Risk Management Framework
By Kavinga Yapa Abeywardena
Sri Lanka Institute of Information Technology (SLIIT)
Federal Information Security Management Act (FISMA)
• An Act implemented in the US to promote the development of key security standards and guidelines to protect Federal information systems.
• Main purpose – to protect critical information infrastructure.
• Requires the implementation of “information security protections proportionate with the risk and magnitude of the harm.”
• The resulting standards and guidelines have universal applicability.
Federal Information Security Management Act (FISMA)
• The FISMA Implementation Project was established in January 2003 to produce several key security standards and guidelines. These publications include FIPS 199, FIPS 200, and NIST Special Publications 800-53, 800-59, and 800-60, as well as NIST Special Publications 800-37, 800-39, and 800-53A.
• “It should be noted that the Computer Security Division continues to produce other security standards and guidelines in support of FISMA.”
National Institute of Standards and Technology (NIST)
• NIST was founded in 1901 and is now part of the U.S. Department of Commerce.
• Congress established the agency to remove a major handicap to U.S. industrial competitiveness at the time, and to gain an advantage over economic rival countries such as Germany and England.
• It now develops standards and guidelines aligned with FISMA.
NIST & Risk Management
• Special Publications (SP):
  • SP 800-18 – Guide for System Security Plan development
  • SP 800-30 – Guide for Conducting Risk Assessments
  • SP 800-34 – Guide for Contingency Plan development
  • SP 800-37 – Guide for Applying the Risk Management Framework
  • SP 800-39 – Managing Information Security Risk
  • SP 800-53/53A – Security controls catalog / assessment procedures
  • SP 800-60 – Mapping Information Types to Security Categories
  • SP 800-128 – Security-focused Configuration Management
  • SP 800-137 – Information Security Continuous Monitoring
Risk Management
(Figure: the six-step NIST Risk Management Framework cycle, with the Security Life Cycle (SP 800-39) at its centre.)
• CATEGORIZE Information System – Define the criticality/sensitivity of the information system according to the potential worst-case, adverse impact to mission/business.
• SELECT Security Controls (FIPS 200 / SP 800-53) – Select baseline security controls; apply tailoring guidance and supplement controls as needed based on the risk assessment.
• IMPLEMENT Security Controls (SP 800-70) – Implement security controls within the enterprise architecture using sound systems engineering practices; apply security configuration settings.
• ASSESS Security Controls (SP 800-53A) – Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for the information system).
• AUTHORIZE Information System (SP 800-37) – Determine the risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
• MONITOR Security State (SP 800-37 / SP 800-53A) – Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
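As an added worked example (not part of the original slides), the CATEGORIZE and SELECT steps in code: FIPS 199 rates each information type's worst-case impact on confidentiality, integrity and availability, the system's security category is the high-water mark across its information types, and FIPS 200 derives the SP 800-53 baseline from the highest of the system's three impact levels. The information types and their impact levels below are constructed sample input, not values from any NIST document.

```python
# Added example: FIPS 199 security categorization and FIPS 200 baseline
# selection. The sample information types and their impact levels are
# constructed for illustration; real values come from SP 800-60 and an
# organization's own assessment.
from typing import Dict

LEVELS = ("LOW", "MODERATE", "HIGH")  # FIPS 199 impact levels, ascending
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample: information types handled by one system, each with
# provisional impact levels per security objective.
INFO_TYPES: Dict[str, Dict[str, str]] = {
    "public web content": {"confidentiality": "LOW",
                           "integrity": "MODERATE", "availability": "LOW"},
    "customer PII": {"confidentiality": "MODERATE",
                     "integrity": "MODERATE", "availability": "LOW"},
    "payment records": {"confidentiality": "MODERATE",
                        "integrity": "HIGH", "availability": "MODERATE"},
}

def high_water_mark(*levels: str) -> str:
    """Return the highest of the given FIPS 199 impact levels."""
    for level in levels:
        if level not in LEVELS:
            raise ValueError(f"unknown impact level: {level}")
    return max(levels, key=LEVELS.index)

def system_security_category(info_types: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """FIPS 199 system category: for each objective, the high-water mark over
    all information types the system processes (worst-case adverse impact)."""
    return {obj: high_water_mark(*(lv[obj] for lv in info_types.values()))
            for obj in OBJECTIVES}

def baseline(category: Dict[str, str]) -> str:
    """FIPS 200 rule: the SP 800-53 baseline is the highest impact level
    across the three objectives; tailoring follows in the SELECT step."""
    return high_water_mark(*(category[obj] for obj in OBJECTIVES))

def format_category(category: Dict[str, str]) -> str:
    """Render in FIPS 199 notation: SC = {(objective, impact), ...}."""
    inner = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return "SC = {" + inner + "}"

if __name__ == "__main__":
    sc = system_security_category(INFO_TYPES)
    print(format_category(sc))
    print("SP 800-53 baseline:", baseline(sc))  # HIGH
```

A single HIGH integrity rating on one information type is enough to pull the whole system to the HIGH baseline, which is why the SELECT step follows with tailoring rather than taking the baseline as final.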
Key Elements: NIST SP 800-39
• Senior leaders are assigned risk management (RM) responsibilities.
• Establish risk tolerance (REF) and communicate it across the organization.
• Guidance on how risk tolerance impacts RM decisions.
• Accountability for RM decisions (senior leaders).
• Three tiers are identified:
  • Tier 1 – Organization (Governance)
  • Tier 2 – Business Process
  • Tier 3 – Information System
Four Components (NIST SP 800-39)
• Frame Risk
• Assess Risk (SP 800-30)
• Respond to Risk
• Monitor Risk