• Skip to main content
  • Skip to primary sidebar

ConvoCourses

Cyber Security Compliance and IT Jobs

  • Cyber Security Training
  • about me.
  • Information Assurance Jobs

risk assessment

Cybersecurity IT Job Market and the impact of Covid-19 – RMF vs Risk Assessment

March 30, 2020 by Leave a Comment

We talk about the Cybersecurity IT Job Market and the impact of Covid-19. We also breakdown the differences between Risk Management Framework and Risk Assessment

http://www.nist80037rmf.com/wp-content/uploads/2020/03/Cybersecurity-IT_-Job-Market-Effected-by-Covid-19-RMF-vs-Risk-Assessment.mp3
http://www.nist80037rmf.com/wp-content/uploads/2020/03/Cybersecurity-IT_-Job-Market-Effected-by-Covid-19-RMF-vs-Risk-Assessment.mp3

Podcast: Play in new window | Download

Subscribe: Apple Podcasts | Google Podcasts | Pandora | iHeartRadio | Stitcher | TuneIn | Deezer | RSS

Filed Under: Risk Management For DoD IT Tagged With: podcast, risk assessment, risk management framework, rmf

security risk

February 6, 2014 by Bruce Brown Leave a Comment

NIST SP 800-39, Manage Information Security Risk

NIST SP 800-39 deals entirely with fixing the challenge of security risk in an organization.  Chapter 2 of 800-39 discusses the basics of security risk management & chapter 3 goes into the process of applying security risk management across and organization.

The Fundamentals of Security Risk Management (Chapter 2, 800-39)
The philosophy security risks and how to manage information security at multiple levels of an organization are discussed in Chpt 2 of NIST SP 800-39. The three layers of security risk are:

  1. Tier 1: Organization level
  2. Tier 2: Mission/Business Process level
  3. Tier 3: Information System level

Tier 1: Organization Level security risk management
Tier 1 addresses security risk from the organizations perspective. This include the implementation of the first component of security risk management which is called risk framing.

In tier 1 or security risk management, the management of the organization establishes governance structure that are in compliance with laws, regulations and policies. Tier 1 activities include establishment of the Risk Executive Function, establishment of the risk management strategy and determination of the risk tolerance.

 

Security Risk framing provides context for all the security risk activities within an organization, which affects the risk tasks of tier 1 & 2. The result of risk framing is Security Risk Management Strategy.

Security Risk Management Tier 2: Mission/Business Process 

Tier 2 Security risk management tasks include: 1) defining the mission processes. 2) Prioritize the mission process with respect to the long term goals of the organization. 3) Define the type of information needed to successfully execute the mission/business processes, critical/sensitivity of the information and the information flows both internal and external of the information.

 

Tier 3: Information System Security Risk management

From the information system perspective, tier 3 addresses the following tasks:

  1. Categorization of the information system
  2. Allocating the organizational security control
  3. Selection, implementation, assessment, authorization, and ongoing

Chapter 3 focuses on the step to have a comprehensive security risk management program. The tasks discussed include:

  • Risk Framing
  • Risk Assessing
  • Risk Response
  • Risk Monitoring

Risk Assessment

NIST 800-30 goes into Risk Assessment process.  800-39 covers from a high level.  Risk assessment is threat & vulnerability identification and risk determination. Organizational risk framing is a prerequisite to risk assessments, because methods of risk assessment must be established by the contexts of the organizations risk.

Risk Response
Risk response identifies, evaluates, decides on, and implements appropriate courses of action to accept, avoid, mitigate, share, or transfer risk to organizational operations and assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.

Risk identification is key to risk response. Risk types include:
Risk accept- is the appropriate risk response when the identified risk is within the organizational risk tolerance. Organizations can accept risk deemed to be low, moderate, or high depending on particular situations or conditions.

Risk avoidance– Organizations may conduct certain types of activities or employ certain types of information technologies that result in risk that is unacceptable. In such situations, risk avoidance involves taking specific actions to eliminate the activities or technologies that are the basis for the risk or to revise or reposition these activities or technologies in the organizational mission/business processes to avoid the potential for unacceptable risk.

Risk mitigation-adding management, technical, administrative safeguards to minimize identified risks to the system.
Risk share & transfer- Risk sharing or risk transfer is the appropriate risk response when organizations desire and have the means to shift risk liability and responsibility to other organizations. Risk transfer shifts the entire risk responsibility or liability from one organization to another organization (e.g., using insurance to transfer risk from particular organizations to insurance
companies).

Risk Monitoring Risk changes with each modification of the system. It’s important to monitor the changes of the risk of a system. Changes to threats can also change risk.  This is where Continuous monitoring comes in.

Filed Under: DIARMF, diarmf - authorize, diarmf assess, NIST Security Framework, risk management Tagged With: business risk, continuous monitoring risk scoring, corporate risk, DIARMF, DIARMF - Continuous Monitoring, nist risk, nist risk management framework, nist risk management framework 800-37, NIST Risk Management Framework 800-39, risk assessment, risk management, risk management framework, rmf, security risk

risk assessment table

February 5, 2014 by Bruce Brown Leave a Comment

Risk assessment table is usually a 2 dimensional matrix used to measure the likelihood of risk by matching vulnerability, assets, threats and/or impacts of threats to vulnerability of assets.

A risk assessment table can be homemade.  Homemade might be best because the no one knows better than they organization the landscape within their information systems infrastructure, the threats associated or the importance of the assets should they get compromised.

risk management table1
risk management table1

risk management table

Filed Under: NIST Security Framework, risk management Tagged With: risk assessment, risk assessment table, risk management, rmf, rmf security controls

risk assessment model

January 23, 2014 by Bruce Brown Leave a Comment

The risk assessment model is decomposed in NIST SP 800-37, Guide for Risk Assessments.

risk identification
risk identification

The risk assessment model is designed to identify threat sources and events, identify vulnerabilities and predisposing conditions, determine likelihood of occurrence, determine magnitude of impact and finally determine risk. Some of the devices used to do this are risk register:

Risk Register Template – version a Risk Register Template – version b

The risk assessment model is only one part of the risk management process in DIARMF and other risk management frameworks:

risk evaluation
risk evaluation

 

Filed Under: NIST Security Framework, risk management Tagged With: risk, risk assessment, risk assessment model, risk assessment reports, risk management, risk mangement framework, rmf, security assessment reports

risk register template

January 23, 2014 by Bruce Brown 1 Comment

As risk register is a tool in the form or spread sheet, application or database that you can use during risk assessments for risk identification.  It allows the person conducting the risk assessment to log the threat, asset and impact and give some idea of the probability of the threat.  It is used in DIARMF, DIACAP, project management and other risk management processes to help decision makers.

Its also known as a risk log.

Here is a risk register template I got from British Colombia gov site http://www.gov.bc.ca/fin/):

Risk Register Template

Here is another risk register template from the Israel Institute of Technology(webcourse.cs.technion.ac.il):

Risk Register Template

 

Filed Under: risk management Tagged With: business risk, DIARMF, diarmf diacap, DIARMF Process, nist risk management framework, risk, risk assessment, risk determination, risk evaluation, risk identification, risk mangement, risk register template, rmf

what is a risk assessment

January 23, 2014 by Bruce Brown 1 Comment

What is a risk assessment?

To answer this question we must first know what “risk” is.

There are many kinds of risks:  financial risks, safety risks, investment risk.  But we are talking about Security Risk.  In the context of SECURITY, risk is the likelihood that something harmful (a threat) will happen to something of value (an asset).  The asset must be vulnerable to the the harmful event.

So a risk is the probability that a threat will exploit the weakness of an asset.

A risk assessment is the process of identifying the actual risk.  This done by identifying the threat, the asset, the associated weaknesses and countermeasures and then determining the impact should the threat harm the asset.

Risk identification is done with a risk assessment.  NIST SP 800-30, Guide for Conducting Risk Assessments breaks down the entire process of risk determination, risk identification.

As described in the earlier post DIACAP Process:

Risk = ((Vulnerability * Threat) / Countermeasure) * Asset Value at Risk IT Risk

Risk is the likelihood that a threat will compromise the weakness of an asset.  So risk identification is based on knowing the threat, the vulnerability and the asset.

Risk assessment report_Example

risk assessment report
risk assessment report

Filed Under: risk management Tagged With: diarmf assess, nist risk management framework, risk, risk assessment, risk determination, risk evaluation, risk identification, rmf, security risk, what is a risk assessment

  • Go to page 1
  • Go to page 2
  • Go to Next Page »

Primary Sidebar

search

Learn to Make 6 Figures in CyberSecurity

Cyber Security How to make up to 6 Figures
6 figures in Cyber Security

This course explains how I have been able to consistently make 6 figures doing cyber security. There is a method that I have used during my development in cyber security. I am presenting that method to you.

View Course

Teleworking - IT Remote Work
Teleworking – IT Remote Work

Teleworking is something I have been doing for the last 5 years. This is how I did it.

Find Teleworking IT Jobs

View Course

RMF ISSO Foundations Training
RMF ISSO Foundations Training

RMF ISSO Foundations

I was an Information System Security Officer (ISSO) doing Risk Management Framework (NIST SP 800-37) for over a decade. I am a Cybersecurity veteran and I can explain (in plain English) what you DO in the Risk Management Framework process as an ISSO.

View Course

NIST SP 800-37 Presentation
NIST SP 800-37 Presentation

View Course

login

  • Register
  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org

Recent Posts

  • Implementation of security controls resources part 1
  • Convocourses Podcast: course update continuous monitoring and other issues
  • Convocourses Podcast: RMF Course Updates New & NIST-53a
  • ConvoCourses Podcast: Get Into IT from other fields
  • convocourses podcast: RMF Course Updates New NIST 800-53

Meta

  • Register
  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org

Recent Comments

  • horloge on SCAP Compliance Checker SCC)
  • 218 Information assurance Success Criteria – ITSECURITYSURVIVAL.COM on Information Assurance Vulnerability Alert
  • Disa Help Desk | VinHomesData.com on STIG Update – DISA has released the Oracle Java Runtime Environment (JRE) 8 STIG Version 1
  • Bruce Brown on DIARMF – Continuous Monitoring
  • dpresbit on DIARMF – Continuous Monitoring

Tags

8140 8570 ArcSight c&a CISSP colorado cyber cybersecurity cyber security denver DIACAP DIARMF diarmf - implement disa DISA STIG dodd 8140 dodd 8140 cyberspace workforce HBSS IA implement implementation info assurance information assurance information security ISSO job jobs Linux mcafee nist nist risk management framework nist risk management framework 800-37 podcast risk risk assessment risk management risk management framework rmf security SIEM STIG stigs unix VMWare windows

Copyright © 2021 · Author Pro on Genesis Framework · WordPress · Log in