Introduction to the National Institute of Standards and Technology Cybersecurity Framework, also known as the CSF. This program is designed to give you an understanding of the NIST Cybersecurity Framework and how to implement it. In this course, we focus on providing an overview of the risk management process. The framework helps guide key decision points about risk management activities through the various levels of an organization, from senior executives, to the business and process level, to implementation and operations. The executive level communicates the mission priorities, available resources and overall risk tolerance to the business or process level. The business or process level uses that information as input into the risk management process and then collaborates with the implementation and operations level to communicate business needs and create a profile. The implementation and operations level communicates the profile and implementation progress back to the business and process level. The business and process level uses this information to perform an impact assessment. Business and process level management reports the outcomes of that impact assessment to the executive level, to inform the organization's overall risk management process, and to the implementation and operations level, for awareness of business impact. Let's look at managing risk next. Each organization processes and addresses risk based upon internal specifications, external stakeholder needs and organizational requirements. This general starting point for risk management is called the risk framework. Many frameworks exist, based on location, industry and methodology. Each framework provides references for evaluating risk and for how risks are managed in the organization.
To integrate a risk management process throughout the organization, a three-tiered approach is employed that addresses risk at the organization level, the mission or business process level and the information system level. Tier one addresses risk from the organizational perspective. Tier one implements the first component of risk management, risk framing, and provides the context for all risk management activities carried out by the organization. Tier two addresses risk from a mission or business process perspective and is informed by the risk context, risk decisions and risk activities at tier one. Tier three addresses risk from an information system perspective and is guided by the risk context, risk decisions and risk activities at tiers one and two, which influence the ultimate selection and deployment of safeguards and countermeasures, such as security controls, needed at the information system level. The three respective levels, or tiers, of cybersecurity risk management described in the Cybersecurity Framework and in NIST Special Publication 800-39, Managing Information Security Risk, are equivalent. The 800-39 levels and roles are referenced throughout Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems. In NIST's definition, risk management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organization's mission. The objectives are to achieve an acceptable level of information security, to establish well-informed decisions and justifications, and to assist in authorization decisions. SP 800-37 provides guidelines for applying the RMF, the Risk Management Framework, and promotes the concept of near real-time risk management and ongoing system authorization through the implementation of continuous monitoring processes.
It provides senior leaders the information to make risk-based decisions for their systems, integrating information security into the enterprise architecture and the system development life cycle. The document describes how to apply the RMF, the Risk Management Framework, to systems through a six-step process: the categorization of information and systems based on the FIPS 199 categorization standard; the selection of controls from a control catalog such as SP 800-53 or SP 800-171; the implementation of the controls listed in your System Security Plan, your SSP; the assessment of control effectiveness, documented in your Security Assessment Report (SAR), with any weaknesses tracked in your Plan of Action and Milestones (POA&M); the authorization of the system, which is your ATO, or an IATO or PATO depending on whether you are under DIACAP; and ongoing monitoring of the controls and of the security state of the system, supported by SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations. The equivalence of the Cybersecurity Framework and 800-39 organizational levels, and the alignment of 800-37 with the 800-39 levels, help illustrate the organizational levels across all three risk management publications: the CSF, SP 800-37 and SP 800-39. Just remember, Special Publication 800-39 is supported by 800-37, and it provides the processes and roles for cybersecurity risk management. The CSF provides a structure for organizing cybersecurity risk management through activities like reconciling cybersecurity requirements. You should have an understanding of how the publications listed on the screen work together to carry out the risk management process. For example, in order to conduct your risk management, you need to establish your initial security baselines and controls based on the categorization of your systems.
This is where you leverage FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, which helps you classify your systems, and the potential impact to the organization's ability to accomplish its mission, protect its assets, fulfill its legal responsibilities and maintain day-to-day functions, as low impact, moderate impact or high impact. A low impact system is one where a loss would have a limited adverse effect on organizational operations, organizational assets or individuals. A moderate impact system is one where a loss would have a serious adverse effect on organizational operations, missions, assets, finances or individuals. A high impact system is one where a loss would have a severe or catastrophic adverse effect on organizational operations, missions, assets, finances or individuals, including loss of life or life-threatening injury. FIPS 199 is used in conjunction with Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, to identify all information types processed, stored and transmitted by your systems. If you are in the federal government, you have used FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, to help establish your minimum levels of due diligence and facilitate a more consistent, comparable and repeatable approach for selecting and specifying security controls for your systems. Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, is a control framework, just like ITIL, the Information Technology Infrastructure Library, which looks at change control and service management, or the ISO/IEC 27000 series, which defines an information security management system and a set of standards similar to 800-53. The International Organization for Standardization, ISO, and the International Electrotechnical Commission, IEC, are the bodies behind what we are calling the 27000 series here.
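The categorization step described above (FIPS 199 impact levels, SP 800-60 information types, and the FIPS 200 high-water mark that selects the SP 800-53 baseline) is mechanical enough to be worth seeing in code. The following is an added example, not material from the course or from NIST; the information-type catalog and its provisional impact levels are constructed assumptions for illustration, not values quoted from SP 800-60 Volume II. It applies the FIPS 199 rules that NA (not applicable) may be assigned only to the confidentiality of an information type, that the system-level category is the highest impact over all information types per objective with LOW as the floor, and that the overall impact level is the highest of the three objectives.

```python
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact values. NA (not applicable) is permitted only
    for the confidentiality objective of an information type (e.g. public data)."""
    NA = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed catalog of information types with provisional (C, I, A) impact
# levels. These are illustrative assumptions, not values from SP 800-60 Vol. II.
INFO_TYPE_CATALOG = {
    "public web content": (Impact.NA, Impact.MODERATE, Impact.LOW),
    "employee payroll records": (Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "incident response data": (Impact.HIGH, Impact.HIGH, Impact.MODERATE),
}


def categorize_info_type(name, adjustments=None):
    """Security category of one information type as {objective: Impact}.

    `adjustments` is an optional {objective: Impact} mapping recording an
    SP 800-60 style adjustment of a provisional level (the written
    justification belongs in the categorization document, not here)."""
    c, i, a = INFO_TYPE_CATALOG[name]
    sc = dict(zip(OBJECTIVES, (c, i, a)))
    for objective, level in (adjustments or {}).items():
        if objective not in OBJECTIVES:
            raise ValueError(f"unknown security objective: {objective}")
        if level is Impact.NA and objective != "confidentiality":
            raise ValueError("FIPS 199 allows NA only for confidentiality")
        sc[objective] = level
    return sc


def categorize_system(info_type_names, adjustments=None):
    """System security category per FIPS 199: for each objective take the
    highest impact among the information types the system processes, stores
    or transmits. NA is not allowed at the system level, so LOW is the floor.

    `adjustments` maps an information type name to its per-objective
    adjustments for this system."""
    if not info_type_names:
        raise ValueError("a system must process at least one information type")
    adjustments = adjustments or {}
    per_type = [categorize_info_type(n, adjustments.get(n)) for n in info_type_names]
    sc = {}
    for objective in OBJECTIVES:
        highest = max(t[objective] for t in per_type)
        sc[objective] = max(highest, Impact.LOW)   # system-level low-water mark
    return sc


def overall_impact(sc):
    """FIPS 200 high-water mark: the overall impact level that selects the
    SP 800-53 low, moderate or high baseline is the highest of the three."""
    return max(sc.values())


def format_sc(label, sc):
    """Render the category in the notation FIPS 199 uses, e.g.
    SC payroll = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)}"""
    parts = ", ".join(f"({o}, {sc[o].name})" for o in OBJECTIVES)
    return f"SC {label} = {{{parts}}}"


if __name__ == "__main__":
    names = ["public web content", "employee payroll records", "incident response data"]
    system = categorize_system(names)
    print(format_sc("example system", system))
    print("SP 800-53 baseline:", overall_impact(system).name)
```

Note that a single HIGH information type pulls the whole system to a high baseline; the usual remedy is not to adjust the level downward without justification but to move that information type onto its own system boundary, which is exactly the kind of decision the business and process tier makes with the implementation tier.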
COSO, the Committee of Sponsoring Organizations, is another framework; it is similar to ISO 27000 but aimed at financial systems. COBIT, the Control Objectives for Information and Related Technologies, was created by ISACA, the Information Systems Audit and Control Association, for IT management and governance, so that would be the framework you would use there. Special Publication 800-53 also provides a methodology to develop specialized sets of controls, or overlays, tailored for specific types of mission, business function, technology or environment of operation. Special Publication 800-53A, the Guide for Assessing the Security Controls in Federal Information Systems and Organizations, provides a set of procedures for conducting assessments of the information security and privacy controls in 800-53. And finally SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, supports the ongoing monitoring of security controls and of the security state of systems. It provides guidance on developing an agency-wide information security continuous monitoring strategy and implementing the ISCM program. The ISCM program helps agencies make informed risk management decisions by providing ongoing awareness of threats, vulnerabilities and security controls. The identification, assessment and prioritization of risk, followed by the coordinated and economical application of resources to minimize, monitor and control the probability and/or impact of adverse events, or to maximize the realization of opportunities, is risk management. Considerations for risk are information, the mission or business objectives, the inventories the organization has, such as hardware, software and similar assets, and compliance or governance requirements, for example having to meet the Payment Card Industry Data Security Standard.
Information security is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and availability. The US government's definition of risk management is the process of managing risk to organizational operations (including mission, functions, image or reputation), organizational assets, individuals, other organizations or the nation resulting from the operation or use of an information system, and it includes the conduct of a risk assessment, the implementation of a risk mitigation strategy, the employment of techniques and procedures for continuous monitoring of the security state of the information system, and documenting the overall risk management program. So what is risk? Risk is a measure of the extent to which an entity is threatened by a potential circumstance or event, and a function of the adverse impact that would arise if the circumstance or event occurs and the likelihood of that occurrence. It is commonly expressed informally as Risk = Threat x Vulnerability x Impact; the cost of mitigation is then weighed against that risk when choosing how to respond. All the things listed on this screen could potentially lead to some sort of risk for an organization: purposeful attacks, environmental disruptions and human errors. A source of risk could be natural or man-made, intentional or unintentional, malicious versus inadvertent, such as accidental mistakes. Types of risk include program or acquisition risk (cost, schedule, performance and so on), compliance and regulatory risk, financial risk, legal risk, operational or mission and business risk, political risk, project risk, reputational risk, safety risk, strategic planning risk and supply chain risk. So let's look at risk versus compliance. Compliance is the reporting of risks to outside entities; it also covers governance by others, such as regulators, in support of some regulatory requirement.
For example, FISMA, the Federal Information Security Management Act, Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, the Children's Online Privacy Protection Act or the General Data Protection Regulation, GDPR. So now let's look at cyber impact areas. The impact on the business, and the accompanying risk, can depend on the industry. For example, a government agency may be a larger target than a mom-and-pop shop that sells only trinkets. Businesses may experience cyber-based intrusion attempts for financial gain, to obtain intellectual property, to create a business disruption, to obtain private data or to compromise national security. The perpetrators of the intrusion could be external or internal, private or government sponsored. When we look at cyber risk impacts, we are looking at reputational risk, such as public relations issues with customers or the public; regulatory risk, the inability to satisfy regulatory processing requirements due to an outage, or a violation of a regulation such as GDPR, PCI DSS or Sarbanes-Oxley; operational risk, the inability to process critical business functions, anything that affects confidentiality, integrity and availability; internal human resources issues, relating to payroll and employee privacy; and finally financial risk, the loss of physical assets, the cost to remediate identified risks, or the inability to meet contractual Service Level Agreements, SLAs, with third parties, resulting in legal liability. Organizations with an understanding of their risk tolerance can prioritize cybersecurity activities, enabling them to make informed decisions about cybersecurity expenditures. Implementing a risk management program gives organizations the ability to quantify and communicate adjustments to their cybersecurity program and how they handle risks.
This could include mitigating the risk, transferring the risk, avoiding the risk or accepting the risk, depending on the potential impact to the delivery of critical services. The Cybersecurity Framework supports recurring risk assessments and validation of business drivers to help organizations select target states for cybersecurity activities that reflect the desired outcomes. This includes supply chain risk, which is an essential part of the risk landscape and should be included in the organizational risk management program. In summary, in this course we have discussed supporting risk management with the framework, managing risk through a tiered process, the risk management process, risk versus compliance, and key properties of cyber risk management.