NIST SP 800-37
Risk Management Framework for Information Systems and Organizations
A System Life Cycle Approach for Security and Privacy
The RMF is structured into three levels: the organization view, the mission/business process view, and the information system view.
800-37 is short for NIST SP 800-37 (also written NIST 800-37). It can be applied in any industry, such as the military and aviation. For the IT industry it is a risk management framework that invokes multiple NIST standards, including FIPS 199, NIST SP 800-53B, and NIST SP 800-53A.
ABSTRACT
The Risk Management Framework (RMF) manages security and privacy risk in order to keep risk at an acceptable level. Its steps include:
- information security categorization
- control selection
- implementation
- assessment
- authorization
- monitoring
INTRODUCTION
1.1 BACKGROUND
The RMF supports risk management by:
- promoting security and privacy capabilities throughout the SDLC;
- maintaining awareness of the security and privacy posture through continuous monitoring processes;
- having senior leaders and executives facilitate risk decisions.
2.1 ORGANIZATION-WIDE RISK MANAGEMENT
Managing security and privacy risk involves the entire organization.
Level One
Senior leaders set the vision, goals, and objectives.
Level Two
Middle-level leaders plan and manage projects for developing, implementing, operating, and maintaining systems that support mission and business processes.
Level Three
Information systems carry out the middle-level leaders' projects, addressing risks and executing risk decisions.
How to prepare for the RMF (keyword: preparation)
Identifying the business functions and processes supported by information systems;
Identifying key stakeholders (including external ones);
Identifying and prioritizing assets (including information systems);
Understanding threats to information systems;
Understanding adverse effects on individuals;
Conducting risk assessments;
Identifying and prioritizing security and privacy requirements;
Determining authorization scopes;
Developing the security and privacy architecture;
Tracing all risk controls throughout the system development life cycle.
2.2 RISK MANAGEMENT FRAMEWORK STEPS AND STRUCTURE
The steps for implementing the RMF are:
- Categorize the system by the impact of loss. For details, see SP 800-30 and FIPS 199.
- Select (tailor) controls (see NIST SP 800-53B).
- Implement the controls.
- Assess the controls.
- Authorize the system or common (inherited) controls based on a determination that the risk is acceptable.
- Monitor (track) the system and controls (see NIST SP 800-53A).
FLEXIBILITY IN RMF IMPLEMENTATION
Organizations can make the following adjustments: executing tasks in a different order, emphasizing specific tasks, combining tasks, and incorporating the Cybersecurity Framework to enhance RMF tasks.
2.3 INFORMATION SECURITY AND PRIVACY IN THE RMF
The RMF requires two programs to protect PII:
Security program
Protects information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
Privacy program
Ensures compliance with privacy requirements in order to protect individuals.
2.7 SECURITY AND PRIVACY POSTURE
The security and privacy posture represents:
- the status of information systems and information resources (e.g., personnel, equipment, funds, and information technology) based on information assurance resources (e.g., policies and procedures);
- the capabilities in place to manage the defense of those systems and resources;
- the ability to comply with applicable privacy requirements and manage privacy risks; and
- the ability to react as the situation changes.
2.8 SUPPLY CHAIN RISK MANAGEMENT
SCRM policy (NIST SP 800-161) addresses supply chain risks by building trust relationships and communicating with both internal and external stakeholders.
3.2 CATEGORIZE
Tasks | Outcomes
TASK C-1 SYSTEM DESCRIPTION | Create an asset list grouped by system, with parameters such as system version or release number, manufacturer and supplier information, and network topology.
TASK C-2 SECURITY CATEGORIZATION | Impact level of the system (see FIPS 199).
TASK C-3 APPROVAL | Approval of TASK C-1 and TASK C-2 by the senior management team.
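TASK C-2 is where FIPS 199 is applied. The following is an added worked example (not code from the original post, nor from NIST) of the FIPS 199 high-water-mark rule: each information type gets an impact value (LOW, MODERATE, HIGH, or N/A for the confidentiality of public information only), the system's category per objective is the highest value across its information types, and the overall system impact level is the highest value across the three objectives. The rule that N/A rises to LOW at the system level follows FIPS 199's note that a system always has at least a LOW impact on every objective. The sample information types and their impact values are constructed for illustration.

```python
"""FIPS 199 security categorization (high-water mark) worked example.

Added illustration, not code from NIST SP 800-37 or the original post.
The information types below and their provisional impact values are
constructed sample data, not values from any NIST catalog.
"""
from dataclasses import dataclass

# Ordering used for the high-water mark; N/A ranks below LOW.
IMPACT_RANK = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional FIPS 199 impact values."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _validate(level, objective):
    """Reject unknown levels and N/A outside the one case FIPS 199 permits."""
    if level not in IMPACT_RANK:
        raise ValueError(f"unknown impact level {level!r}")
    if level == "N/A" and objective != "confidentiality":
        raise ValueError("N/A is only allowed for confidentiality of public information")
    return level


def _high_water_mark(levels):
    """Highest impact level among the given levels."""
    return max(levels, key=lambda lv: IMPACT_RANK[lv])


def categorize_information(info_type):
    """Security category of a single information type as a dict per objective."""
    return {obj: _validate(getattr(info_type, obj), obj) for obj in OBJECTIVES}


def is_well_formed(info_type):
    """True if the information type's impact values are valid under FIPS 199."""
    try:
        categorize_information(info_type)
        return True
    except ValueError:
        return False


def categorize_system(info_types):
    """System security category: per-objective high-water mark across all
    information types the system processes. A system-level value can never be
    N/A, so an N/A high-water mark is raised to LOW."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    sc = {}
    for obj in OBJECTIVES:
        hwm = _high_water_mark([categorize_information(t)[obj] for t in info_types])
        sc[obj] = "LOW" if hwm == "N/A" else hwm
    return sc


def overall_impact_level(system_sc):
    """Overall impact level of the system: high-water mark across objectives."""
    return _high_water_mark(system_sc.values())


def format_sc(sc):
    """Render a category in the FIPS 199 generalized format."""
    return ("SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}"
            % tuple(sc[obj] for obj in OBJECTIVES))


# Constructed sample: three information types handled by one hypothetical system.
SAMPLE_TYPES = [
    InfoType("public web content", "N/A", "MODERATE", "MODERATE"),
    InfoType("customer contact records (PII)", "MODERATE", "MODERATE", "LOW"),
    InfoType("routine administrative data", "LOW", "LOW", "LOW"),
]

if __name__ == "__main__":
    for t in SAMPLE_TYPES:
        print(f"{t.name}: {format_sc(categorize_information(t))}")
    system_sc = categorize_system(SAMPLE_TYPES)
    print("system:", format_sc(system_sc))
    print("overall impact level:", overall_impact_level(system_sc))
```

The overall level (MODERATE for the sample data) is what drives control selection in the next step: under SP 800-53B the baseline is chosen by that single high-water-mark level, so an over- or under-categorized information type shifts the whole control set.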
3.3 SELECT (controls)
Tasks | Outcomes
TASK S-1 to S-4 CONTROL SELECTION AND TAILORING | Select and tailor controls using NIST SP 800-53B. You may create customized controls during the tailoring procedure.
TASK S-5 CONTINUOUS MONITORING STRATEGY | Control assessment using NIST SP 800-53A. You may create customized assessments for the controls tailored in TASKs S-1 to S-4.
TASK S-6 PLAN REVIEW AND APPROVAL | Approval by the senior management team.
3.4 IMPLEMENT (controls into plans)
Tasks | Outcomes
TASK I-1, I-2 | Put the controls into the SDLC design phase and the privacy plan to make sure the controls are practicable. Adjust the controls if needed.
3.5 ASSESS (plans)
This step is optional here, since 3.3 SELECT and 3.4 IMPLEMENT have already done most of the work.
3.6 AUTHORIZE (plans, by senior management officials)
This step is optional here, since there are approval tasks in 3.2 CATEGORIZE and 3.3 SELECT.
3.7 MONITOR
Tasks | Outcomes
TASK M-1 SYSTEM AND ENVIRONMENT CHANGES | Update the security and privacy plans when the operational environment changes (e.g., configuration changes). Updating the controls may also be needed.
TASK M-2, M-3, M-4, M-5 | Updated security and privacy assessment reports.
TASK M-6 | Review the security and privacy posture of the system on an ongoing basis to determine whether the risk remains acceptable.
TASK M-7 | Apply disposal controls when the system is removed from operation.
Tips
Cybersecurity Framework Profiles are another way of implementing preparation TASK P-4 in the RMF.
The SDLC process is the best practice for RMF implementation.
Acronyms
SDLC, Software Development Lifecycle
SCRM, Supply Chain Risk Management
References
National Institute of Standards and Technology, December 2018, NIST Special Publication 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, https://doi.org/10.6028/NIST.SP.800-37r2
PNNL, November 2018, Risk Management Framework Process Map, PNNL-28347.
Veracode, 2008, Understanding NIST 800-37 FISMA Requirements.
Tags: Information, Life, TASK, Privacy, privacy, controls, information, 800, NIST
From: https://www.cnblogs.com/azizos/p/17434141.html