Analecta Cyber Company Blog: Are you Managing the Risk Management Process?

2019-02-05

Are you Managing the Risk Management Process?

On December 20, 2018, the National Institute of Standards and Technology (NIST) released the final version of its NIST Special Publication 800-37 Revision 2, a Risk Management Framework (RMF) addressing both security and privacy concerns in IT risk management. This update connects the RMF with NIST’s well-known Cybersecurity Framework (CSF), highlighting relationships that exist between the two documents.

“Until now, federal agencies had been using the RMF and CSF separately… The update provides cross-references so that organizations using the RMF can see where and how the CSF aligns with the current steps in the RMF. Conversely, if you’re using the CSF, you can bring in the RMF and give your organization a robust methodology to manage security and privacy risks.”

Ron Ross, co-author NIST SP 800-37 Revision 2

Risk Management Framework (RMF) steps


The RMF is a disciplined and structured process that blends information security and risk management functions into the system development life cycle. Since your company needs to perform these tasks at every phase of the system development life cycle, it makes sense to incorporate them into the framework.

As with other risk management models, the RMF is a cyclical model. Its steps include:
  • Prepare to execute the RMF from both organization and system-level perspectives. This involves establishing a context for managing security and privacy risk and setting clear priorities.
  • Categorize the information system and the information processed, stored and transmitted by that system based on an impact analysis.
  • Select an initial set of baseline security controls for the information system and customize the controls as required to reduce risk to an acceptable level based on the risk assessment.
  • Implement the security controls and describe how the controls are employed within the information system and its environment of operation.
  • Assess the security controls to determine if they are implemented correctly, performing as intended and producing the desired outcome of satisfying security and privacy requirements.
  • Authorize the system or common controls based on a determination that the remaining level of risk (to organizational operations and assets, individuals, other organizations or the Nation) is acceptable.
  • Monitor the security and associated controls on an ongoing basis including assessing control effectiveness, documenting changes to the system and/or its environment of operation, conducting additional risk assessments and impact analyses, and reporting the security and privacy posture of the system to designated organizational officials.

[Figure: NIST Risk Management Framework steps. Image courtesy of NIST Special Publication 800-37 Revision 2]

RMF’s relation to CSF


The direct correlation between RMF steps and applicable CSF constructs is clearly laid out in the documentation, and will be one of the most useful components of the RMF update.

[Figure: Table mapping RMF tasks to CSF constructs. Image courtesy of NIST Special Publication 800-37 Revision 2]

As an example, the table above shows which tasks are part of the Categorize step of the RMF and links each task to one or more components of the CSF. You can then examine the RMF for further clarification of the task, or examine the subcategories of the CSF, for example ID.AM-1: Physical devices and systems within the organization are inventoried. Within the CSF documentation, each subcategory lists additional informative references that you can draw on for ideas about controls or standards.

But what about that risk assessment?


Analecta has devised a 96-point Cyber Risk Assessment that asks tough, realistic questions that can identify the most critical next steps in your firm’s cybersecurity program to maximize protection. The Cyber Risk Assessment is designed to enable small and medium-sized businesses to minimize or even eliminate the risk of data breaches that can cause customer loss, reputational damage and severe bottom-line impact. For more information about the Cyber Risk Assessment and other ways to protect your business, email us at info@analecta-llc.com or visit our Cybersecurity website.

Analecta Cyber is a Maryland-based cybersecurity firm providing cyber risk assessments for small and medium-sized businesses. Analecta is a trusted partner to help companies achieve their cybersecurity objectives.


