Within the realm of cyber security, risk is what drives cybersecurity professionals to make decisions on crucial security controls within their environments every day. Risk cannot be 100% eliminated from an environment, but it can be mitigated and managed down to its lowest possible impact. Risk management strategies consider current infrastructure and future needs in a proactive manner. Proper application of risk management in an organization should be done through a risk management framework, and one of the most popular is provided by NIST. This review of risk management will describe an example risk management framework as applied to an organization, walk through the NIST guidance on risk management, and conclude with some reflections on the topic.
NIST Special Publication 800-37, Revision 2 was the framework used for the risk management framework covered below. Chapter 2, Section 2 calls out the steps and structure for building a risk management framework. These steps are Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor. A brief summary of each is given below, quoted from the Special Publication.
Prepare to execute the RMF from an organization- and a system-level perspective by establishing a context and priorities for managing security and privacy risk.
Categorize the system and the information processed, stored, and transmitted by the system based on an analysis of the impact of loss.
Select an initial set of controls for the system and tailor the controls as needed to reduce risk to an acceptable level based on an assessment of risk.
Implement the controls and describe how the controls are employed within the system and its environment of operation.
Assess the controls to determine if the controls are implemented correctly, operating as intended, and producing the desired outcomes with respect to satisfying the security and privacy requirements.
Authorize the system or common controls based on a determination that the risk to organizational operations and assets, individuals, other organizations, and the Nation is acceptable.
Monitor the system and the associated controls on an ongoing basis to include assessing control effectiveness, documenting changes to the system and environment of operation, conducting risk assessments and impact analyses, and reporting the security and privacy posture of the system.
(Joint Task Force, 2018)
The subsections below summarize the final paper I wrote for this course. In this paper, I focused on applying concepts learned from NIST Special Publication 800-37, Revision 2 to a K-12 school district's student information system (SIS). For an educational institution, a student information system is a critical asset that manages all data about students within the organization.
This section lays the groundwork for a successful build of the risk management framework. From the perspective of the SIS, we set the ground rules: the need to understand the CIA triad (confidentiality, integrity, and availability) as it applies to the SIS, and who is responsible for building, implementing, and monitoring the risk management framework. More details on these items come in later sections.
Assessing the impact to the confidentiality, integrity, and availability of data and systems within the District is known as Security Categorization. There are three levels of impact as identified by FIPS Publication 199 (NIST, 2004). An impact is considered low if there is a limited adverse effect on the District or individuals. An impact is considered moderate if there is a serious adverse effect on the District or individuals. Finally, an impact is considered high if there is a severe or catastrophic adverse effect on the District or individuals (NIST, 2004, p.2-3).
The SIS has three main functions within the District: storing and managing student/parent personally identifiable information, storing and managing student educational data, and long-term storage of student information for historical purposes. Table 1 shows the information types as identified by NIST Special Publication 800-60 Volume 2 (Stine et al., 2008).
Table 1. Initial Impact for SIS Data Types
These recommendations are a starting point; the District must also take State and Federal mandates into consideration. For example, the Deferred Action for Childhood Arrivals (DACA) program can use education records to help prove an individual's continuous presence in the United States (US Department of Education, n.d.). Loss of integrity or availability of retained records could severely impact an individual if that information is needed for DACA purposes. This is a clear case for raising the impact level for integrity and availability of record retention data to moderate.
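To make the categorization step concrete, the following is an added example (not from the paper and not the District's Table 1) that applies the FIPS 199 method described above: each SIS information type carries provisional low/moderate/high impact levels for confidentiality, integrity, and availability, documented adjustments such as the DACA-driven one are applied, and the system's security category is the high-water mark across information types for each objective. The provisional levels in `SIS_INFO_TYPES` are constructed sample values, not figures from the page.

```python
"""FIPS 199 style security categorization for a student information system.

Added illustration: provisional impact levels are hypothetical sample values;
the adjustment for record retention mirrors the DACA rationale given in the
text. The aggregation rule (highest impact per objective across all
information types) is the high-water mark defined in FIPS 199.
"""
from dataclasses import dataclass, field

LEVELS = ("low", "moderate", "high")  # FIPS 199 impact levels, ascending
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass
class InfoType:
    name: str
    impact: dict  # objective -> provisional level (SP 800-60 style)
    # Each adjustment is (objective, new_level, rationale); the rationale is
    # mandatory so every deviation from the provisional level is documented.
    adjustments: list = field(default_factory=list)


def rank(level: str) -> int:
    """Position of a level in the low < moderate < high ordering."""
    if level not in LEVELS:
        raise ValueError(f"unknown impact level: {level}")
    return LEVELS.index(level)


def adjusted_impact(info_type: InfoType) -> dict:
    """Apply documented adjustments to the provisional levels.

    Adjustments may raise or lower a level, but each must name a valid
    objective and level and carry a non-empty rationale.
    """
    result = dict(info_type.impact)
    for objective, level, rationale in info_type.adjustments:
        if objective not in OBJECTIVES:
            raise ValueError(f"unknown objective: {objective}")
        rank(level)  # validates the level
        if not rationale or not rationale.strip():
            raise ValueError(f"adjustment of {objective} for {info_type.name} needs a rationale")
        result[objective] = level
    return result


def categorize_system(info_types: list) -> dict:
    """High-water mark per objective across all information types the system handles."""
    category = {objective: "low" for objective in OBJECTIVES}
    for info_type in info_types:
        adjusted = adjusted_impact(info_type)
        for objective in OBJECTIVES:
            if rank(adjusted[objective]) > rank(category[objective]):
                category[objective] = adjusted[objective]
    return category


def overall_level(category: dict) -> str:
    """Single overall impact level of the system (highest of the three objectives)."""
    return max(category.values(), key=rank)


def format_category(system_name: str, category: dict) -> str:
    """Render in the FIPS 199 notation SC system = {(objective, LEVEL), ...}."""
    pairs = ", ".join(f"({o}, {category[o].upper()})" for o in OBJECTIVES)
    return f"SC {system_name} = {{{pairs}}}"


# Constructed sample input (hypothetical provisional levels, not the paper's Table 1).
SIS_INFO_TYPES = [
    InfoType("student/parent PII",
             {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"}),
    InfoType("student educational data",
             {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"}),
    InfoType("record retention (historical)",
             {"confidentiality": "low", "integrity": "low", "availability": "low"},
             adjustments=[
                 ("integrity", "moderate", "records may be used to prove continuous presence for DACA"),
                 ("availability", "moderate", "records may be used to prove continuous presence for DACA"),
             ]),
]

if __name__ == "__main__":
    sc = categorize_system(SIS_INFO_TYPES)
    print(format_category("SIS", sc))
    print("overall:", overall_level(sc))
```

Running the script prints the system category in the FIPS 199 notation; with the constructed values, the record-retention adjustment is what lifts availability from low to moderate for the whole system, which is exactly the effect the DACA discussion argues for.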
As the District identifies and categorizes its data and systems, it is necessary to identify the security controls that will be used to ensure the confidentiality, integrity, and availability of the SIS. Security controls should be selected and tailored to fit the requirements of protecting the SIS and the data it stores. There are 20 main families of security controls as identified by NIST Special Publication 800-53 Rev. 5 (NIST, 2020).
Controls within the Access Control (AC), Audit and Accountability (AU), Assessment, Authorization, and Monitoring (CA), Physical and Environmental Protection (PE), and Identification and Authentication (IA) families are key to addressing confidentiality concerns within the SIS. To address integrity concerns of the SIS and its data, security controls within the Configuration Management (CM), Maintenance (MA), Media Protection (MP), Awareness and Training (AT), and System and Information Integrity (SI) families should be considered. Finally, to address availability, security controls within the Configuration Management (CM), Maintenance (MA), Media Protection (MP), Incident Response (IR), and Contingency Planning (CP) families are essential to consider. More information on the tools and services that address these control families is provided in the Implementation section.
Once security controls are selected, it is important to ensure that they are implemented correctly through appropriate tools and services. Many controls may already be implemented through tools that exist within the District and may require no or only minor changes to apply to the SIS. For example, the District already maintains controls within the AC and IA families for many of its other systems through Microsoft Active Directory (AD). Authentication to the SIS can be implemented with AD user accounts, and rights within the SIS can be assigned through AD group memberships. Both options allow for centralized management and monitoring of users and user rights. As users move within or leave the District, their information is updated or disabled in AD, which in turn updates or disables their access to the SIS. Physical and Environmental Protection (PE) controls are handled through the data center's existing security and physical systems.
Security controls addressing the availability of our data may need to be adjusted given the critical nature of SIS data. For example, the current backup strategy for critical systems only requires quarterly checks of backups to ensure that data integrity is maintained. With the addition of SIS data, it is recommended that District backups be checked weekly to ensure their integrity. Also, the SIS will house health information for students, requiring it to meet additional compliance standards that are not covered by the District's current vulnerability scanning software. The confidentiality and integrity of this data are key, so additional scans with appropriate tools will be required to address these concerns.
Once security controls are implemented, the tools and services used to implement them must be assessed regularly to ensure their effectiveness. Many manufacturers and vendors of the tools used to implement security controls also provide assessment guidance to ensure proper implementation and compliance. One such tool is the Active Directory Security On-Demand Assessment (ASDA On-Demand). This assessment scans the District's AD environment to check compliance with the controls of the AC and IA families.
The assessment of security controls is formally tracked in the Plan of Action and Milestones (POA&M) document for the Student Information System. A sample POA&M document addressing Physical and Environmental Protection and Access Control controls can be found below.
The POA&M document provides clear guidance on the affected security controls, the issue needing to be addressed, a plan to resolve the issue, and key milestones and dates. The Control Assessor or Control Assessment Team assesses the controls. Considerations in choosing the assessor or assessment team should include both technical expertise and the level of independence the assessor or team has in completing the assessment (Joint Task Force, 2018, p.62). This allows for a more realistic assessment based on real-world usage of the system. Additional assessments by a specialized penetration testing firm may cover the security controls put in place specifically to prevent threat actors from accessing the SIS.
Once controls have been implemented and assessed and any significant risks identified, a Security Authorization Package is built and provided to the District's Authorizing Official (AO). The AO reviews this package and issues a go, no-go, or temporary (test) decision on system implementation. The Security Authorization Package is built from the SIS's security plan, the Security Assessment Report, and the POA&M (University of San Diego, 2019).
The decisions made by the AO are commonly an Authorization to Operate (go) or a Denial of Authorization (no-go). However, the AO has other options. If there are similar systems within the District with security controls that can be adapted to securing the SIS, the AO may issue a Common Control Authorization. Additionally, if the SIS were hosted by a third party and the District had little to no control over security control implementation, the AO may issue an Authorization to Use. Finally, if there are items called out in the POA&M that still need to be addressed but whose risk level is within reasonable limits, the AO may issue an Interim Authorization to Test (IATT). The IATT allows the SIS to be implemented within certain operational and timeframe limits until the POA&M items are addressed. When those items are closed out, or the timeframe expires, the updated Security Authorization Package is reviewed and a further authorization decision is made.
Once the SIS is implemented and operational, it is crucial to provide continuous monitoring of the system to ensure the security controls in place meet updated compliance requirements and adapt as environments and roles change (University of San Diego, 2016). Updates to the District's vulnerability and patch management systems will provide data on security and operating system concerns through daily scans and reports of the Student Information System. Any issues that arise from these scans will be tracked and addressed through the POA&M. Additionally, the District CISO and compliance officials are subscribed to updates from the State and Federal Departments of Education pertaining to any changes in compliance requirements for the SIS.
As changes are identified and addressed, the Authorization Package for the SIS will also be updated. This updated package will be reviewed quarterly by the AO or AO team to ensure the SIS remains in compliance with the previously granted authorization. If there are any changes to the security controls that change the risk level, the AO or AO team has the right to reassess the authorization and issue a new one accordingly. In all likelihood, given the critical nature of the SIS, if additional risk were identified the AO would issue an IATT requiring immediate remediation. Continuous monitoring provides the ongoing assessment of the risk management framework for the SIS to ensure its safe use while addressing the CIA triad.
I believe that any career professional, cyber security or not, should understand the risks to their business and how to mitigate and manage them. This approach helps limit the negative impact on a business and allows for healthier growth. From a cyber security perspective, understanding risk is key to ensuring you are creating a safe cyber environment for your business to use. For me, understanding the risk and risk tolerance of my customers allows me to help them build a stronger cyber security posture that adheres to their business needs. Some systems will have a higher tolerance for risk because the loss of confidentiality, integrity, or availability is not as impactful as for others. On the other hand, some customers have money to throw at the problem to ensure the CIA triad is maintained for certain assets. Having a risk management framework, like the one described above, helps address key areas of focus and resource allocation when addressing risk within an environment.
Ethically, understanding risk is crucial to ensuring the CIA triad of systems as well. Careless application of security controls, or not understanding the risk of losing certain assets, can be catastrophic to certain organizations. Imagine a security engineer for our power grid not understanding the risk of a threat actor getting into the grid and shutting it down. Examples like this are obvious, but all organizations carry a level of risk with them, especially in a digitally connected world. It's important to ensure that those protecting the systems, those managing the business, and everyone in between understand the role they play in mitigating risk.
Fruhlinger, J. (2020, February 10). The CIA triad: Definition, components and examples. CSO Online. https://www.csoonline.com/article/3519908/the-cia-triad-definition-components-and-examples.html
Joint Task Force. (2018). Risk Management Framework for Information Systems and Organizations (2nd ed.). NIST. https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final
NIST. (2004). FIPS 199, Standards for Security Categorization of Federal Information and Information Systems. NIST. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf
NIST. (2020). Security and Privacy Controls for Information Systems and Organizations (5th ed.). NIST. https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
Stine, K., Kissel, R., Barker, W., Lee, A., & Fahlsing, J. (2008). Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices (1st ed., Vol. 2). NIST. https://csrc.nist.gov/publications/detail/sp/800-60/vol-2-rev-1/final
University of San Diego. (2016). CSOL 530 Cyber Risk Management - Continuous Monitoring. University of San Diego. Online.
University of San Diego. (2019). CSOL 530 Cyber Security Risk Management - Authorization. University of San Diego. Online.
US Department of Education. (n.d.). Questions and Answers about Education Records. US Department of Education. https://www2.ed.gov/about/overview/focus/daca-education-records.pdf