Organization Wide Risk Management Flashcards
NIST 800-37 vs NIST 800-39
NIST 800-37 - applying the RMF
NIST 800-39 - Managing Risk
Holistic Approach to risk management
Look at it as a whole - management of risk at both the enterprise level and the system level
Areas of focus
- Goals/mission of organization
- Relationships between the mission and business processes
- Information systems supporting the business processes/mission
What are security controls?
Processes and techniques put in place to mitigate risks
Security controls must account for
- Business impacts
- Risks
- AO acceptance
- Allocating security resources
- Consideration of risk types - different types of risk need different types of protection
Organizational Risks - 1
Information security requirements established by the enterprise are considered as important and critical as other functional requirements
A balance must be maintained when managing organizational risks from all sources
Organizational Risks - 2
The operation and use of information systems must be given adequate resources (financial and human) to minimize risk
Benefits of Organizational Risk Management
- Prioritize requirements and the allocation of resources
- Develop continuous and cost-effective solutions to problems
- Consolidate and reform solutions to simplify mgmt and enhance interoperability and communication
- Ensure concerns are integrated into the architecture, acquisition process, and SDLC (saves time and money)
Managing Risk - objective and goal
Objective - the risk mgmt program creates an atmosphere where risk from systems is considered within the structure of the enterprise architecture and in all phases of the SDLC
Goal - enable the organization to conduct its day-to-day operations and achieve its missions in a secure environment while living alongside its risks
What is Security Risk Management?
Process - managing the risk to operations that results from the use of information
Recognizing Responsibility
All-hands approach - everyone has a role in managing risk
Risk Management for Organization
Achieve an exceptional security posture given the organization's mission/goals
Risk Mgmt for Information Systems
Protect information systems from cyber attacks
FEA
Federal Enterprise Architecture - facilitates efforts to ensure that federal govt mission and business processes are market-based and helps improve citizen services
Why have Assessor Independence?
Keeps the assessment unbiased, so the AO receives the most objective information