I talked a little about IT RMF Certifications in previous articles. One of my previous co-workers asked me more about Risk Management Framework Training paths and I just wanted to add more on this subject. From my experience, the best common body of knowledge for training in the RMF space is the ISC2 CAP:
- Risk Management Framework (RMF)
- Categorization of Information Systems
- Selection of Security Controls
- Security Control Implementation
- Security Control Assessment
- Information System Authorization
- Monitoring of Security Controls
Based on www.isc2.org the ideal candidate will have the following:
- IT Security experience
- Information Assurance experience
- Information Risk Management experience
- Certification
- Systems Administration
- One – two years of general technical experience
- Two years of general systems experience
- One – two years of database/systems development/network experience
- Information Security Policy
- Technical or auditing experience within government, the U.S. Department of Defense, the financial or health care industries, and/or auditing firms
- Strong familiarity with NIST documentation
A higher of NIST RMF study goes beyond the Certified Information System Security Professional (CISSP). This body of knowledge is a concentration of the CISSP called Information System Security Engineering Professional (ISSEP). There are (4) domains for the ISSEP:
- Systems Security Engineering
- Certification and Accreditation (C&A) / Risk Management Framework (RMF)
- Technical Management
- U.S. Government Information Assurance Related Policies and Issuances
The ISSEP includes everything from CAP but also includes other policies, issuances and processes that you find within the government.
The CAP and ISSEP both have the best path to understand and master the RMF.
