Enterprise Risk Management Components Overview

This blog breaks down the NIST Risk Management Framework into five (5) unique components and explains how each must work together in order to successfully limit risk across the Enterprise.

The National Institute of Standards and Technology (NIST)'s Risk Management Framework can be easily grouped into five (5) unique components. This components are depicted on the graphic below:



 

Each component noted above is attached to a set of roles that go hand-in-hand with the National Institute of Standards and Technology (NIST) guidance on both, Risk Management and Cybersecurity Frameworks. While one can state that the Information Assurance Components are mainly tied to Risk Management Framework, the Cybersecurity Components rely on that framework to function properly. The next few sections will provide an overview of each component and how they MUST work together for the frameworks to function properly.

 

Information Assurance (IA)/ Security Assessment Components

 



To understand the components that fall under Information Assurance aka Security Assessment component of the NIST Risk Management Framework (RMF), it’s essential to grasp how the associated RMF tiers falls within it. Each individual group within this component MUST flow together for the implementation to be successful. Unfortunately, we see a lot of failures impacting this component because they do not flow correctly due to failures at Tier 1 and Tier 2, which in many cases are not even considered by non-government organizations as essential- either due to lack of knowledge and/or understanding on how it is meant to function. 

Each individual group within this component has a set of key tasks that MUST be molded to each individual organization, as there is no such thing as “One Size Fits All”


Failure to establish the components noted under this area will lead to a high number of unknown risk at the organizational level. They are essential for limiting the impact of a cyber-attack across the organization and must be in place prior to incorporating the Cybersecurity Framework components. 

 

Governance/ Security Leadership

 

The first component is the most important of all components, because it will delineate the best approach for the organization to apply the Enterprise Level Risk Management process without impacting existing resources and/or going over-budget. In fact, this component is where the items noted on NIST's RMF Tier 1 take place. The decisions agreed upon by high level executives within this component will have an impact on all other components that follow. As part of this component, the following takes place:

 

·         The organizations Risk Management approach is clearly delineated.

·         The organizations mission and business objectives are clearly identified.

·         The organization's Risk Appetite and Acceptable Levels are approved and enforced.

·         The business objectives and budget restrictions are clearly identified.

·         Existing Resources are analyzed, and new resource requirements are identified.

·         Organizational Target Sectors are clearly identified along with the security standards impacting each sector.

 

Under this section, the following roles are key: 

Roles

Description

Enterprise Level Risk Assessor/Auditor

An Enterprise Level Assessor is responsible for performing the Risk Management Tier 1 & Tier 2 assessment within the organization in order to identify possible issues with an existing Security Program and/or to determine how to best implement a Security Program that abides by a well-structured Risk Management Framework.

Chief Information Officer (CIO)

Depending on the company size, the CIO functions as an advisor and in some instances takes on the CTO Role. As an advisor, the CIO will help the organization implement the Security Program in accordance with the Enterprise Level Assessment prioritization process and oversee the resources required to make it function.

 

In addition, it will provide additional aspects associated with the unique mission and business objective requirements in a manner that limits the cost associated with implementing a Risk Management Framework.   

Chief Technology Officer (CTO)

A CTO works closely with the CIO, if any, and/or the organization’s executive team to implement the technical aspects associated with the Security Program implementation process.

 

The CTO examines the unique requirements of each division and closely with the organization’s Information Technology team to ensure that the enterprise environment is secured accordingly and it addresses all essential components. 

Enterprise Privacy Officer (EPO)

The Enterprise Privacy Officer is responsible for keeping track of all types of data being processed, stored, or transmitted by the organization on its behalf or that of its consumers.

 

In addition, the Privacy Officer must be familiar with the associated laws impacting the organization based on its unique mission and business objective. This task could be done by the CIO IF it is a small midsize company.

  

Information Assurance (IA)

 

The second component can be broken into two (2) unique areas that are essential, as they target Tier 2 and Tier 3. This areas are unique and have different tasks that make the program function accordingly. The following table provides an overview of each area and how it functions based on the NIST RMF Tiers. This areas are described in the table below.

 

Area

Description

Management

The management component incorporates personnel responsible for delineating Tier 2 tasks. They are responsible for developing enterprise level policies and procedures related to the implementation of the Risk Management Framework identified as part of Tier 1assessment process and gathering details on the organization’s unique division requirements.

 

They work closely with Tier 1 personnel to ensure the policies, procedures, and methodologies identified as part of Tier 2 go hand-in-hand with the items agreed upon as part of Tier 1 and each organizations division’s management team. Items developed in this area have a major impact in Tier 3 implementation requirements, whether it is for internal and/or external systems.

 

In addition, Tier 2 MGMT coordinates with Tier 1 personnel to ensure they understand the risks introduced by any of the systems developed as part of Tier 3 under their purview and to attain approval for the systems prior to goLive in order to ensure they comply with the organization’s risk appetite and acceptable level.

 

Tier 3

 

Tier 2 Management then works closely with the Liaisons, who are responsible for Tier 3 level implementation of the requirements agreed upon by Tier 1 & Tier 2 teams. Tier 3 is required to follow and/or reach out to Tier 2 MGMT anytime they have questions about any of the policies and procedures set at the Enterprise Level by Tier 2.

 

Liaison

The Liaison component incorporates personnel responsible for ensuring that the guidance provided by Tier 1 & Tier 2 is applied correctly at Tier 3. Their main goal is to ensure that the systems under their purview comply with the requirements set by the MGMT team. They are constantly coordinating with the technical teams (i.e., Network Administrators, Developers, IT Teams) to gather the necessary information on the systems being developed in order to clearly document and develop  the security documentation required as part of the Certification process and/or to validate their input as part of a security assessment.

 

The task of a liaison will be determined by the System Development Life Cycle (SDLC) phase the system is in. Liaison’s that are part of the initial in-house developed system’s SDLC process have higher responsibilities than those who simply take over someone else’s job, because they will be engaged in the process of identifying key security functional requirements impacting the system being developed in order to ensure that they comply with the associated security standards tied to the system.  

 

Defense In-Depth

This component includes Security Auditors/Assessors responsible for either validating the content generated by the Liaison component under IA and/or for testing and developing security baselines for all software and hardware being introduced into the environment. 


They are responsible for identifying deficiencies with the systems both operational and technical and developing the final documentation to be included as part of the certification in order for the certifier to make a determination on whether or not the system should be operational and/or be held until the risk identified are mitigated before going through the certification process if they fail to meet the organization's agreed upon risk appetite/acceptance level.


Personnel at this level must be highly technical and have the necessary knowledge to understand the architecture and engineering areas of a system. Technical testing leverages a mix of tools and hands-on techniques. 


In an ideal scenario, the liaison's will do their own risk assessment and ensure defense in-depth is applied across their systems prior to an audit, but that's not always viable because 80% of those in the liaison role have limited and/or no hands-on technical experience on how to perform Quality Assurance (QA) Testing on an Information System.

 

Cybersecurity Components

 



The Cybersecurity components are activated as soon as the system has been accredited and approved to operate. These components are key to ensuring that the information system risks are kept within the organizations’ acceptable risk level.

 

The teams under this component have a number of responsibilities geared towards protecting the network from within the organization and maintaining the security level. Each team in this section works together to enforce defensive mechanisms and ensure the appropriate plans are activated.  They are summarized on the table below.

 

 

Defensive Security Team

 

Role

Description

Privilege Users aka Administrators

The team members with privilege level responsibilities for each individual layer (i.e., OS, App, DB, NetDevice, etc.) are responsible for ensuring the software, hardware, and firmware are up-to-date on patches. This must be done by following the organization's Configuration Management Process and in conjunction with the IA team. 

Security Operations Center (SOC)

The team is responsible for monitoring all systems for anomalies and unauthorized access. Once anomalies and/or unauthorized access is identified, they initiate an investigation to determine the validity of the anomaly identified. If valid, they initiate the incident response process and notified the parties for the systems impacted. For organizations without a SOC team, the tasks falls upon the Network Administrators.

Incident Response Team

This team is responsible for executing the incident response plan in conjunction with the cybersecurity identification process. They work closely with the IA and Network teams to delineate the steps required to address the incident.  

Forensic Team

This team is responsible for gathering the necessary data after a breach is deemed valid to serve as evidence in court. This includes extracting images of the system(s) for preservation and further in-depth examination. In smaller organizations, this can be performed by the incident response team.

Blue Team

This team is a group of assessors/auditors that perform ad-hoc penetration testing on internal applications to test their security posture. The ad-hoc systems are selected by upper management for a more in-depth test, with an emphasis on systems deemed mission critical.

 

The key focus is identifying internal level threats and vulnerabilities. Unlike the Defense In-depth teams, they target systems identified by MGMT with minimal notification to those responsible for the system (i.e., ISSM, ISSO, and System Owner).

 

Offensive Security

This component leverages 3rd Party Service providers to assess the organization's security posture. The teams selected have no hands-on knowledge of the systems to be tested and must not have had an involvement on the architecture or engineering process. They are meant to provide a non-bias assessment of the organization's security program and their mission critical systems. The teams under this component are noted on the table below. 


Role

Description

Red Team

This team is responsible for testing the systems clearly delineated and approved by MGMT to undergo an in-depth assessment tied to a specific vulnerability. The main focus is to determine if such vulnerability can be exploited and to document the process applied to exploit such vulnerability in order to determine the key layers that required a more in-depth security review.   

 

The tools, methods, and actions to be taken are fully documented and will serve as a "FREE OUT OF JAIL" ticket. The team also includes possible impact as part of the test and ensures the client has the appropriate mechanisms in place to restore their systems in the event testing leads to an inadvertent impact. This is why it is essential that an organization requesting a Penetration Test from a 3rd Party provider has a fully documented Security Plan delineating what can and cannot be performed in the process.

Purple Team

This team is responsible for reviewing the outcome from the Blue and Red teams and delineating a viable plan to address the issues identified internally and externally based on the organization's mission and business objectives.  Once the analysis is completed, the team helps the organization prioritize the mitigation process.   

 

Which areas are covered by CyberAdeptness?


The emphasis for the current services provided by CyberAdeptness are tied to helping organizations implement the Information Assurance components- which emphasize on the Risk Management Framework applicability- in the correct manner to limit risk to what matters and lower the cost tied the Engineering side associated with the  Defensive Security component of Cybersecurity. 


However, unlike most cybersecurity companies, we prefer to do an Enterprise Assessment first to determine the most cost effective approach for tackling the implementation, those ensuring that cost is kept to a minimum and the key essential areas are prioritized. This will ensure that the process can meet the organization's mission and business objectives and that the correct resources needed are identified correctly. 


An Enterprise Assessment will provide a clear view for management to determine the path that will lead them to meet specific business objective within the timeframe set and comply with the target sector requirements, which tend to be unique in nature.

Due to security concerns, we limit our web content to bare bones. Please note that you will receive a response within forty-eight (48) hours or less.

By Karen Baez | on Friday, February 28, 2020 10:39