Introduction

The National Institute of Standards and Technology (NIST) maintains important publications about risk management and security. This is part of its mission to promote innovation and industrial competitiveness [1]. One of the most notable is special publication (SP) 800-37 ‘Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy’. The target audience is any individual or organization associated with the design, development, implementation, assessment, operation, maintenance, and disposition of information systems [2]. This document provides a Risk Management Framework (RMF) for any information systems. Although designed for cyber risks, the framework applies as well to physical risks.

Sources are cited below, original article available free of charge here.

Purpose of Publication

Quoting the publication [2]:

" The guidelines have been developed:

  • To ensure that managing system-related security and privacy risk is consistent with the mission and business objectives of the organization and risk management strategy established by the senior leadership through the risk executive (function);
  • To achieve privacy protections for individuals and security protections for information and information systems through the implementation of appropriate risk response strategies;
  • To support consistent, informed, and ongoing authorization decisions, reciprocity, and the transparency and traceability of security and privacy information;
  • To facilitate the integration of security and privacy requirements and controls into the enterprise architecture, SDLC processes, acquisition processes, and systems engineering processes;
  • To facilitate the implementation of the Framework for Improving Critical Infrastructure Cybersecurity [NIST CSF] within federal agencies. "

This publication provides means for handling organizational risks to information systems. Establishing rules for data privacy, data owners, data transparency, and secure software development. The focus is on a framework for addressing, understanding, mitigating, and accepting risk. It provides no specific countermeasures for risks instead focusing at the organization level.

Fundamentals and the Risk Management Process

This publication takes a three tiered approach to managing risk as demonstrated in the following diagram [2]:

NISTSP80037

Summarizing figure 1:

  • Organization
    • This tier focuses on governance and program-related risk management [1]. Preparing the organization to execute the RMF [3]. Here, important decisions linked to the business objectives, system modernization, enterprise architecture, and resource allocation are made. The primary responsibilities are: to understand risk, to assign roles, to identify critical functions, and to prioritize security requirements.
  • Mission/Business Process
    • This level focuses on the business or mission objectives. Such as defining the criticality of information flow between the organization and its partners [1]. Although related to level one, the focus is information flow, communication, and assigning task criticality.
  • Information System
    • This level defines the risk to information technology. Where risk to physical and digital information becomes less organizational and more practical.

Communication of risks and priorities flow down the diagram. Incident reporting flows up. Feedback is provided from the information system level to the organization level. Ensuring every keyholder is up to date on the critical threats. New directives and priorities will flow down. Returning to the information system level. Once careful consideration of the reports and threat intelligence collected adn analyzed.

Once a conceptualization of the framework is understood, stakeholders should execute the process. The NIST RMF isolates seven key steps to ensure that activities are successfully executed [2]:

  1. Prepare
    • Both organization and system level preparation is needed to establish a context and priorities for managing security and privacy risks.
  2. Categorize
    • The system and information processed, stored, and transmitted should be categorized based on the impact of loss.
  3. Select
    • Select an initial set of controls and tailor the controls as needed to reduce risk to an acceptable and manageable level.
  4. Implement
    • Implement the controls and document thoroughly.
  5. Assess
    • Determine if all controls are implemented correctly, operating as intended, and producing desirable outcomes.
  6. Authorize
    • Authorize system controls based on a risk assessment.
  7. Monitor
    • Monitor control efficaciousness, perform ongoing maintenance, and document all changes, assessments, feedback, and analysis.

The publication provides further insight into each step. Including the smallest set of required tasks for full implementation of each step. Providing critical information on potential inputs, executed outputs, and the primary role responsible. Reviewing this set of tasks and covering the enumerated risk is essential. Any team or organization will gain from this type of review.

Conclusion

The RMF provides more than the fundamentals for organizational risk management. Including supply chain risk management, security and privacy, authorization boundaries, and more. Understanding the full conceptual framework for determining and addressing risk is critical. NIST RMF is by no means a one size fits all solution to risk management. Only a framework that highlights common risks and strategies used in the field. This publication provides crucial insight into any organization’s information infrastructure and data security.

Sources

  1. B. Chapman and F. Maymi, CompTIA CySA+ cybersecurity analyst certification all-in-one exam guide, second edition (exam CS0-002), 2nd ed. Columbus, OH: McGraw-Hill Education, 2020.
  2. Joint Task Force Transformation Initiative, “Risk management framework for information systems and organizations: A system life cycle approach for security and privacy,” National Institute of Standards and Technology, Gaithersburg, MD, 2018.

Acronym Dictionary

NIST: National Institute of Standards and Technology RMF: Risk Management Framework SP: Special Publication