RISK FRAMEWORK AND POLICY
Risk Framework and Policy Services Overview:
The NIST Risk Management Framework (RMF) provides a comprehensive, flexible, repeatable, and measurable 7-step process that any organization can use to manage information security and privacy risk for organizations and systems. It links to a suite of NIST standards and guidelines that support implementation of risk management programs and help organizations meet the requirements of the Federal Information Security Modernization Act (FISMA).
TandT RMF Offerings
Prepare
Carry out essential activities to help prepare all levels of the organization to manage its security and privacy risks using the RMF.
Service Output
- Key risk management roles identified.
- Organizational risk management strategy established; risk tolerance determined.
- Organization-wide risk assessment.
- Organization-wide strategy for continuous monitoring developed and implemented.
- Common controls identified.
Categorize
Inform organizational risk management processes and tasks by determining the adverse impact with respect to the loss of confidentiality, integrity, and availability of systems and the information processed, stored, and transmitted by those systems.
Service Output
- System characteristics documented.
- Security categorization of the system and information completed.
- Categorization decision reviewed/approved by authorizing official.
Select
Select, tailor, and document the controls necessary to protect the system and organization commensurate with risk.
Service Output
- Control baselines selected and tailored.
- Controls designated as system-specific, hybrid, or common.
- Controls allocated to specific system components.
- System-level continuous monitoring strategy developed.
- Security and privacy plans that reflect the control selection, designation, and allocation are reviewed and approved.
Implement
Implement the controls in the security and privacy plans for the system and organization.
Service Output
- Controls specified in security and privacy plans implemented.
- Security and privacy plans updated to reflect controls as implemented.
Assess
Determine if the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization.
Service Output
- Assessor/assessment team selected.
- Security and privacy assessment plans developed.
- Assessment plans reviewed and approved.
- Control assessments conducted in accordance with the assessment plans.
- Security and privacy assessment reports developed.
- Remediation actions taken to address deficiencies in controls.
- Security and privacy plans updated to reflect control implementation changes made based on the assessments and remediation actions.
- Plan of action and milestones developed.
Authorize
Provide accountability by requiring a senior official to determine if the security and privacy risk, based on the operation of a system or the use of common controls, is acceptable.
Service Output
- Authorization package (executive summary, system security and privacy plan, assessment report(s), plan of action and milestones) assembled.
- Risk determination rendered.
- Risk responses provided.
- Authorization for the system or common controls is approved or denied.
Monitor
Maintain ongoing situational awareness about the security and privacy posture of the system and organization to support risk management decisions.
Service Output
- System and environment of operation monitored in accordance with the continuous monitoring strategy.
- Ongoing assessments of control effectiveness conducted in accordance with the continuous monitoring strategy.
- Output of continuous monitoring activities analyzed and responded to.
- Process in place to report security and privacy posture to management.
- Ongoing authorizations conducted using results of continuous monitoring activities.