Joint task force transformation initiative
organization of this special publication
Download 5.8 Mb.
|
- Navigate this page:
- 2.1 multitiered risk management
1.5 organization of this special publicationThe remainder of this special publication is organized as follows:
Supporting appendices provide essential security control selection and specification-related information including: (i) general references; 25 (ii) definitions and terms; (iii) acronyms; (iv) baseline security controls for low-impact, moderate-impact, and high-impact information systems; (v) guidance on assurance and trustworthiness in information systems; (vi) a catalog of security controls;26 (vii) a catalog of information security program management controls; (viii) mappings to international information security standards; (ix) guidance for developing overlays by organizations or communities of interest; and (x) a catalog of privacy controls. chapter two the fundamentalsSECURITY CONTROL STRUCTURE, ORGANIZATION, BASELINES, AND ASSURANCE This chapter presents the fundamental concepts associated with security control selection and specification including: (i) three-tiered risk management; (ii) the structure of security controls and the organization of the controls in the control catalog; (iii) security control baselines; (iv) the identification and use of common security controls; (v) security controls in external environments; (vi) security control assurance; and (vii) future revisions to the security controls, the control catalog, and baseline controls. 2.1 multitiered risk managementThe selection and specification of security controls for an information system is accomplished as part of an organization-wide information security program for the management of risk—that is, the risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation of information systems. Risk-based approaches to security control selection and specification consider effectiveness, efficiency, and constraints due to applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines. To integrate the risk management process throughout the organization and more effectively address mission/business concerns, a three-tiered approach is employed that addresses risk at the: (i) organization level; (ii) mission/business process level; and (iii) information system level. The risk management process is carried out across the three tiers with the overall objective of continuous improvement in the organization’s risk-related activities and effective inter-tier and intra-tier communication among all stakeholders having a shared interest in the mission/business success of the organization. Figure 1 illustrates the three-tiered approach to risk management. TIER 1 organization TIER 2 mission / business processes TIER 3 information systems
tactical risk strategic risk
FIGURE 1: THREE-TIERED RISK MANAGEMENT APPROACH Tier 1 provides a prioritization of organizational missions/business functions which in turn drives investment strategies and funding decisions—promoting cost-effective, efficient information technology solutions consistent with the strategic goals and objectives of the organization and measures of performance. Tier 2 includes: (i) defining the mission/business processes needed to support the organizational missions/business functions; (ii) determining the security categories of the information systems needed to execute the mission/business processes; (iii) incorporating information security requirements into the mission/business processes; and (iv) establishing an enterprise architecture (including an embedded information security architecture) to facilitate the allocation of security controls to organizational information systems and the environments in which those systems operate. The Risk Management Framework (RMF), depicted in Figure 2, is the primary means for addressing risk at Tier 3.27 This publication focuses on Step 2 of the RMF, the security control selection process, in the context of the three tiers in the organizational risk management hierarchy. RISK MANAGEMENT FRAMEWORK Security Life Cycle Repeat as necessary Step 1 CATEGORIZE Information Systems FIPS 199 / SP 800-60 Step 6 MONITOR Security Controls SP 800-137 Step 3 IMPLEMENT Security Controls SP 800-160 Step 2 SELECT Security Controls FIPS 200 / SP 800-53 Step 5 AUTHORIZE Information Systems SP 800-37 Step 4 ASSESS Security Controls SP 800-53A Organizational Inputs
Architecture Description
Starting Point Note: CNSS Instruction 1253 provides guidance for RMF Steps 1 and 2 for National Security Systems (NSS). FIGURE 2: RISK MANAGEMENT FRAMEWORK The RMF addresses the security concerns of organizations related to the design, development, implementation, operation, and disposal of information systems and the environments in which those systems operate. The RMF consists of the following six steps: Step 1: Categorize the information system based on a FIPS Publication 199 impact assessment;28 Step 2: Select the applicable security control baseline based on the results of the security categorization and apply tailoring guidance (including the potential use of overlays); Step 3: Implement the security controls and document the design, development, and implementation details for the controls; Step 4: Assess the security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system;29 Step 5: Authorize information system operation based on a determination of risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation and use of the information system and the decision that this risk is acceptable; and Step 6: Monitor the security controls in the information system and environment of operation on an ongoing basis to determine control effectiveness, changes to the system/environment, and compliance to legislation, Executive Orders, directives, policies, regulations, and standards. Directory: publications publications -> Acm word Template for sig site publications -> Preparation of Papers for ieee transactions on medical imaging publications -> Adjih, C., Georgiadis, L., Jacquet, P., & Szpankowski, W. (2006). Multicast tree structure and the power law publications -> Swiss Federal Institute of Technology (eth) Zurich Computer Engineering and Networks Laboratory publications -> Quantitative skills publications -> Multi-core cpu and gpu implementation of Discrete Periodic Radon Transform and Its Inverse publications -> List of Publications Department of Mechanical Engineering ucek, jntu kakinada publications -> 1. 2 Authority 1 3 Planning Area 1 publications -> Sa michelson, 2011: Impact of Sea-Spray on the Atmospheric Surface Layer. Bound. Layer Meteor., 140 ( 3 ), 361-381, doi: 10. 1007/s10546-011-9617-1, issn: Jun-14, ids: 807TW, sep 2011 Bao, jw, cw fairall, sa michelson Download 5.8 Mb. Share with your friends:
|