NIST SP 800-37 Risk Management Framework for Information Systems and Organizations A System Life Cycle Approach for Security and Privacy

NIST SP 800-37

Risk Management Framework for Information Systems and Organizations

A System Life Cycle Approach for Security and Privacy

It structured into 3 level organization view, business mission and information system view.

800-37 is short for NIST SP 800-37, or NIST 800-37. 800-37 can be applied on all industry like military, airflight, etc. For IT industry it is a framework to risk management by invoking multiple NIST standards including: FIPS 199, NIST 800-53B, NIST 800-53A, etc.

ABSTRACT

Risk Management Framework (RMF) is for managing security and privacy risk, to maintain risk at an appropriate level, including:

• information security categorization
• control selection
• implementation
• assessment
• authorization
• monitoring

INTRODUCTION

1.1 BACKGROUND

Risk management by

• promoting security and privacy capabilities throughout SDLC;
• maintaining awareness of security and posture of privacy though continuous monitoring processes;
• senior leaders and executives facilitate decisions on risk;

2.1 ORGANIZATION-WIDE RISK MANAGEMENT

Managing security and privacy risk involves the entire organization.

Level One

Senior leaders’ vision, goal, objectives.

Level Two

Middle level leaders planning, managing projects on developing, implementing, operating, and maintaining  to support mission and business process.

Level Three

Information systems apply middle level leader’s project. Addressing risks, executing risk decision.

How to RMF(keywords: preparation)

Identifying business functions, processes of information systems;

Identifying key stakeholders(including external);

Identifying prioritizing assets(including information systems);

Understanding threats to information systems;

Understanding adverse effects on individuals;

Conducting risk assessments;

Identifying and prioritizing security and privacy requirements;

Determining authorization scopes;

Developing security and privacy architecture;

Tracing all risk controls during system software development lifecycle.

2.2 RISK MANAGEMENT FRAMEWORK STEPS AND STRUCTURE

Steps for implementing RMF.

1. Categorize the system by impact of loss. To learn more about please read SP 800-30 and FIPS 199.
2. Select (tailor) controls(related NIST 800-53B).
3. Implement the controls.
4. Assess (track) the controls.
5. Authorize the system or common(inherited) controls based on determination that risk is acceptable.
6. Monitor (track) the system and controls(related NIST 800-53A).

FLEXIBILITY IN RMF IMPLEMENTATION

Organization could do following adjustment: executing tasks in different order, emphasizing specific tasks, combining tasks, including Cyber Security Framework to enhancing RMF asks.

2.3 INFORMATION SECURITY AND PRIVACY IN THE RMF

The RMF require two programs to protect PII:

Security program

protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction to provide confidentiality, integrity, availability.

Privacy program

compliance with privacy requirements to protect individuals.

2.7 SECURITY AND PRIVACY POSTURE

The security and privacy posture represents:

• the status of information systems and information resources (e.g., personnel, equipment, funds, and information technology) based on information assurance resources (e.g., policies, procedures) and
• the capabilities in place to manage the defense; and
• comply with applicable privacy requirements and manage privacy risks; and
• react as the situation changes.

2.8 SUPPLY CHAIN RISK MANAGEMENT

SCRM policy(NIST 180-161) address supply chain risks.

building trust relationships and communicating with both internal and external stakeholders.

3.2 CATEGORIZE

3.3 SELECT(controls)

3.4 IMPLEMENT(controls to plans)

3.5 ASSESS( plans)

The step is optional since 3.3 SELECT, 3.4 IMPLEMENTATION has done most of jobs.

3.6 AUTHORIZATION( plans by senior management officials)

The step is optional since there are approval task in 3.1 CATEGORIZATION and 3.2 SELECT.

3.7 MONITOR

Tips

Cybersecurity Framework Profiles is another way of implementing preparing TASK P-4 in RMF.

The SDLC process is the best practice for RMF implementation.

Acronyms

SDLC, Software Development Lifecycle

SCRM, Supply Chain Risk Management

Reference

National Institute of Standards and Technology, December 2018, NIST Special Publication 800-37 Revision 2 Risk Management Framework for Information Systems and Organizations A System Life Cycle Approach for Security and Privacy, https://doi.org/10.6028/NIST.SP.800-37r2

PNNL, November 2018, Risk Management Framework Process Map, PNNL-28347.

Veracode, 2008, Understanding NIST 800‐37 FISMA Requirements.

本栏目推荐文章
• Introducing the incident management
• 微信小程序 取列表的for循环的第一个值
• SHARPNESS-AWARE MINIMIZATION FOR EFFICIENTLY IMPROVING GENERALIZATION论文阅读笔记
• 8- for循环与range（）
• 7 - for循环while循环 1+2+...+100和
• 如何让Visual Studio Tools for Unity插件用于调试你自己的Mono嵌入应用程序
• 6- for循环
• 《RAPL: A Relation-Aware Prototype Learning Approach for Few-Shot Document-Level Relation Extraction》阅读笔记
• Android Framework权限篇
• An improved LSTM-based model for identifying high working intensity load segments of the tractor load spectrum

Organizations Information Management Framework fororganizations information management framework organizations rationality management emphasized mysql configuration information for framework robot for organizations information management information_schema unexpected_information high-efficiency neighborhood aggregation information