to the Risk Management Framework. What we're going to look at in this domain are the key parts of the Risk Management Framework: laws and regulations, understanding the NIST Special Publication 800-30 Revision 1 risk management process, and defining roles and responsibilities.

Risk management. Managing information security risk, like risk management in general, is not an exact science. It brings together the best collective judgments of the people and groups within your organization that are responsible for strategic planning, oversight, management, and daily operations, providing both the necessary and sufficient risk response measures to adequately protect the missions and business functions of your organization. Now, strategic risk is considered from the perspective of risk to the overall organization. Your mission or business risk takes direction from the strategic risk, but then provides direction to risk at the tactical or information-systems level. With this, the framework encourages the use of automation to provide your senior leaders the information they need to make cost-effective risk management decisions about the organization's information systems in support of their core missions and business functions. So, in effect, it's very much about the business. What is the business mission? What are its main functions? The idea is that automation tools give us the information we need to make good decisions, especially for these senior leaders, and we want it to be cost-effective. It also integrates information security into your enterprise architecture and into something called the System Development Life Cycle, the SDLC. Following the risk management framework puts emphasis on the selection, implementation, assessment, and monitoring of security controls, and also on the authorization of our information systems for use.
This also links risk management processes at the information system level to risk management processes at the organizational level through a risk executive function, and it establishes responsibility and accountability for security controls deployed within our organization's information systems and inherited by those systems; we call these common controls. You will see these underlying themes throughout the chapters to come.

Now, when we think about the pillars of CIA, Confidentiality, Integrity, and Availability, these concepts are all about information security, so we call it the Information Security Triad, and throughout numerous security courses from different vendors you will hear the same emphasis on CIA. Looking at the order they're presented in here, we start with Availability. Availability is the part of the triangle that provides assurance that the information on the system is available to users whenever it is needed. If our systems are not up and running and we lack availability, we don't look good to our customer base, because it looks like we don't have our information security under control. It looks like we don't know how to deal with denial-of-service attacks; it looks like we're ill-prepared. So availability of these resources, so that users and customers can get to what they need, is very important. Then there's integrity. We want the information protected so that unauthorized changes cannot be made to it, and if they are made, we want to know that they were made. We want to know that someone unauthorized made a change, and we want to be able to confirm it and verify the integrity of the system and the integrity of our files. Very important. Many times, integrity is implemented through hashing algorithms such as MD5 and SHA-1.
Then there's confidentiality, which is very important as well. The idea is to make sure that no unauthorized users are able to set their eyes on the information: to access it, look at it, read it. We want to keep certain information private. Without confidentiality, we could see trade secrets exposed, or information that's deemed private, such as private health information. So confidentiality, integrity, and availability are all very critical.

National Strategy on Cybersecurity. For operational plans development, the combination of your threats, vulnerabilities, and impacts must be evaluated in order to identify the important trends and decide where your effort should be applied: to eliminate, if possible, or reduce threat capabilities; to eliminate or reduce vulnerabilities; and to assess, coordinate, and de-conflict any or all cyberspace operations. Our goal would ideally be to eliminate, but sometimes it's a matter of just being able to reduce our weaknesses, our vulnerabilities, and the threats that could harm us, whether hackers or anything else, to a level that we can tolerate. Leaders at all levels are accountable for ensuring readiness and security to the same degree as in any other domain.

Now we look at cyber attacks. The cyber attacks on our information systems today can be very aggressive, very organized, very disciplined, well-funded (unfortunately, organized crime, effectively), and, in a growing number of documented cases, very sophisticated. It's not your average hacker anymore. We don't necessarily have the teenage hacker just trying to get into our systems; we're finding that the hackers are much more skilled, essentially the mafia of the computer world, with people that are very skilled and very organized and sometimes quite sophisticated as well. Also, there is the NIST Special Publication 800-37 Revision 1.
With regard to NIST Special Publication 800-37, the idea behind this is to transform your traditional certification and accreditation process into a six-step risk management framework. The second step of the RMF, the Risk Management Framework, is to select the appropriate subset of security controls from the control catalog found in Special Publication 800-53. As we proceed through this book, you're going to see these six steps in great detail.

With regard to federal policy, in 1987 the OMB, which stands for Office of Management and Budget, issued OMB Circular A-130. It mandated that all general support systems and major applications be secure before they're put into production, which is a really important idea. You don't want to put your systems and applications into production, where they are effectively being used, when they're not secure. So this focused on system authorization, which includes the risk management process of assessing the risk associated with operation of the system, mitigating vulnerabilities (trying to reduce or deal with vulnerabilities, which effectively reduces risk to a level you can live with, an acceptable level), and, of course, formal acceptance of this risk by some sort of authorizing official.

Now, actions of executive agencies. OMB A-130 states that agencies must plan for security, ensure that the appropriate officials are assigned their security responsibility, review the security controls in use in their information systems, and authorize system processing prior to operations and, of course, periodically thereafter, reauthorizing these systems. Now, federal policies: all agencies are required to adopt a risk-based and, again, cost-effective approach to security. So the big emphasis throughout this book is about dealing with risk, the risk management framework.
It's all about dealing with the risk while being as cost-effective as possible, thinking about the goals of the business, yet having good security at the same time.

E-Government Act of 2002. A core foundation of information security is based on the E-Government Act of 2002. It mandated the protection of information systems and required yearly, or annual, reporting by each agency head to Congress on the status of the security of information systems. President George W. Bush signed this act on December 17, 2002. It's also known as Public Law 107-347, and it mandated a federal initiative to automate the public's access to government services. The OMB, Office of Management and Budget, facilitates the E-Government Initiative and also acts as E-Government Administrator.

FISMA. FISMA stands for Federal Information Security Management Act. It's Title III of Public Law 107-347, which is the E-Government Act of 2002. FISMA requires the development of an organization-wide security program and annual reporting on the status of that security program. Important points include the need for an organization-wide security program, which recognizes the fact that information security is not just a factor for individual systems, but is part of a much larger picture. A vulnerability, weakness, or insecurity in any one system could pose a security risk to other systems both within and outside of your agency, and this requires a security approach that's consistent across all systems and throughout the agency.

E-Government Act of 2002. As part of the Act, all agencies must comply with the OMB E-Government guidance. Both the public and the private sector are encouraged to work with OMB to find ways to use information technology to improve the delivery of government information and services.
Both independent audits and yearly, annual, reports are required as part of this law, and of course agencies are also required to provide IT training programs for their personnel. So when we think of some of the important requirements of the E-Government Act of 2002, just realize there are the IT training programs for the users, for the personnel, and also the need for these independent audits. This law also required that the categorization and indexing of government information be held to a standard; we have FIPS 199 and NIST Special Publication 800-60. In addition to this, NIST was charged with creating a process for certifying and accrediting information systems, as we see with FIPS 200 and NIST Special Publications 800-37, 800-39, 800-53, 800-18, as well as 800-30. The idea behind this was that, in order to protect the information and the information systems to an adequate level, it was important to categorize the information according to the level of impact that a breach of, remember, confidentiality, integrity, or availability of that information would have. So we think about the impact, and this drives our selection of the controls, the countermeasures, that would be required to protect that information. The core document for security categorization, again, is FIPS 199, and the guidance document used to support that FIPS 199 requirement is NIST Special Publication 800-60. Also, NIST is responsible for developing a process to certify and accredit. So that's a really big part of it as well, and it's really a big core of the course we're looking at here. Now, each agency is required to conduct a privacy impact assessment when developing a new information system. This privacy impact assessment identifies the risk associated with the information being processed. A key part of this information protection is accountability and governance.
Each agency is required to provide oversight and adequate protection of its information technology resources. The use of the word adequate is sometimes troublesome, since it's not always clear what is considered adequate and what is not. So through the use of the guidance in the Special Publications, and the determination of risk acceptance levels by the authorizing official of each agency, we can determine what controls are necessary to deliver an adequate level of security. So we can see that this is not an exact science: what is adequate and what is not is left to interpretation, left to the authorizing official to look at and say what is an acceptable risk. So the result could be very different based on all these factors, and especially on the authorizing official. There's obviously some flexibility in how agencies apply this guidance. Federal agencies apply the security concepts and principles that they see in the special publications in accordance with, and in the context of, their particular agency's missions, their functions as a business, and their environment of operation. Again, FIPS stands for Federal Information Processing Standards. It's a legal requirement for federal agencies, and they are required to comply with the FIPS documents. The idea is to assist agencies in meeting the requirements of FIPS by having documentation to assist them. Now, with regard to 800-39, we're looking at NIST Special Publication 800-39 again, and it has a purpose.
Its purpose is to provide guidance for an integrated, organization-wide program for managing information security risk to your organizational operations, such as your overall business mission, your functions, your image and reputation as a company, organizational assets, individuals, other organizations, and the nation, resulting from the operation and use of federal information systems. So really it comes down to giving us guidance and something to follow. This is essentially a core document that describes the risk management framework, and it's a core part of the course we're taking here. We're going to look closer at 800-39 and its purpose, and really it is guidance. It's all about giving us assistance. It is very helpful to have this guidance, to have these references, these special publications, to give us something to follow.

So really this course is focused on the protection of information and information systems. Here is a definition for an information system. When we think about information systems, we realize that they are very much a part of a lot of businesses. Information technology overall is widely recognized as an engine that drives the U.S. economy, giving industry a competitive advantage in global markets, enabling the federal government to provide better services to its citizens, and facilitating greater productivity as a nation. Organizations in the public as well as private sectors depend on this technology-intensive information. If you were suddenly to say no information systems, do your business without any information systems, we'd probably look at that and say that's impossible, the way things work now and the way the economy works, to be competitive. We would want to have online access. We need computers. We're not in a situation where information technology is optional.
So then we continue to look at more about information systems. Information systems can include components, each essentially being part of a whole; many components are part of a whole. These include a range of many diverse computing platforms, from your high-end supercomputers to your little personal digital assistants and even cell phones. Information systems can also include specialized systems and devices such as telecommunication systems, industrial process control systems, testing and calibration systems, weapon systems, command and control systems, and environmental control systems. So when we think about information systems, there are so many little parts, so many pieces that make up the big picture, and such a variety of types of systems as well.

Then we move on to risk management and look at some definitions to get a better understanding. We start with the idea: what is risk? Risk is a measure of the extent to which an entity (it could be a computer system, it could be a company) is threatened by a potential circumstance or event, and is typically a function of the adverse impacts that would arise if the circumstance or event occurs and the likelihood of occurrence. When we look at this definition of risk, which we pull from NIST Special Publication 800-30, Revision 1, we see words like entity, potential impacts, and likelihood. Then, when we think about this a little deeper, events could be so many things. We could have a tornado come through and destroy our building. We could have some sort of malware, such as a worm, spread through our systems. And then we think about all these potential issues and threats to our systems: it could be a hacker doing something that would have an adverse impact, in other words a negative or bad impact, on our system.
So we look at all this and bring it into what our real risk to our system is. Even if some potential impacts were highly negative and quite large, we then look at the likelihood of it actually happening, and the likelihood of occurrence could be so low that our overall risk doesn't look so great. Or perhaps the likelihood that this type of threat would adversely impact us in some way is quite high. When we think about the company as a whole, organizationally, there are many types of risk: program management risk, investment risk, budgetary risk (what we do with our budget), legal liabilities, safety, inventory, supply chain, and of course security risk, examples of which I've given you. So we think more specifically about security risk. Security risk related to the operation and use of our information systems is just one of the many components of organizational risk that your senior leaders and executives have to address as part of their risk management responsibilities. We would be very narrow-minded if we only thought about the security-risk side of things; there's a much bigger picture. Obviously security risk is the primary focus that we'll see in this course as it applies to building and operating information systems, but do realize there's more than just the security-risk side of things. Information security risk is related to the operation and use of information systems. Risk to systems considers the processes, the procedures, and the structures, such as the architecture, the configuration, and the overall environment of your information system, at all times during its life cycle. Risk strategies can be used to influence the design and development of the information system and provide direction for the secure implementation and operation of these systems.
As we review risk management, the core documents that we will address in this review are listed here. We have NIST Special Publication 800-30 Revision 1, which is the guide for conducting risk assessments. Very important. We have NIST Special Publication 800-37 Revision 1, the guide for applying the risk management framework to federal information systems. There's also NIST Special Publication 800-39, managing information security risk.

Risk management. Managing information security risk, like risk management in general, is not an exact science, as we're seeing here. It brings together the best collective judgments from individuals and groups within your organization responsible for strategic planning, oversight, management, and even day-to-day operations, providing both the necessary and sufficient risk response measures to adequately protect the missions and business functions of the organization. When you think of coming up with something you consider adequate, you have to look at what level of risk you're able to tolerate or live with. Besides the terms you may think of when you hear talk about operations, day-to-day, or strategic, we actually have terms for these levels, and generally you see the strategic, the operational, and the tactical. We have the day-to-day operations where we try to deal with and reduce the risk, and these are our operational type things; then we may have some mid-term goals for dealing with the risk, and we tend to call these tactical; and then we may have longer-term goals, which are strategic, which in the end are what we're trying to accomplish when we think about strategic planning. But it is still a matter of getting our risk to a level that is acceptable for our business, and we think about our business mission.
When we think about the risk management process, we look at assess, respond, and monitor, and it all works around our risk management framework. We have information and communication flows with this, so it's really an interactive process. More details on this process are described in NIST Special Publication 800-30 Revision 1, 800-37 Revision 1, and 800-39, so consult these special publications for more in-depth information if you want to go beyond what you're seeing in our book here.

Now we think about information security, and of course this is part of a broader organizational context of achieving mission and business success. So information security is effectively just a part of a much bigger picture. Information security risk management is complementary to, and should be used as part of, your more comprehensive enterprise risk management program, known as your ERM. Information security risk is just a subset of the overall risk to your environment, to your company. It's obviously a very important part, but again just a sub-risk of the overall risk to your enterprise.

Then we think of the threats. We have threats to information and information systems, and these could include purposeful attacks, environmental disruptions, and human or machine errors, and they can result in great harm. So when you think about threats, it's not just the hacker who tries to break into your system; it could be weather related when you think of environmental events, or it could just be an oops, a mistake from one of the employees. It could be something very intentional, again from one of the employees or, less likely, an outsider. Moving on from threats, we have the objectives of our risk management framework.
First of all, the objective is to ensure that our senior leaders recognize the overall importance of managing information security risk and of establishing appropriate governance structures for managing these risks. It's very critical that they get the idea that this is such a major part of managing risk, and that they need to follow through with it. Also, ensure that the organization's risk management process is being effectively conducted across the three tiers of the organization: the organization, mission and business processes, and information systems. So really, risk is a responsibility of senior managers, and it requires direction from management to enforce this risk management process across all layers of the organization. This will ensure that sufficient resources are available to manage the risk and enable the organization to understand risk as a strategic capability and a business enabler. Moving on with the objectives, we also want to foster an organizational climate where information security risk is considered within the context of the design of mission and business processes, the definition of an overarching enterprise architecture, and the system development life cycle process, which we will see a lot of; the SDLC will be discussed throughout this course. We also want to help individuals with responsibilities for information system implementation or operation to better understand how the information security risk associated with their systems translates into the organization-wide risks that may ultimately affect mission and business success. So everybody should understand that they are part of something very big, and even though they may think that their part is very small, if they don't manage the risk properly, something small could potentially have a great effect, a very negative effect, on our overall mission and business success.
So really, management must make risk management a fundamental business requirement. It's got to be a core requirement, and each person with some level of responsibility for information system implementation and operation has to understand their responsibility for risk. When individuals feel that they have no part in this big picture, we have to correct them and let them know how critical their part really is.

Key elements of effective risk management: assignment of risk management responsibilities to senior leaders and executives; ongoing recognition and understanding by the senior leaders and executives of the information security risk arising from the operation of our information systems (essentially, these are people who don't necessarily have this understanding natively, but we want them to develop it); establishing the organizational tolerance for risk and communicating that risk tolerance, including guidance on how risk tolerance impacts our ongoing decision-making activities; and, of course, accountability by the senior leaders and executives for their risk management decisions and for the implementation of effective organization-wide risk management programs. So really the emphasis here is on risk management as it pertains to senior management: understanding that they have a responsibility, and that they make good decisions about the overall organization's direction with risk management and risk tolerance, saying what level we're willing to tolerate and live with.

That brings us to risk tolerance and acceptance. The objective of establishing organizational risk tolerance is to state in clear and unambiguous terms a limit for risk: that is, how far the organization is willing to go with regard to accepting risk. I wish there were a simple formula to follow, but again this is a very difficult thing.
We wish we could click a button and say suddenly we have no more risk, and say it's not a matter of how much risk we will tolerate, we're simply going to have no risk. Well, that's just a fantasy. So it really comes down to the type of business, what the organization is about, and sometimes what financial funds they have available to put better countermeasures in place and to reduce their risk overall, maybe even through redundancy of equipment. So an important responsibility of senior management is to set limits of risk acceptance, or risk tolerance: what we're willing to accept risk-wise, a limit for these risks.

As we break this down, the first component of risk management is risk assessment. The purpose of the risk assessment component is to identify: the threats to the organization; the vulnerabilities, which could be inside the organization or external to it; the harm, the consequence, the impact to the organization that could occur given the potential for threats (bad guys, events, and environmental factors) exploiting or finding our vulnerabilities; and the likelihood that harm will occur. The end result is the determination of risk: the degree of harm and the likelihood of harm occurring.
To support this risk assessment, organizations identify the tools, techniques, and methodologies that are used to assess these risks; the assumptions related to the risk assessments; the constraints that could affect your risk assessments; the different roles and responsibilities; how risk assessment information will be collected, processed, and communicated throughout your organization; how your risk assessments are conducted within the organization; the frequency of these risk assessments, how often in other words; and how threat information will be obtained, what the sources are and what the methods are. This is considered the second component of risk management.

Then there is the risk response. The risk response includes developing alternative courses of action for responding to the risk; evaluating the alternative courses of action (we could do this, we could do that); coming up with the risk response by determining appropriate courses of action consistent with your level of tolerance, your organizational risk tolerance; and implementing the risk response based on the selected courses of action, putting something in place. This is considered, again, the third component of risk management.

Then we go on to the fourth component of risk management, which deals with risk monitoring. The idea is to verify that your planned risk response measures are implemented and that the information security requirements derived from, and traceable to, organizational missions, business functions, federal legislation, directives, regulations, policies, standards, and guidelines are satisfied; to determine the ongoing effectiveness of your risk response measures following implementation, making sure that what you have in place is actually doing its job and really is effective; and to identify risk-impacting changes to organizational information systems and the environments in which the systems operate. So we have to keep our eyes
open. It's not a matter of just putting this in place, saying we have completed everything, and never looking at it again. You have changing environments, changing regulations, maybe new laws and new regulations that you have to follow, so risk monitoring is definitely a big part of this too.

So here we are looking again, as a refresher, at the risk management process: assess, respond, monitor. It's the big picture, and you see it's very interactive. Again, this is from NIST Special Publications 800-30 Revision 1, 800-37 Revision 1, and 800-39, and you can find more information in those special publications beyond what we have in the course.

Then we have frame risk, and we're looking at defining the context of risk management. We ask ourselves questions and we make decisions; we ask ourselves how risk decisions are made, and of course this results in a risk management strategy. We try to define the foundation for managing risk and delineate the boundaries for risk decisions. This also influences organizational risk tolerance, the risk assessment methodology, assumptions, constraints, and your overall mission and business priorities. So really the first step in the risk management process is to frame the risk, as we see in this slide, and that is to gain an understanding of the environment in which risk decisions are made. The result of understanding the environment is the formulation of a risk management strategy. As we step through the process of risk management, we'll examine risk at all levels. The risk management process is carried out seamlessly across three tiers, with the overall objective of continuous improvement in the organization's risk-related activities and effective inter-tier and intra-tier communication among your stakeholders who have a shared interest in the mission and business success of the organization. Of course we have Tier 1, which addresses risk from an organizational perspective. Tier 1 implements the first component of risk
management, risk framing, providing the context for all risk management activities carried out by your organization. As you can see, this is a nice slide showing your strategic risk, looking at Tier 1, organization; Tier 2, mission and business processes; and Tier 3, information systems. The key parts of Tier 1 are governance, the risk executive function, the risk management strategy, and our investment strategy, which includes our mission and risk priorities, our anticipated risk response needs, and the limitations on strategic investments. So Tier 1 addresses risk from an organizational perspective with the development of a comprehensive governance structure and organization-wide risk management strategy, which could include the techniques and methodologies the organization plans to employ to assess information system-related security risk and other types of risk of concern to your organization; the methods and procedures the organization plans to use to evaluate the significance of the risk identified during the risk assessment; the types and extent of the risk mitigation measures the organization plans to employ against the identified risk; the level of risk the organization plans to accept, which is your risk tolerance; how the organization plans to monitor the risk on an ongoing basis given the various changes to the organization's information systems and their environments of operation; and so on. It goes on and on when we think about this whole idea of Tier 1, but these are the key parts of Tier 1.

With regard to the activities of Tier 2 in your risk management, this would include defining the mission and business processes needed to support the missions and business functions of your organization; prioritizing the mission and business processes with respect to the strategic goals and objectives of the organization; defining the types of information needed to successfully execute these mission and business processes, and
the criticality sensitivity of this information and the information flows both internal and external to your organization so effectively you think of tier 2 addressing risk from a mission and a business process perspective yet it is guided by the decisions you made at tier 1 now continuing with tier 2 activities we also have incorporating information security requirements into the mission business processes establishing and enterprise architecture with embedded information security architecture that provides cost effective we've heard that several times cost effective and efficient information technology solutions that are consistent with your strategic goals and your objectives of the organization and of course a way to measure the performance of these so the key parts of tier 2 with this and of course again and again the mission business processes risk aware always paying attention to our risk the overall enterprise architecture which we call the federal enterprise architecture FEA as well as information security architecture so when we look at IS requirements integration start with the organization risk management strategy and we can see the different layers here mission business process mission business process overall kind of going across leading to the enterprise architecture leading to the information system overall just over and over again and with this we're seeing how one layer effectively kind of informs and goes into the next layer that goes into the next layer so there's really a lot of overall integration with this model when we think about our levels here we're going through the different tiers and now we're going to go into tier 3 we'll be looking at the tier 3 activities in your risk management and the idea of your tier 3 is to integrate risk and security into your system development life cycle and where you have very resilient type systems we look at tier 3 is addressing risk from your information system perspective it is guided by your risk 
contacts your risk decisions your risk activities that you've done previously in tiers 1 and 2 now the tier 3 risk management activities would include categorizing organizational information systems that's the first step then that leads us into allocating your security controls to organizational information systems in the environments in which those systems would operate to be consistent with the organization's established enterprise architecture and embedded information security architecture leading to the third step here managing the selection implementing assessment authorization and ongoing monitoring of your allocated security controls as part of the discipline and structured system development life cycle process implemented across your organization so you can see this is very very organized and with this it's not something again that is put together very loosely and disorganized by no means nor is it something that we just put together and forget about there's a lot that goes into this as well as the ongoing monitoring is what I'm trying to point out here now this leads us into the idea of developing trust now we look at trust that's a belief that an entity will behave in a predictable manner in certain circumstances in specified circumstances so the determination of the trustworthiness plays a key role in establishing trust relationships among persons and your organizations so this is the key to the use of the risk management framework in assessing and authorizing these information systems so then we we start looking at the factors that affect the trustworthiness of our information system first we have security functionality we start looking at the security features the functions employed within the system and then we also have what we call the assurance security assurance the grounds for confidence that the security functionality is effective in its application I mean it's one thing for the system or the security to function properly that it does what it 
says it does but it's very very important to make sure that it's effective that it's doing what we need it to do we have the assurance or the confidence that it is doing what we need it to do now we see our frame risk again and the core and first step in your risk management process is to frame risk and that's why you see it in the center of course to frame risk is to understand the risk decision environment and how the risk decisions will be made and this will provide essential input to each of your other steps that we see so there's various activities that we have during the frame risk portion so a risk framing step and these do break down into these various tasks 1-1-1-4 and we start out with task 1-1 which is considered the risk assumptions and this could be looked at as looking at the threat sources, vulnerabilities consequences and impact and likelihood but also see it as identifying assumptions that affect how a risk is assessed, responded to and monitored within your organization then on to task 1-2 which is considered the risk constraints of the risk framing process we would identify constraints on the contact of the risk assessment, the risk response the risk monitoring activities within your organization there's also task 1-3 risk tolerance and with this we identify the level of risk tolerance for the organization the task 1-4 priorities and tradeoffs with this we identify priorities and tradeoffs considered by the organization managing these risks this leads us to risk assessment so with risk assessment this is the process of identifying estimating, prioritizing risk to organizational operations this would include your mission, your functions your image reputation as we've heard previously, your organizational assets, individuals and other organizations and the nation resulting from the operation of that information system so part of your risk management incorporates threat and vulnerability analysis and considers ideas, mitigation something you can do 
about it provided by security controls planned or maybe already in place so I guess we could also call this risk analysis so when you think about this we're looking at what can we do in response to these insecurities what about these controls with the risk assessment process this breaks into various tasks as well so with the assess risk activities task 2-1 task 2-1 is threat and vulnerability identification and with this we identify threats to and vulnerabilities and organizational information systems and the environment in which those systems operate then there is task 2-2 which we call this risk determination and with this we determine the risk to organizational operations and assets individuals other organizations and the nation if identified risk identify threats rather exploit identified vulnerabilities threat a threat is any circumstance or event with the potential to adversely impact an organization through unauthorized access destruction disclosure or modification of information or denial of service threat shifting is where adversaries change some characteristic of their intent targeting in order to avoid and or overcome safeguards or countermeasures to basically find a way to not be stopped by your countermeasures that you put in place to mitigate whatever they're trying to accomplish and when we think about an adversary an adversary is an individual group, organization or government that conducts or has the intent to conduct detrimental activities then we have a vulnerability a vulnerability is a weakness in your information system security procedures internal controls or implementation that could be taken advantage of or exploited by some threat source which could be think of a hacker taking advantage of this exploiting we could think of a weather event such as a tornado coming through and destroying our building and you know causing problems there some sort of weakness that someone can take advantage of so it's a vulnerability then there's the 
likelihood of the occurrence and this would be a weighted risk factor based on an analysis of how likely are the probability that a given threat is capable of exploiting a given vulnerability or set of vulnerabilities so that could be a very different situation when you kind of analyze you may have many different companies share a similar vulnerability but they may have a different likelihood based on their situation and where they're located and so on so when we look at adversarial likelihood with this the threats the assessment of the likelihood of occurrence is typically based on three factors we have to look at their intent their capability and of course targeting and this would lead us to understanding the likelihood of occurrence then there's impact the level impact from a threat event this would be the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information or unauthorized modification or changes of information or unauthorized destruction of that information or even the loss of information or the information system availability so we would measure those levels of what would happen if these things were to occur then there's aggregation now organizations can use risk aggregation to roll up several discrete and lower level risk into a more general higher level risk organizations may use risk aggregation also to efficiently manage the scope and scale of the risk assessments involving multiple information systems and multiple mission business processes with specified relationships and dependencies among those systems and processes now this risk aggregation is conducted primarily at tiers one and two and occasionally tier three and this assesses the overall risk to organizational operations assets and individuals given a set of discrete risk now we have quantitative risk now quantitative assessments typically employ a set of methods, principles or rules for assessing risk based on the use of numbers so you 
think quantity primarily thinking money so where the meanings and proportionality of values are maintained inside and outside of the context of assessment but many times quantitative does deal with money is very good for cost benefit type calculations now there's also qualitative risk now with qualitative assessments this typically employs a set of methods, principles or rules for assessing risk based on basically not numbers non-numerical categories or levels where you might see something like very low, low, moderate, high very high or some sort of survey level where you have a range yet it's not any true numbers, nothing to do with like money and also supports communicating the results of risk assessments to decision makers sometimes qualitative can work very well but many times it could be a combination approach too there's also semi quantitative now semi quantitative assessments these employ a set of methods, principles or rules for assessing risk that use bins, scales or representative numbers whose values and meanings are not maintained in other context now this type of assessment can provide the benefits of quantitative and qualitative assessments such as bins we may have 0 through 15 and another one that 16 through 35 and 36 through 70 and so on or obviously scales where it would be like a 1 to 10 scale risk assessment process we have numerous steps here with step 1 we prepare for the assessment and this is derived from the organizational risk frame we looked at earlier then we also have step 2 conduct the assessment which can break into identifying your threat sources and events identifying your vulnerabilities and predisposing conditions looking at the determining the likelihood of the occurrence and the magnitude of the impact and of course determining risk and then we go into step 3 communicating these results and step 4 maintaining the assessment now with this it leads us to step 1 preparing for the assessment and these divided to numerous tasks we 
have task 1-1 we identify the purpose of the risk assessment in terms of the information that the assessment is intended to produce and the decisions the assessment is intended to support then there's task 1-2 this identifies the scope of the risk assessment in terms of organizational applicability, time frame supported, architectural technology considerations task 1-3 we identify the specific assumptions and constraints under which the risk assessment is conducted task 1-4 identify the sources of descriptive, threat vulnerability and impact information to be used in your risk assessment task 1-5 we identify the risk model and analytic approach to be used in this risk assessment and this is all about preparing for risk assessment then we go to the next phase where we conduct the risk assessment and with this we are looking at the various task phase 2 here and we start out with task 2-1 identify and characterize your threat sources and basically what could harm you including the capability, the intentions the intent, the targeting characteristics for the adversarial threats we talked about and range of effects for the non adversarial effects or threats rather that could cause you harm there's still something that if it's a threat it can cause you harm and it's just a matter of whether it's adversarial or non adversarial now task 2-2 identify potential threat events the reverence of these events and threat sources that could start or initiate these events continuing our conducting the risk assessment with task 2-3 we identify the vulnerabilities and these predisposing conditions that could affect the likelihood that the threat event of concern could result in something bad happening some adverse impact then task 2-4 we determine the likelihood that this threat event of concern results in adverse impact considering the characteristics of the threat sources that could initiate the event the vulnerabilities of predisposing conditions identified and the organizational 
susceptibility regarding the safeguard countermeasures plan or implement it to impede to interfere with such events and we're hoping very much that our countermeasures will do their job our controls in place will do their job and mitigate and basically not have such an impact then there's task 2-5 determine the adverse impacts of the threat events of concern and we have to consider a couple things the characteristics of the threat sources that could initiate the events the vulnerabilities and predisposing conditions identified and the susceptibility reflecting the safeguards and countermeasures planned or implemented to impede such events now task 2-4 and 2-5 really sounded quite similar in definition do realize that 2-4 will look back at that was more about the likelihood and 2-5 was more about the impact of these threat events so likelihood versus impact now task 2-6 determine the risk of the organization from threat events of concern considering the impact that would result from the event then the likelihood of the events occurring and of course the emphasis here is risk now we look at communicating and sharing risk assessment information we start out with task 3-1 we communicate our risk assessment results essentially we communicate a risk assessment results to organization decision makers to support risk responses then task 3-2 we share the risk related information produced during the risk assessment with the appropriate organizational personnel and then now we move on to maintaining the risk assessment and we're looking at task 4-1 so with this we conduct ongoing monitoring of the risk factors that contribute to changes in the risk to the organizational operations and their assets individuals other organizations or even the nation then task 4-2 we update existing risk assessment using the results from ongoing monitoring of our risk factors here kind of the idea here is we have to maintain what we've done there can be changes in our environment it's not 
something that stays exactly the same the threats don't stay exactly the same so with anything our risk factors can change and we need to be able to change as well with that and adapt here's the risk management process again and of course described in this special publication 800-30 revision 1 800-37 revision 1 800-39 and looking at this we're looking at the response so moving forward we look at risk responses we could have risk acceptance sometimes called tolerance risk sharing risk transfer risk avoidance and risk mitigation we think of risk acceptance this is basically would be a good response when the identified risk is within the organizational risk tolerance a lot of times it might simply be cost effective it seems like it's risk level that we can live with now risk sharing or risk transfer would be appropriate risk response when the organization's desire and have the means to shift risk liability and responsibility to other organizations with risk avoidance this could be the appropriate response when the identified risk exceeds your organizational risk tolerance and maybe there's certain activities that your organization participates in and we simply try to doing those activities not allow those things that we consider to be unacceptable so we cease those activities and of course there's also risk mitigation which is sometimes called risk reduction this would be the appropriate risk response for the portion of risk that cannot be accepted avoided shared or transferred now on to risk response we have task 3-1 we identify alternative courses of action to respond to the risk determine during our risk assessment task 3-2 evaluate these alternative courses of action for responding to risk so we've identified them now we're evaluating them looking at them task 3-3 decide on the appropriate course of action for responding to risk after we've done this evaluation make our decision and task 3-4 implement the course of action selected to respond to the risk so with 
these four tasks you could basically summarize it as risk response identification the second one evaluation of alternatives the third one risk response decision and the fourth one risk response implementation so now we look at the risk response strategy so the key elements of a risk response strategy could include who's going to be responsible dependencies on other risk responses there could be dependencies on factors such as our technologies timelines plans for monitoring the effectiveness of these and interim response measures now looking to get at the risk management process now we're going on to the monitor phase now with monitoring risk now risk monitoring provides organization with a means to verify the compliance are we doing as we should determining the ongoing effectiveness of the risk response measures and identifying the risk impacting changes to organizational information systems and environments of operation now we look at the task here of risk monitoring we start out with task 4-1 develop a risk monitoring strategy for the organization that includes a purpose type and frequency of the monitoring activities with the idea of monitoring the compliance the effectiveness changes automated versus manual monitoring and of course looking at how often the frequency of this monitoring so we think of task 4-1 we could summarize and just say risk monitoring strategy now going on to task 4-2 which we could summarize as risk monitoring we monitor the organizational information systems and environments of operation on an ongoing basis to verify compliance determine the effectiveness of the risk response measures and identify changes the risk management framework and the SDLC system development life cycle now moving on to the risk management framework going to transform the traditional certification and accreditation CNA process into the 6th step risk management framework we call RMF and the revised process will emphasize many things building information security 
capabilities and the federal information systems through the application of state of the practice management operational and technical security controls next maintaining awareness of the security state of information systems on an ongoing basis through the enhanced monitoring processes as well as third thirdly providing essential information to senior leaders to facilitate decisions regarding acceptance of risk to organizational operations and assets individuals other organizations and the nation arising from the operation and use of information systems now concerning the risk management framework it has these characteristics the idea is to promote the concept of near real-time risk management and ongoing information system authorization through the implementation of this robust continuous monitoring process and we've seen a lot of emphasis on a continuous monitoring process we still have it here encouraging use of the automation to provide senior leaders with necessary information so they can make good decisions so they can make cost effective risk-based decisions with regard to the organizational information systems supporting their core missions and business functions integrating information security into your enterprise architecture and your system development life cycle so when we think about security it's throughout the process not necessarily an afterthought providing emphasis on the selection implementation assessment monitoring of security controls and authorization of information systems that's very important fact too links risk management processes at the information system level to risk management processes at the organizational level through a risk executive function and establishing responsibility and accountability for the security controls deployed within the organizational information systems and as well as those that were inherited by the systems we call these common controls then there is a security control assessment and this is basically 
testing and our evaluation of your management operation and technical security controls in an information system to determine the extent to which the controls are actually implemented correctly they're doing as they should they're operating and they're producing the desired outcomes with respect to meeting the security requirements for the system and with regard to management operational and technical controls remember management is like administrative type controls policy standards processes procedures guidelines and we may think of operational control sometimes called physical controls this could be physical security related doors locks walls fences and so on as well as technical controls also known as logical controls and this could deal with access controls identification authentication authorization confidentiality integrity availability non-repediation factors like these applying the risk management framework so the purpose of the publication is to provide guidelines for applying risk management framework to federal information systems to include conducting the activities of security categorization security control selection and the implementation and the assessment and course information system authorization and security control monitoring so we think of the purpose of these the guidelines have been developed to ensure certain things to ensure that management are managing information system related security risk is consistent within the organization's mission business objectives the overall risk strategy established by senior leadership through the risk executive function we also want to ensure information security requirements including necessary security controls are actually built in or integrated into the organization's enterprise architecture and system development life cycle process SDLC again to support consistent well-informed and ongoing security authorization decisions through continuous monitoring it doesn't stop transparency of the security and 
risk manager related information risk and to achieve more secure systems and information systems within the federal government through the implementation of appropriate risk mitigation strategies so here we go this is what we've looked through we've looked at the risk management framework and actually we've seen an overview or actually as we go through this book we're going to see these in much deeper detail going through our starting point of categorizing information system step one and step two select your security controls step three implementing the security controls step four assess the security controls step five authorize the information system and step six monitor the security controls so the chapters coming up basically the remainder of the book for the most part we'll go into these each and every one
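As an added worked example, not part of this lecture and not code from NIST or any publication it cites, the Python below walks the assess-risk and respond-to-risk tasks discussed above as a small semi-quantitative risk register: adversarial likelihood built from intent, capability and targeting, non-adversarial likelihood from range of effects, both tempered by susceptibility after countermeasures (Task 2-4), impact (Task 2-5), a combined risk score binned into the qualitative levels very low through very high (Task 2-6), aggregation of several discrete risks into one higher-level risk, and selection of a response (accept, share/transfer, avoid, mitigate) against a stated risk tolerance. The 0-100 scale, the bin boundaries, the combining formulas and the sample threat events are all assumptions constructed for this illustration; they are not the values or formulas in SP 800-30.

```python
"""Constructed example: a semi-quantitative risk register in the style of the
SP 800-30 assess/respond tasks covered in the lecture.  The 0-100 scale, bin
boundaries, combining rules and sample events are assumptions, not NIST values."""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed bins mapping a 0-100 semi-quantitative score to a qualitative level.
BINS = [(0, 15, "very low"), (16, 35, "low"), (36, 70, "moderate"),
        (71, 90, "high"), (91, 100, "very high")]


def to_level(score: int) -> str:
    """Map a score onto the qualitative level of the bin it falls in."""
    for low, high, name in BINS:
        if low <= score <= high:
            return name
    raise ValueError(f"score {score} is outside the 0-100 scale")


@dataclass
class ThreatEvent:
    """One threat event of concern (Task 2-2) with the factors later tasks need."""
    name: str
    adversarial: bool
    susceptibility: int        # 0-100 exposure left after planned/implemented safeguards (Task 2-3)
    impact: int                # 0-100 magnitude of harm if the event succeeds (Task 2-5)
    intent: int = 0            # adversarial source characteristics (Task 2-1)
    capability: int = 0
    targeting: int = 0
    range_of_effects: int = 0  # non-adversarial sources only
    transferable: bool = False # liability can be shifted to another organization
    avoidable: bool = False    # the organization can simply cease the activity


def likelihood(event: ThreatEvent) -> int:
    """Task 2-4: adversarial initiation is the mean of intent, capability and
    targeting; non-adversarial initiation is the range of effects.  Either is
    then scaled by susceptibility, so effective countermeasures lower it."""
    if event.adversarial:
        initiation = (event.intent + event.capability + event.targeting) / 3
    else:
        initiation = event.range_of_effects
    return round(initiation * event.susceptibility / 100)


def risk_score(event: ThreatEvent) -> int:
    """Task 2-6: combine likelihood and impact into one 0-100 risk score."""
    return round(likelihood(event) * event.impact / 100)


def choose_response(event: ThreatEvent, tolerance: int) -> str:
    """Accept within tolerance; otherwise share/transfer or avoid where the
    organization has the means; mitigate whatever portion remains."""
    if risk_score(event) <= tolerance:
        return "accept"
    if event.transferable:
        return "share/transfer"
    if event.avoidable:
        return "avoid"
    return "mitigate"


def aggregate(events: List[ThreatEvent]) -> Tuple[int, str]:
    """Roll discrete risks up to one higher-level risk: the worst event sets the level."""
    worst = max(risk_score(e) for e in events)
    return worst, to_level(worst)


def build_register(events: List[ThreatEvent], tolerance: int) -> List[dict]:
    """Rows a decision maker would receive under Task 3-1 (communicate results)."""
    return [{"event": e.name, "likelihood": likelihood(e), "impact": e.impact,
             "risk": risk_score(e), "level": to_level(risk_score(e)),
             "response": choose_response(e, tolerance)} for e in events]


# Constructed sample events for one mission/business process; numbers are illustrative.
SAMPLE_EVENTS = [
    ThreatEvent("ransomware on the file server", True, susceptibility=75, impact=85,
                intent=90, capability=80, targeting=70, transferable=True),
    ThreatEvent("tornado damages the data center", False, susceptibility=30, impact=90,
                range_of_effects=60),
    ThreatEvent("exploit of unpatched internal web app", True, susceptibility=95, impact=40,
                intent=70, capability=60, targeting=50),
    ThreatEvent("credential phishing of administrators", True, susceptibility=90, impact=95,
                intent=95, capability=90, targeting=85),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_EVENTS, tolerance=35):
        print(row)
    print("aggregate:", aggregate(SAMPLE_EVENTS))
```

With a tolerance of 35 the tornado and web-app events are accepted, the ransomware event is shared/transferred because the register marks it transferable, and the phishing event, which scores high, falls through to mitigation; the aggregate for the process is therefore high, driven by that single event. Note how the same impact can produce very different risk once susceptibility differs, which is the lecture's point about companies sharing a vulnerability but not a likelihood.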