Matthew Chiappone
Professor Raines
Continuous Monitoring
Change is inevitable, and preparation is key. BioHuman relies on the NIST Risk
Management Framework (RMF), which “provides a process that integrates security, privacy, and
cyber supply chain risk management activities into the system development life cycle” (NIST,
2022). By leveraging the seven steps within the framework, BioHuman can methodically step
through each system, assess risk, obtain authorization, and continually monitor for changes and
risks. BioHuman’s control development and policies create the foundation for the
security-focused culture it has strived to achieve. Continuous monitoring lowers risk, protects
assets, and ensures BioHuman stays a leader within its business sector. The image below illustrates the
The first step of the RMF is preparation. Understanding the business goals and objectives
establishes the boundaries and focus of new implementations within the environment and allows
for layering security throughout the entire development process. Protecting assets requires input
from all affected stakeholders, from system impact to personnel impact. Determining the roles and
responsibilities within the organization, with regard to projects and the RMF, is necessary for
the correct implementation of each project and allows approvals and authorization to occur
on time. Time spent in preparation saves time and money and minimizes confusion and
unforeseen roadblocks. The essential tasks and definitions of the prepare step according to
NIST are (Joint Task Force, 2018):
● Risk Management Roles: Determine key roles, both organization-wide and project-specific.
● Risk Management Strategy: Determine BioHuman’s current risk tolerance.
Categorize
The categorization step focuses on the impact on the overall system and impact on
security. Controls and policies are set by separating and categorizing the risk level and
assessment results. The potential impact is weighed against the Confidentiality, Integrity, and
Availability (CIA) Triad to determine the overall risk of each system. The rating follows the
FIPS 199 scale of potential impact with a rating of low, moderate, or high (U.S. Department of
Commerce, 2004). The scale accounts for system impact, the overall impact on the business, and
external circumstances that may raise or lower the overall rating. The essential tasks and
definitions of the categorize step according to NIST are (Joint Task Force, 2018):
● System Description: This describes the system and its business function. The rating for
and utilization of the business risk rubric and risk management strategy.
● Security Categorization Review and Approval: Once the risk level and categorization are
complete, the executive leadership team makes the final decision on the overall risk.
Select
The select step involves developing and selecting the appropriate controls for protecting
the system and overall business. The controls are defined within NIST Special Publication
800-53 Revision 5 (Joint Task Force, 2020). The selected controls are based on the categorization of
assets and system constraints. The process includes the definition of controls through approval.
The essential tasks and definitions of the select step according to NIST are (Joint Task Force,
2018):
● Control Selection: Control baselines are selected and established to monitor changes in
risk. Common business controls are applied according to standards, and supplemental
● Control Tailoring: The controls are altered or tailored to meet the specific requirements
within the system according to capability and relevant factors discovered during
categorization.
process is defined and referenced against the overall system monitoring policy. Any
● Plan Review and Approval: The final control list is created and submitted for review by
Implement
The implement step outlines the tasks necessary for deploying each control
determined in the select step. The common controls are implemented according to the specified
parameters, and any deviation is documented as part of the process. Configuration and deployment
of system-specific controls are tested and verified according to the risk management strategy and
reviewed for necessary changes before deployment to the live environment. The essential tasks and
definitions of the implement step according to NIST are (Joint Task Force, 2018):
Assess
The assess step reviews and analyzes the implementation of the selected controls to
determine whether they are implemented correctly and provide the intended security. The assessment
developed. Assessments can be internal or external and are defined before engagement. The
results are gathered and presented to executive leadership and the security team to determine
whether risks or vulnerabilities were found. Remediation actions are developed, and a Plan of Action
and Milestones (POA&M) report is used to track individual items through to completion and
saved for historical reference. The essential tasks and definitions of the assess step according to
NIST are (Joint Task Force, 2018):
● Assessment Plan: The plan outlines the rules of engagement and resources necessary for
proper assessment. The plan is reviewed and approved by the security and executive
leadership team.
● Control Assessments: Each control will have a specific assessment to validate the correct
● Assessment Reports: The finalized reports are produced to outline findings and highlight
remediation actions outlined within the POA&M and tracked until complete.
address risks found within each control. The document will be maintained and updated
Authorize
Authorization is needed from executive leadership to proceed with the use of any new
system, or of an existing system with newly found risks or vulnerabilities. The Authorizing Official
(AO) is the final decision maker. An authorization package is created and submitted to the AO
for approval. The essential tasks and definitions of the authorize step according to NIST are
(Joint Task Force, 2018):
final approval. The package contains all relevant information and findings, from risk
assessments to controls.
● Risk Analysis and Determination: The final risk analysis is compared against the risk
● Risk Response: If risks are determined, a response plan is created for remediation and
Monitor
Technology and vulnerabilities are constantly changing, and BioHuman must monitor
these changes to determine risk and mitigation techniques. Monitoring the system is the final
step of the RMF and consists of routine analysis of the system controls and risks to BioHuman.
The intervals of auditing and verification of system controls are determined by the overall
importance and potential risk of the system, changes to the environment, or personnel changes.
The essential tasks and definitions of the monitor step according to NIST are (Joint Task Force,
2018):
to the environment occurs, a risk analysis is conducted to analyze the potential impact.
determined by the executive and security team. The frequency is determined by the
implementing response and mitigation techniques. Once risks are found, they must be
addressed, and subsequent changes are to be monitored for effectiveness and intended
result.
monitoring are included in the Authorization Package and tracked in the POA&M.
Approved methods for addressing discovered risks are included in all relevant
documentation.
● Security and Privacy Reporting: The final reporting is sent to executive leadership and
inadequacies found through monitoring must be processed again through the RMF for
final approval.
● System Disposal: Systems that are no longer in use or able to be appropriately secured
Maintaining the highest level of security is paramount to BioHuman’s success. The NIST
RMF is a structured framework that methodically steps through each system development and
security aspect. Changes to personnel, environment, laws, and infrastructure are ongoing,
“Trend analyses from existing monitoring; organizational risk tolerance information; information
on new laws, regulations, reporting requirements; current threat and vulnerability information;
Force, 2018)” Threats never stop, and being proactive is the only option. BioHuman leverages
automation through scheduled vulnerability scans and reporting tools. The capabilities of our
SIEM and firewall to actively mitigate and report findings are routinely reviewed for emerging
threats. Changes in personnel through the onboarding and offboarding process trigger automated
firmware changes are vetted before installation for known vulnerabilities or bugs, and each
change triggers the assessment process. All IT and security staff are trained and understand the
References
Fruhlinger, J. (2022, January 10). What is PII? Examples, laws, and standards. CSO Online.
https://www.csoonline.com/article/3645648/what-is-pii-examples-laws-and-standards.html
Joint Task Force. (2018, December 2). Risk Management Framework for Information Systems
and Organizations: A System Life Cycle Approach for Security and Privacy. NIST.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf
Joint Task Force. (2020, September 5). Security and Privacy Controls for Information Systems
and Organizations. NIST.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
NIST. (2022, July 14). NIST Risk Management Framework (RMF). NIST Computer Security
Resource Center.
U.S. Department of Commerce. (2004, February). FIPS 199, Standards for Security
Categorization of Federal Information and Information Systems. Federal Information Processing
Standards Publications. https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf
4. Authorizing Official:
● Name: Leonardo Messer
● Title: System Authorizing Official
● Agency: BioHuman
● Address: 300 Hidden Figures Way SW, Washington, D.C.
● Email Address: MesserOfTwoEvils@biohumaninc.com
● Phone Number: (555)638-3655
System type: [X] Major Application   [ ] General Support System
9. General System Description/Purpose
● The function of the payroll system is to facilitate the payment of employee
salaries and calculate their total compensation. This includes tracking and
calculation of longevity, incentives, and bonuses earned yearly. The system holds
user banking account information and budget information for BioHuman. The
system ties into a standalone database within the BioHuman infrastructure that
contains user information relevant to compensation calculations. Direct Deposit
payments to employees are facilitated from within the system.
traffic between the payroll system and the database and allows only the
necessary ports and applications.
System Name                | Organization  | Type                | Agreement (ISA/MOU/MOA) | Date     | FIPS 199 Category                      | C&A Status         | Auth. Official
---------------------------|---------------|---------------------|-------------------------|----------|----------------------------------------|--------------------|---------------
Local Microsoft SQL Server | BioHuman Inc  | Support for payroll |                         | 1/1/2022 | Low                                    | ATO and monitoring | Leo Messer
Payroll System             | Payroll Online| Major               | Yes/Yes/Yes             | 1/1/2022 | Moderate (< 2 weeks), High (> 2 weeks) | ATO and monitoring | Leo Messer
Related Laws/Regulations/Policies
● The system contains PII.
    • The Federal Trade Commission Act (FTC Act) protects PII
    • OMB M-10-23 provides protection when utilizing third-party websites
● FISMA
● Corporate policies for risk assessments and auditing
● Corporate RMF
organizational role
    • Reviewed during monthly account auditing
    • Common control set by IT staff
● AC-12 SESSION TERMINATION
    • Users can log out of the system manually
    • System timed logout is set to 15 minutes
    • Common control
    • Set manually within the payroll system by IT staff
● AT-1 POLICY AND PROCEDURES
    • Updated annually and when changes or updates occur
    • IT security staff will develop the policy with the business office
    • Common control
● AT-3 ROLE-BASED TRAINING
    • Personnel are trained on their access level (read/write access)
    • The business department trains new hires and provides annual review training on
      updated features
    • Common control for business systems
● AU-1 POLICY AND PROCEDURES
    • Updated annually and when changes or updates occur
    • IT security staff will develop the policy with the business office
    • Common control
● AU-2 EVENT LOGGING
    • All activity within the system is logged, and reports are auto-generated and
      emailed to management staff
    • IT staff will configure event logging within the payroll system
    • IT staff and business management will work together to ensure the appropriate
      information is included in the report
    • Common control
● IA-1 POLICY AND PROCEDURES
    • Updated annually and when changes or updates occur
    • IT security staff will develop the policy with the business office
    • Common control
● IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
    • IT staff will enforce MFA for privileged and non-privileged accounts
    • Privileged accounts will use company-provided cellphones for MFA
    • Non-privileged accounts will use company-managed devices or hardware keys for MFA
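As an added illustration of how the AC-12 and AU-2 entries above translate into running code (this is example code written for this page, not part of the BioHuman plan or its payroll system), the session manager below enforces both termination paths the plan lists, manual logout and a 15-minute timed logout, and writes one audit record per session event in the spirit of AU-2. It assumes the 15-minute timer measures inactivity, and it takes timestamps as parameters so the behaviour can be checked without waiting; the user names and times in `run_scenario` are constructed.

```python
"""Added example (not from the BioHuman plan): a minimal session manager that
enforces AC-12 session termination (manual logout plus a 15-minute timed
logout) and records an AU-2 style audit event for every session change.
Assumptions: the timer measures inactivity, and the caller supplies the clock."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import json
import secrets

IDLE_TIMEOUT = timedelta(minutes=15)  # value stated in the plan's AC-12 entry


@dataclass
class Session:
    token: str
    user: str
    created: datetime
    last_activity: datetime


@dataclass
class SessionManager:
    idle_timeout: timedelta = IDLE_TIMEOUT
    sessions: dict = field(default_factory=dict)   # token -> Session
    audit_log: list = field(default_factory=list)  # one JSON line per event

    def _audit(self, event, user, now, **extra):
        record = {"ts": now.isoformat(), "event": event, "user": user, **extra}
        self.audit_log.append(json.dumps(record, sort_keys=True))

    def login(self, user, now):
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self.sessions[token] = Session(token, user, now, now)
        self._audit("LOGIN", user, now)
        return token

    def touch(self, token, now):
        """Validate a request. Returns the user if the session is live, or None
        after terminating a session that sat idle for the timeout or longer."""
        s = self.sessions.get(token)
        if s is None:
            self._audit("INVALID_SESSION", None, now)
            return None
        idle = now - s.last_activity
        if idle >= self.idle_timeout:
            del self.sessions[token]
            self._audit("TIMEOUT_LOGOUT", s.user, now,
                        idle_seconds=int(idle.total_seconds()))
            return None
        s.last_activity = now  # activity resets the idle clock
        return s.user

    def logout(self, token, now):
        """Manual logout; returns False if the token was not a live session."""
        s = self.sessions.pop(token, None)
        if s is None:
            return False
        self._audit("MANUAL_LOGOUT", s.user, now)
        return True

    def sweep(self, now):
        """Background reaper: close idle sessions even when no request arrives,
        so a session cannot outlive the timeout just because nobody touched it.
        Returns the number of sessions terminated."""
        expired = [t for t, s in self.sessions.items()
                   if now - s.last_activity >= self.idle_timeout]
        for t in expired:
            s = self.sessions.pop(t)
            self._audit("TIMEOUT_LOGOUT", s.user, now,
                        idle_seconds=int((now - s.last_activity).total_seconds()))
        return len(expired)


def run_scenario():
    """Constructed walkthrough with fictional users and times (not real data)."""
    t0 = datetime(2022, 1, 1, 9, 0, tzinfo=timezone.utc)
    m = timedelta(minutes=1)
    mgr = SessionManager()
    tok = mgr.login("payroll.clerk", t0)
    r1 = mgr.touch(tok, t0 + 14 * m)   # 14 min idle: still live, clock resets
    r2 = mgr.touch(tok, t0 + 28 * m)   # 14 min since last request: still live
    r3 = mgr.touch(tok, t0 + 44 * m)   # 16 min idle: terminated, returns None
    tok2 = mgr.login("hr.admin", t0 + 45 * m)
    closed = mgr.logout(tok2, t0 + 46 * m)
    r4 = mgr.touch(tok2, t0 + 47 * m)  # token already invalidated
    mgr.login("auditor", t0 + 50 * m)
    swept = mgr.sweep(t0 + 65 * m)     # exactly 15 min idle: reaper closes it
    return {
        "results": [r1, r2, r3, closed, r4, swept],
        "events": [json.loads(line)["event"] for line in mgr.audit_log],
        "open_sessions": len(mgr.sessions),
        "audit_log": list(mgr.audit_log),
    }


if __name__ == "__main__":
    for line in run_scenario()["audit_log"]:
        print(line)
```

The `sweep` method is the part worth noticing when reviewing an AC-12 implementation: a timeout that is only checked on the next request leaves an abandoned session valid until someone presents its token, so a periodic reaper (or an equivalent server-side expiry) is what actually bounds session lifetime to the 15 minutes the plan states. The JSON audit lines are what an AU-2 report generator would consume.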