
Final Project

Sabrina Toubbeh

University of San Diego

CSOL 530: Cyber Security Risk Management

Professor Nzeata

August 15, 2022



Purpose

Cyber risk management is essential to any organization, as it allows a company to mitigate the risks unique to its business. Effective risk management helps reduce costs, protect revenue, improve business reputation, alleviate cyber risks, and prevent attacks against the organization (CS Risk Management, 2021). For an organization's mission and business functions to be successful, "the confidentiality, integrity, and availability of information processed, stored, and transmitted by those systems and privacy of individuals" must be protected (NIST, 2018). Confidentiality, integrity, and availability are the main goals of a security plan and are considered the most crucial security elements. According to NIST (2018), the processes in the Risk Management Framework are Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor, each of which is detailed and explained below.

Step 1 Prepare

Before enacting the RMF, the organization must first prepare itself by ensuring company-wide governance and appropriate resources to support a consistent risk management process. The first step of the RMF includes all the activities necessary to execute the framework from an organizational and system-level perspective (NIST, 2011a). In this stage, the key outcomes are a clear understanding of the Risk Management Roles, Risk Management Strategy, Organizational Risk Assessment, and Continuous Monitoring Strategy (Veltsos, 2019). These outcomes can be achieved by: (i) providing a general overview of the risk management process; (ii) establishing how organizations determine the context for risk-based decisions; (iii) determining how organizations assess risk considering threats, vulnerabilities, likelihood, and impact; (iv) deciding how risk should be responded to once detected; and (v) defining how risks can be monitored over time as the operating environment changes (NIST, 2011a). Accomplishing these tasks can minimize complexity by recognizing and removing irrelevant functions that contribute nothing to system security and privacy.

Step 2 System Categorization

System categorization within the RMF is the process of assigning one of "three levels of potential impact on organizations or individuals should there be a breach of security" (NIST, 2004). Each of the CIA triad principles is assigned an impact level based on the type of data stored, transmitted, or processed, and its importance to system operation. Additionally, the system as a whole is categorized. These categorizations are intended to be used in conjunction with the vulnerability and threat details discovered in the risk assessment. The impact levels and their definitions are listed in the table below.

Table 2: Risk Impact Levels

Impact Level    Impact Definition
Low             Loss of any of the CIA principles is likely to have a minimal impact on the system, organization, or personnel.
Moderate        Loss of any of the CIA principles is likely to have a serious impact on the system, organization, or personnel.
High            Loss of any of the CIA principles is likely to have a disastrous or fatal impact on the system, organization, or personnel.

Given the appropriate impact levels, the categorization of the system is determined, which allows an organization to understand the consequences that may result from a compromise of its security objectives.
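The paragraph above describes assigning an impact level to each CIA objective and then categorizing the system as a whole, but does not show how the two are combined. The following Python is an added worked example, not code from this paper or from NIST. It assumes the FIPS 199 "high-water mark" rule: the system's impact for each objective is the highest impact of the information types it handles, and the overall category is the highest across the three objectives. The information types and their levels are constructed sample data; the `SC = {...}` output format follows the FIPS 199 notation.

```python
"""Security categorization in the manner of FIPS 199 (added worked example).

Not code from the paper or from NIST.  Assumptions, labelled here because the
paper does not spell them out:
  * impact levels are ordered LOW < MODERATE < HIGH;
  * for each security objective, the system's impact is the highest impact
    ("high-water mark") of the information types it stores, processes, or
    transmits;
  * the overall system category is the highest impact across the three
    objectives.
The information types and their impact levels below are constructed sample data.
"""
from dataclasses import dataclass

LEVELS = ("low", "moderate", "high")          # ordered lowest to highest
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One kind of information the system handles, with an impact level per objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def high_water_mark(levels):
    """Return the highest impact level among `levels`, validating each value."""
    levels = list(levels)
    if not levels:
        raise ValueError("no impact levels given")
    for level in levels:
        if level not in LEVELS:
            raise ValueError(f"unknown impact level {level!r}; expected one of {LEVELS}")
    return max(levels, key=LEVELS.index)


def categorize_system(info_types):
    """Return (per-objective impact levels, overall system category).

    The per-objective level is the high-water mark over all information types;
    the overall category is the high-water mark over the three objectives.
    """
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    per_objective = {
        objective: high_water_mark(getattr(t, objective) for t in info_types)
        for objective in OBJECTIVES
    }
    overall = high_water_mark(per_objective.values())
    return per_objective, overall


def format_categorization(per_objective, overall):
    """Render the result in the FIPS 199 'SC = {(objective, LEVEL), ...}' notation."""
    pairs = ", ".join(f"({obj}, {per_objective[obj].upper()})" for obj in OBJECTIVES)
    return f"SC system = {{{pairs}}}; overall {overall.upper()}"


# Constructed sample: three information types handled by one hypothetical system.
SAMPLE_TYPES = [
    InfoType("public web content", confidentiality="low", integrity="moderate", availability="moderate"),
    InfoType("customer records", confidentiality="moderate", integrity="moderate", availability="low"),
    InfoType("payment processing", confidentiality="moderate", integrity="high", availability="moderate"),
]

if __name__ == "__main__":
    levels, category = categorize_system(SAMPLE_TYPES)
    print(format_categorization(levels, category))
```

In the sample, a single information type with a HIGH integrity impact lifts the whole system to HIGH, which is the point of the high-water mark: the baseline selected in the next step is driven by the most sensitive information the system touches, not the average.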

Step 3 Selection

The Select step aims to select, tailor, and document the controls necessary to protect the system and organization (NIST, 2018). The organization must select an initial set of baseline security controls commensurate with the security categorization. These baseline controls serve as a starting reference that may be enhanced based on business needs. The selected controls take a holistic view, considering operational needs while remaining system-focused. Since risk cannot be completely eliminated, these controls are intended to reduce risk to an acceptable level based on the risk assessment. However, to select proper security controls, the organization must accurately determine the system's security categorization and impact levels. This phase also includes producing tailored control baselines, allocating controls to specific system elements, documenting the planned control implementations, developing a continuous monitoring strategy, and reviewing and approving the security and privacy plans that reflect the control selections (NIST, 2018). The selection process is a critical step in the RMF, as it sets the foundation for the subsequent phases.

Step 4 Implementation

Once controls have been selected and approved, the Implementation step commences. This phase involves implementing the security controls and documenting how they are deployed within the system and its operational environment (NIST, 2018). Implementing the controls turns the security plan into reality. However, the implementation must also be carefully executed to comply with applicable regulations and policies. The outcomes of the Implementation step are to employ the controls specified in the security and privacy plans, using systems security best practices and engineering methodologies, and to update the control implementation documentation with any changes to the planned implementation (NIST, 2018).

Step 5 Assessment

Once the implementation has been completed, an assessment must be performed to determine whether the selected and applied controls are implemented correctly, operating as intended, and producing the desired outcome with respect to satisfying the security and privacy requirements of both the system and the organization (NIST, 2018). First, the organization must determine which team or individual is responsible for performing the assessment. Upon selecting the assessor, an assessment plan must be prepared to carry out the evaluation. This includes reviewing and approving the assessment plan and providing the assessor with any documentation required to conduct the assessment.

The control assessment itself should be conducted in accordance with the assessment plan and should reuse assessment results from previous evaluations wherever possible, for a timely and cost-effective process (NIST, 2018). To maximize the value of this process, automation should be used wherever possible to increase speed, effectiveness, and efficiency. The assessment results are valuable to an organization because they provide officials with: (i) evidence about the effectiveness of implemented controls; (ii) an indication of the quality of the risk management process employed within the organization; and (iii) information about the strengths and weaknesses of the systems supporting the business (NIST, 2014).

Once the assessments are complete, a report should be generated to share the findings and present recommendations to the organization. From the results, the assessor should provide remediation actions that address any control deficiencies. As changes to the implementation are made in response to these remediation actions, the security and privacy plans should be updated to reflect the applied modifications. The remediation actions can then be documented in the Plan of Action and Milestones (POA&M) for the organization. The POA&M itemizes the tasks that must be completed to comply with organizational requirements (NIST, 2006). Depending on the assessment results and whether the residual risk level is acceptable, the listed action items may require completion before reassessment. The assessment phase is an essential step, as it builds an improved understanding and awareness of the risks to the organization and its assets.

Step 6 Authorization

The authorization phase includes the preparation of the Plan of Action and Milestones (POA&M) and the submission of a security authorization package to the Authorizing Official (AO) (CDSE, 2020). The AO evaluates the assessment results to determine whether the residual risks are acceptable to the organization (Peacock, n.d.). Since the objective of the RMF is to preserve an element's ability to fulfill its mission, the AO judges the organization's current security posture against the operational obligations of the system. Risk must be evaluated in light of the mission or business requirements, risk-related considerations, and any technical, operational, cost, or scheduling constraints (CDSE, 2020). This includes weighing the competing demands of mission and security, as well as the budgetary consequences of the potential costs of security measures, when determining the accepted level of risk. Once the AO has made the risk determination, the authorization decision can be concluded.

The authorization decision is made by the AO and has one of the following outcomes: Approval to Operate (ATO), Interim Approval to Test (IATT), or Denied Approval to Operate (DATO). If the overall system risk is permissible in light of the system's mission criticality, an ATO may be issued, with any required conditions (DoD, 2014). In contrast, if the risk is unacceptable or the system is being decommissioned, a DATO will be issued. If the overall system risk is acceptable, an IATT provides a temporary authorization that is valid only under testing conditions and expires when testing is complete.

Step 7 Monitoring

Once a system is authorized, the organization must ensure that it remains effective against changes over time. The Monitoring step is intended to "maintain an ongoing situational awareness" of the system's security posture (NIST, 2018). Since cybersecurity is dynamic, security-related processes must be proactively managed to detect and react to new vulnerabilities, advanced threats, and continuously shifting architectures and environments. Continuous monitoring is often used to address the impact that change has on security. Information Security Continuous Monitoring (ISCM) refers to the process of sustaining an ongoing understanding of security, vulnerabilities, and threats as they relate to risk management decisions (NIST, 2011b). To establish, implement, and maintain a robust ISCM program, an organization must define an ongoing monitoring strategy, develop and implement the program, analyze the collected data and report discoveries, respond to the findings, and review and update the process (NIST, 2011b). As in the Assessment step of the RMF, automation should be employed for timely decision-making and near real-time results (NIST, 2018). Automation can be applied to numerous tasks, such as configuration, antivirus, patch management, and audits, allowing the ongoing assessment of control efficacy to be completed and responded to with ease. Automation can also generate the documentation needed for reporting to the AO and senior executives. For continuous monitoring to remain effective, it must include configuration management and control processes, an impact analysis of any system or environmental change, assessment that assures security control efficacy, appropriate security reporting to executives, and ongoing AO participation in risk management decisions.

As changes occur, such as personnel changes, modifications to the hardware, software, or firmware used by the system, or a transition to a new environment, the challenge lies in upholding the security of the organization through those states. Just as business needs fluctuate, so do the security systems in place. The framework is revisited, and to meet varying operating needs, the implemented security controls may require changes. With any addition or removal of controls, new risks arise. It is the organization's responsibility to reassess the controls in place and determine which need to be modified, removed, or added. Given all these changes, new controls must again be selected, implemented, assessed, and authorized. Continuous monitoring can then be used to observe the efficacy of the new system and how it performs over time.
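The Assessment step above ends with deficiencies being recorded in a POA&M and held against the accepted residual risk, and the Monitoring step says automation should cover configuration, antivirus, patch state, and audits. The following Python is an added worked example, not code from this paper or from any NIST publication, that ties the two together: it compares an observed configuration snapshot against an approved baseline, treats an unreported setting as a finding rather than as compliant, decides whether the findings exceed the residual risk level the AO accepted, and turns them into POA&M rows with milestone dates. Everything in it is constructed: the baseline, the snapshot, the mapping of each setting to a control identifier (the identifiers follow the SP 800-53 family pattern, but which control a setting implements is an assumption), the severities, and the remediation deadlines.

```python
"""Configuration-drift check feeding a POA&M (added worked example).

Not code from the paper or from NIST.  The baseline, the observed snapshot,
the setting-to-control mapping, the severities and the per-severity deadlines
are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Any

SEVERITIES = ("low", "moderate", "high")      # ordered lowest to highest
SLA_DAYS = {"high": 7, "moderate": 30, "low": 90}   # constructed remediation deadlines
SNAPSHOT_DATE = date(2022, 8, 15)              # constructed date the snapshot was taken


@dataclass(frozen=True)
class BaselineItem:
    setting: str     # key as reported by the hypothetical monitoring feed
    rule: str        # "equals" or "at_most"
    threshold: Any   # required value, or the maximum allowed value for "at_most"
    control: str     # assumed control identifier the setting implements
    severity: str    # impact if the setting drifts


@dataclass(frozen=True)
class Finding:
    setting: str
    control: str
    severity: str
    observed: Any    # None when the feed did not report the setting
    detail: str


# Constructed approved baseline for a hypothetical server.
BASELINE = [
    BaselineItem("ssh.password_authentication", "equals", False, "IA-2", "high"),
    BaselineItem("audit.logging_enabled", "equals", True, "AU-2", "high"),
    BaselineItem("antivirus.signature_age_days", "at_most", 1, "SI-3", "moderate"),
    BaselineItem("patch.days_since_last_update", "at_most", 30, "SI-2", "moderate"),
    BaselineItem("firewall.default_policy", "equals", "deny", "SC-7", "high"),
]

# Constructed snapshot from the feed; firewall.default_policy is deliberately absent.
OBSERVED = {
    "ssh.password_authentication": True,
    "audit.logging_enabled": True,
    "antivirus.signature_age_days": 3,
    "patch.days_since_last_update": 12,
}


def evaluate(observed, baseline):
    """Compare a snapshot against the baseline; unreported settings are findings too."""
    findings = []
    for item in baseline:
        if item.setting not in observed:
            findings.append(Finding(item.setting, item.control, item.severity, None,
                                    "setting not reported by the monitoring feed"))
            continue
        value = observed[item.setting]
        if item.rule == "equals":
            compliant = value == item.threshold
        elif item.rule == "at_most":
            compliant = value <= item.threshold
        else:
            raise ValueError(f"unknown rule {item.rule!r} for {item.setting}")
        if not compliant:
            findings.append(Finding(item.setting, item.control, item.severity, value,
                                    f"observed {value!r}, baseline requires {item.rule} {item.threshold!r}"))
    return findings


def exceeds_accepted_risk(findings, accepted_residual):
    """True if any finding is more severe than the residual risk level the AO accepted."""
    limit = SEVERITIES.index(accepted_residual)
    return any(SEVERITIES.index(f.severity) > limit for f in findings)


def poam_entries(findings, opened_on):
    """Turn findings into POA&M rows, most severe first, with a milestone date from SLA_DAYS."""
    ordered = sorted(findings, key=lambda f: -SEVERITIES.index(f.severity))
    return [
        {
            "weakness": f"{f.setting}: {f.detail}",
            "control": f.control,
            "severity": f.severity,
            "milestone_due": opened_on + timedelta(days=SLA_DAYS[f.severity]),
            "status": "open",
        }
        for f in ordered
    ]


if __name__ == "__main__":
    found = evaluate(OBSERVED, BASELINE)
    for row in poam_entries(found, SNAPSHOT_DATE):
        print(row)
    print("reassessment needed:", exceeds_accepted_risk(found, "moderate"))
```

Run against the constructed snapshot, the check yields three findings: password authentication enabled over SSH, stale antivirus signatures, and a firewall setting the feed never reported. The last one matters for the monitoring program the paper describes: a gap in the data is recorded and tracked, not silently counted as compliant, and the AO sees it in the same reporting as confirmed drift.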

Conclusion

In short, effective risk management requires an organization to be flexible and adapt to its situation. The Risk Management Framework is a risk-based approach that considers the impact information systems have on critical mission objectives. This structured process involves preparing the organization to enact the framework company-wide, categorizing the system based on its risk, selecting appropriate controls to mitigate risk to acceptable levels, implementing the controls to bring the system to life, assessing the implemented controls to confirm the desired outcome, authorizing the system for use, and monitoring the system to ensure its efficacy and relevance over time.



References

CDSE. (2020, September). Introduction to the Risk Management Framework. https://www.cdse.edu/documents/student-guides/CS124-guide.pdf

CS Risk Management. (2021). The Importance of Cyber Risk Management. https://www.csriskmanagement.co.uk/the-importance-of-cyber-risk-management/

DoD. (2014, March 12). Risk Management Framework (RMF) for DoD Information Technology (IT). https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/851001p.pdf

NIST. (2004, February). Standards for Security Categorization of Federal Information and Information Systems. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf

NIST. (2006, February). Guide for Developing Security Plans for Federal Information Systems. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf

NIST. (2011a, March). Managing Information Security Risk. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf

NIST. (2011b, September). Information Security Continuous Monitoring for Federal Information Systems and Organizations. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf

NIST. (2014, December). Assessing Security and Privacy Controls in Federal Information Systems and Organizations. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf

NIST. (2018, December). Risk Management Framework for Information Systems and Organizations. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf

Peacock, J. (n.d.). Infographic: The Six Steps of the NIST Risk Management Framework (RMF). https://www.cybersaint.io/blog/six-steps-of-the-nist-risk-management-framework

Veltsos, C. (2019, July 22). NIST Says Preparation is Key to the Risk Management Framework. https://securityintelligence.com/articles/nist-says-preparation-is-key-to-the-risk-management-framework/
