The Risk Management Framework (RMF) was developed by NIST and DoD as a six-step process. The intent of this common framework is to improve information security, strengthen risk management processes, and encourage reciprocity among federal agencies.
Characteristics of RMF:
· Promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes.
· Encourages the use of automation to provide senior leaders the necessary information to make cost-effective, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions.
· Integrates InfoSec into the enterprise architecture and system development life cycle, and emphasizes the selection, implementation, assessment, and monitoring of security controls, and the authorization of information systems.
· Links risk management processes at the information system level to risk management processes at the organization level through a risk executive.
· Establishes responsibility and accountability for security controls deployed within organizational information systems and inherited by those systems.
Risk Management Framework Steps:
1. Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.
2. Select an initial set of baseline security controls for the information system based on the security categorization, tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions.
3. Implement the security controls and describe how the controls are employed within the information system and its environment of operation.
4. Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
5. Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system, and the decision that this risk is acceptable.
6. Monitor the security controls in the information system on an ongoing basis, including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.
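The following is an added example, not part of the original post or of the Whitman and Mattord text, showing steps 1, 2 and 6 of the process above as working code. Step 1 applies the FIPS 199 high-water-mark rule (the system's level for each of confidentiality, integrity and availability is the highest level of any information type it handles, and the overall categorization is the highest of those three); that rule comes from FIPS 199 and goes beyond what the post states. The information types, the baseline control sets and the assessment results are constructed sample data, and the control identifiers are used as labels only, not as the real SP 800-53 baseline allocation.

```python
"""Added example: a small model of RMF steps 1 (categorize), 2 (select) and 6 (monitor).

The high-water-mark rule is from FIPS 199 (an assumption beyond the post);
all sample data below is constructed and does not describe a real system.
"""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass
class InfoType:
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact


def categorize(info_types):
    """Step 1: per-objective high-water mark, then the overall system level."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    per_objective = {
        "confidentiality": max(t.confidentiality for t in info_types),
        "integrity": max(t.integrity for t in info_types),
        "availability": max(t.availability for t in info_types),
    }
    overall = max(per_objective.values())
    return per_objective, overall


# Step 2: sample baseline control sets keyed by categorization.  The identifiers
# are only labels here; this is NOT the real SP 800-53 baseline allocation.
BASELINES = {
    Impact.LOW: {"AC-2", "AU-2", "IA-2"},
    Impact.MODERATE: {"AC-2", "AU-2", "IA-2", "CM-3", "SI-4"},
    Impact.HIGH: {"AC-2", "AU-2", "IA-2", "CM-3", "SI-4", "IR-4", "SC-7"},
}


def select_baseline(overall, tailored_out=(), supplemental=()):
    """Step 2: start from the baseline, tailor (remove) and supplement (add) controls."""
    controls = set(BASELINES[overall])
    controls -= set(tailored_out)
    controls |= set(supplemental)
    return controls


@dataclass
class ControlStatus:
    control: str
    implemented: bool
    operating_as_intended: bool


def monitor(selected, statuses):
    """Step 6: report which selected controls are satisfied, failing or unassessed."""
    by_id = {s.control: s for s in statuses}
    report = {"satisfied": [], "failing": [], "unassessed": []}
    for cid in sorted(selected):
        s = by_id.get(cid)
        if s is None:
            report["unassessed"].append(cid)  # selected but never assessed
        elif s.implemented and s.operating_as_intended:
            report["satisfied"].append(cid)
        else:
            report["failing"].append(cid)  # implemented but not working, or absent
    return report


# Constructed sample: a payroll system handling two information types.
SAMPLE_TYPES = [
    InfoType("employee PII", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    InfoType("payroll disbursement", Impact.LOW, Impact.HIGH, Impact.MODERATE),
]

# Constructed sample assessment results for step 6.
SAMPLE_STATUSES = [
    ControlStatus("AC-2", True, True),
    ControlStatus("AU-2", True, False),
    ControlStatus("IA-2", True, True),
    ControlStatus("CM-3", True, True),
    ControlStatus("SI-4", True, True),
    ControlStatus("IR-4", True, True),
]

if __name__ == "__main__":
    per_objective, overall = categorize(SAMPLE_TYPES)
    print("categorization:", {k: v.name for k, v in per_objective.items()}, overall.name)
    selected = select_baseline(overall, tailored_out=["SC-7"], supplemental=["PL-8"])
    print("selected controls:", sorted(selected))
    print("monitoring report:", monitor(selected, SAMPLE_STATUSES))
```

Running it shows why the steps chain: the payroll disbursement type's HIGH integrity rating drives the whole system to HIGH, which pulls in the larger baseline, and the monitoring report then surfaces AU-2 as failing and the supplemental PL-8 as never assessed, which is exactly the kind of status step 6 expects to be reported to the authorizing official.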
Source: Management of Information Security by Michael E Whitman
and Herbert J. Mattord
