NIST RISK MANAGEMENT FRAMEWORK
WITH COMPLETE SOLUTIONS
Difference between the NIST Cybersecurity Framework and the Risk Management Framework? - The NIST RMF (NRMF) is mandatory for government systems to abide by, but the NIST CSF (NCSF) is not compulsory for organizations to abide by. It is a recommendation, not a demand.
FIPS 199 - Standards for Security Categorization of Federal Information and Information Systems
FISMA (Federal Information Security Management Act) - A federal law passed in 2002 to protect government information, operations, and assets against security threats. When FISMA was passed, all federal entities in the 50 states were obliged to heed the law.
How to categorize an information system? -
1. Software/System Development Life Cycle (SDLC): the various stages of system development, from building the code until the system is decommissioned or no longer of use, just like a human life: from young to old.
2. Information type (category of information): the individual types of information that go into the application.
3. Security objectives (CIA):
- Ensure confidentiality: no one should see the information unless they are an authorized individual with access to it.
- Integrity: only authorized people should be able to modify or make changes to the system.
- Availability: the application or system is always available for customers to use.
4. Potential impacts/impact levels to protect data or information (for example, Cash App): High, Moderate, Low (HML). The HML level determines how the information system is categorized.
5. The high-water mark (security categorization/overall categorization): the highest impact level out of the individual impact levels (HML).
NIST 800-37 R2 - The mother document on which the NRMF procedure (7 steps) is based, in order to protect federal organizations. It is the document that says every government agency must comply with the NRMF.
NIST 800-37 R2 has a 7-step process - NIST 800-37 R2 is the guideline for applying the NIST Risk Management Framework to Federal Information Systems, with 7 steps, which are: