Validation Plan
• Step Five deliverables
Output Documents and Activities:
• Provide Monthly Risk Reports & POAM updates
• Security Control Validation Report