Week 02 - National Institute of Standards and Technology Risk Management Framework

TL:DR - The goal is not to bring risk to zero, but to an acceptable level of risk the organization is willing to tolerate.

Introduction

The United States Congress passed Public Law 107 - 347 Titled E-Government Act of 2002. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA) requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other sources.

SEC. 303. National Institute of Standards and Technology (NIST) is charged with the institute mission of developing standards, guidelines, and associated methods and techniques for information systems based on an integrated Risk Management Framework (RMF).

Publications in NIST’s Special Publication (SP) 800 series present information of interest for computer security and privacy needs. The publications cover virtually every aspect of computer security. These documents recommend procedures and criteria for assessing and documenting threats, vulnerabilities, and implementing security measures to minimize the risk.

The foundation is based on the NIST SP 800-37, Risk Management Framework For Information Systems and Organizations. The NIST RMF “emphasizes risk management by promoting the development of security capabilities throughout the system development life cycle (SDLC); maintaining situational awareness of the security posture of those systems on an ongoing basis by means of continuous monitoring processes. Furthermore, providing information to senior leaders and executives to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations from the use and operation of their systems.”

However, it is SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, that provides a structured approach for managing risk through assessing, responding to, and monitoring. The document includes the components of risk management; life cycle-based process; and additional information such as process tasks, governance models, strategies, etc. This approach is to be applied throughout the entire organization: organization level, mission/business process level, and system level.

The risk management cycle is an iterative and continuous process, constantly informed by the changing risk landscape, organizational priorities, and functional changes. It is carried out as a holistic activity from the strategic to the tactical level. The risk management cycle provides four elements that structure an organization’s approach to risk management, as represented in Figure 1:

Figure 1: Risk Management Framework Lifecycle

Frame

The first component of risk management addresses how organizations frame risk by describing the environment in which risk-based decisions are made. The risk frame delineates the boundaries for risk-based decisions within organizations. These boundaries are based on:

• Assumptions (e.g., threats, vulnerabilities, consequences/impact, and likelihood of occurrence)
• Constraints (e.g., imposed by legislation, regulation, resource constraints (time, money, and people) and other factors identified by the organization)
• Tolerance (e.g., levels of risk, types of risk, and degree of risk uncertainty that are acceptable)
• Priorities and trade-offs (e.g., the relative importance of missions/business functions, trade-offs among different types of risk that organizations face, time frames in which organizations must address risk, and any factors of uncertainty that organizations consider in risk responses)

which that affect how risk is assessed, responded to, and monitored.

Assess

The second component of risk management addresses how organizations assess risk within the context of the organizational risk frame. Assessment is the process of identifying, estimating, and prioritizing risks. Assessing risk requires the careful analysis of threat and vulnerability information to determine the extent to which circumstances or events could adversely impact an organization and the likelihood that such circumstances or events will occur. It should identify:

• Threats
• Vulnerabilities
• Consequences (Impact) 
• Likelihood

The assessment approach is usually quantitative, qualitative, or semi-qualitative; however, this document utilized the qualitative method. In qualitative risk assessment, the focus is on perceptions about the probability of a risk occurring and its impact on relevant organizational aspects which represented in scales such as “low, medium, or high”

Respond

The third component of risk management is about addressing how organizations respond to risk once that risk is determined based on the results of risk assessments (controls). “The purpose of the risk response component is to provide a consistent, organization-wide, response to risk in accordance with the organizational risk frame by: developing alternative courses of action for responding to risk; evaluating the alternative courses of action; determining appropriate courses of action consistent with organizational risk tolerance; and implementing risk responses based on selected courses of action.” There are five basic strategies:

• Defense: Applying safeguards that eliminate or reduce the remaining uncontrolled risk. 
• Transferal: Shifting risks to other areas or outside. 
• Mitigation: Reducing the impact to information assets should an attacker successfully export a vulnerability. 
• Acceptance: Understanding the consequences of choosing to leave a risk uncontrolled and then properly acknowledging the risk that remains without an attempt at control. 
• Termination: Removing or discontinuing the information asset from the organization. 


Acceptance is the decision to do nothing to protect the asset from the risk and accept the outcome from any resulting exploitation. This strategy assumes that it can be a prudent business decision to examine the alternatives and conclude that the cost of protecting an asset does not justify the expenditure. This strategy is recognized valid only when:

• Determined the level of risk,
• Assessed the probability of attack and likelihood of exploitation,
• Estimated the potential damage,
• Evaluated the feasibility of potential controls,
• Performed a cost-benefit analysis, and
• Determined that the costs to control do not justify the costs to implement and 
maintain.

Monitor

The fourth and last component is to provide organizations with the means to verify compliance, evaluate effectiveness of response controls, and identify changes as an iterative feedback loop for continuous improvement in the risk-related activities of organizations. This is truly the test and audit phase of output to increase risk awareness in developing understanding of the ongoing risk. This is accomplished through tools, techniques, policy and procedure, and organizational programs.

• Assessment program that evaluates the gathering information about different aspects of the environment and practice as observed to determine the adequacy of response controls for managing identified risks.
• Conduct risk assessments based on this framework document at a defined frequency and or certain criteria defined in a procedure require it. 
• Develop metrics that are quantifiable to gauge performance or progress about how processes are functioning and provide bases for suggestion of improvements.
• Defense and mitigating responses have a reporting function either manual or automated to include change management.
• Institute security testing; however, this activity should be used with extreme caution.

Implementation at System Level

Execution of the framework within an environment is visually depicted and described below.

Core NIST Documents:

Note: Federal Information Processing Standards Publication (FIPS) Publication (PUB)

• FIPS-199, Standards for Security Categorization of Federal Information and Information Systems
• FIPS-200, Minimum Security Requirements for Federal Information and Information Systems
• NIST SP 800-18, Guide for Developing Security Plans for Systems
• NIST SP 800-30, Guide for Conducting Risk Assessments
• NIST SP 800-53, Security and Privacy Controls for Systems and Organizations
• NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories

Figure 2: System Certification & Accreditation

• Categorize: Categorize the system and the information processed, stored, and transmitted by that system based on an impact analysis.
• Select: Selecting an initial set of baseline security controls based on the categorization as well as tailoring and supplementing the security control baseline as needed.
• Implement: Implementing security controls and describing how the controls are employed within the system and its environment of operation.
• Assess: Assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
• Authorize: Management authorizes a system to operate or continue to operate based on the results of a complete and thorough security control assessment.
• Monitor: Continuously monitor the security controls to ensure that they are effective over time as changes occur in the system and the environment in which the system operates.

Conclusion

Systems are subject to threats that can have adverse effects on an organization’s operation, assets, individuals, and other entities through the exploitation of vulnerabilities that compromise confidentiality, integrity, and availability. Every decision is based on risk. The goal is not to bring risk to zero, but to an acceptable level of risk the organization is willing to tolerate. The statement is made because an organization doesn’t have unlimited resources and a perfectly secure systems is one that has no data with the power cord removed from the wall, thus non-functional.