(RMF) STEPS 1-6 PROCESS OVERVIEW
Risk Management Framework (RMF) - ANSWER-The RMF addresses the security
concerns of organizations related to the design, development, implementation, operation,
and disposal of information systems and the environments in which those systems
operate.
Step 1 Categorize - Information System Phase 1 - ANSWER-Categorize the information
system based on the information type the system processes, stores, or transmits. SP
800-60 and FIPS Publication 199 are used to determine the impact level (Low, Moderate or High)
assigned to each of the security objectives - Confidentiality, Integrity and Availability (CIA).
The high water mark (highest of the three) becomes the overall categorization of the system.
Categorization Process Kick Off Mtg. 1st Artifact FIPS 199 - ANSWER-Starts with a kick-off
meeting attended by the System Owner (SO),
Security Control Assessor/C&A Analyst,
Information System Security Officer (ISSO), AO, and Information Owner
Links:
http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol2-Rev1.pdf
http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
The system is categorized based on information type (Process, Store or Transmit).
FIPS 199 - Overall system categorization is based on the high water mark of the CIA objectives - Low,
Moderate or High. FIPS 199, SP 800-60
Initial Risk Assessment Report - Threat, Vulnerability, Impact and Recommendation. SP
800-30 and SP 800-37
PTA - To determine if the system deals with PII. The PTA is positive if PII is collected; if not, the PTA
is negative. SP 800-122
PIA is conducted if the PTA is positive - identifies the risk of collecting PII and recommends
safeguards. SP 800-122
SORN is developed if the system deals with PII - the SORN is published for public comment
(purpose for collecting the PII, how accuracy is ensured and how the PII is protected)
E-authentication is applicable when the system is accessible remotely. This identifies the
appropriate authentication mechanism based on risk - single factor, multifactor, etc. SP 800-63
TPWA - OMB Memorandum 10-23 requires that agencies assess third-party websites
and applications to ensure privacy before using them. Ex. CMS page on FB: CMS
needs to complete a TPWA on Facebook before creating a FB page.
High Value Asset (HVA) - ANSWER-CARVER - Criticality, Accessibility, Recoverability,
Vulnerability, Effect and Recognizability - Done at the enterprise level - Prioritizes your
systems.
Criticality, Accessibility, Recoverability, Vulnerability, Effect and Recognizability -
ANSWER-Criticality: The target value. How vital is this to the overall organization? A
target is critical when its compromise or destruction (failure to provide any of the CIA
triad components) has a highly significant impact on the overall organization.
Accessibility: How easily can I reach the target? What are the defenses? Do I need an
insider? Is the target computer off the internet?
Recoverability: How long will it take for the organization to replace, repair, or bypass the
destruction or damage caused to the target?
Vulnerability: What degree of knowledge is needed to exploit the target? Can I use
known exploits, or should I invest in new, possibly zero-day exploits (not yet known)?
Effect: What is the impact of the attack on the organization? Similar to the first point
(Criticality), this point should also analyze possible reactions from the organization.
Recognizability: Can I identify the target as such? How easy is it to recognize that a
specific system/network/device is the target and not a security countermeasure? Is it
visible to customers?
Initial Risk Assessment Report - ANSWER-Threat, Vulnerability/Weakness, Impact
Risk Assessment (RA) is conducted through:
Examination - Review existing documents (policies, procedures, previous assessments, etc.)
Observation - Observe the implementation of controls
Walkthrough - Take a tour of a building to take note of security control implementation
Interview - System owner, system administrators, developers, etc.
Testing - Test existing controls (e.g. test failed login attempts)
Internal Risk Assessment Report 800-30 and 800-37 - 2nd artifact - ANSWER-The RAR is
the second deliverable/artifact of the Categorization Phase; it contains:
System description
Scope/boundary
Threat
Vulnerability/Weakness
Impact
Likelihood
Recommendation to avoid risk
Mechanism by which agencies perform this assessment - ANSWER-is the Privacy Impact
Assessment (PIA)
Third-Party Privacy Policies: The agency should examine the third party's privacy policy
to evaluate the risks and determine whether the website or application is appropriate for
agency use.
External Links: If an agency posts a link that leads to a third-party website or any other
location that is not part of an official government domain, the agency should provide an
alert to the visitor.
Embedded Applications: If an agency incorporates or embeds a third-party application
on its website or any other official government domain, the agency should disclose the
third party's involvement.
Agency Branding: In general, when an agency uses a third-party website or application
that is not part of an official government domain, the agency should apply appropriate
branding to distinguish the agency's activities from those of nongovernment actors.
Electronic Authentication - 5th artifact - ANSWER-The E-Authentication artifact is applicable
when the system is accessible remotely (e.g. Web)
The E-Authentication artifact involves the following:
Conduct a risk assessment of the e-government system (risk, vulnerability & threat)
Map identified risks to the applicable assurance level (Level 1, 2, 3, or 4)
Select technology based on e-authentication technical guidance (Single factor, Two
factor and Multi factor)
Validate that the implemented system has achieved the required assurance level (Test
the control)
Periodically reassess the system to determine technology refresh requirements
(Continuous assessment)
SP 800-63
Assurance Level
Authentication Method - ANSWER-Level 1: Little or no confidence in the asserted
identity's validity
Level 2: Some confidence in the asserted identity's validity