Assess and Manage Risk with the NIST Cybersecurity Framework

NIST Cybersecurity Framework Course Outline

• Introduction to Risk Assessment and Management

  • Ensuring compliance with applicable laws, regulations, policies and directives
  • Protecting the organisation from unacceptable losses
  • Describing the NIST Risk Management Framework (RMF)
  • Applying NIST risk management processes

• Characterising System Security Requirements

  Defining the system

  • Prescribing the system security boundary
  • Pinpointing system interconnections
  • Incorporating characteristics of Industrial Control Systems (ICS) and FedRAMP-compliant cloud-based systems

  Identifying security risk components

  • Estimating the impact of compromises to confidentiality, integrity and availability
  • Adopting the appropriate model for categorising system risk
  • Specialised considerations for U.S. Government classified information

  Setting the stage for successful risk management

  • Documenting critical risk assessment and management decisions in the System Security Plan (SSP)
  • Appointing qualified individuals to risk governance roles

• Selecting Appropriate Security Controls

  Assigning a security control baseline

  • Investigating security control families
  • Determining the baseline from system security impact
  • Specialised considerations for National Security Systems (NSS)

  Tailoring the baseline to fit the system

  • Examining the structure of security controls, enhancements and parameters
  • Binding control overlays to the selected baseline
  • Gauging the need for enhanced assurance
  • Distinguishing system-specific, compensating and non-applicable controls

• Reducing Risk through Effective Control Implementation

  Specifying the implementation approach

  • Maximising security effectiveness by "building in" security
  • Reducing residual risk in legacy systems via "bolt-on" security elements

  Applying NIST controls

  • Enhancing system robustness through selection of evaluated and validated components
  • Coordinating implementation approaches to administrative, operational and technical controls
  • Providing evidence of compliance through supporting artifacts
  • Implementing CNSSI-1253 for national security systems

• Assessing Compliance Scope and Depth

  Developing an assessment plan

  • Prioritising depth of control assessment
  • Optimising validation through sequencing and consolidation
  • Verifying compliance through tests, interviews and examinations

  Formulating an authorisation recommendation

  • Evaluating overall system security risk
  • Mitigating residual risks
  • Publishing the Plan of Action and Milestones (POA&M), the risk assessment and recommendation

• Authorising System Operation

  Aligning authority and responsibility

  • Quantifying organisational risk tolerance
  • Elevating authorisation decisions in high-risk scenarios

  Forming a risk-based decision

  • Appraising system operational impact
  • Weighing residual risk against operational utility
  • Issuing Authority to Operate (ATO)

• Maintaining Continued Compliance

  • Justifying continuous reauthorisation
  • Preserving an acceptable security posture