Risk Management
Risk management is the process of identifying risk factors throughout a project life cycle, then analyzing and responding to those risks in line with your company’s objectives. A proper risk management strategy aims at control of possible future events and is proactive rather than reactive. When assessing risk within your company, follow a suitable risk management process or framework. Of those available, the Risk Management Framework (RMF) developed by the National Institute of Standards and Technology (NIST) is among the most widely accepted in the industry. In this section I show an excerpt from my CSOL 530 course final as an example use of RMF.
Overview
As maintaining our country’s safety is a major part of our business objectives, we must continue to support the nation’s cybersecurity infrastructure by assessing and mitigating the risks that would see our efforts fail. To do this effectively we follow the Risk Management Framework (RMF) created by the National Institute of Standards and Technology (NIST), specifically the process defined in NIST Special Publication (SP) 800-37 Rev 2. RMF is effective because its risk-based approach provides a process for integrating security and risk management into our system development life cycle.
SP 800-37 Rev 2 breaks RMF into a preparatory step (Prepare) followed by six execution steps:
- Categorize
- Select
- Implement
- Assess
- Authorize
- Monitor
Preparation and Categorization
To start the process, we identify, document, and categorize our company’s information system, using NIST SP 800-60 Volume I to guide us. The purpose of this step is to categorize the system and the information it processes, stores, and transmits, based on an impact analysis similar to a Business Impact Analysis (BIA) but focused on security. The security objectives are the Confidentiality, Integrity, and Availability (CIA) of the information system, and each pertinent information type is assigned an impact value of Low, Moderate, or High for each of the three objectives.
In doing so we identify the information types for each information system we are preparing to categorize. These information types are vast: privacy, medical, proprietary, financial, investigative, contractor-sensitive, security management, and so on. Based on our company’s business and the information we protect, a public law, executive order, directive, policy, or regulation may dictate the impact levels we assign during categorization, and those levels in turn drive the control baseline we select. An example of how the CIA triad applies to a specific information type such as Protected Health Information (PHI) follows:
- Security Category (SC) = {(confidentiality, HIGH), (integrity, HIGH), (availability, LOW)}
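As an added example (not part of the original page or of the NIST publications), the following Python carries the categorization through for a system that handles several information types. The FIPS 199 high-water mark rule is what makes the overall level HIGH even though only one type is HIGH in any objective; the information types and their provisional impact values below are constructed for illustration, and the adjustment mechanism stands in for the documented deviations SP 800-60 allows.

```python
"""FIPS 199 security categorization using the high-water mark.

Added example, not from the original page or from NIST. For a system that
handles several information types, each security objective (confidentiality,
integrity, availability) takes the highest impact level found among the types,
and the overall system impact is the highest of the three objectives. The
information types and impact values below are constructed for illustration.
"""
from dataclasses import dataclass

LEVELS = ("LOW", "MODERATE", "HIGH")
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One SP 800-60 information type with its provisional impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact(self, objective):
        return getattr(self, objective)


def validate(level):
    if level not in RANK:
        raise ValueError(f"impact level must be one of {LEVELS}, got {level!r}")
    return level


def categorize_system(info_types, adjustments=None):
    """Return (per-objective SC dict, overall impact level) for a system.

    adjustments: optional {(type_name, objective): level} overrides recording a
    documented deviation from the provisional SP 800-60 value (for example
    raising availability for a mission-critical system). The rationale for
    any adjustment is expected to be documented alongside the categorization.
    """
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    adjustments = adjustments or {}
    sc = {}
    for obj in OBJECTIVES:
        levels = [validate(adjustments.get((it.name, obj), it.impact(obj)))
                  for it in info_types]
        sc[obj] = max(levels, key=RANK.__getitem__)      # high-water mark per objective
    overall = max(sc.values(), key=RANK.__getitem__)    # high-water mark across objectives
    return sc, overall


def format_sc(sc):
    """Render in FIPS 199 notation: SC = {(confidentiality, HIGH), ...}."""
    return "SC = {" + ", ".join(f"({obj}, {lvl})" for obj, lvl in sc.items()) + "}"


# Constructed example system: the PHI type from the text plus two further types.
SYSTEM_INFO_TYPES = [
    InfoType("Protected Health Information", "HIGH", "HIGH", "LOW"),
    InfoType("Contingency planning", "LOW", "MODERATE", "MODERATE"),
    InfoType("Public web content", "LOW", "LOW", "LOW"),
]

if __name__ == "__main__":
    sc, overall = categorize_system(SYSTEM_INFO_TYPES)
    print(format_sc(sc))
    print("overall impact (baseline to select):", overall)
```

Note that the availability of the system comes out MODERATE, not LOW, even though the PHI type alone is LOW on availability: the contingency-planning type raises it, and that is exactly why the categorization has to be done per system rather than per information type.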
Selecting Security Controls
After we have identified our information types and categorized our system(s), the next step is to select the appropriate security controls based on those categories. We use NIST SP 800-53 Rev 5: Security and Privacy Controls for Information Systems and Organizations to select an initial baseline of security controls for the system(s) based on the security categorization. From here we can tailor and supplement the baseline as needed, based on our organization’s assessment of risk and local conditions. Figure 2 shows the Security and Privacy Control Families as an excerpt from SP 800-53 Rev 5.
As our company aims to be prepared to combat adversarial risks by deploying countermeasures such as Contingency Planning, we also need to implement the proper controls to protect vital IC information by ensuring its integrity. To do so we look to the System and Information Integrity (SI) control family. Below is an example of a control in that family that protects our system against malicious code:
- SI-3 Malicious Code Protection validates system integrity through detection methods and technologies. Related controls: AC-4, AC-19, CM-3, CM-8, IR-4, MA-3, MA-4, RA-5, SC-7, SC-23, SC-26, SC-28, SC-44, SI-2, SI-4, SI-7, SI-8, SI-15.
Implementation of Controls
Now that we have selected our security controls, the next step is straightforward in concept: implement the controls and document how each is deployed within the system and its environment of operation. Due to the nature of our business, the impact levels we assigned under Federal Information Processing Standards (FIPS) Publication 199: Standards for Security Categorization of Federal Information and Information Systems determine which baseline we are implementing and how much rigor each control requires. In my continued example I focus on one area, protecting against malicious code:
SI-3 Malicious Code Protection, SI-4 System Monitoring
- Install and maintain antivirus software to protect systems against malware
- Use caution with links and attachments
- User training, tied to general user accounts, on common threats and proper computer security awareness
- Pop-up blocker on web browsers to prevent potentially malicious actions
- Use of accounts with limited permissions, practicing proper separation of duties and least privilege
- Disable external media AutoRun and AutoPlay features so that infected external media cannot execute malicious code automatically on our systems
- Enforcement of password policy and periodic password changes
- Software update and patch management to address system vulnerabilities
- Use of the backup solution from our contingency plan (CP) to restore the system if compromised
- Installation and use of hardware and software firewalls to block malicious traffic
- Use of anti-spyware tools to minimize the impact if malicious code is introduced
- Monitoring of accounts and logs for unauthorized use or unusual activity
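The last bullet, monitoring accounts and logs, is the part of SI-4 that has to be built rather than configured, so here is an added example of that detection logic (not code from the original page). It runs a failed-logon burst rule and a malicious-code detection rule over a few constructed log records. The record format, field names, and thresholds are assumptions made for the example; a real deployment would read Windows Security and Defender events and tune the threshold and window to the environment.

```python
"""SI-4 style monitoring of constructed log records.

Added example, not from the original page. Two rules run over the records:
  1. five or more failed logons for one user inside a 60 second sliding window,
     plus a follow-up alert if that user then logs on successfully;
  2. any malicious-code detection event (the SI-3 antivirus control reporting in).
The log format, field names and thresholds are assumptions for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: ISO-8601 UTC timestamp followed by key=value fields.
SAMPLE_LOG = """\
2024-03-04T08:00:01Z host=WS-17 event=LOGON_OK user=asmith src=10.1.4.10
2024-03-04T08:01:10Z host=WS-17 event=LOGON_FAILED user=jdoe src=10.1.4.22
2024-03-04T08:01:12Z host=WS-17 event=LOGON_FAILED user=jdoe src=10.1.4.22
2024-03-04T08:01:15Z host=WS-17 event=LOGON_FAILED user=jdoe src=10.1.4.22
2024-03-04T08:01:19Z host=WS-17 event=LOGON_FAILED user=jdoe src=10.1.4.22
2024-03-04T08:01:21Z host=WS-17 event=LOGON_FAILED user=jdoe src=10.1.4.22
2024-03-04T08:01:30Z host=WS-17 event=LOGON_OK user=jdoe src=10.1.4.22
2024-03-04T09:15:02Z host=WS-03 event=MALWARE_DETECTED user=bkim path=E:\\autorun.inf action=quarantined
2024-03-04T10:00:00Z host=WS-17 event=LOGON_FAILED user=asmith src=10.1.4.10
2024-03-04T11:00:00Z host=WS-17 event=LOGON_FAILED user=asmith src=10.1.4.10
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<rest>.*)$")
FAILED_THRESHOLD = 5            # failures per user that trip the rule (assumed)
WINDOW = timedelta(seconds=60)  # sliding window for counting failures (assumed)


def parse_line(line):
    """Split one record into (datetime, {field: value})."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields


def monitor(log_text):
    """Return the alerts raised by the two rules, in log order."""
    alerts = []
    recent_failures = defaultdict(deque)   # user -> failure timestamps inside WINDOW
    burst_users = set()                    # users that already tripped the threshold
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, f = parse_line(raw)
        ev, user = f.get("event"), f.get("user")
        if ev == "LOGON_FAILED":
            q = recent_failures[user]
            q.append(ts)
            while q and ts - q[0] > WINDOW:     # expire failures older than the window
                q.popleft()
            if len(q) >= FAILED_THRESHOLD and user not in burst_users:
                burst_users.add(user)
                alerts.append({"ts": ts, "rule": "SI-4 logon failure burst",
                               "user": user, "src": f.get("src"), "count": len(q)})
        elif ev == "LOGON_OK":
            if user in burst_users:             # success right after a burst: likely guessed password
                alerts.append({"ts": ts, "rule": "SI-4 success after failure burst",
                               "user": user, "src": f.get("src")})
                burst_users.discard(user)
        elif ev == "MALWARE_DETECTED":
            alerts.append({"ts": ts, "rule": "SI-3 malicious code detected",
                           "user": user, "host": f.get("host"),
                           "path": f.get("path"), "action": f.get("action")})
    return alerts


if __name__ == "__main__":
    for a in monitor(SAMPLE_LOG):
        print(a["ts"].isoformat(), a["rule"], {k: v for k, v in a.items() if k not in ("ts", "rule")})
```

The two failures for asmith an hour apart never trip the rule, because the sliding window discards them; jdoe's five failures within eleven seconds do, and the successful logon nine seconds later is the record an analyst would want escalated first.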
Assessment of Controls
After implementing our controls, we must make sure they function properly, as “the purpose of the assessment step is to determine if the security and privacy controls selected are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system” (NIST 800-37). What good is implementing our security controls if they don’t work? SP 800-37 also guides us here, with options for properly assessing the controls mapped to our information types, categorization, and impact levels (the detailed assessment procedures themselves live in SP 800-53A). The assessment provides the factual basis for an Authorizing Official (AO) to render an authorization decision and confirms that the implemented controls are working to lower the risk of the system.
To put this into perspective, let’s look at the assessment we recently went through, calling out a snippet focusing on Contingency Planning:
CP-2 Contingency Plan
- (CP-2.1) Coordinate with related plans.
- Assessment: Determined that the organization coordinates contingency plan development with the organizational elements responsible for related plans.
- (CP-2.2) Capacity planning.
- Assessment: Determined that the organization conducts capacity planning so that the necessary capacity exists during contingency operations for (CP-2.2.1) information processing, (CP-2.2.2) telecommunications, and (CP-2.2.3) environmental support.
- (CP-2.3) Resume essential missions/business functions.
- Assessment: Determined that the organization successfully (CP-2.3.1) defines the time period to plan for resumption of essential missions; however, there were deficiencies in the organization’s (CP-2.3.2) plans for resuming those essential missions and business functions within the organization-defined time period.
- (CP-2.4) Resume all missions/business functions.
- Assessment: The organization successfully demonstrated the ability to meet all requirements except for the deficiency noted in (CP-2.3.2).
- (CP-2.5) Continue essential missions/business functions.
- Assessment: The organization demonstrated the ability to continue essential mission functions.
- (CP-2.6) Alternate processing/storage site.
- Assessment: Determined that the organization is able to plan for and sustain the transfer of essential missions and business functions to alternate sites with little or no loss of operational continuity.
- (CP-2.7) Coordinate with external service providers.
- Assessment: Determined that the organization coordinates its contingency plan with the contingency plans of external service providers; however, a deficiency was found in that the coordination time the organization identified as appropriate was not met.
After review of the assessment, it was found that a subset of the implemented controls did not meet the requirements. When this happens, an action plan, or Plan of Action and Milestones (POA&M), is generated. It records the security findings for our system and is the basis for review when completing an Annual Assessment (AA). This is a key document in the next steps, as it is included in our overall security authorization package and in continuous monitoring activities.
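As an added example (not the page’s own material and not an official NIST or FedRAMP template), the CP-2 results above can be carried as data so that the POA&M falls out mechanically. The script below does that, assigning each open finding a scheduled completion date from the system’s impact level, and also flags entries whose scheduled completion has passed, which is the check continuous monitoring later repeats. The field names, the remediation window per impact level, the owner, and the dates are all assumptions.

```python
"""From SP 800-53A determinations to a Plan of Action and Milestones (POA&M).

Added example, not from the original page or from any NIST/FedRAMP template.
It records the CP-2 assessment results described above as data, derives one
POA&M entry per "other than satisfied" determination, and flags entries whose
scheduled completion has passed. Remediation windows, owner, dates and field
names are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

SATISFIED = "S"              # SP 800-53A determination values
OTHER_THAN_SATISFIED = "O"


@dataclass(frozen=True)
class Determination:
    control: str       # control or enhancement, e.g. "CP-2.3.2"
    result: str        # SATISFIED or OTHER_THAN_SATISFIED
    statement: str     # assessor's finding


# Assumed remediation window by system impact level (organizational policy, not NIST).
REMEDIATION_DAYS = {"HIGH": 30, "MODERATE": 90, "LOW": 180}

# The CP-2 results from the assessment above, encoded as data.
CP2_RESULTS = [
    Determination("CP-2.1", SATISFIED, "Coordinates contingency plan with related plans."),
    Determination("CP-2.2", SATISFIED, "Conducts capacity planning for contingency operations."),
    Determination("CP-2.3.1", SATISFIED, "Defines the time period for resuming essential missions."),
    Determination("CP-2.3.2", OTHER_THAN_SATISFIED,
                  "Plans do not support resumption of essential missions within the defined time period."),
    Determination("CP-2.4", SATISFIED, "Resumes all missions except where CP-2.3.2 is deficient."),
    Determination("CP-2.5", SATISFIED, "Continues essential mission functions."),
    Determination("CP-2.6", SATISFIED, "Transfers essential functions to alternate sites."),
    Determination("CP-2.7", OTHER_THAN_SATISFIED,
                  "Coordination time with external service providers did not meet the identified target."),
]


def _as_date(value):
    """Accept a date or an ISO-8601 string."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def build_poam(determinations, impact, opened_on, owner):
    """One POA&M entry per finding that is other than satisfied, in assessment order."""
    if impact not in REMEDIATION_DAYS:
        raise ValueError(f"unknown impact level {impact!r}")
    opened_on = _as_date(opened_on)
    window = timedelta(days=REMEDIATION_DAYS[impact])
    poam = []
    for d in determinations:
        if d.result == SATISFIED:
            continue
        if d.result != OTHER_THAN_SATISFIED:
            raise ValueError(f"{d.control}: unknown determination {d.result!r}")
        poam.append({
            "poam_id": f"POAM-{len(poam) + 1:03d}",
            "control": d.control,
            "weakness": d.statement,
            "owner": owner,
            "date_identified": opened_on,
            "scheduled_completion": opened_on + window,
            "status": "Open",
        })
    return poam


def overdue(poam, as_of):
    """Entries still open past their scheduled completion; the input to continuous monitoring."""
    as_of = _as_date(as_of)
    return [e for e in poam if e["status"] == "Open" and e["scheduled_completion"] < as_of]


if __name__ == "__main__":
    items = build_poam(CP2_RESULTS, "HIGH", "2024-03-01", "ISSO")
    for e in items:
        print(e["poam_id"], e["control"], "due", e["scheduled_completion"], "-", e["weakness"])
    print("overdue as of 2024-04-15:", [e["poam_id"] for e in overdue(items, "2024-04-15")])
```

Keeping the determinations as data rather than prose is what makes the Annual Assessment comparison cheap: next year's results can be diffed against this list, and any entry that is still open past its scheduled completion surfaces automatically.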
Authorization of the System
The Authorization step’s purpose is just that: to authorize system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from operation of the system, and a decision on whether that risk is acceptable. Looking at a very small section of our assessment pertaining to the Contingency Planning controls, we can see where we stand from a risk perspective.
This is followed by an example the AO provided using a modified Federal Risk and Authorization Management Program (FedRAMP) template.
You can see the assessment was completed and the AO identified several items for which we had to draft an action plan and a path to remediation, given the high impact of our information system and the risk those deficiencies presented. As these were not acceptable risks, we agreed with the AO on a reasonable amount of time to implement and test our remediation plan(s), and gained an Authorization to Operate (ATO).
Continuous Monitoring
Having gone through the RMF life cycle, we must maintain our security posture and authorization by continuously monitoring the effectiveness of selected security controls, documenting any changes to the system or our environment of operation, conducting a security impact analysis of those changes, and reporting the security state of the system to our security officials and the customer’s AO. Once the system is in operation we do not stop assessing it or the changes made to its controls. This is not something we “set and forget”: risks change and new risks arise. By continuously monitoring the system we can adapt to changes in how it is used and to vulnerabilities as they appear, and stay proactive in mitigating risk.
An example of monitoring our systems, specifically our desktop computers, is to use Security Technical Implementation Guides (STIGs), which provide a standardized methodology for secure installation and maintenance of systems, published by the Defense Information Systems Agency (DISA) for the Department of Defense (DoD).
The following table is another snippet from our Continuous Monitoring Strategy Guide and summarizes the required frequency of each continuous monitoring activity needed to ensure the security of our information system. Ongoing continuous monitoring activities must be represented in the System Security Plan (SSP), the main document of a security package, which describes the security controls in use on the information system and their implementation.
CSOL 530 Reflections
Learning the importance of a Risk Management plan is nice, but actually going through the process from start to finish during the CSOL 530 course was an invaluable experience. While the assessment completed is against a fictitious information system, the concepts in practice will assist in ensuring I am successful during future RMF assessments in my career. During this course we were partnered with another student to assess whether or not certain physical controls were applicable or practical when comparing a brick and mortar facility vs. a mobile facility (such as a Forward Operating Base out in the desert). Our objective system to protect was a personal desktop computer, running the Windows 10 Secure Host Baseline (SHB), acting as a medium for users to access multiple compute and document resources for a United States Government (USG) classified system. In one of the modules for implementing security controls we looked at how the implementation of physical access controls, based on the NIST SP 800-53 Physical and Environmental Protection family’s PE-3 security control, varies between an established brick and mortar facility and a temporary mobile site.
We also compared the estimated cost to physically protect our asset within a physical location versus a temporary one, then assessed whether it is worth going through the trouble of protecting our asset in either location. We found that, according to the NIST Risk Management Framework (RMF), before we can implement security controls we first need to categorize the information systems and the information processed, stored, and transmitted by that system based on an impact analysis. Then we select an initial set of baseline security controls for the information systems based on the security categorization, tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions. Most members in our course found it difficult in concept to apply physical controls to certain devices like mobile phones or tablets.
We implemented security controls based on security and privacy plans; however, in this case study we did not have enough information to provide a more customized recommendation. Our proposed implementation of the PE-3 Physical Access Control baseline includes:
1. Access IDs, man traps, perimeter fences and guards to enforce physical access authorizations at [organization-defined entry and exit points to the facility where the system resides] by
- Verifying individual access authorizations before granting access to the facility
- Controlling ingress and egress to the facility using [organization-defined physical access control systems or devices], [guards], etc.
2. Maintain physical access audit logs for [organization-defined entry/exit points] via electronic and physical logging methods, such as a logbook and a centralized logging server to track each time an access point is authenticated against.
3. Clearly mark, via signage, areas of the facility that are publicly accessible versus those needing authorized access. Provide [organization-defined security safeguards] to control access to areas within the facility designated as publicly accessible.
4. Authorized personnel available to escort visitors and monitor visitor activity under [organization-defined circumstances requiring visitor escorts and monitoring].
5. Lock-box to maintain and house secure keys, combinations, and other physical access devices.
6. Audits done by authorized personnel to inventory [organization-defined physical access devices] every [organization-defined frequency].
7. Authorized personnel to change combinations and keys [organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.
We found that both locations are similar because our Personal Desktop Computer system’s overall categorization impact is High regardless of the location. However, it is clear that there are many challenges to implementing the PE-3 Physical Access Control baseline in non-brick and mortar temporary locations. It is at a temporary mobile site that we begin to lose some ability to maintain our categorization level for mission-based information systems. As we will not have established permanent utilities to power all of the PE-3 controls we had in our physical facility, controls like man traps and centralized badge access systems are not realistic. However, the remaining controls defined in SP 800-53 for PE-3 are possible within realistic budgetary constraints. Enforcing controls 2, 3, and 5 might be challenging in non-brick and mortar temporary locations. In these scenarios the System Access control enhancement becomes even more important.
For example, if our Personal Desktop Computer system were in a tent or other temporary location in the desert, we would need to focus even more on other security controls, beyond PE-3, so we could meet our mission-based categorization impact. Our Personal Desktop Computer system would have to include anti-tampering hardware controls, encryption, strong authentication mechanisms such as smart cards and biometrics, controls against natural disasters, etc. As such, our ability to maintain a high category level of protection for our system goes beyond securing physical facilities; it must incorporate the vast majority of related security controls to further enhance PE-3’s capabilities.
Risk Management References
FIPS PUB 199: Standards for Security Categorization of Federal Information and Information Systems
NIST SP 800-53 Revision 5: Security and Privacy Controls for Information Systems and Organizations
NIST SP 800-30 Revision 1: Guide for Conducting Risk Assessments
NIST SP 800-37 Revision 2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy