|
One of the fundamental goals of cybersecurity is the management of risk. A key element of managing that risk is the creation of a framework which allow an organization to categorize the impact of risk, select and implement appropriate controls, get them authorized, and then assess and monitor those controls to ensure they are performing as expected. The National Institute of Standards and Technology (NIST) has developed such a framework for improving cybersecurity as well as managing risk. Understanding risk is a critical output of the framework and allows the organization to make informed decisions about how to prioritize and manage it. The RMF is a structured and flexible process that integrates the security of the organization and its associated controls into a development life cycle. It is designed to provide a repeatable process that promotes the protection of information and systems commensurate with risk.
|
NIST Risk Management Framework
|
Categorization
To properly measure the risk associated with payroll systems one must first categorize the potential impact to the organization should certain events occur. That event may be malicious or accidental, an outside hack or inside job, or even a natural disaster beyond the control of the organization. Regardless of the cause of the risk to the business the potential impact of the loss of confidentiality, integrity, and availability (CIA) must be defined. The Federal Information Processing Standards Publication 199 (FIPS-199), referencing United States Code 44, Section 3542, has defined the CIA security objectives as follows:
To properly measure the risk associated with payroll systems one must first categorize the potential impact to the organization should certain events occur. That event may be malicious or accidental, an outside hack or inside job, or even a natural disaster beyond the control of the organization. Regardless of the cause of the risk to the business the potential impact of the loss of confidentiality, integrity, and availability (CIA) must be defined. The Federal Information Processing Standards Publication 199 (FIPS-199), referencing United States Code 44, Section 3542, has defined the CIA security objectives as follows:
|
|
FIPS 199 also defines three levels of potential impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability). The application of these definitions is measured with respect to our organization. Impact levels are defined as follows:
- The potential impact is LOW if— the loss of CIA could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
- The potential impact is MODERATE if— the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
- The potential impact is HIGH if— the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. (FIPS, 2004)
Selection
The next step in the risk management framework is the selection of security controls. Controls are the processes and methods by which an organization’s security and privacy requirements are met. Security requirements ensure the confidentiality, integrity, and availability of information being processed, stored, or transmitted by information systems. Privacy requirements maintain individual privacy or confidentiality associated with an organization’s collection, processing, storage, or disclosure of personally identifiable information. (Ross, 2017)
The next step in the risk management framework is the selection of security controls. Controls are the processes and methods by which an organization’s security and privacy requirements are met. Security requirements ensure the confidentiality, integrity, and availability of information being processed, stored, or transmitted by information systems. Privacy requirements maintain individual privacy or confidentiality associated with an organization’s collection, processing, storage, or disclosure of personally identifiable information. (Ross, 2017)
Table 1 - NIST SP 800-53 - Security Control Identifiers and Family Names
Implementation
The next step is to implement the security and privacy controls described in the security and privacy plans for the system and the organization and to document in a baseline configuration, the specific details of the control implementation. (Joint Task Force, 2012). This is where the selected security control are actually put into place which then uphold the organization's security and privacy policies.
Assessment
The purpose of an assessment is to determine if the security and privacy controls selected are implemented correctly, operating as intended, and producing the required outcome. (Joint Task Force, 2012). In other words, verify the security controls we chose actually work. This is accomplished with a test plan that is created based inputs from the security and privacy plans as well as the risk management plans created earlier. The assessment plan also takes into account how the security themselves were implemented and offers a chance to test remediation. The implementation of security controls we chose previously for access, training, and accounting will be assessed.
The next step is to implement the security and privacy controls described in the security and privacy plans for the system and the organization and to document in a baseline configuration, the specific details of the control implementation. (Joint Task Force, 2012). This is where the selected security control are actually put into place which then uphold the organization's security and privacy policies.
Assessment
The purpose of an assessment is to determine if the security and privacy controls selected are implemented correctly, operating as intended, and producing the required outcome. (Joint Task Force, 2012). In other words, verify the security controls we chose actually work. This is accomplished with a test plan that is created based inputs from the security and privacy plans as well as the risk management plans created earlier. The assessment plan also takes into account how the security themselves were implemented and offers a chance to test remediation. The implementation of security controls we chose previously for access, training, and accounting will be assessed.
NIST 800-171 - Sample Assessment Test Case for Access Control Policy
Authorization
Based on the findings and recommendations of the security assessment performed previously one is able to develop a Plan of Action and Milestones (POA&M). The POA&M describes the specific tasks that are planned to correct any weaknesses or deficiencies found during the assessment, perform continuous monitoring, and address vulnerabilities in the system. The plan also describes the specific tasks to be complemented either before or after implementation, required resources, milestones for those tasks, and completion dates. (Joint Task Force, 2010). The POA&M will be presented to management as part of the request for authorization to use the system being assessed. In the context of a POA&M the term “weakness” represents any information security or privacy vulnerability that could be exploited by a threat source resulting in the compromise of the confidentiality, integrity, or availability of an information system. (Centers for Medicare, 2015).
Monitoring
The purpose of the monitoring step is to maintain an ongoing situational awareness about the security and privacy posture of the system and the organization in support of risk management decisions. (Ross, 2017). Monitoring of the security controls and their efficacy allows us to ensure the system remains secure as aspects of the system change over time. This may include changes to the personnel, including their role and access privileges, software application or vendor changes, and changes to the physical environment in which the system is used. The output of continuous monitoring activities must analyzed and responded to appropriately and its findings incorporated back into the risk management process.
Based on the findings and recommendations of the security assessment performed previously one is able to develop a Plan of Action and Milestones (POA&M). The POA&M describes the specific tasks that are planned to correct any weaknesses or deficiencies found during the assessment, perform continuous monitoring, and address vulnerabilities in the system. The plan also describes the specific tasks to be complemented either before or after implementation, required resources, milestones for those tasks, and completion dates. (Joint Task Force, 2010). The POA&M will be presented to management as part of the request for authorization to use the system being assessed. In the context of a POA&M the term “weakness” represents any information security or privacy vulnerability that could be exploited by a threat source resulting in the compromise of the confidentiality, integrity, or availability of an information system. (Centers for Medicare, 2015).
Monitoring
The purpose of the monitoring step is to maintain an ongoing situational awareness about the security and privacy posture of the system and the organization in support of risk management decisions. (Ross, 2017). Monitoring of the security controls and their efficacy allows us to ensure the system remains secure as aspects of the system change over time. This may include changes to the personnel, including their role and access privileges, software application or vendor changes, and changes to the physical environment in which the system is used. The output of continuous monitoring activities must analyzed and responded to appropriately and its findings incorporated back into the risk management process.
References
- Centers for Medicare and Medicaid Services. (2015, Nov 5). Plan of Action and Milestones Guide. Retrieved from https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Downloads/RMH_VIII_6-2_Plan_of_Action_and_Milestones_Process_Guide.pdf
- Joint Task Force Transformation Initiative. (2010, February). Risk Management Framework for Systems and Organizations. Retrieved from https://csrc.nist.gov/publications/detail/sp/800-37/rev-1/final
- National Institute of Standards and Technology (NIST). (2004, February). FIPS PUB 199. Standards for Security Categorization of Federal Information and Information Systems. Retrieved from https://csrc.nist.gov/publications/detail/fips/199/final
- Ross, Ron, (2018, February). Assessing Security Requirements for Controlled Unclassified Information. Retrieved from https://csrc.nist.gov/publications/detail/sp/800-171a/draft.
- Ross, Ron. (August 2017). Security and Privacy Controls for Information Systems and Organizations. Draft NIST Special Publication 800-53 Revision 5. Retrieved from: https://ole.sandiego.edu/bbcswebdav/courses/CSOL-530-MASTER/M3/sp800-53r5-draft.pdf.
- U.S. Department of Health and Human Services (HHS). (2015, April 16). The HIPAA Privacy Rule. Retrieved from https://www.hhs.gov/hipaa/for-professionals/privacy/index.html.
