  Keith E. Anderson, Sr.

Risk Management

Risk Management, as it pertains to organizational information security and privacy functions, is the management of risks associated with information systems and assets that, if realized, could affect the confidentiality, integrity, and/or availability of technology-related assets that are strategically key to an organization's ability to carry out its mission and business objectives.

Applying this approach to the protection of an organization's information assets allows risk to be managed down to a level that aligns with the overall risk appetite of the organization...in other words, the amount of risk the organization is willing to assume.

As guardians of information security and privacy, we are professionally bound to ensure the organizations we represent are ethically carrying out their due diligence and due care in protecting the information of all stakeholders.
NIST (2018). RMF for Information Systems and Organizations
Risk Management Framework

The Risk Management Framework (RMF) provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information security categorization, control selection, implementation, and assessment; system and common control authorization; and continuous monitoring (NIST, 2018). It provides senior and executive leadership with the information necessary to make risk-based decisions on behalf of the organization.

The RMF incorporates security and privacy into the system development lifecycle (SDLC), and links essential risk management processes at the system level to risk management processes at the organization level (NIST, 2018).

The RMF is broken down into seven steps that coalesce to form the lifecycle of a system...the SDLC, if you will:

Prepare
  • establish a context and priorities for managing security and privacy risk (NIST, 2018)

Categorize
  • categorize the system and the information processed, stored and transmitted by the system based on an analysis of the impact of loss (NIST, 2018)

Select
  • select an initial set of controls for the system to reduce risk to an acceptable level, based on an assessment of risk (NIST, 2018)

Implement
  • implement the controls and describe how they are employed within the system and operational environment (NIST, 2018)

Assess
  • assess the controls to determine effectiveness against desired outcomes (NIST, 2018)

Authorize
  • authorize the system or common controls based on a determination that overall risk is at an acceptable level (NIST, 2018)

Monitor
  • monitor the system and associated controls on an ongoing basis...this includes assessing control effectiveness, documenting changes to the system and operating environments, conducting risk assessments and impact analyses, and reporting the security and privacy posture of the system (NIST, 2018)
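The Categorize step above rests on FIPS PUB 199 (listed in the references below), which rates the impact of loss for each security objective and then takes the high water mark across every information type a system handles; FIPS PUB 200 then takes the high water mark across the three objectives to pick the SP 800-53 baseline. The following is an added worked example, not part of the original page or the downloadable categorization document; the three information types and their impact levels are constructed for illustration.

```python
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() yields the high water mark."""
    NA = 0        # permitted only for the confidentiality of public information
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_system(info_types):
    """Return the FIPS 199 security category of a system.

    info_types maps an information-type name to its per-objective impact levels.
    For each objective the system's level is the highest value across all the
    information types it processes, stores or transmits (the high water mark).
    """
    category = {obj: Impact.NA for obj in OBJECTIVES}
    for name, levels in info_types.items():
        for obj in OBJECTIVES:
            level = levels[obj]
            if level is Impact.NA and obj != "confidentiality":
                raise ValueError(f"{name}: N/A is only valid for confidentiality")
            category[obj] = max(category[obj], level)
    # FIPS 199: once a system is categorized, every objective is at least LOW.
    return {obj: max(level, Impact.LOW) for obj, level in category.items()}


def overall_impact(category):
    """FIPS 200 overall impact level: the high water mark across the three
    objectives, which selects the LOW, MODERATE or HIGH SP 800-53 baseline."""
    return max(category.values())


def format_category(category):
    """Render the category in the FIPS 199 SC = {(objective, impact), ...} notation."""
    pairs = ", ".join(f"({obj}, {category[obj].name})" for obj in OBJECTIVES)
    return "SC = {" + pairs + "}"


# Constructed sample: three information types handled by one hypothetical system.
SAMPLE_INFO_TYPES = {
    "public web content": {"confidentiality": Impact.NA, "integrity": Impact.MODERATE,
                           "availability": Impact.MODERATE},
    "customer PII": {"confidentiality": Impact.MODERATE, "integrity": Impact.MODERATE,
                     "availability": Impact.LOW},
    "financial transactions": {"confidentiality": Impact.MODERATE, "integrity": Impact.HIGH,
                               "availability": Impact.MODERATE},
}

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_INFO_TYPES)
    print(format_category(sc))
    print("Overall impact level:", overall_impact(sc).name)
```

Note that a single HIGH integrity rating on one information type drives the whole system to the HIGH baseline, which is why the impact analysis in this step deserves care before the Select step begins.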
NIST (n.d.). FISMA Implementation Project
Documentation of a Risk Management Program (docx)

Categorization Example (docx)

Implementation Example (docx)

Assessment Example (docx)

Authorization Example (docx)

Reflection
  • FIPS PUB 199 (Security Categorization)
  • NIST SP 800-70 (Checklist for IT Products)
  • NIST SP 800-37 (RMF for IS and Organizations)
  • FIPS PUB 200 (Minimum Security Requirements)
  • NIST SP 800-53 (Security and Privacy Controls)
  • NIST SP 800-60 (Mapping Info Systems to Categories)
  • NIST SP 800-53A (Assessing Security and Privacy Controls)