GRC Series: Getting familiar with the NIST Risk Management Framework

Umar Farouk
4 min read · Jul 2, 2023


The Risk Management Framework provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle. The risk-based approach to control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations.

Managing organizational risk is paramount to effective information security and privacy programs; the RMF approach can be applied to new and legacy systems, any type of system or technology (e.g., IOT, control systems), and within any type of organization regardless of size or sector.

The Overview

The NIST RMF has 6 steps:

  1. Categorize Information System: This step involves looking at the kind of data in the system. The three categories used in this framework for determining the level of controls are low, moderate and high. The number and sophistication of controls to be implemented will vary depending on the category assigned.
  • High-level controls are the most robust and expensive. Moderate controls sit between the high and low controls in terms of scope and funding. I must say that the difference between moderate and high is a lot (in terms of scope and funding), which is why most organizations that utilize the NIST RMF use the moderate category: they want to save money. The reality is that people want their data to be as secure as possible, but when they see the cost of controls, they start to feel differently.

This is probably the shortest step when implementing the NIST RMF.

The NIST Risk Management Framework

2. Select Controls: Once the systems have been categorized, the next step is to select the appropriate security controls to mitigate the risks identified in the categorization process.

This is typically done using the NIST Special Publication (SP) 800–53, which provides a catalog of security controls. In the SP 800–53 control spreadsheet, filtering on the moderate baseline picks out the moderate controls for you.

Step two does not take much time and is very easy to do.
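To make steps one and two concrete, here is an added example (not code from the article or from NIST): it derives the system category as the highest of the confidentiality, integrity and availability impact levels, which is the FIPS 199 "high-water mark" rule, and then filters a control catalog by baseline exactly the way the spreadsheet filter does. The catalog is a constructed excerpt: the identifiers follow the SP 800–53 naming form, but treat the baseline flags as illustrative and take real allocations from SP 800–53B.

```python
"""Categorize a system and select its control baseline.

Added example, not from the article. The catalog below is a constructed
excerpt: control IDs follow the SP 800-53 naming form, but the baseline
allocation flags are illustrative; real allocations come from SP 800-53B.
"""
from dataclasses import dataclass

# Impact levels in ascending order of severity (FIPS 199).
LEVELS = ("low", "moderate", "high")


def categorize(confidentiality: str, integrity: str, availability: str) -> str:
    """FIPS 199 high-water mark: the overall impact level of the system is the
    highest impact level among confidentiality, integrity and availability."""
    impacts = (confidentiality, integrity, availability)
    for level in impacts:
        if level not in LEVELS:
            raise ValueError(f"unknown impact level: {level!r}")
    return max(impacts, key=LEVELS.index)


@dataclass(frozen=True)
class Control:
    ident: str            # control or enhancement identifier, e.g. "AC-2(1)"
    title: str
    baselines: frozenset  # baselines (low/moderate/high) that include it


# Constructed catalog excerpt with illustrative baseline allocations.
CATALOG = [
    Control("AC-2", "Account Management",
            frozenset({"low", "moderate", "high"})),
    Control("AC-2(1)", "Automated System Account Management",
            frozenset({"moderate", "high"})),
    Control("AU-6", "Audit Record Review, Analysis, and Reporting",
            frozenset({"low", "moderate", "high"})),
    Control("CA-8", "Penetration Testing",
            frozenset({"high"})),
    Control("RA-5", "Vulnerability Monitoring and Scanning",
            frozenset({"low", "moderate", "high"})),
    Control("SI-4(4)", "Inbound and Outbound Communications Traffic",
            frozenset({"moderate", "high"})),
]


def select_controls(category: str, catalog=CATALOG) -> list:
    """Step two: keep only the controls allocated to the system's baseline.
    This mirrors filtering the SP 800-53 spreadsheet on one baseline column."""
    if category not in LEVELS:
        raise ValueError(f"unknown category: {category!r}")
    return [c.ident for c in catalog if category in c.baselines]


if __name__ == "__main__":
    # A system holding moderate-impact data with low integrity/availability
    # needs is categorized as moderate and gets the moderate baseline.
    category = categorize("moderate", "low", "low")
    print(category, select_controls(category))
```

Note how the high-water mark means a single moderate-impact attribute pulls the whole system, and its cost, up to the moderate baseline; that is the funding jump the article describes between categories.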

NIST Special Publication (SP) 800–53

3. Implement Controls: The third step is to implement the security controls selected in step two. This involves installing software, configuring hardware, and developing policies and procedures to ensure the controls are effective.

This step is a lot of work and you will spend the bulk of your time here.

4. Assess Controls: Assess to determine if the controls are in place, operating as intended, and producing the desired results.

  • This step is basically an audit of your controls.
  • This step is typically done by an external or independent auditor. This is because we don’t want the people in charge of the controls favorably auditing their own work.
  • The time frame for this step depends on the size of the system and could vary from as little as a couple of weeks to months.
  • This can also be done using various techniques such as vulnerability scans, penetration tests, and risk assessments.

5. Authorize Controls: An authorizing senior official makes a risk-based decision to authorize the system based on the report submitted from the audit. In an ideal scenario, the official would consider each control and say “we can accept the risk associated with not having this control” or “we have to implement this control because of the risk associated with it.”

It might sound simple, but in practice the official probably won’t read your long report and may just authorize it or dismiss it without taking out enough time to make an informed decision.

6. Monitor Controls: The final step in implementing the NIST RMF is to monitor the effectiveness of the security controls on an ongoing basis. This involves regularly reviewing logs, conducting vulnerability scans, and performing penetration tests to ensure that the controls remain effective and any new risks are identified and mitigated. There should be periodic audits.
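Steps four to six revolve around assessment records: which controls failed (the input to the authorization decision) and which ones are due for reassessment under continuous monitoring. The following added example (not code from the article) keeps a small, constructed set of assessment records and answers both questions; the reassessment frequencies are illustrative choices for the example, not values NIST prescribes.

```python
"""Track assessment findings and continuous-monitoring cadence.

Added example, not from the article. The records below are constructed and
the per-control reassessment frequencies are illustrative.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Assessment:
    control: str         # control identifier, e.g. "AU-6"
    result: str          # "satisfied" or "other than satisfied"
    assessed_on: date    # date of the last assessment
    frequency_days: int  # how often the control must be reassessed


# Constructed sample: what an assessor might hand the authorizing official.
SAMPLE_RECORDS = [
    Assessment("AC-2", "satisfied", date(2023, 5, 1), 365),
    Assessment("AU-6", "other than satisfied", date(2023, 6, 15), 30),
    Assessment("RA-5", "satisfied", date(2023, 4, 1), 30),
    Assessment("CA-8", "satisfied", date(2022, 6, 1), 365),
]


def findings(records) -> list:
    """Step four/five: controls that were not satisfied. These are the items
    the official must either accept as risk or send back for remediation."""
    return sorted(r.control for r in records if r.result != "satisfied")


def overdue(records, today: date) -> list:
    """Step six: controls whose last assessment is older than their
    monitoring frequency, i.e. evidence that is too stale to rely on."""
    return sorted(
        r.control for r in records
        if today - r.assessed_on > timedelta(days=r.frequency_days)
    )


def authorization_summary(records, today: date) -> dict:
    """Condense the records into what the authorizing official needs to see:
    open findings, stale evidence, and whether the package is clean."""
    open_findings = findings(records)
    stale = overdue(records, today)
    return {
        "findings": open_findings,
        "overdue": stale,
        "clean": not open_findings and not stale,
    }


if __name__ == "__main__":
    # Evaluated as of the article's publication date.
    print(authorization_summary(SAMPLE_RECORDS, date(2023, 7, 2)))
```

Running it as of 2 July 2023 reports AU-6 as an open finding and RA-5 and CA-8 as overdue, so the package is not clean; that is the kind of summary that gives a busy official something shorter than the full report to decide on.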

Graphic provided by Aron Lange

In Conclusion

The NIST RMF provides a structured approach to managing information security risks that can help organizations comply with federal regulations and protect their valuable data. By following the six steps outlined in this article, organizations can implement the NIST RMF and ensure that their information systems remain secure over time. It is important to note that the NIST RMF is an ongoing process that requires continuous monitoring and improvement to remain effective.

NB: The next article will take a deep dive into how to implement the NIST RMF, with a demo of course.

I hope you have found value in today’s article, consider subscribing and following me on my socials.
