NIST Risk Management Framework
By Kavinga Yapa Abeywardena
Sri Lanka Institute of Information Technology (SLIIT)
Federal Information Security Management Act (FISMA)
• An Act implemented in the US to promote the development of key security standards & guidelines to protect Federal information systems (IS).
• Main purpose – To protect critical information infrastructure.
• Requires implementation of “information security protections proportionate with the risk and magnitude of the harm.”
• The resulting standards & guidelines have universal applicability.
Federal Information Security Management Act (FISMA)
• The FISMA Implementation Project was established in January 2003 to produce several key security standards and guidelines. These publications include FIPS 199, FIPS 200, NIST Special Publications 800-53, 800-59, and 800-60, and NIST Special Publications 800-37, 800-39, and 800-53A.
• “It should be noted that the Computer Security Division continues to produce other security standards and guidelines in support of FISMA.”
National Institute of Standards & Technology (NIST)
• NIST was founded in 1901 and is now part of the U.S. Department of Commerce.
• Congress established the agency to remove a major handicap to U.S. industrial competitiveness at the time, and to gain an advantage over economic rivals such as Germany & England.
• NIST now develops standards & guidelines aligned with FISMA.
NIST & Risk Management
• FIPS (Federal Information Processing Standards)
  • FIPS 199 – Standards for Security Categorization
  • FIPS 200 – Minimum Security Requirements
• SP (Special Publications)
  • SP 800-18 – Guide for System Security Plan development
  • SP 800-30 – Guide for Conducting Risk Assessments
  • SP 800-34 – Guide for Contingency Plan development
  • SP 800-37 – Guide for Applying the Risk Management Framework
  • SP 800-39 – Managing Information Security Risk
  • SP 800-53/53A – Security controls catalog/assessment procedures
  • SP 800-60 – Mapping Information Types to Security Categories
  • SP 800-128 – Security-focused Configuration Management
  • SP 800-137 – Information Security Continuous Monitoring
Risk Management
Risk can never be eliminated, so it must be MANAGED!
Managing Information Security Risk (NIST SP-800-39)
Objectives:
• Ensure that senior executives recognize the importance of managing information security risk and establish appropriate governance structures for managing such risk;
• Ensure that the organization’s risk management process is being effectively conducted across the three tiers of organization, mission/business processes, and information systems;
Managing Information Security Risk (NIST SP-800-39)
Objectives: (Cont.)
• Foster an organizational climate where information security risk is considered within the context of the design of mission/business processes, the definition of an overarching enterprise architecture, and system development life cycle processes;
• Help individuals understand how information security risk associated with their systems translates into organization-wide risk that may ultimately affect the mission/business success.
Managing Information Security Risk (NIST SP-800-39)
Target Audience: Individuals with…
• Oversight responsibilities for risk management (e.g., CEO)
• Responsibilities for conducting organizational missions/business functions (e.g., managers)
• Responsibilities for acquiring information technology products, services, or information systems (e.g., procurement officers)
• Information security oversight, management, and operational responsibilities (e.g., CIO, CISO, information security managers, information system owners)
• Information system/security design, development and implementation responsibilities (e.g., program managers, enterprise architects, information security architects)
• Information security assessment and monitoring responsibilities (e.g., system evaluators, penetration testers, security control assessors, auditors)
Managing Information Security Risk (NIST SP-800-39)
• An organization-wide view for managing risk is identified
• Provides uniform & consistent ways to manage risks
• Involve senior management! (Issues?)
• Risk Executive Function – REF (more on this later)
• Risk management is done at three distinct tiers
• Align risk management with the mission of the business
• Should be used as part of a more comprehensive Enterprise Risk Management (ERM) program.
Overall Picture: NIST SP-800-39
The Security Life Cycle (SP 800-39) sits at the centre, with the six RMF steps around it:
• Starting point – CATEGORIZE Information System (FIPS 199 / SP 800-60): Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business.
• SELECT Security Controls (FIPS 200 / SP 800-53): Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
• IMPLEMENT Security Controls (SP 800-70): Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings.
• ASSESS Security Controls (SP 800-53A): Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system).
• AUTHORIZE Information System (SP 800-37): Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
• MONITOR Security State (SP 800-37 / SP 800-53A): Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
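Worked example of the CATEGORIZE and SELECT steps (an added illustration, not code from these slides or from NIST): a small Python script that derives a system's FIPS 199 security category from the information types it handles, i.e. the worst-case impact per security objective, and then applies the FIPS 200 high-water mark to pick the LOW / MODERATE / HIGH control baseline. The clinic scheduling system, its information types and their impact levels are constructed sample values; in practice the provisional impact levels come from SP 800-60 and the organization's own analysis.

```python
"""FIPS 199 security categorization of an information system from the
information types it handles (the mapping SP 800-60 supplies), followed by the
FIPS 200 high-water mark that selects the LOW / MODERATE / HIGH control baseline.
Added illustration, not code from the slides or from NIST; the system and its
information types below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List

IMPACT_ORDER = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """An information type with its provisional impact level per security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        # Reject anything outside the three FIPS 199 impact levels early.
        for objective in OBJECTIVES:
            if getattr(self, objective) not in IMPACT_ORDER:
                raise ValueError(f"{self.name}: {objective} impact must be LOW, MODERATE or HIGH")

    def impact(self, objective: str) -> str:
        return getattr(self, objective)


def categorize_system(info_types: List[InformationType]) -> Dict[str, str]:
    """FIPS 199: for each objective take the worst-case impact over all
    information types the system processes, stores or transmits."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    return {
        objective: max((t.impact(objective) for t in info_types),
                       key=lambda level: IMPACT_ORDER[level])
        for objective in OBJECTIVES
    }


def high_water_mark(category: Dict[str, str]) -> str:
    """FIPS 200: the system's overall impact level is the highest of the three
    objectives; it picks the SP 800-53 baseline (LOW, MODERATE or HIGH)."""
    return max(category.values(), key=lambda level: IMPACT_ORDER[level])


def format_category(category: Dict[str, str]) -> str:
    """Render in FIPS 199 notation:
    SC = {(confidentiality, X), (integrity, Y), (availability, Z)}"""
    return "SC = {" + ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES) + "}"


# Constructed sample: a clinic scheduling system and the information types it handles.
SAMPLE_TYPES = [
    InformationType("public clinic hours", "LOW", "LOW", "LOW"),
    InformationType("appointment records", "MODERATE", "MODERATE", "LOW"),
    InformationType("clinical notes", "HIGH", "MODERATE", "MODERATE"),
]

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_TYPES)
    print(format_category(sc))
    print("baseline:", high_water_mark(sc))  # baseline: HIGH
```

Note how a single HIGH-confidentiality information type pulls the whole system to the HIGH baseline even though availability is only MODERATE; that is the point of the worst-case rule, and also why the SELECT step then tailors the baseline rather than applying every control blindly.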
Key Elements: NIST SP-800-39
• Senior leaders are assigned RM responsibilities.
• Establish risk tolerance (REF) & communicate it across the organization.
• Guidance on how risk tolerance impacts RM decisions.
• Accountability for RM decisions (senior leaders).
• Three tiers are identified:
  • Tier 1 – Organization (Governance)
  • Tier 2 – Business Process
  • Tier 3 – Information System
Four Components (NIST SP-800-39)
• Frame Risk
• Assess Risk (SP-800-30)
• Respond to Risk
• Monitor Risk
NIST provides ‘tasks’ that help to achieve each component.
Four Components (NIST SP-800-39)
• Frame Risk
  • Establish a risk context
  • A realistic and credible risk frame requires that organizations identify:
    • Risk assumptions (e.g., assumptions about the threats, vulnerabilities, consequences/impact, and likelihood of occurrence);
    • Risk constraints (e.g., constraints on the risk assessment, response, and monitoring alternatives under consideration);
    • Risk tolerance (e.g., levels of risk, types of risk, and degree of risk uncertainty that are acceptable);
    • Priorities and trade-offs (e.g., the relative importance of business functions, trade-offs among different types of risk that organizations face, time frames in which organizations must address risk).
Four Components (NIST SP-800-39)
• Assess Risk (SP-800-30)
  • Identifies threats to organizations (i.e., to operations, assets, or individuals)
  • Identifies vulnerabilities (internal & external) to the organization
  • Identifies the harm (i.e., consequences/impact) to organizations that may occur given the potential for threats exploiting vulnerabilities
  • Identifies the likelihood that harm will occur
  • The end result is a determination of risk (i.e., the degree of harm and the likelihood of harm occurring).
Four Components (NIST SP-800-39)
• Respond to Risk
  • Developing alternative courses of action for responding to risk, and evaluating the alternative courses of action
  • Determining appropriate courses of action consistent with organizational risk tolerance
  • Implementing risk responses based on the selected courses of action.
  • Types of risk responses that can be implemented:
    • Accepting
    • Avoiding
    • Mitigating
    • Sharing
    • Transferring
Four Components (NIST SP-800-39)
• Monitor Risk
  • Verify that planned risk response measures are implemented
  • Evaluate the effectiveness of risk responses
  • Identify risk-impacting changes to organizational information systems
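Worked example of the four components together (an added illustration, not code from these slides or from NIST): a Python risk register that frames a risk tolerance, assesses each entry from likelihood and degree of harm, checks that the planned response (accept, avoid, mitigate, share or transfer) is consistent with that tolerance, and re-runs the check when monitoring brings in new information. The 1..5 scoring scales and the product-based binning into five risk levels are a simplified semi-quantitative scheme chosen for this example, not NIST's SP 800-30 tables; the threats, vulnerabilities, scores and the MODERATE tolerance are constructed sample values.

```python
"""Risk register walking through the four SP 800-39 components: frame (risk
tolerance), assess (likelihood and impact combined into a risk level, in the
spirit of SP 800-30), respond (pick a response consistent with tolerance) and
monitor (re-assess after a change and flag risks that drift out of tolerance).
Added illustration, not code from the slides or from NIST. The 1..5 scales and
the product-based binning are a simplified scheme chosen for the example (an
assumption, not NIST's own tables); threats, scores and the tolerance are
constructed sample values.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

LEVELS = ["VERY_LOW", "LOW", "MODERATE", "HIGH", "VERY_HIGH"]
RESPONSES = {"ACCEPT", "AVOID", "MITIGATE", "SHARE", "TRANSFER"}


@dataclass(frozen=True)
class RiskFrame:
    """Frame: the Tier 1 decision on risk tolerance, expressed as the highest
    risk level the organization accepts without a risk-reducing response."""
    tolerance: str

    def within_tolerance(self, level: str) -> bool:
        return LEVELS.index(level) <= LEVELS.index(self.tolerance)


@dataclass(frozen=True)
class Risk:
    threat: str                         # threat event
    vulnerability: str                  # weakness the threat could exploit
    likelihood: int                     # 1 (rare) .. 5 (almost certain)
    impact: int                         # 1 (negligible) .. 5 (severe harm to mission)
    planned_response: str = "ACCEPT"    # one of RESPONSES
    residual_likelihood: int = 0        # expected scores after the response
    residual_impact: int = 0            # (0 = unchanged from the inherent score)


def assess(likelihood: int, impact: int) -> str:
    """Assess: determine risk as the combination of likelihood and degree of harm.
    Simplified scheme (assumption): bin the product likelihood*impact into five levels."""
    for v in (likelihood, impact):
        if not 1 <= v <= 5:
            raise ValueError("likelihood and impact are scored 1..5")
    score = likelihood * impact
    if score <= 2:
        return "VERY_LOW"
    if score <= 5:
        return "LOW"
    if score <= 10:
        return "MODERATE"
    if score <= 16:
        return "HIGH"
    return "VERY_HIGH"


def respond(frame: RiskFrame, risk: Risk) -> Tuple[str, str, bool]:
    """Respond: returns (response, risk level after the response, consistent?).
    A risk inside tolerance is simply accepted. Above tolerance, the planned
    response must bring residual risk back inside tolerance to be consistent."""
    inherent = assess(risk.likelihood, risk.impact)
    if frame.within_tolerance(inherent):
        return "ACCEPT", inherent, True
    if risk.planned_response not in RESPONSES or risk.planned_response == "ACCEPT":
        # accepting (or having no valid plan for) a risk above tolerance
        return risk.planned_response, inherent, False
    residual = assess(risk.residual_likelihood or risk.likelihood,
                      risk.residual_impact or risk.impact)
    return risk.planned_response, residual, frame.within_tolerance(residual)


def monitor(frame: RiskFrame, register: List[Risk],
            likelihood_changes: Dict[str, int]) -> List[str]:
    """Monitor: apply new information (e.g. a new vulnerability raising a threat's
    likelihood), re-run assess/respond and return the threats whose current
    response is no longer consistent with the organization's tolerance."""
    flagged = []
    for r in register:
        if r.threat in likelihood_changes:
            r = replace(r, likelihood=likelihood_changes[r.threat])
        _, _, consistent = respond(frame, r)
        if not consistent:
            flagged.append(r.threat)
    return flagged


# Constructed sample: a Tier 1 tolerance of MODERATE and four register entries.
SAMPLE_FRAME = RiskFrame(tolerance="MODERATE")
SAMPLE_REGISTER = [
    Risk("Phishing leads to credential theft", "no MFA on webmail", 4, 4,
         "MITIGATE", residual_likelihood=2, residual_impact=4),
    Risk("Ransomware on file server", "unpatched SMB service", 3, 5,
         "TRANSFER", residual_likelihood=3, residual_impact=3),
    Risk("Power outage at data centre", "single power feed", 2, 3),
    Risk("Laptop theft", "disk not encrypted", 3, 3),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(r.threat, respond(SAMPLE_FRAME, r))
    # New information from Tier 3: the power feed failed twice this quarter.
    print("out of tolerance:",
          monitor(SAMPLE_FRAME, SAMPLE_REGISTER, {"Power outage at data centre": 4}))
```

The monitor step is the feedback loop the tiers slide describes: a change observed at the information-system level (here, a likelihood that has gone up) re-enters the assess and respond steps, and a risk that was acceptable under the original frame is flagged because "accept" is no longer consistent with the Tier 1 tolerance.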
To integrate the risk management process throughout the organization seamlessly, a three-tiered approach is employed!
Three Tiers: NIST SP-800-39
[Diagram: the three-tier risk management hierarchy, labelled with the Risk Executive Function (‘REF’); extracted from the NIST SP-800-39 overview]
Tier 1 – Organization
• Provides context for all RM activities within the organization (Risk Framing)
• Provides a prioritization of business functions, which in turn drives investment strategies and funding decisions
• Tier 1 models: Centralized, Decentralized & Hybrid
• Establishes & implements a governance structure to monitor RM activities
• REF – Risk tolerance levels are defined and established
• Establishes the overall RM strategy
• Ensures objectives are achieved
• Verifies resource utilization
• Measures, monitors & reports RM activities
Tier 1 – Risk Tolerance (REF)
• REF is a functional role established within organizations to provide a more comprehensive, organization-wide approach to risk management.
• REF
  • Acceptable level of risk to the organization
  • This is a key component of the overall RM strategy
  • A fine balance needs to be achieved between extreme tolerance & low tolerance
  • Has an impact on:
    • Nature & extent of RM oversight
    • Extent & thoroughness of risk assessment
    • Response strategies (resources?)
Tier 2 – RM Activities
• Defining the business processes
• Prioritizing the mission/business processes with respect to the strategic goals and objectives of organizations
• Defining the types of information needed to successfully execute the business processes, the criticality/sensitivity of the information, and information flows, internal & external
• Incorporating information security requirements into the mission/business processes (C.I.A.)
• Promotes cost-effective and efficient information technology solutions consistent with the strategic goals and objectives of the organization and measures of performance
Tier 3 – Information System Level
• All information systems, including operational systems, systems under development, and systems undergoing modification, are in some phase of the system development life cycle (SDLC)
• Integrate RM activities into the SDLC (extremely cost-effective compared to introducing them later)
• Tier 3 provides essential feedback to Tiers 1 and 2, e.g. new vulnerabilities, latest threat information
• SP 800-37 provides specific guidance for system-level RM activities
QUESTIONS ?