Risk Management
Introduction
Risk management is a crucial exercise for an organization because without it, a firm cannot properly define its objectives for the future. If a company defines objectives without taking its risks into consideration, chances are that it will lose direction once any of these risks hit home.
Course Work
Risk Management Framework (NIST, 2021)
1. Categorize - Essential activities to prepare the organization to manage security and privacy risks. Categorize the system and the information it processes, stores, and transmits based on an impact analysis.
2. Select - Select the set of NIST SP 800-53 controls to protect the system based on risk assessment(s).
3. Implement - Implement the controls and document how the controls are deployed.
4. Assess - Assess to determine if the controls are in place, operating as intended, and producing the desired results.
5. Authorize - A senior official makes a risk-based decision to authorize the system (to operate).
6. Monitor - Continuously monitor control implementation and risks to the system.
Reflection
Assessing and determining risk is not an easy process, as there are many attributes and nuances to consider. The NIST Risk Management Framework (RMF) makes it easier to dissect and categorize risks in a systematic manner. A risk management framework provides guidance and allows an organization to frame, assess and categorize risk. With a risk management plan in place, the organization can operate confidently in a challenging landscape and expand its operations, allowing for growth.
References
Accountable. (2021). What is PHI? Understanding Protected Health Information. Retrieved from https://www.accountablehq.com/post/what-is-phi
CareersinAudit.com. (2013). The Importance of Risk Management In An Organisation. Retrieved from https://www.careersinaudit.com/article/the-importance-of-risk-management-in-an-organisation/
Milkovich, D. (2020). 15 Alarming Cyber Security Facts and Stats. Retrieved from https://www.cybintsolutions.com/cyber-security-facts-stats/
Ekran. (2021). Mandatory Access Control vs Discretionary Access Control: Which to Choose? Retrieved from https://www.ekransystem.com/en/blog/mac-vs-dac
fas.org. (2021). Classification Levels. Retrieved from https://fas.org/sgp/library/quist2/chap_7.html
Fruhlinger, J. (2019). Malware explained: How to prevent, detect and recover from it. Retrieved from https://www.csoonline.com/article/3295877/what-is-malware-viruses-worms-trojans-and-beyond.html
Johnson, R. (2015). Security Policies and Implementation.
META Security Group. (2000). META Security Group Information Security Policy Framework. Retrieved from http://horseproject.wiki/images/1/18/Information-Security-Policy-Framework-Research-Report.pdf
Morgan, S. (2020). Cybercrime To Cost The World $10.5 Trillion Annually By 2025. Retrieved from https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/#:~:text=The%20latest%20forecast%20is%20for,every%2040%20seconds%20in%202016.
Sahoo, N. (2021). How Does Artificial Intelligence Help in Data Protection and HIPAA Compliance? Retrieved from https://www.cpomagazine.com/cyber-security/how-does-artificial-intelligence-help-in-data-protection-and-hipaa-compliance/#:~:text=Data%20encryption%20%E2%80%93%20HIPAA%20requires%20healthcare%20organizations%20to,to%20encrypt%20data%20and%20secure%20acces
NIST. (2011). NIST Special Publication 800-39. Retrieved from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf
NIST. (2013). Guide to Malware Incident Prevention and Handling for Desktops and Laptops. Retrieved from https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-83r1.pdf
NIST. (2021). malware. Retrieved from https://csrc.nist.gov/glossary/term/malware
NIST. (2021). NIST Risk Management Framework. Retrieved from https://csrc.nist.gov/projects/risk-management/about-rmf
Rosencrance, L. (2018). role-based access control (RBAC). Retrieved from https://searchsecurity.techtarget.com/definition/role-based-access-control-RBAC#:~:text=Role%2Dbased%20access%20control%20(RBAC)%20is%20a%20method%20of,doesn't%20pertain%20to%20them.
Sobers, R. (2021). 134 Cybersecurity Statistics and Trends for 2021. Retrieved from https://www.varonis.com/blog/cybersecurity-statistics/
Varonis. (2021). Risk Management Framework (RMF): An Overview. Retrieved from https://www.varonis.com/blog/risk-management-framework/