Cameron W
8/26/2019
Risk Management Framework
helping hand in protecting information systems through the implementation and use of the Risk
Management Framework. The Risk Management Framework offers a disciplined, structured, and
flexible step-by-step process for managing security and privacy risk (NIST Special Publication 800-
37, 2018). The process moves through preparation, categorization of the system, selection and
implementation of controls, assessment of the controls, an authorization decision based on the
determined risk, and continuous monitoring of the security posture (NIST Special Publication
800-37, 2018). ACME Inc. applies the Risk Management Framework to ensure that customer
information is secured and to create a path
Preparation
In the Risk Management Framework, preparation comes first because it establishes the
activities and business processes the organization needs in order to manage security and
privacy risk. During preparation, key individuals are identified and assigned as core members
responsible for executing the framework. Current security controls, policy documents, priorities,
and the overall strategy for monitoring are documented, since this information is the basis for
deciding what the Risk Management Framework will cover and how it will operate. Preparation is
carried out at both the organization level and the system level, so that the framework is executed
with an understanding of what the business is driving towards.
Security Categorization
Security categorization addresses the potential impact on an organization if an incident
were to occur. Information types are identified, and each is assigned an impact level
would affect its operations. With the knowledge of how an impact would affect its systems, an
organization can implement adequate levels of security according to the potential impact on
each information system. Once applied, a security categorization gives an organization an
understanding of what legal and regulatory obligations it has, and it can then apply security controls
Security objectives, such as confidentiality, integrity, and availability, are used to apply
focuses on preventing information from being disclosed without authorization. The primary goal
grants users uninterrupted access to, or use of, system information. Using confidentiality,
integrity, and availability, otherwise known as the CIA triad, organizations can make informed
and accurate judgments about the extent of the security controls that are needed.
the provisional impact level a threat would have on each objective of the CIA triad. The impact
levels are documented as low, moderate, and high. Low means that a loss of confidentiality,
integrity, or availability would have limited adverse effects on the organization. Moderate means
that such a loss would have serious adverse effects on the organization. High means that such a
loss would have severe or catastrophic adverse effects on the organization (NIST Special
Publication 800-37, 2018). Using the CIA triad and the provisional impact levels, an organization
can assign an overall impact level with the understanding of the
that the security categorization is decided on the basis of the most sensitive or critical
information type being reviewed, the so-called high-water mark (Special Publication 800-60, 2008).
Therefore ACME Inc.'s customer information has been categorized at an overall impact level of
high. The justification for the rating of high is that confidentiality has been rated as high, and the
overall impact level is always the highest level assigned to any one objective. Below is the security
Security Category (SC) customer information = {(confidentiality, high), (integrity, moderate), (availability, low)}
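The categorization just described is the FIPS 199 high-water mark, and it generalizes to any number of information types: the system-level value for each objective is the highest provisional level found across the information types it handles, and the overall impact level is the highest of the three objectives. The following Python is an added example written for this page, not part of the original paper or of any NIST publication; the information types and their provisional levels are constructed for illustration, chosen so that they aggregate to the category the paper assigns to customer information.

```python
# Added example: FIPS 199 / SP 800-60 high-water-mark categorization.
# Information types and their provisional impact levels below are constructed
# for illustration; they are not ACME's actual inventory.

LEVELS = ("low", "moderate", "high")          # ordered, least severe first
OBJECTIVES = ("confidentiality", "integrity", "availability")


def higher(a, b):
    """Return the more severe of two impact levels."""
    return a if LEVELS.index(a) >= LEVELS.index(b) else b


def categorize(info_types):
    """Aggregate per-information-type provisional impacts into a system category.

    info_types: {type_name: {objective: level}}. Every objective must be rated
    for every type; an unknown or missing level is rejected rather than
    silently treated as low. Returns (per-objective category, overall level).
    """
    if not info_types:
        raise ValueError("at least one information type is required")
    system = {obj: "low" for obj in OBJECTIVES}
    for name, impacts in info_types.items():
        for obj in OBJECTIVES:
            level = impacts.get(obj)
            if level not in LEVELS:
                raise ValueError(f"{name}: {obj} has invalid impact {level!r}")
            # High-water mark: the system inherits the worst rating of any type.
            system[obj] = higher(system[obj], level)
    overall = "low"
    for level in system.values():
        overall = higher(overall, level)
    return system, overall


def format_sc(system_name, system):
    """Render the category in the FIPS 199 notation used in the text."""
    inner = ", ".join(f"({obj}, {system[obj]})" for obj in OBJECTIVES)
    return f"SC {system_name} = {{{inner}}}"


# Constructed inventory: the PII drives the high confidentiality rating, while
# a second, less sensitive type does not raise any objective above it.
ACME_INFO_TYPES = {
    "customer PII": {"confidentiality": "high", "integrity": "moderate", "availability": "low"},
    "marketing preferences": {"confidentiality": "low", "integrity": "low", "availability": "low"},
}

if __name__ == "__main__":
    system, overall = categorize(ACME_INFO_TYPES)
    print(format_sc("customer information", system))
    print("overall impact level:", overall)
```

Adding an information type with a higher availability need to the inventory raises only the availability objective, which is the point of keeping the three objectives separate until the final high-water mark is taken.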
Security Controls
Protecting mission-critical systems is done through security controls focused on
confidentiality, integrity, and availability, selected according to the provisional impact levels of
the information systems. Categorization provides ACME Inc. the foundation for implementing
security controls on its information systems. Because personally identifiable information is kept
on ACME servers, privacy controls must also be enacted. Privacy controls can be technical,
physical, or administrative controls designed to ensure compliance with privacy requirements
and to manage privacy risks (NIST Special Publication 800-53, 2013). Security controls provide
additional layers because they are safeguards for information systems designed to
environmental protection, and media protection are security and privacy controls. They are
Access Control
Access control focuses on securing what users can and cannot see or use within a
handle user and privileged accounts, using security schemes to manage them. The primary goal
information. The first desired control to protect user and privileged accounts is to designate an
account manager responsible for maintaining each account's access (control AC-2, NIST Special
Publication 800-53, 2013). Next, create role-based schemes that enforce the principle of least
privilege, allowing users access only to what their role requires. Then design and create
procedures employees can follow to obtain accounts and gain access to the network, as well as
procedures for disabling accounts when they are no longer needed. The last control creates
procedures for managers to perform periodic account audits to catch privilege creep, which is
when a user accumulates more access than the current role requires
different types of controls. Privileged accounts are a primary target for attackers because these
accounts grant broad access across the network. Privileged accounts must therefore require
multi-factor authentication combining something the user has (an employee badge scan),
something the user is (a fingerprint scan), and something the user knows (a password prompt).
Through the use of all three factors, adequate protection will be
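The account audit described above is easiest to run as a comparison of each account against its role baseline: anything an account holds beyond what its role grants is privilege creep, and any account holding a privileged entitlement must show the three-factor login. The following Python is an added example written for this page, not the paper's own procedure or any ACME tooling. The role names follow the roles listed later in the assessment; the entitlement strings, the mapping of roles to entitlements, and the sample accounts are constructed for illustration.

```python
# Added example: account audit for privilege creep and privileged-account MFA.
# Roles, entitlements and accounts are constructed for illustration; the
# three-factor requirement for privileged accounts follows the text.
from dataclasses import dataclass

# Assumed role baselines: the entitlements each role is allowed to hold.
ROLE_BASELINE = {
    "marketing": {"crm:read", "email:send"},
    "developer": {"repo:read", "repo:write", "ci:run"},
    "it": {"helpdesk:write", "workstation:admin"},
    "manager": {"crm:read", "hr:read"},
    "sysadmin": {"server:root", "backup:restore", "repo:read"},
}

# Entitlements that make an account "privileged" and therefore subject to the
# badge + fingerprint + password requirement (assumed set).
PRIVILEGED = {"server:root", "backup:restore", "workstation:admin"}
REQUIRED_FACTORS = 3


@dataclass
class Account:
    user: str
    role: str
    entitlements: set
    mfa_factors: int = 1          # factors enforced at login; 1 means password only
    account_manager: str = ""     # person responsible for the account (AC-2)


def audit_accounts(accounts, baseline=ROLE_BASELINE):
    """Return (user, finding, detail) tuples for accounts that violate the
    role-based scheme or the privileged-account requirements."""
    findings = []
    for acct in accounts:
        allowed = baseline.get(acct.role)
        if allowed is None:
            # A role nobody defined cannot be least-privilege by construction.
            findings.append((acct.user, "unknown-role", acct.role))
            continue
        # Privilege creep: anything held beyond what the role grants.
        excess = sorted(acct.entitlements - allowed)
        if excess:
            findings.append((acct.user, "privilege-creep", excess))
        if not acct.account_manager:
            findings.append((acct.user, "no-account-manager", ""))
        if acct.entitlements & PRIVILEGED and acct.mfa_factors < REQUIRED_FACTORS:
            findings.append((acct.user, "privileged-without-mfa", acct.mfa_factors))
    return findings


# Constructed account inventory.
SAMPLE_ACCOUNTS = [
    Account("alice", "marketing", {"crm:read", "email:send"}, mfa_factors=1, account_manager="mgr1"),
    # bob moved from IT to development and kept his old workstation admin right.
    Account("bob", "developer", {"repo:read", "repo:write", "workstation:admin"},
            mfa_factors=1, account_manager="mgr2"),
    Account("carol", "sysadmin", {"server:root", "repo:read"}, mfa_factors=3, account_manager="mgr3"),
    # dave holds root but still logs in with a password alone and has no owner.
    Account("dave", "sysadmin", {"server:root", "backup:restore"}, mfa_factors=1, account_manager=""),
    Account("erin", "contractor", {"repo:read"}, mfa_factors=1, account_manager="mgr2"),
]

if __name__ == "__main__":
    for user, finding, detail in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{user:6} {finding:24} {detail}")
```

Note that bob's leftover entitlement is reported twice, once as creep and once as a privileged right without three-factor login; the second finding is the one that matters most, since a stale admin right on a password-only account is exactly the target the text warns about.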
Media Protection
Media protection, as applied at ACME Inc., uses cryptographic techniques to secure digital
information in transit or at rest. ACME Inc. uses full disk encryption, which encrypts an entire
drive with a symmetric cipher. ACME Inc. applies the Advanced Encryption Standard (AES) with a
256-bit key, which provides more than adequate strength for the high confidentiality rating of
customer information. Full disk encryption protects data only while the volume is locked or the
system is powered off; once a volume is unlocked, anyone with access to the running system reads
plaintext, so the encryption must be paired with the access and physical controls described
here. ACME Inc. also uses cryptographic hashes to document
to gain access to a server, compromise of the system would be inevitable. Therefore, physical
access to a server room must be limited to authorized individuals only. Physical barriers at
entry/exit points prevent unauthorized access and thereby support confidentiality, integrity, and
availability. The physical barriers placed at all organizational entry points require employees to
scanners on all access doors to internal server rooms. A further measure is video surveillance of
all entry/exit points, with additional cameras on server room entry points. Lastly, audit logs are
kept of every badge scan at every point, so that access records are available if an incident
occurs; the logs are only useful if someone also reviews them.
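Reviewing the badge audit logs is where misuse such as badge sharing shows up: a badge that enters a room a second time without ever leaving has been handed to someone else, and a badge scanned at two distant doors seconds apart has been cloned or shared. The following Python is an added example written for this page, not ACME's own review process or any access-control vendor's tooling. The log line format, the door names, the two heuristic thresholds, and the sample scans are all constructed assumptions for illustration.

```python
# Added example: review of badge-reader audit logs for badge sharing.
# Log format, door names and events are constructed for illustration; ACME's
# real reader logs are not shown in the text.
import re
from datetime import datetime, timedelta

# Assumed one-line-per-scan format written by the door controllers.
LOG_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) door=(?P<door>\S+) "
    r"badge=(?P<badge>\S+) dir=(?P<dir>in|out) result=(?P<result>granted|denied)"
)

# Heuristic thresholds (assumptions): a second entry by the same badge at the
# same door within PASSBACK_WINDOW with no exit in between means the badge was
# handed back to someone else; no two doors on the site can be reached in
# under MIN_TRAVEL, so a faster pair of scans means a cloned or shared badge.
PASSBACK_WINDOW = timedelta(minutes=10)
MIN_TRAVEL = timedelta(seconds=60)


def parse_log(lines):
    """Parse raw reader lines into event dicts, oldest first; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def find_badge_anomalies(events):
    """Return (finding, badge, where, timestamp) tuples for granted scans that
    look like a shared or cloned badge."""
    findings = []
    inside = {}   # (badge, door) -> timestamp of the unmatched 'in' scan
    last = {}     # badge -> (timestamp, door) of its previous granted scan
    for ev in events:
        if ev["result"] != "granted":
            continue            # denied scans are worth counting, but not here
        badge, door, ts = ev["badge"], ev["door"], ev["ts"]
        key = (badge, door)
        if ev["dir"] == "in":
            open_entry = inside.get(key)
            if open_entry is not None and ts - open_entry <= PASSBACK_WINDOW:
                findings.append(("passback", badge, door, ts))
            inside[key] = ts
        else:
            inside.pop(key, None)   # the holder left; the next 'in' is legitimate
        if badge in last:
            prev_ts, prev_door = last[badge]
            if prev_door != door and ts - prev_ts < MIN_TRAVEL:
                findings.append(("impossible-travel", badge, f"{prev_door}->{door}", ts))
        last[badge] = (ts, door)
    return findings


# Constructed log: badge 1042 enters SR-1 twice without leaving (shared badge);
# badge 2077 is used at the lobby and a server room 20 seconds apart.
SAMPLE_LOG = """\
2019-08-20T08:02:11Z door=SR-1 badge=1042 dir=in result=granted
2019-08-20T08:03:40Z door=SR-1 badge=1042 dir=in result=granted
2019-08-20T08:30:05Z door=SR-1 badge=1042 dir=out result=granted
2019-08-20T08:31:00Z door=SR-1 badge=1042 dir=in result=granted
2019-08-20T09:00:00Z door=LOBBY badge=2077 dir=in result=granted
2019-08-20T09:00:20Z door=SR-2 badge=2077 dir=in result=granted
2019-08-20T09:15:00Z door=SR-1 badge=3001 dir=in result=denied
garbage line the controller should never write
2019-08-20T12:00:00Z door=SR-1 badge=1042 dir=out result=granted
""".splitlines()

if __name__ == "__main__":
    for finding in find_badge_anomalies(parse_log(SAMPLE_LOG)):
        print(*finding)
```

The passback check depends on the readers logging exits as well as entries; on a site with exit buttons instead of exit readers, the `inside` state never clears and the check has to fall back to a time window alone.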
up against, as well as an assessment of the security solutions in place and their effectiveness.
Before the test for ACME Inc. was conducted, all members and leaders were informed of the
steps and timeline of the assessment plan. The assessment plan was created to verify that the
security controls in place were working as intended. The plan listed which security controls were
to be examined, the methods used to test each security control, a schedule of testing, and the
intended procedures. After the assessment plan was drafted, it was given to key leaders and
members for review, who then gave their approval.
acquire a passing score. If during the evaluation a security control were to fail, a score of not
satisfied (the NIST assessment term is "other than satisfied") would be assigned, indicating that a
review of the security control is required. To
verify the access control, an inspector was provided accounts in organizational roles such as
marketing, developer, IT, manager, and system administrator, and checked that each role had access
limited to what it needed. To verify privileged account access, the inspector was provided a
privileged account and worked with an administrator, documenting how to log in and checking
that procedures were being followed. The inspector confirmed that each administrator login used
three factors of authentication, verifying that each tool used (the fingerprint scanner, the
employee badge scanner, and the password prompt) was working. To verify the encryption of data
in transit, the inspector was provided a network tap, a device that copies traffic off the wire,
together with a packet-capture tool to analyze it. The inspector then verified that network traffic
was encrypted while in transit, following the required encryption standards, and that no payload
was readable in the captures. To verify the encryption of data at rest, the inspector was granted
access to server data and confirmed that all data remained encrypted to the required encryption
standards. To check physical access and the safety of server information, the inspector checked
that all server racks were locked and in working order. Once the physical servers were inspected,
the inspector tested that all entry point doors were locked and remained locked unless a valid
badge was scanned. The inspector also verified that all server room badge scanners were in
working order. Physical video surveillance (closed-circuit television, CCTV) of the server room
entry/exit point cameras was inspected, as was each camera's viewing angle. The inspector then
verified that each camera was recording 24/7 and that the recordings for each day were securely
stored. Once the evaluation was completed, the inspector reviewed and passed on
tested, and the results are the following: two assessment objectives were rated as satisfied, and
two were rated as not satisfied. The physical security access controls were found to be not
satisfied with respect to the compliance and security requirements. The first objective rated as
not satisfied was the access control for gaining entry to the server room. Upon testing, the
inspector found that engineers were sharing a single security badge to gain access to the server
room, which defeats the per-person accountability the badge audit logs are meant to provide. A
remediation action was recommended, requiring every engineer to keep an individual badge on
their person at all times. The second objective rated as not satisfied was the video surveillance
used to monitor employee access to the server rooms. Cameras 029 and 030 had viewing angles
that did not capture the face of each person entering and leaving the server room. The
recommended remediation was to realign these cameras so that they capture the face of each
individual. The two not satisfied objectives were recorded in the security control assessment
report, and a change management form was added to the Plan of Action and Milestones
(POA&M) document. The risk management plan includes long-term goals to continue testing and
verification of the security control objectives, ensuring that no security
monitor the process and progress of vulnerabilities and test failures found during a security
control assessment (NIST Special Publication 800-37, 2018). The two failed security controls were
marked as not satisfied, requiring a review and an authorization decision on how to remediate.
The primary remediation for the first failure is to require all employees to carry their own security
badges on their person at all times, with a one-week implementation timeline. The remediation for
the second failure is to adjust the viewing angles of cameras 029 and 030, also with a one-week
timeline. Management has approved the Plan of Action and Milestones and has scheduled a
required retest assessment in one month to confirm that the new and the previous security controls
are all rated as satisfied.
Authorization Decision
An authorization decision is a determination by the authorizing official, based on the
assessed risk, of whether an information system is authorized to operate. For ACME Inc. the
decision was an "authorization to operate." The justification is that the two failed assessment
objectives do not raise the operational risk high enough to warrant a "denial of authorization."
Management has approved continued operation because compensating security controls provide
overlapping coverage of the affected areas. The residual risk has been accepted, with its
mitigation tracked in the Plan of Action and Milestones document that management has
approved.
Continuous Monitoring
Continuous monitoring is the process that supports and manages the security risks that come
from changes to the system. Changes are bound to happen as an organization evolves and
grows, and the resulting security risk must be managed. The security controls must be checked to
ensure they are still working and providing adequate protection. Controls are reviewed through a
change management process and routine verification checks. The first tool for managing changes
to ACME Inc.'s customer information is a process of random audits by an inspector working
through a security checklist. The checklist begins with automated vulnerability scanners that
inspect the servers for known
unauthorized changes have occurred. Next, the checklist goes through a high-level inspection of
all security controls, quickly verifying the controls and the integrity of the systems. The high-
level inspection verifies that security badge scanners are working, that role-based schemes are
enforced for users, and that privileged accounts are protected and monitored. ACME Inc. will
require a change management process documenting how a new device, tool, or program is
implemented, and verifying that the integrity of customer information has been protected.
Continuous monitoring gives ACME Inc. a layered defense for detecting new risks as well as a
process to verify that new implementations do not regress the security posture. It is important
that the continuous monitoring results are analyzed twice a year, ensuring that the required
coverage is met and the
Conclusion
ACME Inc. used the Risk Management Framework to provide appropriate security and
privacy for its customer information. The Risk Management Framework gave ACME Inc. a
process to validate its security measures and their effectiveness. Providing adequate protection
for customer information, and validating the security measures that protect it, is paramount.
Continuing to move through each step of the process will give ACME Inc. the ability to grow and
thrive while understanding the risks involved. Through the Risk Management Framework process,
ACME Inc.'s security posture improved, providing adequate security measures to ensure continued
operation.
References
National Institute of Standards and Technology. (2018, December). Risk Management
Framework for Information Systems and Organizations: A System Life Cycle Approach for
Security and Privacy (NIST Special Publication 800-37, Revision 2).
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf
National Institute of Standards and Technology. (2013, April). Security and Privacy
Controls for Federal Information Systems and Organizations (NIST Special Publication 800-53,
Revision 4).
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
National Institute of Standards and Technology. (2008, August). Volume I: Guide for
Mapping Types of Information and Information Systems to Security Categories (NIST Special
Publication 800-60, Volume 1, Revision 1).
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf