Risk Management Framework (SS-08-041 )
SS-08-041 Risk Management Framework
Issue Date: 3/31/2008
Revision Effective Date: 3/31/2008
Review Date: 12/1/2020
Risk management is an aggregation of three processes; risk assessment, risk mitigation, controls evaluation and assessment that help agencies ensure that information security management processes are integrated with agency strategic and operational planning processes. Managing risk safeguards the mission of the organization and provides an on-going evaluation and assessment of IT-related mission risks.
This enterprise standard, consistent with the Federal Information Security Act (FISMA) of 2002, adopts the risk management framework developed by the National Institute of Standards (NIST) for assisting owners with understanding the risks associated with their decision making processes and implementing adequate and cost-effective security.
The State of Georgia shall implement a risk-based approach to information security.
A successful risk management program shall have:
- Commitment from Senior management
- Full support and participation of the IT team
- A competent risk assessment team who must have the expertise to apply the risk assessment methodology to a specific site and system, identify mission risks, and provide cost-effective safeguards that meet the needs of the organization
- The awareness and cooperation of the user community, who must follow procedures and comply with the implemented controls to safeguard the mission of their organization
- An ongoing evaluation and assessment of the IT-related mission risks.
Each Agency shall use the risk management framework developed by the National Institute of Standards (NIST) for selecting and implementing security controls for its information systems as part of an organization-wide risk management program.
The framework shall be applied to both new and legacy information systems and be integrated into the system development life cycle and the Enterprise Architecture.
The NIST Risk Management Framework shall include the following sequential and continuous steps (related NIST Standards and Guidelines are in parenthesis):
Step 1: Security Categorization
Categorize the information system and the information resident within that system based on the sensitivity and the impact of loss or compromise on the organization. (FIPS 199)
Step 2: Security Control Selection
Select an initial set of minimum security controls for the information system based on the FIPS 199 security categorization and apply tailoring guidance as appropriate, to obtain a starting point for required controls. (FIPS 200 and NIST SP 800-53 Revision 1)
Step 3: Supplement Security Controls
Supplement the initial set of tailored security controls based on an assessment of risk and local conditions including organization-specific security requirements, specific threat information, cost-benefit analyses, or special circumstances. (NIST SP 800-53)
Step 4: Document Security Controls
Document in the system security plan, the security requirements and the agreed-upon security controls planned or in place, including the organization's justification for any refinements or adjustments to the initial set of controls. (NIST SP 800-18)
Step 5: Security Controls Implementation
Implement the security controls and apply security configuration settings.
Step 6: Security Controls Assessment
Assess the effectiveness of the security controls using appropriate methods and procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. (NIST SP 800-53A)
Step 7: System Authorization
Authorize information system operation based upon a determination of the risk to organizational operations, organizational assets, or to individuals resulting from the operation of the information system and the decision that this risk is acceptable. (NIST SP 800-37)
Step 8: Controls Monitoring
Continually monitor and assess selected security controls in the information system including documenting changes to the system, conducting security impact analyses of the associated changes, and reporting the security status of the system to appropriate organizational officials on a regular basis. (NIST SP 800-37 and SP 800-53A)
RELATED ENTERPRISE POLICIES, STANDARDS, GUIDELINES
SP 800-12 Rev. 1 (Chapter 6) Introduction to Computer Security NIST Handbook https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final
SP 800-30 Rev. 1, Guide for Conducting Risk Assessments https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final
SP 800-53A Rev. 4 Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans https://csrc.nist.gov/publications/detail/sp/800-53a/rev-4/final
SP 800-18 Developing Security Plans
SP 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
FIPS 199 Standards for Security Categorization
FIPS 200 Security Controls Standard
TERMS and DEFINITIONS
Risk – A function of the likelihood of a given threat source exploiting a potential vulnerability, and the resulting impact of that adverse event on the organization.
Risk Management - The process of identifying, controlling and mitigating information system–related risks. It includes risk assessment; cost-benefit analysis; and the selection, implementation, testing, and security evaluation of safeguards. This overall system security review considers both effectiveness and efficiency, including impact on the mission and constraints due to policy, regulations, and laws.
Risk Assessment - The process of identifying the risks to system security; determining the probability of occurrence, the resulting impact, and safeguards that would mitigate this impact.
Risk Mitigation – The process of prioritizing, evaluating and implementing appropriate risk-reducing controls to include risk assumption, risk avoidance, risk limitation, risk planning, research and acknowledgement and risk transfer.