In 2013, the President issued Executive Order 13636, directing NIST to work with stakeholders to develop a voluntary framework to reduce cyber risks to critical infrastructure.
“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties”
Executive Order 13636, Feb 12, 2013
Risk management, however, is not just applicable to government and critical infrastructure. It is important to all organizations, large and small. Below is a sample proposal outlining how an RMF can benefit a fictional mid-sized company, CyberSchlub Inc.
The CyberSchlub information systems are perhaps the most important assets of the business. These systems, and the people that operate them, are what make the CyberSchlub business work. In the digital age, CyberSchlub is increasingly reliant on these systems to drive innovation, optimize operations, and increase shareholder value.
Ensuring these systems are adequately protected has to become a boardroom priority, not only for CyberSchlub, but for businesses around the globe. Cyber-attacks aren’t limited to banks and high-profile companies anymore. Every organization is a potential target, and a cyber security incident will have a direct impact on the business. As we have seen in the past year, cyber security breaches, like those at Equifax, Uber, and OneLogin, not only have tremendous financial consequences but also cause severe damage to consumer trust. After the much-publicized Equifax breach, company revenues were down 27% in the quarter following the reporting of the breach[1]. That cost, however, is small compared to the cost of the upcoming lawsuits, the continued costs for customer credit/identity theft monitoring, and the inflicted brand damage.
With a disciplined risk management framework (RMF), CyberSchlub can have the assurance and business confidence needed to continue to drive innovation, new business endeavors, and cost-effective operations. The allocation of security controls to the right place, in the right way, at the right time, helps to ensure that CyberSchlub can maintain adequate security of its business systems. This effort, however, requires the full support of the executive team downward.
Risk Management Considerations
Risk management starts at the top level of the organization (our executives) and cascades down to individual systems, processes, and personnel. The goal is to provide a common framework for CyberSchlub to make informed business decisions, provide visibility into the risk landscape, and consistently enforce the CyberSchlub perspective on security and risk management. The RMF is focused on three critical areas: Confidentiality, Integrity, and Availability. These three elements, collectively referred to as the “CIA triad,” are vital to the continued business success of CyberSchlub.
This framework is designed and implemented so that it does not rely on specific individuals or systems. The framework is built on a risk-based approach and methodology that can apply broadly to CyberSchlub systems and processes yet can also be tailored to specific elements where needed.
The Risk Management Framework Process
Implementing a risk management framework is not a point-in-time deliverable. It is a continuous process that considers CyberSchlub’s risk tolerance, cost-effective operations, and applicable laws, regulations, or industry requirements. The RMF process takes into consideration the information systems, staff/people, processes, and external factors (e.g. outages, natural disasters, etc.). The framework follows a six-step continuous process (Figure 1). Each step feeds into the next. The cycle is designed to account for the dynamic threat landscape, updates to systems or processes, and changes to staff/personnel. The six steps in the framework are Categorize, Select, Implement, Assess, Authorize, and Monitor.
Categorization is the starting point in developing an RMF. Categorization is essential to the overall RMF process, as the majority of subsequent RMF steps are implemented based upon the outputs of this step. Categorization is the process of assessing (in categories) the potential for risk (adverse impacts) to the business represented by each business system or process with respect to compromise or loss. The categorization is used by subsequent steps to help make business decisions (cost, benefit, risk) about the appropriate controls (e.g. security and privacy) that the evaluated systems require in order to be approved for operation.
In FIPS PUB 199[2], the National Institute of Standards and Technology (NIST) detailed categorization standards to be used by federal agencies for their systems. CyberSchlub has adopted these standards. These categorizations represent the potential business impact that these systems could present if jeopardized. The standardization of categorization helps to ensure consistent results during the categorization process. This is particularly important when the categorization is being performed organization-wide by disparate stakeholders and staff. Within the guidance, the assessment is made against three security objectives: Confidentiality, Integrity, and Availability. Collectively these are known as the CIA triad. All systems are categorized and framed using these three objectives[3] within the boundaries of the CyberSchlub tolerance for risk.
- Confidentiality – ensuring access is available only to authorized users
- Integrity – ensuring that systems and information have not been improperly modified or destroyed
- Availability – ensuring that systems and information are accessible to authorized users upon request
CyberSchlub Inc. operates a number of business systems and sub-systems. These systems may require controls to ensure they adhere to adequate levels of confidentiality, integrity, and availability. The selection step of the RMF is when these controls are chosen, based upon their ability to help CyberSchlub comply with the applicable laws, regulations, industry standards, and the security guidelines framed in the CyberSchlub security plan.
The security requirements, and the corresponding controls, are determined by the CyberSchlub risk categorization (the previous step in the framework). Using the risk categorizations, baseline controls are applied to the CyberSchlub systems. Baseline controls can be widely adopted and implemented across the organization. They include a wide range of technical and procedural protections, drawn from control families such as Access Control, Media Protection, Privacy Authorization, Risk Assessment, Personnel Security, and System and Information Integrity.
Baseline controls represent the starting point for protective measures and provide a range of security and privacy protections. Baseline controls address the basics needed to meet the adequate protections required for system operation. CyberSchlub has defined a common set of baseline controls for its systems and subsystems based upon their security requirements. The baseline controls have been selected from the control families outlined in NIST SP 800-53 Rev. 5[4]. Table 1 shows the security and privacy controls from NIST.
As an example, the CyberSchlub payroll system has been assigned baseline controls from twelve control families.
Table 2 Applied Controls to CyberSchlub Payroll System
Applied Control Families:
- AC – Access Control
- PA – Privacy Authorization
- CA – Security Assessment and Authorization
- PE – Physical & Environmental Protection
- CP – Contingency Planning
- PL – Planning
- IA – Identification and Authentication
- PS – Personnel Security
- MA – Maintenance
- RA – Risk Assessment
- MP – Media Protection
- SI – System and Information Integrity
In addition to the baseline controls, the systems may also require supplementary system-specific policies and controls. These system-specific protections are referred to as tailored controls because they have been modified to address specific characteristics of the system or subsystem. The tailored controls are typically not cost-effective to implement organization-wide, and are therefore applied using a risk-based implementation model. As an example, tailored controls have been applied to the CyberSchlub payroll system for Access Control (AC), Personnel Security (PS), and System and Information Integrity (SI).
Implement
After the controls have been selected (step 2), implementation is the next step of the framework. The approach is to implement the controls (baseline and tailored) that help to ensure trust and confidence in the systems. Both technical and non-technical (procedural) controls are pragmatically implemented in alignment with the CIA categorizations. The implementation of controls must address the functional security requirements and objectives identified in the selection step of the RMF. For example, the payroll system has the following categorizations:
Confidentiality = Moderate, Integrity = High, Availability = Moderate
With the security objectives:
- Confidentiality – The sensitive payroll data must remain confidential and private
- Integrity – The system must be protected against unauthorized changes or fraud
- Availability – The system must remain operational to ensure that employees are paid
The implementation of the security controls also includes a full set of documentation of how the controls are implemented. This includes specifics for how the controls are deployed within their specific operating environment.
After the controls are implemented, it is necessary to perform a risk assessment to determine whether the controls are implemented correctly and performing as required. Risk assessments are not a one-time exercise. Threats, vulnerabilities, and staff change over time. Conducting risk assessments must be part of an ongoing business process to ensure the organization is well informed of the current threat landscape and the effectiveness of the corresponding controls. The assessment process is necessary to cost-effectively enable the CyberSchlub business objectives. It helps to ensure that CyberSchlub systems and operations are both cost-optimized and adequately protected against threats.
When we consider the CyberSchlub systems, it is important to perform a risk assessment against the security controls that have been selected and implemented. Security Assessment Reports (SARs) are one of the outputs of the assessment phase. Table 3 shows a high-level SAR for the CyberSchlub payroll system.
Table 3 CyberSchlub Payroll Security Assessment Report - Q1 2018
CyberSchlub Payroll System: Confidentiality = Moderate, Integrity = High, Availability = Moderate

| Control Family | Assessment Activity | Compliant | Non-Compliant | Risk Level |
|---|---|---|---|---|
| Access Controls (AC): multi-factor auth., step-up auth., least privilege | Pen testing for access controls, MFA, and step-up auth; 3rd party audit of privileged accounts | MFA; step-up auth | Least privilege | Low |
| Personnel Security (PS) | 3rd party audit of background checks; 3rd party audit of training compliance; employee phishing susceptibility testing | Background checks; phishing susceptibility | Staff training | Moderate |
| System & Information Integrity (SI) | Anti-malware software audit; monitoring systems audit (into SIEM); contingency/backup system testing (CP) | Anti-malware; monitoring | Contingency planning | Moderate |
The SAR highlights the control families, assessment activities, assessment results (compliant or non-compliant), and the associated risk level. In this example, the SAR shows that several of the payroll system’s controls are not in compliance with the security requirements. As a follow-up to the SAR, the CyberSchlub Security Control Assessor (SCA) has laid out a remediation plan for the non-compliant security controls. The plan includes a list of key plans of action and milestones (POA&M). An example of the payroll POA&M is included in Table 4.
Table 4 SAR Recommended Mitigation Plan

| Non-Compliant Control | Remediation Actions | Plan of Action and Milestones |
|---|---|---|
| AC – Least Privilege | Deployment of IBM Privileged Identity Manager software | June 2018 – software acquisition; Sept 2018 – deployment; reassessment Nov 2018 |
| PS – Training | Additional mandatory employee training | May 2018 – update training materials; quarterly mandatory training; reassessment Aug 2018 |
| SI – Contingency Planning | Cold site backup | May 2018 – site selection; Aug 2018 – quarterly testing of cold site begins; reassessment Oct 2018 |
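The categorization, SAR and POA&M steps above are easy to capture in a small data model, and doing so makes the authorization gate that follows checkable rather than a matter of reading tables. The following Python is an added example for this proposal, not code from the original page or from NIST. It computes the FIPS 199 security category for the payroll system and its overall impact level (the FIPS 200 "high-water mark" rule: the highest of the three objectives), loads the findings of Table 3 and the POA&M of Table 4 as constructed sample data, and checks that every non-compliant control has a POA&M entry with a reassessment date still in the future. The class and function names, and the ATO/DATO decision rule in `authorization_recommendation`, are assumptions made for this example; an actual AO decision is a management judgement, not a function.

```python
from dataclasses import dataclass
from datetime import date

# FIPS 199 impact levels, ranked so that max() picks the high-water mark.
LEVELS = {"Low": 1, "Moderate": 2, "High": 3}


@dataclass(frozen=True)
class SecurityCategory:
    """FIPS 199 security category: one impact level per CIA objective."""
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for level in (self.confidentiality, self.integrity, self.availability):
            if level not in LEVELS:
                raise ValueError(f"unknown impact level: {level!r}")

    def overall_impact(self) -> str:
        # FIPS 200 high-water mark: a system that is High for integrity is a
        # High-impact system even if confidentiality and availability are Moderate.
        return max((self.confidentiality, self.integrity, self.availability),
                   key=LEVELS.get)

    def fips199_notation(self) -> str:
        return (f"SC = {{(confidentiality, {self.confidentiality}), "
                f"(integrity, {self.integrity}), (availability, {self.availability})}}")


@dataclass
class Finding:
    """One assessed control from a Security Assessment Report (SAR)."""
    family: str       # control family identifier, e.g. "AC"
    control: str      # control assessed, e.g. "Least privilege"
    compliant: bool
    risk_level: str   # residual risk the assessor assigned to the family row


@dataclass
class PoamEntry:
    """Plan of Action and Milestones item for one non-compliant control."""
    family: str
    control: str
    remediation: str
    milestones: list
    reassessment: str  # ISO date (YYYY-MM-DD) of the planned reassessment


def open_items(findings):
    """Non-compliant findings, highest residual risk first (stable order otherwise)."""
    return sorted((f for f in findings if not f.compliant),
                  key=lambda f: LEVELS[f.risk_level], reverse=True)


def poam_gaps(findings, poam):
    """Non-compliant controls that have no POA&M entry at all."""
    covered = {(p.family, p.control) for p in poam}
    return [f for f in open_items(findings) if (f.family, f.control) not in covered]


def authorization_recommendation(findings, poam, as_of, tolerated="Moderate"):
    """Toy decision rule (an assumption of this example, not NIST guidance):
    recommend ATO when no open finding exceeds the tolerated residual risk,
    every non-compliant control has a POA&M entry, and no reassessment date
    has already passed; otherwise recommend DATO and list the reasons."""
    today = date.fromisoformat(as_of)
    reasons = []
    for f in open_items(findings):
        if LEVELS[f.risk_level] > LEVELS[tolerated]:
            reasons.append(f"open {f.risk_level}-risk finding: {f.family} {f.control}")
    for f in poam_gaps(findings, poam):
        reasons.append(f"no POA&M entry for {f.family} {f.control}")
    for p in poam:
        if date.fromisoformat(p.reassessment) <= today:
            reasons.append(f"reassessment overdue for {p.family} {p.control}")
    return ("ATO" if not reasons else "DATO"), reasons


# Constructed sample data, transcribed from Tables 3 and 4 of the proposal.
PAYROLL = SecurityCategory("Moderate", "High", "Moderate")

PAYROLL_SAR = [
    Finding("AC", "Multi-factor auth", True, "Low"),
    Finding("AC", "Step-up auth", True, "Low"),
    Finding("AC", "Least privilege", False, "Low"),
    Finding("PS", "Background checks", True, "Moderate"),
    Finding("PS", "Phishing susceptibility", True, "Moderate"),
    Finding("PS", "Staff training", False, "Moderate"),
    Finding("SI", "Anti-malware", True, "Moderate"),
    Finding("SI", "Monitoring", True, "Moderate"),
    Finding("SI", "Contingency planning", False, "Moderate"),
]

PAYROLL_POAM = [
    PoamEntry("AC", "Least privilege", "Deploy privileged identity management software",
              ["June 2018 acquisition", "Sept 2018 deployment"], "2018-11-01"),
    PoamEntry("PS", "Staff training", "Additional mandatory employee training",
              ["May 2018 update materials", "quarterly mandatory training"], "2018-08-01"),
    PoamEntry("SI", "Contingency planning", "Cold site backup",
              ["May 2018 site selection", "Aug 2018 quarterly testing begins"], "2018-10-01"),
]

if __name__ == "__main__":
    print(PAYROLL.fips199_notation(), "->", PAYROLL.overall_impact())
    for f in open_items(PAYROLL_SAR):
        print(f"open: {f.family} {f.control} ({f.risk_level})")
    print(authorization_recommendation(PAYROLL_SAR, PAYROLL_POAM, "2018-03-31"))
```

Running the script for the Q1 2018 assessment yields an overall impact of High for payroll and an ATO recommendation, because all three open findings are at or below Moderate risk and each has a POA&M with a future reassessment date. Re-running it after a milestone date has passed, or with a non-compliant control that has no POA&M entry, flips the recommendation to DATO and names the reason, which is the kind of evidence the Security Authorization Package should carry forward into continuous monitoring.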
Assessments such as the SAR are used to support business decisions and can have an organization-wide impact[6], because they can result in changes to organizational policies, technology, and/or operations. The investment in the remediation plan for the non-compliant controls must align with the organizational risk management framework (RMF). This investment level enables CyberSchlub to continue cost-effective operation of the payroll system and stay within the boundaries of the organization’s RMF.
Regular assessments are a necessary tool to identify and highlight problems, solutions, and plans. As new threats have yet to be identified, there is always uncertainty. With uncertainty comes the potential for risk. Conducting regular risk assessments as part of the RMF helps CyberSchlub to prioritize and make risk-based business decisions on how to improve the current security controls.
Authorize
The next step in the RMF process is to grant (or deny) operational approval for all information systems within CyberSchlub. The approval is granted (or denied) using risk-based decisions. There are different types of security authorizations that can be issued by the CyberSchlub Authorizing Official (AO)[7]. The AO is the CyberSchlub CISO. The AO accepts the responsibility to ensure compliance with the CyberSchlub risk management policies. The AO considers each system’s operational risk after reviewing the results of extensive testing and assessments, typically contained in the Security Authorization Package[8]. The CyberSchlub security authorization package contains the security plan, the SAR (see the sample in Table 3), and the plan of action and milestones (see the example in Table 4). The Security Authorization Package enables the AO to make a risk-based decision to authorize the operation of a system. After consideration, the AO will issue one of the following operational decisions:
- Authorization to Operate (ATO)
- Denial of Authorization to Operate (DATO)
- Interim Approval to Test (IATT)
An ATO decision is reached if the risk is determined to be acceptable within the CyberSchlub RMF. Conversely, a DATO decision is issued if the proposed operational risk is determined to be unacceptable to the business. An IATT decision can be reached if the system assessment requires live testing before an ATO or DATO decision can be made. The AO makes the official management-level decision with regard to authorization to operate. All authorizations are fully documented by the AO and include the decision rationale, the timeframe/expiration for authorized operation (e.g. 2 years, ongoing), specific conditions for operation, and reassessment details.
Monitor
The final phase of the RMF is Information Security Continuous Monitoring (ISCM)[9]. ISCM gives the CyberSchlub security staff situational awareness of the current security state through a near real-time snapshot of the effectiveness of the current security controls. All security controls within the organization are subject to ISCM. The collected data helps CyberSchlub to determine compliance with security requirements. Continuous monitoring and aggregation of security control data helps to build baselines and metrics for further evaluation, making the data more meaningful and assisting with accurately detecting anomalies or cyber security incidents that may require attention.
ISCM normally requires a combination of automated and manual processes. Automation is a critical component of monitoring, as it increases efficiency, reduces costs, and can improve the reliability of the process. Automation of ISCM helps CyberSchlub to cost-effectively monitor a greater number of systems with increased frequency. Most CyberSchlub systems have already been integrated into the CyberSchlub Security Information and Event Management (SIEM) system. The SIEM provides aggregation of data and meaningful daily reports. Manual monitoring activities are performed at a scheduled frequency and reviewed by the executive security personnel.
The output of ISCM can be used as part of the ongoing operational authorization. When a response is required, mitigating controls can be implemented immediately or added to a POA&M. Any changes or modifications to security controls are subject to configuration management to ensure that the changes to the controls comply with the security requirements, including integration into ISCM. This also includes the use of a change request process based upon NIST Special Publication 800-128[10].
Conclusion
Cyber security is a continuing process. There are no finish lines. What is secure today can be vulnerable tomorrow. Cyber criminals go after the weakest links, whether these be systems, people, or processes. Security cannot simply be an afterthought. Reactive or inconsistent application of security leaves the CyberSchlub business at risk; one major cybersecurity incident could devastate the business.
CyberSchlub must be able to innovate and adopt new business-enabling technologies to be competitive in the market. This, however, cannot come at the expense of putting the company at risk. CyberSchlub systems must be operated with trust and confidence. The application of an organization-wide Risk Management Framework helps enable the business to move forward while systematically managing risk.
The process starts from the top and goes down to each system, staffer, and process. It helps us to identify what is important to the business and what needs to be protected. It helps to identify the potential threats and implement the corresponding security controls. The framework is flexible and designed to adapt to changes in the threat landscape. It is transparent and auditable, containing documented business decisions for system operations and change management. It is cost-effective and efficient, applying security controls only when and where they are needed.
Our Risk Management Framework helps CyberSchlub to manage security and risk in a continuous cycle, constantly adapting to reduce organizational risk. Following the guidelines in this framework, CyberSchlub can continue to adopt new technology, open new business opportunities, and increase shareholder value. Security, applied in a risk-based framework, makes it all possible.
[1] Wolf Richter, Wolf Street, (Nov 2017) Equifax's data breach will cost it for months to come http://www.businessinsider.com/equifax-data-breach-will-keep-costing-it-for-months-to-come-2017-11
[2] National Institute of Standards and Technology. Federal Information Processing Standards Publication 199 (Feb 2004)
[3] National Institute of Standards and Technology. Federal Information Processing Standards Publication 199 (Feb 2004) p.2
[4] National Institute of Standards and Technology. Federal Information Processing Standards Draft Publication 800-53 Rev 5 (Aug 2017) Security and Privacy Controls for Information Systems and Organizations (Section 2.2)
[5] National Institute of Standards and Technology. Federal Information Processing Standards Draft Publication 800-53 Rev 5 (Aug 2017) Security and Privacy Controls for Information Systems and Organizations (Section 2.2)
[6] National Institute of Standards and Technology (NIST) Special Publication 800-30 Guide for Conducting Risk Assessments Sept 2012 (sec 2.3.1)
[7] Dept. of Homeland Security, Security Authorization Process Guide ver. 11.1 March 2015
[8] National Institute of Standards and Technology (NIST) Special Publication 800-37 Risk Management Framework for Systems and Organizations Rev 2 (sec 3.6)
[9] NIST Special Publication 800-137 Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations (Sept 2011)
[10] National Institute of Standards and Technology (NIST) Special Publication 800-128, Guide for Security-Focused Configuration Management of Information Systems (Aug 2011)