Risk Framework 2007

The NIST Risk Management Framework provides key activities for managing enterprise risk including categorizing systems, selecting security controls, conducting risk assessments, documenting controls, implementing controls, assessing control effectiveness, authorizing systems, and monitoring controls. The framework is part of the overall information security program and uses standards like FIPS 199, FIPS 200, and NIST SP 800-53.

NIST Risk Management Framework

Computer Security Division


Information Technology Laboratory

National Institute of Standards and Technology


Managing Enterprise Risk
Key activities in managing enterprise-level risk (risk resulting from the operation of an information system):
- Categorize the information system (criticality/sensitivity)
- Select and tailor baseline (minimum) security controls
- Supplement the security controls based on risk assessment
- Document security controls in system security plan
- Implement the security controls in the information system
- Assess the security controls for effectiveness
- Authorize information system operation based on mission risk
- Monitor security controls on a continuous basis

Risk Management Framework

The framework is a cycle of eight steps, each mapped to the standard or guideline that governs it:

1. Security Categorization (Starting Point; FIPS 199 / SP 800-60): Define criticality/sensitivity of the information system according to potential impact of loss.
2. Security Control Selection (FIPS 200 / SP 800-53): Select baseline (minimum) security controls to protect the information system; apply tailoring guidance as appropriate.
3. Security Control Supplement (SP 800-53 / SP 800-30): Use risk assessment results to supplement the tailored security control baseline as needed to ensure adequate security and due diligence.
4. Security Control Documentation (SP 800-18): Document in the security plan the security requirements for the information system and the security controls planned or in place.
5. Security Control Implementation (SP 800-70): Implement security controls; apply security configuration settings.
6. Security Control Assessment (SP 800-53A): Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements).
7. System Authorization (SP 800-37): Determine risk to agency operations, agency assets, or individuals and, if acceptable, authorize information system operation.
8. Security Control Monitoring (SP 800-37 / SP 800-53A): Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
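The first two steps above are mechanical enough to express in code. The following added example (not NIST's code) applies the FIPS 199 high-water mark rule to a set of information types to produce the system's security category and the overall impact level that picks the SP 800-53 baseline (low, moderate or high). The information types and their impact values are constructed sample data standing in for what SP 800-60 would assign.

```python
"""FIPS 199 security categorization and baseline selection (added example)."""
from enum import IntEnum


class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample: information types handled by one system and the
# potential impact of a loss for each security objective (not from SP 800-60).
SAMPLE_INFO_TYPES = {
    "public web content": {"confidentiality": Impact.LOW, "integrity": Impact.MODERATE, "availability": Impact.MODERATE},
    "personnel records": {"confidentiality": Impact.MODERATE, "integrity": Impact.MODERATE, "availability": Impact.LOW},
    "payroll disbursement data": {"confidentiality": Impact.MODERATE, "integrity": Impact.HIGH, "availability": Impact.MODERATE},
}


def categorize_system(info_types):
    """FIPS 199: for each objective, the system's impact is the highest impact
    of any information type it handles (the high-water mark)."""
    if not info_types:
        raise ValueError("a system with no information types cannot be categorized")
    for name, impacts in info_types.items():
        missing = set(OBJECTIVES) - set(impacts)
        if missing:
            raise ValueError(f"{name!r} lacks impact values for {sorted(missing)}")
    return {obj: max(t[obj] for t in info_types.values()) for obj in OBJECTIVES}


def overall_impact(category):
    """FIPS 200: the overall impact level is the high-water mark across the
    three objectives; it selects the SP 800-53 baseline to tailor from."""
    return max(category.values())


def select_baseline(info_types):
    """Return (security category, overall impact, FIPS 199 notation string)."""
    cat = categorize_system(info_types)
    notation = "SC = {" + ", ".join(f"({o}, {cat[o].name})" for o in OBJECTIVES) + "}"
    return cat, overall_impact(cat), notation


if __name__ == "__main__":
    cat, level, notation = select_baseline(SAMPLE_INFO_TYPES)
    print(notation)
    print(f"overall impact {level.name}: start from the SP 800-53 {level.name} baseline, then tailor and supplement")
```

Note that one HIGH integrity rating on a single information type drives the whole system to the HIGH baseline; that is the point of the high-water mark and the reason tailoring and supplementation follow rather than precede categorization.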

Information Security Program

Links in the Security Chain: Management, Operational, and Technical Controls


Management and operational controls:
- Risk assessment
- Security planning
- Security policies and procedures
- Contingency planning
- Incident response planning
- Security awareness and training
- Security in acquisitions
- Physical security
- Personnel security
- Security assessments
- Certification and accreditation

Technical controls:
- Access control mechanisms
- Identification & authentication mechanisms (biometrics, tokens, passwords)
- Audit mechanisms
- Encryption mechanisms
- Boundary and network protection devices (firewalls, guards, routers, gateways)
- Intrusion protection/detection systems
- Security configuration settings
- Anti-viral, anti-spyware, anti-spam software
- Smart cards

Adversaries attack the weakest link…where is yours?


The Desired End State

Security Visibility Among Business/Mission Partners

Two organizations exchange business/mission information between their information systems. Alongside that information flow, each organization shares security information with the other, namely the artifacts the framework produces for its system:
- System Security Plan
- Security Assessment Report
- Plan of Action and Milestones

With these artifacts, Organization One can determine the risk to its own operations and assets and the acceptability of that risk, and Organization Two can do the same for its own operations and assets.

The objective is to achieve visibility into prospective business/mission partners' information security programs BEFORE critical/sensitive communications begin, establishing levels of security due diligence and trust.
Key Standards and Guidelines
- FIPS Publication 199 (Security Categorization)
- FIPS Publication 200 (Minimum Security Requirements)
- NIST Special Publication 800-18 (Security Planning)
- NIST Special Publication 800-30 (Risk Management)
- NIST Special Publication 800-37 (Certification & Accreditation)
- NIST Special Publication 800-53 (Recommended Security Controls)
- NIST Special Publication 800-53A (Security Control Assessment)
- NIST Special Publication 800-59 (National Security Systems)
- NIST Special Publication 800-60 (Security Category Mapping)

Many other FIPS and NIST Special Publications provide security standards and guidance supporting the FISMA legislation.

Contact Information

100 Bureau Drive, Mailstop 8930
Gaithersburg, MD USA 20899-8930

Project Leader:
- Dr. Ron Ross, (301) 975-5390, [email protected]

Administrative Support:
- Peggy Himes, (301) 975-2489, [email protected]

Senior Information Security Researchers and Technical Support:
- Marianne Swanson, (301) 975-3293, [email protected]
- Dr. Stu Katzke, (301) 975-4768, [email protected]
- Pat Toth, (301) 975-5140, [email protected]
- Arnold Johnson, (301) 975-3247, [email protected]
- Matt Scholl, (301) 975-2941, [email protected]

Information and Feedback:
- Web: csrc.nist.gov/sec-cert
- Comments: [email protected]
