
Risk Management Framework 1

Risk Management Framework

Cameron W

CSOL 530: Pappas

8/26/2019

Risk Management Framework


The National Institute of Standards and Technology (NIST) gives organizations a structured way to protect information systems through the implementation and use of the Risk Management Framework. The Risk Management Framework offers a disciplined, structured, and flexible step-by-step process for managing security and privacy risk (NIST Special Publication 800-37, 2018). Its steps are preparation, security categorization of the system and the information it handles, selection of security controls, implementation of the controls, assessment of the controls, authorization of the system based on a determination of risk, and continuous monitoring of the security posture (NIST Special Publication 800-37, 2018). ACME Inc. applies the Risk Management Framework to ensure that customer information is secured and to establish a repeatable path to confidentiality, integrity, and availability throughout the system life cycle.

Preparation
In the Risk Management Framework, preparation is required because it establishes the essential activities and business processes for managing security and privacy risk. During preparation, key individuals are identified and assigned as the core members responsible for executing the framework. Existing security controls, policy documents, priorities, and the overall strategy for monitoring are documented, because this information forms the basis for what the Risk Management Framework will cover and how it will operate. Preparation is carried out at both the organization level and the system level so that the framework is executed with an understanding of what the business is driving towards.

Security Categorization
Security categorization addresses the potential impact on an organization if an incident were to occur. Information types are identified and each is assigned an impact level for the security objectives of confidentiality, integrity, and availability. An organization uses security categorization to understand how an incident would affect its operations. With that understanding, it can implement levels of security that match the potential impact for each information system. Once applied, a security categorization also tells the organization which legal and regulatory responsibilities it has for the information, and security controls can then be applied according to the assigned priority level.

The security objectives of confidentiality, integrity, and availability drive the selection of different types of security controls for an organization's information systems. Confidentiality focuses on preventing information from being disclosed without authorization. The primary goal of integrity is to prevent unauthorized modification or destruction of information. Availability ensures timely and reliable access to, and use of, information and the system. Using confidentiality, integrity, and availability, otherwise known as the CIA Triad, organizations can make informed and accurate judgments about the extent of the security controls that are needed.

When creating an information system's categorization, an organization must determine the provisional impact level of a loss of each of the three CIA Triad objectives. The impact levels are documented as low, moderate, and high. Low means that a loss of the objective would have a limited adverse effect on the organization. Moderate means that a loss of the objective would have a serious adverse effect on the organization. High means that a loss of the objective would have a severe or catastrophic adverse effect on the organization (NIST Special Publication 800-37, 2018). Combining the three objectives with their provisional impact levels, an organization assigns an overall impact level, which in turn sets the level of security required.



Security Categorization of Customer Information


NIST Special Publication 800-60 states that the security categorization of an information system is determined by the high-water mark: the overall impact level is the highest impact level assigned to any security objective across the information types the system handles (Special Publication 800-60, 2008). Therefore ACME Inc. customer information has been assigned an overall impact level of high. The justification for the rating of high is that confidentiality has been rated as high, and the overall impact level is always the highest of the three objective ratings, even though integrity is rated moderate and availability low. Below is the security categorization for customer information.

Security Category Customer Information = {(confidentiality, high), (integrity, moderate), (availability, low)}
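The high-water mark rule applied above is mechanical, and when a system carries several information types it is easy to get wrong by hand. The following is an added example in Python, not code from the paper or from NIST, that computes the FIPS 199 category of one information type, aggregates several types into a system category per objective, and derives the overall impact level. Customer information uses the ratings assigned above; the price list and order processing information types, and their ratings, are constructed for the example. The handling of "not applicable" follows FIPS 199, which allows it only for the confidentiality of information intended for public release.

```python
"""
FIPS 199 security categorization as used by SP 800-60.

Each information type carries a provisional impact level (low, moderate,
high) for each security objective.  The system category is the high-water
mark: per objective, the highest level over all information types the
system handles; the overall impact level is the highest of the three.
FIPS 199 permits "not applicable" (NA) only for the confidentiality of
information meant for public release, never for integrity or availability.
"""
from typing import Dict

LEVELS = ("na", "low", "moderate", "high")      # ascending order of impact
OBJECTIVES = ("confidentiality", "integrity", "availability")
Category = Dict[str, str]                        # objective -> impact level


def _check(objective: str, level: str) -> str:
    level = level.lower()
    if level not in LEVELS:
        raise ValueError(f"unknown impact level {level!r} for {objective}")
    if level == "na" and objective != "confidentiality":
        raise ValueError(f"NA is only permitted for confidentiality, not {objective}")
    return level


def categorize_information_type(confidentiality: str, integrity: str, availability: str) -> Category:
    """Security category of one information type."""
    raw = {"confidentiality": confidentiality, "integrity": integrity, "availability": availability}
    return {obj: _check(obj, lvl) for obj, lvl in raw.items()}


def is_valid_information_type(confidentiality: str, integrity: str, availability: str) -> bool:
    """True when the three ratings form a category FIPS 199 allows."""
    try:
        categorize_information_type(confidentiality, integrity, availability)
        return True
    except ValueError:
        return False


def high_water_mark(*categories: Category) -> Category:
    """Per-objective maximum across information types (SP 800-60 aggregation)."""
    if not categories:
        raise ValueError("at least one information type is required")
    return {obj: max((c[obj] for c in categories), key=LEVELS.index) for obj in OBJECTIVES}


def overall_impact(category: Category) -> str:
    """Overall impact level of a system: the highest of its objective levels."""
    return max(category.values(), key=LEVELS.index)


def format_category(name: str, category: Category) -> str:
    """Render in the FIPS 199 notation used in the paper."""
    pairs = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return f"SC {name} = {{{pairs}}}"


# Customer information takes the ratings assigned in the paper.  The other
# two information types are constructed for this example to show aggregation.
CUSTOMER_INFORMATION = categorize_information_type("high", "moderate", "low")
PUBLIC_PRICE_LIST = categorize_information_type("na", "moderate", "low")
ORDER_PROCESSING = categorize_information_type("moderate", "moderate", "moderate")
SYSTEM_CATEGORY = high_water_mark(CUSTOMER_INFORMATION, PUBLIC_PRICE_LIST, ORDER_PROCESSING)

if __name__ == "__main__":
    print(format_category("customer information", CUSTOMER_INFORMATION))
    print(format_category("ACME customer system", SYSTEM_CATEGORY))
    print("overall impact level:", overall_impact(SYSTEM_CATEGORY))
```

Note that adding the moderately rated order processing type raises the system's availability level from low to moderate while the overall level stays high; the system inherits the strictest rating on each objective, which is why controls are then selected for the high baseline.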

Security Controls
Protecting mission-critical systems is done through security controls selected for confidentiality, integrity, and availability at the provisional impact levels assigned to the information system. Categorization gives ACME Inc. the foundation for selecting and implementing security controls on its information systems. Because personally identifiable information is kept on ACME servers, privacy controls must also be implemented. Privacy controls can be technical, physical, or administrative controls designed to ensure compliance with privacy requirements and to manage privacy risk (NIST Special Publication 800-53, 2013). Security controls add further layers of defense: they are the safeguards and countermeasures that protect an information system against threats. Access control, identification and authentication, physical and environmental protection, and media protection are the security and privacy control families discussed below. They are implemented to protect customer information at an impact level of high.

Access Control
Access control governs what users can and cannot see or use within the network environment. Account management, a control within the access control family, details how user and privileged accounts are handled and the schemes used to manage them. The primary goal of account management at ACME Inc. is to stop unauthorized access to customer information. The first control for protecting user and privileged accounts is to assign an account manager responsible for maintaining each account's access. Next, role-based access schemes are created to enforce the principle of least privilege, allowing users only the access their role requires. Then procedures are designed for employees to obtain accounts and gain access to the network, along with procedures for disabling accounts when they are no longer needed. The last control establishes procedures for managers to perform periodic account audits to detect privilege creep, where a user accumulates more access than their role needs and becomes a risk.
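The four account management controls above can be checked mechanically. The following is an added example in Python, not code from the paper, that models a role-based permission scheme for the customer information system and runs the account audit a manager would perform: it reports provisioned permissions that exceed the user's role (privilege creep), enabled accounts that have gone dormant and should be disabled, and accounts with no account manager assigned. The role names are the ones the inspector uses later in the paper; the permission names, the accounts, and the dates are constructed for the example.

```python
"""
Role-based access control for ACME customer information, plus the periodic
account audit.  `can_access` reflects what the system actually enforces,
namely the permissions provisioned on the account; `audit_accounts` finds
where those provisioned permissions have drifted from the role baseline.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, FrozenSet, List

# Role -> permissions the role needs (least privilege).  Permission names
# are hypothetical.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "marketing":    frozenset({"customer:read_summary"}),
    "developer":    frozenset({"customer:read_masked", "deploy:staging"}),
    "it":           frozenset({"customer:read_masked", "backup:run"}),
    "manager":      frozenset({"customer:read", "report:export"}),
    "system_admin": frozenset({"customer:read", "customer:write", "host:admin"}),
}


@dataclass
class Account:
    user: str
    role: str
    granted: FrozenSet[str]      # permissions actually provisioned on the system
    last_login: date
    enabled: bool = True
    owner: str = ""              # account manager responsible for this account


def can_access(account: Account, permission: str) -> bool:
    """Enforcement: an enabled account may use exactly what is provisioned."""
    return account.enabled and permission in account.granted


def audit_accounts(accounts: List[Account], today: date, dormant_after_days: int = 90) -> List[str]:
    """One finding per problem the account manager must act on."""
    findings = []
    for a in accounts:
        role_perms = ROLE_PERMISSIONS.get(a.role)
        if role_perms is None:
            findings.append(f"{a.user}: unknown role {a.role!r}")
            continue
        creep = a.granted - role_perms
        if creep:
            findings.append(f"{a.user}: privilege creep, holds {sorted(creep)} beyond role {a.role!r}")
        if a.enabled and today - a.last_login > timedelta(days=dormant_after_days):
            findings.append(f"{a.user}: dormant for over {dormant_after_days} days, disable per procedure")
        if not a.owner:
            findings.append(f"{a.user}: no account manager assigned")
    return findings


def revoke_excess(account: Account) -> Account:
    """Remediation: reset provisioned permissions to exactly the role's set."""
    return replace(account, granted=ROLE_PERMISSIONS[account.role])


def disable(account: Account) -> Account:
    """Remediation for a dormant or departed user."""
    return replace(account, enabled=False)


# Constructed sample accounts; the audit date is the paper's date.
TODAY = date(2019, 8, 26)
ACCOUNTS = [
    Account("alice", "marketing", frozenset({"customer:read_summary"}), date(2019, 8, 20), owner="bob"),
    # carol moved from system_admin to developer; customer:write was never revoked
    Account("carol", "developer", frozenset({"customer:read_masked", "deploy:staging", "customer:write"}),
            date(2019, 8, 25), owner="bob"),
    # dave left in March but the account is still enabled
    Account("dave", "it", frozenset({"customer:read_masked", "backup:run"}), date(2019, 3, 1), owner="bob"),
    Account("erin", "system_admin", frozenset({"customer:read", "customer:write", "host:admin"}),
            date(2019, 8, 26)),
]

if __name__ == "__main__":
    for finding in audit_accounts(ACCOUNTS, TODAY):
        print(finding)
```

The audit deliberately compares provisioned permissions against the role rather than trusting the role label, because privilege creep is precisely the gap between the two; the enforcement path keeps honoring the stale grant until `revoke_excess` is applied.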

Identification and Authentication

Identification and authentication controls focus primarily on securing privileged accounts. Privileged accounts are a primary target for attackers because they grant broad access to systems and data across the network. Privileged accounts must therefore require multi-factor authentication combining something the user has (an employee badge scan), something the user is (a fingerprint scan), and something the user knows (a password). Requiring all three factors provides adequate protection for the integrity and confidentiality of customer information.

Media Protection
Media protection secures digital information on storage media through cryptographic techniques, with companion controls protecting the same information while it is in transit. ACME Inc. uses full disk encryption, which encrypts an entire drive with a cryptographic algorithm. ACME Inc. applies the Advanced Encryption Standard (AES) with a 256-bit key, which provides more than adequate protection for the high confidentiality rating of customer information. ACME Inc. also uses cryptographic hashes to detect alterations to data: a stored reference hash is recomputed and compared, and any change to the data produces a different hash. Because an attacker who can modify the data can usually recompute a plain hash as well, the reference hashes must be kept separate from the data or protected with a key, for example as an HMAC, so that a forged reference is also detectable.



Physical and Environmental Protection


Physical protection of ACME Inc. servers is paramount, because a malicious actor with physical access to a server can bypass most logical controls and compromise the system. Therefore, physical access to the server room should be limited to authorized individuals only. Physical barriers at entry and exit points prevent unauthorized access, supporting confidentiality, integrity, and availability. The barriers placed at all organizational entry points require employees to present authorization badges. An additional line of physical security is provided by badge scanners on all access doors to internal server rooms. A further measure is video surveillance of all entry and exit points, with additional cameras on server room entry points. Lastly, an audit log is kept of every badge scan at every point so that access records are available in case of an incident.

Security Controls Assessment


A security controls assessment is conducted to determine whether the controls in place are implemented correctly, operating as intended, and effective against the threats the organization faces. Before the assessment for ACME Inc. was conducted, all members and leaders were informed of the steps and timeline of the assessment plan. The assessment plan was created to verify that the security controls in place were in working order. The plan specified which security controls were to be examined, the methods used to test each control, a schedule of testing, and the intended procedures. After the plan was drafted, it was given to key leaders and members for review, who then approved it.

Conducting the Security Controls Assessment


Outlined in the assessment plan were the procedures used to verify each security control and the criteria for a passing score. If a security control failed during the evaluation, it was scored as not satisfied, indicating that a review of the control was required. To verify access control, an inspector was provided accounts in the organizational roles of marketing, developer, IT, manager, and system admin, and checked that each role had access limited to what it needed. To verify privileged account access, the inspector was provided a privileged account and worked with an admin, documenting how to log in and checking that procedures were being followed. The inspector confirmed that each admin login required all three authentication factors, verifying that each tool used (the fingerprint scanner, the employee badge scanner, and the password prompt) was functioning. To verify encryption of data in transit, the inspector was provided a network tap (a device that copies traffic from a network link) and a packet capture tool to analyze the copied traffic; the inspector then verified that network traffic was encrypted in transit according to the required encryption standards. To verify encryption of data at rest, the inspector was granted access to server data and confirmed that all data remained encrypted to the required standards. To check physical access and the safety of server information, the inspector checked that all server racks were locked and in working order. Once the physical servers were inspected, the inspector tested that all entry point doors were locked and remained locked unless a valid badge was scanned, and verified that all server room badge scanners were in working order. The closed-circuit television (CCTV) cameras covering the server room entry and exit points were inspected, including their viewing angles. The inspector then verified that each camera was recording 24/7 and that each day's recordings were securely stored. Once the evaluation was completed, the inspector passed the results to management for review and remediation.

Security Controls Assessment Results


All of the security objectives outlined in the assessment plan were tested. Two were rated as satisfied and two were rated as not satisfied; both failures were in the physical access controls. The first security objective rated as not satisfied was the access control for gaining entry to the server room. Upon testing, the inspector found that engineers were sharing a single security badge to gain access to the server room. The recommended remediation requires all engineers to keep their individual badges on their person at all times, so that every server room entry is attributable to one person. The second security objective rated as not satisfied was the video surveillance used to monitor employee access to the server rooms. Cameras 029 and 030 had ineffective viewing angles that did not capture each person entering and leaving the server room. The recommended remediation is to realign these cameras so that they capture the face of each individual. The two not-satisfied security objectives were recorded in the security controls assessment report, and a change management form was added to the Plan of Action and Milestones document. The risk management plan includes long-term goals for continued testing and verification of the security control objectives, to ensure that no control degrades to an unacceptable state.
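The badge sharing above was found by an inspector, but the audit log of every badge scan that the Physical and Environmental Protection section says ACME keeps can surface it continuously. The following is an added example in Python, not code from the paper, that parses such a log and applies two checks: a badge that records a second entry before any exit (at the same door or in another room) is being used by more than one person or passed back, and an exit with no matching entry means someone got in without badging and then badged out. The log format, badge identifiers, door names, and timestamps are constructed for the example.

```python
"""
Checks over the server-room badge audit log for signs of badge sharing.

A badge is one physical token, so it can only be "inside" one place at a
time.  Entry while already inside, or exit without entry, is evidence that
the badge was shared, passed back through the door, or that someone
tailgated in.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed log format, one scan per line:
#   <ISO timestamp> badge=<id> door=<door> dir=in|out
LINE_RE = re.compile(r"^(\S+) badge=(\S+) door=(\S+) dir=(in|out)$")


@dataclass
class Scan:
    when: datetime
    badge: str
    door: str
    direction: str


@dataclass
class Finding:
    badge: str
    when: datetime
    door: str
    reason: str


def parse_log(text: str) -> List[Scan]:
    """Parse the badge log and return scans in chronological order."""
    scans = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: unparseable scan record: {line!r}")
        ts, badge, door, direction = m.groups()
        scans.append(Scan(datetime.fromisoformat(ts), badge, door, direction))
    return sorted(scans, key=lambda s: s.when)


def detect_badge_sharing(scans: List[Scan]) -> List[Finding]:
    """Track where each badge currently is and flag impossible sequences."""
    inside: Dict[str, str] = {}          # badge -> door it is currently inside
    findings: List[Finding] = []
    for s in scans:
        if s.direction == "in":
            if s.badge in inside:
                where = inside[s.badge]
                if where == s.door:
                    reason = f"re-entered {s.door} without exiting (passback or sharing)"
                else:
                    reason = f"entered {s.door} while still inside {where}"
                findings.append(Finding(s.badge, s.when, s.door, reason))
            inside[s.badge] = s.door
        else:
            if inside.get(s.badge) != s.door:
                findings.append(Finding(s.badge, s.when, s.door,
                                        f"exited {s.door} with no matching entry (tailgating)"))
            inside.pop(s.badge, None)
    return findings


# Constructed sample log: B-1042 is shared at SR-1, B-2210 is used in two
# rooms without an exit, B-3307 is clean, B-4401 leaves without entering.
SAMPLE_LOG = """\
2019-08-26T08:58:03 badge=B-1042 door=SR-1 dir=in
2019-08-26T09:01:20 badge=B-1042 door=SR-1 dir=in
2019-08-26T09:30:44 badge=B-1042 door=SR-1 dir=out
2019-08-26T09:31:10 badge=B-2210 door=SR-1 dir=in
2019-08-26T09:32:05 badge=B-2210 door=SR-2 dir=in
2019-08-26T10:15:00 badge=B-3307 door=SR-1 dir=in
2019-08-26T10:40:19 badge=B-3307 door=SR-1 dir=out
2019-08-26T11:02:33 badge=B-4401 door=SR-2 dir=out
"""

if __name__ == "__main__":
    for f in detect_badge_sharing(parse_log(SAMPLE_LOG)):
        print(f"{f.when.isoformat()} {f.badge} {f.reason}")
```

This is only as good as the log: the check assumes every door is badged in both directions. Where exits are not badged, the first rule still works for same-room passback, but a single badge reused in two rooms will look like a legitimate room change.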

Plan of Action and Milestones


The Plan of Action and Milestones outlines the tasks that are planned and is used to track the progress of remediation for weaknesses, vulnerabilities, and test failures found during a security controls assessment (NIST Special Publication 800-37, 2018). The two failed security controls were marked as not satisfied, requiring a review and a decision on how to remediate them. The primary remediation for the first failure is to require all employees to carry their own security badges on their person at all times, with a one-week implementation timeline. The remediation for the second failure is to adjust the viewing angles of cameras 029 and 030, also with a one-week timeline. Management has approved the Plan of Action and Milestones and has scheduled a required retest assessment one month out to confirm that the new and previous security controls are all rated as satisfied.

Authorization Decision
An authorization decision is a determination by an authorizing official, based on the risk to organizational operations and assets, as to whether an information system is authorized to operate. The decision for ACME Inc. was an authorization to operate. The justification is that the two failed security objectives do not raise operational risk high enough to warrant a denial of authorization. Management has approved continued operation because compensating security controls provide overlapping protection while the remediation is completed. The residual risk has been accepted, and the two weaknesses are being mitigated through the Plan of Action and Milestones document, which management has approved.

Continuous Monitoring
Continuous monitoring is the process that manages the security risk arising from changes to the system. Changes are bound to happen as an organization evolves and grows, and the resulting security risk must be managed. The security controls must be checked to ensure they are still working and providing adequate protection. Controls are reviewed through the change management process and through routine verification checks. The first tool for managing changes to ACME Inc. customer information systems is a process for random audits by an inspector working through a security checklist. The checklist begins with automated vulnerability scanners that inspect the servers for known vulnerabilities. Next, a configuration management tool compares the current configuration of each server with the approved baseline to ensure that no unauthorized changes have occurred. The checklist then moves through a high-level inspection of all security controls, quickly verifying the controls and the integrity of the systems: that security badge scanners are working, that role-based schemes are applied to users, and that privileged accounts are protected and monitored. ACME Inc. will require a change management process documenting how a new device, tool, or program is implemented, verifying that the integrity of customer information remains protected. Continuous monitoring provides ACME Inc. a layered defense for detecting new risks, as well as a process to verify that new implementations do not regress the security posture. The monitoring program itself should be reviewed twice a year to ensure the required coverage is met and the tools remain effective.
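The configuration-change check in the checklist above and the cryptographic hashes mentioned under Media Protection are the same mechanism: hash the approved state, then recompute and compare. The following is an added example in Python, not code from the paper or from any particular configuration management product, that builds a baseline of file hashes, reports modified, added and removed files, and protects the baseline with an HMAC under a key held off the monitored host, so that an attacker who edits a file and then rewrites the manifest to match is still caught. The file paths and contents are constructed for the example and modeled as an in-memory dictionary rather than read from disk; the key is likewise a constructed placeholder.

```python
"""
Baseline-and-compare change detection for configuration files on an ACME
server, with the baseline protected by an HMAC.

A plain SHA-256 of each file detects change only if the reference hash
cannot itself be rewritten.  An attacker who can edit sshd_config can just
as easily recompute its hash in a manifest stored next to it, so the
manifest is tagged with HMAC-SHA256 under a key that lives on the
monitoring host, not on the server being checked.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

Baseline = Dict[str, str]   # path -> hex SHA-256 of file content


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Baseline:
    """Hash every file.  Files are an in-memory dict here; on a real host
    this would read each path from disk."""
    return {path: sha256_hex(content) for path, content in sorted(files.items())}


def serialize_baseline(baseline: Baseline) -> str:
    """Deterministic encoding so the HMAC covers one canonical form."""
    return json.dumps(baseline, sort_keys=True, separators=(",", ":"))


def sign_baseline(baseline: Baseline, key: bytes) -> Tuple[str, str]:
    body = serialize_baseline(baseline)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body, tag


def load_baseline(body: str, tag: str, key: bytes) -> Baseline:
    """Refuse any baseline whose tag does not verify (constant-time compare)."""
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline HMAC mismatch: manifest altered or wrong key")
    return json.loads(body)


def compare(baseline: Baseline, files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Report what changed since the baseline was taken."""
    current = build_baseline(files)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def run_check(key: bytes, approved: Dict[str, bytes], current: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Sign a baseline of the approved state, verify it, diff the current state."""
    body, tag = sign_baseline(build_baseline(approved), key)
    return compare(load_baseline(body, tag, key), current)


def forged_baseline_rejected(key: bytes, tampered: Dict[str, bytes]) -> bool:
    """An attacker rewrites the manifest to match the tampered files.  Without
    the key the best they can attach is an unkeyed hash, which does not verify."""
    body = serialize_baseline(build_baseline(tampered))
    try:
        load_baseline(body, sha256_hex(body.encode()), key)
        return False
    except ValueError:
        return True


# Constructed sample data for this example.
MONITOR_KEY = b"constructed-key-held-on-the-monitoring-host"
APPROVED_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/opt/acme/app.conf": b"db_host=db.internal\ntls=required\n",
}
TAMPERED_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/opt/acme/app.conf": b"db_host=db.internal\ntls=required\n",
    "/etc/cron.d/backdoor": b"* * * * * root /tmp/.x\n",
}

if __name__ == "__main__":
    print(run_check(MONITOR_KEY, APPROVED_FILES, TAMPERED_FILES))
    print("forged manifest rejected:", forged_baseline_rejected(MONITOR_KEY, TAMPERED_FILES))
```

The key must not sit on the monitored server, otherwise the HMAC adds nothing over a plain hash; keeping it on the monitoring host means a compromised server cannot produce a manifest that the monitor will accept. An approved change goes through change management and ends with the monitor re-signing a new baseline.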

Conclusion
ACME Inc. used the Risk Management Framework to provide appropriate security and privacy for its customer information. The Risk Management Framework gave ACME Inc. a process to validate its security measures and their effectiveness. Providing adequate protection for customer information, and validating that protection, is paramount. Continuing to move through each step of the process will give ACME Inc. the ability to grow and thrive with an understanding of the risks involved. Through the Risk Management Framework process, ACME Inc.'s security posture improved, providing adequate security measures to ensure continued operation.

References
National Institute of Standards and Technology. (2018, December). Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (NIST Special Publication 800-37, Revision 2). https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf

National Institute of Standards and Technology. (2013, April). Security and Privacy Controls for Federal Information Systems and Organizations (NIST Special Publication 800-53, Revision 4). https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

National Institute of Standards and Technology. (2008, August). Guide for Mapping Types of Information and Information Systems to Security Categories, Volume I (NIST Special Publication 800-60, Volume I, Revision 1). https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf
