WK 1 NIST's Risk Management Framework Flashcards
NIST
National Institute of Standards and Technology, NIST, provides many frameworks that are used by security professionals to manage risks, threats, and vulnerabilities.
7 steps in the Risk Management Framework (RMF)
Prepare
Categorise
Select
Implement
Assess
Authorise
Monitor
7 steps in RMF
Prepare
Prepare refers to activities that are necessary to manage security and privacy risks before a breach occurs.
As an entry-level analyst, you’ll likely use this step to monitor for risks and identify controls that can be used to reduce those risks.
7 steps in RMF
Categorise
Categorise is used to develop risk management processes and tasks. Security professionals then use those processes and develop tasks by thinking about how the confidentiality, integrity, and availability of systems and information can be impacted by risk.
As an entry-level analyst, you’ll need to be able to understand how to follow the processes established by your organization to reduce risks to critical assets, such as private customer information.
7 steps in RMF
Select
Select means to choose, customize, and capture documentation of the controls that protect an organization.
An example of the select step would be keeping a playbook up-to-date or helping to manage other documentation that allows you and your team to address issues more efficiently.
7 steps in RMF
Implement
Implement security and privacy plans for the organization. Having good plans in place is essential for minimizing the impact of ongoing security risks.
For example, if you notice a pattern of employees constantly needing password resets, implementing a change to password requirements may help solve this issue.
7 steps in RMF
Assess
Assess means to determine if established controls are implemented correctly. An organization always wants to operate as efficiently as possible, so it’s essential to take the time to analyze whether the protocols, procedures, and controls that are in place are meeting organizational needs. During this step, analysts identify potential weaknesses and determine whether the organization’s tools, procedures, controls, and protocols should be changed to better manage potential risks.
7 steps in RMF
Authorise
Authorise means being accountable for the security and privacy risks that may exist in an organisation.
As an analyst, the authorisation step could involve generating reports, developing plans of action, and establishing project milestones that are aligned to your organization’s security goals.
7 steps in RMF
Monitor
Monitor means to be aware of how systems are operating. Assessing and maintaining technical operations are tasks that analysts complete daily. Part of maintaining a low level of risk for an organization is knowing how the current systems support the organization’s security goals. If the systems in place don’t meet those goals, changes may be needed.
Common strategies used to manage risks include…
Acceptance: Accepting a risk to avoid disrupting business continuity
Avoidance: Creating a plan to avoid the risk altogether
Transference: Transferring risk to a third party to manage
Mitigation: Lessening the impact of a known risk
Today’s most common threats include…
Insider threat
Staff members or vendors abuse their authorized access to obtain data that may harm an organization.
Today’s most common threats include…
Advanced persistent threats (APTs)
A threat actor maintains unauthorised access to a system for an extended period of time.
Basic Formula for determining Risk
A basic formula for determining the level of risk is that risk equals the likelihood of a threat.
One way to think about this is that a risk is being late to work and threats are traffic, an accident, a flat tire, etc.
External risk
Anything outside the organization that has the potential to harm organizational assets, such as threat actors attempting to gain access to private information
Internal risk
A current or former employee, vendor, or trusted partner who poses a security risk