Risk Management Framework (RMF)

Abstract

The Risk Management Framework provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle. The risk-based approach to control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations (NIST Risk Management Framework | CSRC, 2016, November 30). With several risk management frameworks to select from, it may be difficult or complicated for an organization to pick the one that is right for it and to tailor that framework to its needs. The risk management frameworks discussed in this blog are "Operationally Critical Threat, Asset, and Vulnerability Evaluation" (OCTAVE), "Factor Analysis of Information Risk" (FAIR), the "Facilitated Risk Analysis Process" (FRAP), and the "Risk Management Framework" (RMF).


Introduction of Risk Management Frameworks


OCTAVE Allegro

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Allegro is a qualitative methodology used in risk analysis (Software Engineering Institute, 2007). Because it is a qualitative method, it uses simple rating scales (e.g., low, medium, or high) to rate assets relative to one another. There are other versions of this methodology, such as OCTAVE and OCTAVE-S, each with different specifications. For example, OCTAVE is meant for large organizations with more than 300 employees. OCTAVE-S, on the other hand, is designed for smaller organizations of around 100 people or fewer and is more structured than OCTAVE. The analysis team must also have extensive knowledge of the organization when using OCTAVE-S.

As for OCTAVE Allegro, the differentiating factor is that this approach focuses solely on information assets: how and where they are used, and how they are consequently exposed to threats, vulnerabilities, and disruptions. Additionally, it may be used by analysts who lack expert knowledge or specialized skill sets within the organization, because the method does not depend on such expertise to meet its objectives. That makes it a good option when getting started in risk analysis.

OCTAVE Allegro consists of eight steps organized into four phases (Software Engineering Institute, 2007). In the first phase, the business develops risk measurement criteria that align with its organizational drivers. Next, the assets rated "critical" are profiled. During profiling, the boundaries of each asset are established, its security requirements are defined, and all locations where the asset is stored, transported, or processed are identified. Phase three identifies threats to the information asset at each of the locations found during profiling. Lastly, risks to the information assets are identified and analyzed, and mitigation approaches are selected.

FAIR

Factor Analysis of Information Risk (FAIR) is an international standard quantitative model for information security and operational risk (FAIR Institute, 2020). The most significant difference that sets it apart from the other frameworks is that it is a quantitative method of risk analysis. Because it is quantitative, it uses numerical data to calculate risk rather than the qualitative approach of rating assets against each other on simple scales.

FAIR is made up of four stages consisting of ten steps in total (Jones, n.d.). The first stage is the identification of scenario components; its steps identify an asset at risk and the threats that may affect that asset. Stage two is the evaluation of Loss Event Frequency (LEF). This is the most involved stage, because several other variables feed into LEF: Threat Capability (TCap) and Control Strength (CS), from which Vulnerability (Vuln) is derived. Essentially, it calculates the likelihood that a threat will cause harm to an asset within a given timeframe. Stage three is the evaluation of Probable Loss Magnitude (PLM), in which both worst-case loss and probable loss are calculated. Finally, the last stage derives and articulates risk as the frequency and magnitude of future loss.
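The factor chain in stages two to four is easiest to see with numbers. The Python below is an added worked example written for this post, not FAIR Institute material. It assumes the usual FAIR reading of the factors named above: Vulnerability is the probability that a sampled Threat Capability exceeds a sampled Control Strength, LEF is TEF multiplied by Vulnerability, and annualized risk is LEF multiplied by PLM. The min / most likely / max ranges and the credential-stuffing scenario are constructed illustrations, and the "add MFA" comparison shows how a control change propagates through the chain.

```python
"""Added FAIR-style risk computation (illustrative, not FAIR Institute code).

Factor chain as described in the post:
  TCap vs CS  -> Vuln        (does the threat's capability beat the control?)
  TEF x Vuln  -> LEF         (threat events that become loss events per year)
  LEF x PLM   -> annualized loss (frequency x magnitude)
All ranges below are constructed examples, not calibrated data.
"""
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Estimate:
    """A calibrated estimate expressed as minimum / most likely / maximum."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        if self.low == self.high:  # point estimate: nothing to sample
            return self.low
        # random.triangular's argument order is (low, high, mode)
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    tef: Estimate   # Threat Event Frequency: threat events per year
    tcap: Estimate  # Threat Capability, as a percentile in [0, 1]
    cs: Estimate    # Control Strength (resistance), as a percentile in [0, 1]
    plm: Estimate   # Probable Loss Magnitude per loss event, in currency units


def derive_vulnerability(tcap: float, cs: float) -> float:
    """One trial: the threat succeeds only if its capability exceeds the control."""
    return 1.0 if tcap > cs else 0.0


def loss_event_frequency(tef: float, vuln: float) -> float:
    """LEF = TEF x Vuln."""
    return tef * vuln


def percentile(values, p):
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(p * len(ordered)))]


def simulate(scenario: Scenario, trials: int = 10_000, seed: int = 1) -> dict:
    """Monte Carlo over the factor ranges. Returns mean Vuln, mean LEF, and the
    mean and 90th percentile of annualized loss (LEF x PLM)."""
    rng = random.Random(seed)
    vulns, lefs, losses = [], [], []
    for _ in range(trials):
        vuln = derive_vulnerability(scenario.tcap.sample(rng), scenario.cs.sample(rng))
        lef = loss_event_frequency(scenario.tef.sample(rng), vuln)
        vulns.append(vuln)
        lefs.append(lef)
        losses.append(lef * scenario.plm.sample(rng))  # always sample, keeps RNG streams aligned
    return {
        "vuln": mean(vulns),
        "lef": mean(lefs),
        "ale_mean": mean(losses),
        "ale_p90": percentile(losses, 0.90),
    }


# Constructed scenario: credential stuffing against a customer portal.
BASELINE = Scenario(
    tef=Estimate(2, 6, 12),
    tcap=Estimate(0.3, 0.6, 0.9),
    cs=Estimate(0.3, 0.5, 0.7),  # password-only login
    plm=Estimate(20_000, 80_000, 300_000),
)
# Same scenario after adding MFA: only Control Strength changes.
WITH_MFA = Scenario(BASELINE.tef, BASELINE.tcap, Estimate(0.6, 0.8, 0.95), BASELINE.plm)


def compare(trials: int = 10_000, seed: int = 1):
    """Run both scenarios with the same seed so the control change is the only difference."""
    return simulate(BASELINE, trials, seed), simulate(WITH_MFA, trials, seed)


if __name__ == "__main__":
    for label, r in zip(("baseline", "with MFA"), compare()):
        print(f"{label:9s} Vuln={r['vuln']:.2f}  LEF={r['lef']:.2f}/yr  "
              f"annualized loss mean={r['ale_mean']:,.0f}  p90={r['ale_p90']:,.0f}")
```

Two things to notice when reading the output: the risk figure is a distribution, so reporting a 90th percentile alongside the mean is what separates a FAIR-style quantitative result from a single "medium" rating; and because every factor is sampled even in trials where Vulnerability is zero, the two scenarios consume identical random streams, so the only thing that moves the result is the control strength range.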

FRAP

The Facilitated Risk Analysis Process (FRAP) was created by Thomas Peltier and is another qualitative risk analysis method (Peltier, 2000). It is used as a risk assessment methodology when an organization is under tight time constraints. Previously, risk analysis processes were usually viewed as long and expensive; FRAP aims to be cost-effective by drawing on the knowledge of experts already employed in the organization.

The assessment is conducted within 4 to 8 hours, with recommendations produced a few days later. Because it moves so quickly, the method relies on the skills and knowledge of the people employed within the organization. However, data from outside resources, such as observed trends, may still be used to inform the decision-making process.

Prior to the main risk analysis meeting, it is advised that a pre-meeting be held to agree on five items. A scope statement must be drafted to put the initiative into perspective. Next, visual diagrams must be gathered to aid the risk analysis process. The leaders of the meeting must also select the team members who will take part in the lengthy session. The location and time of the meeting must be determined. Most importantly, terms must be defined so that all participants share an understanding of them, because a common mistake is to use these terms interchangeably. The terms include confidentiality, integrity, availability, accountability, risk, threat, vulnerability, impact, and control.

NIST RMF

The National Institute of Standards and Technology (NIST) is part of the United States Department of Commerce. NIST created the Risk Management Framework to provide guidelines for managing security and privacy risk. It is mandatory for Federal government use, but may also be applied to any type of nonfederal organization. State, local, and tribal governments, as well as private sector organizations, are encouraged to use the guidelines if needed. The framework covers information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring (NIST, 2018).

RMF is implemented in seven steps, each summarized below:

  1. Prepare: In the first step, we prepare the organization to execute the RMF at the system level by establishing priorities for managing security and privacy risk.
  2. Categorize: In step two, we categorize the system based on the information it processes, stores, and transmits, according to the impact of a loss of that information.
  3. Select: In step three, we select a set of controls for the system, tailoring the controls as needed to reduce risk to an acceptable level based on our risk assessment.
  4. Implement: In step four, we implement the controls within the system as planned and describe how they are deployed.
  5. Assess: In step five, we verify that the controls were implemented correctly, are operating as intended, and are producing the desired outcome with respect to the security and privacy requirements.
  6. Authorize: In step six, we authorize access for those individuals who require it, based on the level of acceptable risk, including risk to other organizations.
  7. Monitor: In step seven, we monitor control effectiveness on an ongoing basis while reviewing any changes to the system, its documentation, or its operation.

References:

NIST Risk Management Framework | CSRC. (2016, November 30). NIST. https://csrc.nist.gov/projects/risk-management/about-rmf

Violino, B. (2010, May 3). IT risk assessment frameworks: real-world experience. CSO Online. https://www.csoonline.com/article/2125140/it-risk-assessment-frameworks-real-world-experience.html

FAIR Institute. (n.d.). The Importance and Effectiveness of Cyber Risk Quantification. Retrieved March 24, 2021, from https://www.fairinstitute.org/what-is-fair

NIST. (2018, December). NIST Special Publication 800-37, Revision 2. Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf

Peltier, T. R. (2000). Facilitated Risk Analysis Process (FRAP). Retrieved from http://ittoday.info/AIMS/DSM/85-01-21.pdf

Caralli, R. A., et al. (2007). Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process. National Technical Reports Library (NTRL). https://ntrl.ntis.gov/NTRL/dashboard/searchResults/titleDetail/ADA470450.xhtml
