Cyber Security Risk Management

Risk management prepares the enterprise against new attack vectors and implements controls to reduce likelihood of the attack being successful.

Sample Documents

Risk MGMT Continuous Monitoring

A continuous monitoring program keeps track of critical technical assets

Intro to Risk Management Framework (RMF)

Security triad and the 7-step risk mitigation framework

RMF Security Categorization

Setting impact levels for data in the payroll system

RMF Control Implementation

Implementation of controls in the payroll system

Topic Examples

An introduction to risk management

Understanding the basics of RMF

Documents on applying the RMF to the payroll system

Every day we hear cybersecurity professionals sound the alarm about the risks enterprises face before the close of the decade. Often the refrain in online articles sounds like this: “it’s not a question of if an attack will occur, but when”. It is the job of IT security, using a risk management approach, to prepare organizations for these worst-case scenarios. Risk management prepares the enterprise against evolving attack vectors and implements controls to reduce the likelihood of an attack succeeding.

CSO Online provides 5 fundamental steps to get your organization prepared for risk management:

Risk Identification: Analyze attack patterns and traffic trends to identify imminent risks
Get Top Management On Board: Cyber risk management should be at the core of the governance process
CSO Board Communication: It is up to the chief security officer to be informed of potential risks and defenses and to communicate them to the board
Update Incident Response: Prioritize the people, process, and technology issues to mobilize
Preach the Gospel: An active, smart program to promote a cyber-aware culture
(Cooper, 2017)

Ethical and privacy considerations are starting to play a more prominent role in the RMF. Recently, NIST added privacy-related controls into the RMF in Draft NIST Special Publication (SP) 800-37 Revision 2. NIST states the following about the revision:

“Integrating security and privacy into systems development. Building security and privacy into information systems at the initial design stage is a major concern....Supporting security and privacy safeguards. The RMF update will provide organizations with a disciplined and structured process to select controls from the newly developed consolidated security and privacy control catalog in NIST’s SP 800-53, Revision 5” (NIST, 2018).

As systems fail to support user privacy, the cyber world can expect more regulation regarding user privacy (as we see in Europe with the GDPR) and more controls placed into the RMF.


References
Cooper, C. (2017, November 16). 5 Fundamentals in Cyber Risk Management. Retrieved from https://www.csoonline.com/article/3235511/data-breach/5-fundamentals-in-cyber-risk-management.html

NIST. (2017, August). Draft NIST Special Publication 800-53 Revision 5: Security and Privacy Controls for Information Systems and Organizations. Retrieved from https://csrc.nist.gov/CSRC/media/Publications/sp/800-53/rev-5/draft/documents/sp800-53r5-draft.pdf

NIST. (2018, May 9). NIST Updates Risk Management Framework to Incorporate Privacy Considerations. Retrieved from https://www.nist.gov/news-events/news/2018/05/nist-updates-risk-management-framework-incorporate-privacy-considerations


Government Utilized Risk Management Framework (RMF)

The RMF used by government organizations fits organizations of all sizes, sectors, and maturities. While the original framework was designed for critical infrastructure, it is flexible enough for businesses to reduce risk in a structured and comprehensive manner.

How to use the RMF in an organization

  • Understand how cybersecurity risk is determined and discussed

[Figure: how cybersecurity risk is determined (NIST, 2018b)]

  • Utilize the RMF tiers to determine levels of risk

[Figure: RMF tier definitions (NIST, 2018b)]

  • Create risk profiles to understand current practices in the business environment

[Figure: example risk profile (NIST, 2018a)]

  • Prioritize and budget for cybersecurity improvement

[Figure: prioritizing and budgeting cybersecurity improvements (NIST, 2018a)]


RMF Applied to Payroll Activities

The following documents are examples of applying the government-utilized RMF approach to the payroll system:

RMF Continuous Monitoring Program
A framework to watch the critical infrastructure and apps of an organization

Intro to RMF
Security triad and the 7-step risk mitigation framework

RMF Security Categorization
Setting impact levels for data in the payroll system

RMF Control Implementation
Implementation of controls in the payroll system

References
NIST. (2018a, February 6). An Introduction to the Components of the Framework. Retrieved August 23, 2018 from https://www.nist.gov/cyberframework/online-learning/components-framework

NIST. (2018b, February 6). Uses and Benefits of the Framework. Retrieved from https://www.nist.gov/cyberframework/online-learning/uses-and-benefits-framework

NIST. (2018c, May). Draft NIST Special Publication 800-37 Revision 2: Risk Management Framework for Information Systems and Organizations. Retrieved from https://csrc.nist.gov/CSRC/media/Publications/sp/800-37/rev-2/draft/documents/sp800-37r2-draft-ipd.pdf