• Skip to main content
  • Skip to primary sidebar

ConvoCourses

Cyber Security Compliance and IT Jobs

  • Cyber Security Training
  • about me.
  • Information Assurance Jobs
  • Log in

risk management

Network Engineer to Risk Management Framework

September 14, 2021 by Bruce Brown Leave a Comment

Many more videos on https://www.youtube.com/convocoursesshort videos at https://www.tiktok.com/@convocourses?lang=enand https://www.instagram.com/convocourseqs/https://www.facebook.com/ConvoCourses-108091850619388Podcast version of the content:https://podcasts.apple.com/us/podcast/convocourses/id1500188278http://www.nist80037rmf.com/google_podcast

Filed Under: DIARMF Jobs, Information Assurance Jobs, Risk Management For DoD IT Tagged With: engineer, network, Network Engineer to Risk Management Framework, risk management

What is Risk Management Framework NIST 800 37

June 20, 2016 by Bruce Brown Leave a Comment

Risk Management is being aware of and taking actions to prepare for probable unfavorable outcomes.

Risk Management Framework is a process the implement risk management in an organization.

There are (6) steps to the RMF:
1. Categorize
2. Select
3. Implement
4. Assess
5. Authorize
6. Continuous Monitoring

More on the Risk Management Framework Steps here:
http://diarmfs.com/risk-management-framework-steps/

Filed Under: certification & accreditation, DIACAP, DIARMF, Information Assurance, Risk Management For DoD IT Tagged With: authorize, categorization, Continuous Monitoring, implement, nist sp 800-137, nist sp 800-37, nist sp 800-53, risk management, rmf, select

FCC – Cybersecurity Risk Management Best Practice Working Group

April 16, 2015 by Bruce Brown Leave a Comment

The Federal Communication Commission (FCC) Communications Security, Reliability and Interoperability Council (CSRIC) developed a Cybersecurity Risk Management and Best Practice Final Report dated March 2015.

The 400 page document discusses voluntary mechanisms that give the Federal Communications Commission (FCC) and the public assurance that communication providers are taking the necessary measures to manage cybersecurity risks across the 5 major parts of communications: broadcasting, satellite, cable, wireless and wireline.

courtesy of gohsep.la.gov
courtesy of gohsep.la.gov

The document also details implementation guidance to help communication providers adapt to NIST Cybersecurity Framework.  The NIST Cybersecurity Framework was created to satisfy the President’s Executive Order 13636 – Improving Critical Infrastructure Cybersecurity.

Each of the 5 major components of FCC communications ( broadcasting, satellite, cable, wireless and wireline) have been be treated as critical infrastructure and evaluated by the NIST Cybersecurity Framework.

The segment and feeder subgroup findings and resulting NIST Cybersecurity Framework implementation guidance are contained in the appendices to this report. – more info here

Filed Under: risk management Tagged With: Cybersecurity Risk Management, Cybersecurity Risk Management Best Practice Working Group, FCC, NIST Cybersecurity Framework, risk management

Risk Management Principles

February 7, 2014 by Bruce Brown Leave a Comment

Risk management principles can be found in ISO 31000:2009,  Risk management – Principles and guidelines and its companion guides ISO Guide 73:2009, Risk management – Vocabulary with has a collection of definitions relevant to the management of risk.  ISO/IEC 31010:2009, Risk management – Risk assessment techniques focuses on risk.

Other documents with risk management principles include NIST SP 800-39,  and NIST SP 800-30.

The principle of risk management center around looking at corporate risk.  What is the risk to the bottom-line of the organization?  Whether the bottom-line is money, reputation, a mission, or process.  How will the organization address risk from the top down?  Risk is addressed at every level of the organization from the very top to the bottom.  NIST 800-39 breaks this all down in tiers.

Risk management principles
Risk management principles

To address the actual risk and organization must be able to predict the likelihood of a harmful event (threat) adversely affecting an asset vulnerability.

Risk = ((Vulnerability * Threat) / Countermeasure) * Asset Value at Risk IT Risk

An organization uses a quantitative approach to analyzing and managing the risk to its resources.  To do this, they must identify the threat, the asset, the vulnerability and countermeasures (security controls) of the asset.  They must determine the level of impact that the organization would suffer if the harmful event occurs.  To determine all this they must do risk assessments.

 

 

Filed Under: NIST Security Framework, risk management Tagged With: 31000, 800-39, at risk management, ISO 31000 2009 Risk Management, nist risk management framework 800-37, NIST Risk Management Framework 800-39, risk management, risk management framework, risk management principles, rmf

business risk

February 7, 2014 by Bruce Brown Leave a Comment

You should deal with business risk BEFORE disaster strikes.

Business risk deal with negative impacts to an organizations bottom line.  If harm should strike exposed weaknesses, the business needs to know how they will deal with it and how do they adjust to the situation.

A Business Impact Analysis (BIA) is sometimes done to identify the threats, vulnerabilities, assess, the likelihood of threats acting on identified weakness and the impact if they do.  DIARMF pulls for NIST and the NIST is robust enough to address address BIA / business risks.  The main documents dealing with business risks are 800-39, 800-30, and 800-34.

NIST SP 800-39, Manage Information Security Risk deals with the process of business risks by way of explaining the risk management necessary for an organization.

NIST SP 800-30, Guide for Conducted Risk Assessment describe the tasks and steps of business impact assessments:

A Business Impact Analysis (BIA) identifies high-value assets and adverse impacts with respect to the loss of integrity or availability. DHS Federal Continuity Directive 2 provides guidance on BIAs at the organization and mission/business process levels of the risk management hierarchy, respectively.

NIST Special Publication 800-34 provides guidance on BIAs at the information system level of the risk management hierarchy.

One of the biggest business risks capture while doing business impact assessments is interruptions of service.  After all, if the business is not DOING business then mission, work and revenue stop.  So the business/organization and or department must have  a contingency plan.  NIST Special Publication 800-34, Contingency Planning Guide for Federal Information Systems covers what to do in case of interruptions.

A contingency plan covers what to do in the event of service disruptions including procedures, and technical measures that can get systems back quickly for a while until the disruption passes.  NIST 800-34 covers information system contingency plans (ISCPs) who documents them and how. This is also a major part of the security controls addressed in 800-53/DIARMF.

 

ƒ

Filed Under: NIST Security Framework, risk management Tagged With: BIA, business impact assessment, business risk, cold site, contingency plan, continuity plan, COOP, corporate risk, hot site, ISCP, nist risk management framework 800-37, risk management, rmf, warm site

security risk

February 6, 2014 by Bruce Brown Leave a Comment

NIST SP 800-39, Manage Information Security Risk

NIST SP 800-39 deals entirely with fixing the challenge of security risk in an organization.  Chapter 2 of 800-39 discusses the basics of security risk management & chapter 3 goes into the process of applying security risk management across and organization.

The Fundamentals of Security Risk Management (Chapter 2, 800-39)
The philosophy security risks and how to manage information security at multiple levels of an organization are discussed in Chpt 2 of NIST SP 800-39. The three layers of security risk are:

  1. Tier 1: Organization level
  2. Tier 2: Mission/Business Process level
  3. Tier 3: Information System level

Tier 1: Organization Level security risk management
Tier 1 addresses security risk from the organizations perspective. This include the implementation of the first component of security risk management which is called risk framing.

In tier 1 or security risk management, the management of the organization establishes governance structure that are in compliance with laws, regulations and policies. Tier 1 activities include establishment of the Risk Executive Function, establishment of the risk management strategy and determination of the risk tolerance.

 

Security Risk framing provides context for all the security risk activities within an organization, which affects the risk tasks of tier 1 & 2. The result of risk framing is Security Risk Management Strategy.

Security Risk Management Tier 2: Mission/Business Process 

Tier 2 Security risk management tasks include: 1) defining the mission processes. 2) Prioritize the mission process with respect to the long term goals of the organization. 3) Define the type of information needed to successfully execute the mission/business processes, critical/sensitivity of the information and the information flows both internal and external of the information.

 

Tier 3: Information System Security Risk management

From the information system perspective, tier 3 addresses the following tasks:

  1. Categorization of the information system
  2. Allocating the organizational security control
  3. Selection, implementation, assessment, authorization, and ongoing

Chapter 3 focuses on the step to have a comprehensive security risk management program. The tasks discussed include:

  • Risk Framing
  • Risk Assessing
  • Risk Response
  • Risk Monitoring

Risk Assessment

NIST 800-30 goes into Risk Assessment process.  800-39 covers from a high level.  Risk assessment is threat & vulnerability identification and risk determination. Organizational risk framing is a prerequisite to risk assessments, because methods of risk assessment must be established by the contexts of the organizations risk.

Risk Response
Risk response identifies, evaluates, decides on, and implements appropriate courses of action to accept, avoid, mitigate, share, or transfer risk to organizational operations and assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.

Risk identification is key to risk response. Risk types include:
Risk accept- is the appropriate risk response when the identified risk is within the organizational risk tolerance. Organizations can accept risk deemed to be low, moderate, or high depending on particular situations or conditions.

Risk avoidance– Organizations may conduct certain types of activities or employ certain types of information technologies that result in risk that is unacceptable. In such situations, risk avoidance involves taking specific actions to eliminate the activities or technologies that are the basis for the risk or to revise or reposition these activities or technologies in the organizational mission/business processes to avoid the potential for unacceptable risk.

Risk mitigation-adding management, technical, administrative safeguards to minimize identified risks to the system.
Risk share & transfer- Risk sharing or risk transfer is the appropriate risk response when organizations desire and have the means to shift risk liability and responsibility to other organizations. Risk transfer shifts the entire risk responsibility or liability from one organization to another organization (e.g., using insurance to transfer risk from particular organizations to insurance
companies).

Risk Monitoring Risk changes with each modification of the system. It’s important to monitor the changes of the risk of a system. Changes to threats can also change risk.  This is where Continuous monitoring comes in.

Filed Under: DIARMF, diarmf - authorize, diarmf assess, NIST Security Framework, risk management Tagged With: business risk, continuous monitoring risk scoring, corporate risk, DIARMF, DIARMF - Continuous Monitoring, nist risk, nist risk management framework, nist risk management framework 800-37, NIST Risk Management Framework 800-39, risk assessment, risk management, risk management framework, rmf, security risk

  • Go to page 1
  • Go to page 2
  • Go to page 3
  • Go to Next Page »

Primary Sidebar

search


This is a breakdown of each of the NIST 800-53 security control families and how they relate to each step in the NIST 800-37 risk management framework process.

also available on Amazon!

View Book


This is a breakdown of each of the NIST 800-53 security control families and how they relate to each step in the NIST 800-37 risk management framework process.

also available on Amazon!

View Book


This book is an overview of how the NIST SP 800-37 risk management framework works from the perspective of an information system security officer (ISSO).

also available on Amazon!

View Book

NIST RMF 800-37 templates
Free 800-37 templates

The NIST 800 Template download contains a .doc file template and xls templates for POAMs, Federal, State, cloud based and a legacy template as well as resources where you can find more on NIST 800-37 documents for your use.

View Book

Learn to Make 6 Figures in CyberSecurity

RMF ISSO Foundations Training
RMF ISSO Foundations Training

RMF ISSO Foundations

I was an Information System Security Officer (ISSO) doing Risk Management Framework (NIST SP 800-37) for over a decade. I am a Cybersecurity veteran and I can explain (in plain English) what you DO in the Risk Management Framework process as an ISSO.

View Course

NIST SP 800-37 Presentation
NIST SP 800-37 Presentation

View Course

login

  • Register
  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org

Recent Posts

  • Convocourses Podcast: Plan of Action and Milestone
  • Start with These IT Certifications (Part 1)
  • How to Tailor Security Controls in NIST 800
  • #cybersecurityjobs are recession proof
  • What IT Certifications for Information Security (part 2) (8140)

Meta

  • Register
  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org

Recent Comments

  • http://Www.Finance.Ipt.Pw/ on SRG/STIG Applicability Guide and Collection Tool Update
  • Elsa7 on ConvoCourses podcast: Cyber Security day to day activity
  • Tony on STIG Update – DISA has released the Microsoft SQL Server 2016 STIG Version 1
  • horloge on SCAP Compliance Checker SCC)
  • 218 Information assurance Success Criteria – ITSECURITYSURVIVAL.COM on Information Assurance Vulnerability Alert

Tags

8140 8570 ArcSight c&a CISSP convocourses cyber cybersecurity cyber security DIACAP DIARMF diarmf - implement disa DISA STIG dodd 8140 dodd 8140 cyberspace workforce IA implement implementation info assurance information assurance information security ISSO IT it jobs it jobs in usa job jobs Linux mcafee network nist nist risk management framework nist risk management framework 800-37 podcast risk risk assessment risk management risk management framework rmf security STIG stigs unix windows


This is a breakdown of each of the NIST 800-53 security control families and how they relate to each step in the NIST 800-37 risk management framework process.

also available on Amazon!

View Book

Copyright © 2023 · Author Pro on Genesis Framework · WordPress · Log in