
Strategic Implementation of the NIST Risk Management Framework (RMF) by Samantha Ramos

BSides Tampa · 41:57 · 150 views · Published 2024-04
Style: Talk
About this talk
Strategic Implementation of the NIST Risk Management Framework (RMF): A Comprehensive Guide for Organizational Security, by Samantha Ramos

Description

In my presentation, "Strategic Implementation of NIST Risk Management Framework: A Comprehensive Guide for Organizational Security," I will explore the practical application of NIST 800-37, showcasing its adaptability to diverse industries. Frequently, businesses receive the tools for implementing a framework or strategy without clear guidance on where to initiate the process. Furthermore, publications are commonly tailored to specific industries, as seen with NIST, which is designed specifically for the United States Federal government. Upon the conclusion of this presentation, attendees will gain a comprehensive understanding of the NIST RMF steps and discover ways to customize these intricacies to better align with the specific needs of their organization. The NIST Risk Management Framework (RMF) serves as a powerful tool for organizations to address security risks while aligning risk management strategies with their mission and business objectives.

The session will unfold with a practical scenario featuring a medium-sized company embarking on its initial implementation of a Risk Management Framework and Strategy. I will provide a thorough overview of the NIST RMF, including a primer on fundamental risk management concepts such as organization-level versus system-level risk management and the essential preparations for executing the RMF within the organization. An in-depth examination of the seven key steps of the NIST RMF—Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor—will follow. Throughout each step, I will demystify the associated tasks, expanding on how to seamlessly integrate them within an organization. This will include the identification of key stakeholders, understanding task inputs and outputs, and establishing criteria for measuring task success.
Building on this foundation, I will share insights derived from personal experiences, offering a unique perspective on interpreting and applying the NIST RMF. Attendees will gain valuable insights into developing a robust risk management strategy, covering the identification, assessment, and management of risks, as well as the selection and customization of effective controls. My proposed strategy involves a holistic approach, encompassing interviews with key stakeholders, a thorough review of organizational policies and procedures, familiarization with business assets and processes, and gaining insight into regulatory and legal requirements related to security and privacy. A pivotal component of the strategy involves conducting an organization-wide risk assessment, with a subsequent overview of its significance in guiding the RMF implementation process. The presentation will conclude with a focus on effective reporting to senior management, shedding light on the intricacies of conveying risks and ensuring visibility within the organization. I will highlight the versatile applications of the NIST RMF and the organization's risk management strategy across various initiatives and organizational levels, ranging from the technical domain to board-level decision-making.
Transcript [en]

[Music] hi everyone and good morning thank you for coming to uh the GRC track I'm excited you're all interested and learn about risk um before we get started I wanted to say thank you to bides for having me and a very big thank you to my dad who flew all the way from Jersey just to see me talk he's been he's a vice president of Technology at credential and he's been there for over 30 years now so he's my biggest supporter I'm super excited um so today we're going to be talking about Miss risk management framework um and I'm going to be talking about how to tailor the framework so that you can implement the controls into your own

organization so a little bit about me again I am a cyber security manager and I focus on governance risk and compliance um I've been in the industry for about 5 years now I did start criminology and criminal justice background I went to the University of Tampa and then I recently got my master's degree in information technology management and I have experienced developing Risk Management Programs within a variety of Industries including Healthcare um that's my main my main focus and then I've also been again in government I've been in finance and um gas and oil as well um and course I have to mention I'm the founder and CEO of Tampa Bay teches we are a

501c3 um nonprofit organization we have a table outside if you want to go talk to us and our mission is to close the opportunity Gap in the Tampa Bay technology industry So today we're going to be talking about some of the objectives of implementing a risk management framework um a little introduction on risk management Frameworks as a whole um as well as an organization wide risk management approach and then we're going to walk in some of the steps and talk about the inputs the outputs and some of the tasks that are associated with each step have some question don't cut off give me a little more breathing room so for this presentation you guys I'm going to be

talking about developing a RIS Management program based on the this risk management framework and also tailoring and implementing the risk management framework steps with within an organization environment so to start off um a little scenario so my boss called me up it's my boss I don't know if he's that happy but um and he says hey Sam I'm building out a c program but I don't know where to start I don't know where to put my resources I don't know you know how exactly to implement certain controls um we're a mediumsized stas based Healthcare Management platform company based out of Florida so you know when you hear Healthcare the first thing I think is Phi um and again he is asking

me how to prioritize security efforts and to build Out Security risk management program and when I hear that when I hear about risk management program the first thing that comes to my mind mind is building out a risk management program by a framework and this will later be incorporated into the overall risk management program plan so from there I pick which risk management framework I just always go with n because um n was created for a federal environment and so it's a lot easier to tailor those controls since they are very robust um and again RIS management Frameworks are guidelines and principles which an organization ad to effectively manag risk and it provides leadership with visibility and

transparency the cyle of risk management within the organization and we know in security that you know risks and information systems are easier to manage when there's more transparency and visibility so some key features of all risk management Frameworks we have risk identification assessment mitigation monitoring and Reporting and also risk governance and these are some popular rmfs and we be talking about M 837 but there's also ISO K and there's a lot of different organizations that have their own risk management framewor so specifically with the N RF um it for the new version the new n RMF promotes security and privacy capabilities into Information Systems the sglc so what we see in this new risk management framework version of M is

that it's promoting um the risk management framework to be implemented early onc preferably in the development stage this RF very dnam and as I mentioned earlier and it provides um it provides a repeatable process to assess and mitigate risks and again allows organizations to maintain Awareness on the security posture of the organization as well as establish accountability and responsibility as we'll see the M RMF has a lot of focus on roles and responsib um and again integrates the security PR requirements within different processes in the organization so the this RF it um introduces a concept of organization wide risk management and what this says is that risk management is really an organization wide effort um there really

has to be um communication between level one and we'll see the level two and level three as well so the top level is organization level and this is um Senior Management this is why Senior Management wants to bring in a risk and a cyber security team what is the mission what is the business objectives and what are the goals for bringing in Risk Management why is RMF being implemented is it for you know for reputation purposes is it to make sure that cost effectiveness of controls are being implemented properly um there there has it has to come from the directives of these of moving on to level two is the mission and business process level so that's

where I sit um this is really connecting level one and level three which we'll see as Information Systems the mission and business process is really where um the risk management framework and risk management program is built out and this applies to the people that are managing the risk management program um the people that are building out the people that are developing it and executing it and then level three is the information system level so this is where we get into the handson control implementation um we'll see this is where the system owners also sit and where they have a high responsibility as well so again communication and Reporting has to be by bidirectional um in this entire process within the

organization and from this we get risk management across all levels now something to remember here is that level one and level two planning are essential to executing the entire risk management framework decisions at the level three and control implementations at the level three um uh excuse me level just AR can't be done in isolation um you can't Implement a control without having you know guidance from the directives above number two is that risk management is an organization wide effort so again we really have to figure out and know what our goals are before we implement the controls and risk management efforts affect every aspect of the organization so risk management eff really have to be

communicated to all levels of the organization so the M RMS steps here we're going to start getting into the little nres and details of all the steps so the first one is prepare and this is the initiation space um then we go to categorize select Implement assess authorize and monitor so some things to keep in mind here is that the steps can be carried down in any order and what you'll see in the middle is that prepare has an arrow going to every step and that's because every step does incorporate some form of preparation right you can't um Implement controls you can't assess the controls or authorize the controls without having some type of preparation whether it's

like a month or two months or it's a year operation period um but they can be carried out any order they usually start in sequential order meaning they start in New preparation stage and go to categorize and go clockwise but steps can be Revisited because of how flexible and dynamic the framework is um additionally um they start organizations start in sequential order but after they go around they usually will go back and revisit some of the steps later um each step consists of multiple tasks that we'll get to in a moment um and some of the key areas that you'll see in every single step and every single task that is absolutely critical to prepare is is

the stakeholder identification so who's involved in each task and who um is responsible for what um the task inputs and outputs so what documentation what interviews what reports are we taking into to consider this in this task or this step and what's going to come out is it going to be a plan or a policy or a procedure or is it going to be some other type of maybe risk register or control assessment um and then of course the criteria for measuring pass or step success why are we implementing this and how are we going to measure that it's being the control is being implemented effectively so first step prepare I am going to warn you guys this is the

longest step um it's it's uh pretty it's pretty robust so I'll try to try to keep it a little high level here so it's actually split up into two levels it's split into the organization level and it's also split into the system level and this is the only step that split up like this and the reason for that is just so the roles and responsibilities can be assigned properly and just for EAS and use um so in this step this is where the essential activities of all levels of the organization prepare so again this is my main area um when I'm brought into an organization this is the step that I focus on the most because it

has to do with the planning and preparation of executing um the risk management framework so um in this step we establish a communication between senior leaders and system owners and operators and this that also promotes common controls and develops control baselines it reduces the complexity of the it infrastructure by introducing those common controls and baselines and it also helps prioritize and allocate resources so starting at the organization level um these steps are carried out by again management and the RIS team the first thing that we have to do is identify the roles and responsibilities so here's where we bring like Matrix so you know who's responsible and accountable and etc for each Tas that has to do with the r or

with the risk management program so for instance who is responsible for conducting the risk assessment who's responsible for updating the risk register who's who responsible for creating and reporting to Senior Management um from there then we develop a r tolerance strategy um this RK tolerance strategy is also and is a part of the risk management plan um and risk tolerance is degree of risk or uncertainty that's acceptable to the organization and this has a direct impact on decision making at the Strategic level and it helps inform risk risk based decisions and then this is where we conduct the organization wide assessment I could do a whole another presentation on organization wide risk assessment but this is basically where you can review

the um or or previous risk assessments whether they were performed externally or internally and then you can perform your own so when I got into an organization I have my own risk management um framework that I created based off of other other um Frameworks as well and this involves interviewing key stakeholders reviewing policies and procedures um reviewing processes that aren't documented so informal policies and procedures and also just get a good feel of what's going on in the bus who's responsible for what systems and so on and then we introduce organizationally tailored control baselines um and this is where the N 853 controls come in um so these control baselines are the predefined set of controls that can be

tailored by the organization to be applicable to the organization and then the common controls which are controls have to be inherited by one or more information system and again they have to be communicated to um information system owners because they're going to be the ones that are implementing the actual um the actual eony controls a good example of eony control is identity access management controls um so you know if you bring in a new information system and it has and it's of like high sensitivity you have the common controls that that information system can inherit and then um continuous monitoring including reporting requirements so organization wide right that's what we're focused on here is organization level what is our

continuous monitoring strategy as far as um updating the risk assessments updating the risk policies and procedures updating the risk management plan um and updating the risk acceptance and risk tolerance of the organization now moving on to the system level um this is performed by System owners and it gets a little bit more technical here because again we're focused on the system not just the not the organization as a whole um so the first thing that we have to do is identify the mission or business focus of the system so what is that system meant to do and where does it sit what is the what is it intended for does it hold you know Phi does it transmit Phi

or does it score Phi at all um identifying the system stakeholders so who's in charge of maintaining operating even disposing of the system um and then identifying the assets that need to be protected um we have tangible and non-tangible assets right and this could be um this this could be from Senior Management as far as cost um it could be because of the different data that the system holds um and it's based on stakeholder concerns and also again the context of which the information system is used and then we have to establish authorization boundaries so this is the scope of protection that the organization agrees to protect and this establishes accountability especially when you're working with external

stakeholders where there's contracts and ingredients in place you really have to set your stone what they're responsible for and what you're responsible for as far as security updates to controls um and this could all be this could all be drawn out in like an SLA or MSA blah and then we also have to take into account information types again is they Phi is they pii sensitive data and also the life cycle of these information what is the system doing to this data if any of it and this is where we can take in data flow diagrams as well so really see where the data travels from start to finish within the system um continuing on with the system

we have to do a system level risk assessment now so the assets are PRI prioritized based on the adverse impact or consequence of asset loss so a lot of times with the system level r assessments this is where you'll see a quantitative risk assessment com in since we're dealing with a lot more members um and then from there we come up with the requirements definition and the requirements definition is an outline of what's required for the security and privacy of the information system especially when it comes with um sensitive information and we have laws and we have regulations for example speaking of a healthcare um information system we have to abide to Hipp right so

um we have to make those requirements and make sure they align with those laws and regulations as well as the mission and the business objective of the organization and this is also where we see that balance of security and operations right this is where we kind of have to St take a step back and say okay am I putting too much focus on controls that may hinder the op hinder the operations of what this information system is um intended for um so with the requirements definition we can also look at the Enterprise architecture and this again provides visibility and transparency this is where we see the placement of the system within the Enterprise architecture of the

organization um we can see what it's connected to again where the data flows and we also can um start looking at where we will allocate those requirements that we created before um where these controls will be implemented and also this will help control the resources and reduce the redundancy of um control implementations and then we have to register the system with the organization meaning we tell senior leadership we have a system we we have a new process for implementing systems and we just T the plan so going back to my boss um he wants to know like the progress of implementing this RM for building out a risk management program and I prepared at the organization level I've talked to

the key stakeholders I've Creed the RAC chart I created the risk tolerance strategy in my risk management plan and I completed the organization wide risk assessment and this is the entire package that I'm going to be handing to my boss at this point in the RMF implementation so this includes the risk register again the interviews with key stakeholders um the review of organizational policies and procedures andar ation with business assets and processes so that would be a part of a reporting package that I would get and then I also would give eony controls and control baselines this would be in the form of like a controls catalog so um with the controls catalog what I do is

take like the this 853 controls or whatever control catalog you're using and then have another section for how we're going to be implementing it in our environment and also how it has been tailored to fit our environment and why um and then also the continuous monitor monitoring and Reporting strategy of theis the risk management program so how often will we be doing the reassessments how often will be doing um external audits um how often I will be completing an internal risk assessment and ET and then for the system level what I have created already um so we know that the Healthcare Management platform is a crown rule here right so that's the system we're really going to focus on

protecting so I've already identified the key system stakeholders so the people that um that operate the system right the people that make decisions for the system the people that don't touch the system directly but maybe work with another system that that system um touches I know the data flow the DAT life cycle the requirements we've set the boundaries and we also know where the controls are going to be implemented and this is where I also start to bring on the GRC tools so tools that will help with implementing the controls based on the framework that you built out or based on other Frameworks like M RMF or the or ISO 3100 and this can also help

with your other GRC activities um such as if you're going through an audit or if you're um you know doing a internal if you're doing internal audit too so like external and internal assessments moving on to the next step is categorize so this these um activities are performed by System owners and management and the the purpose of this step is to inform the organizational risk management processes and tasks by determining the adverse impact to the organization um so the first thing that we do here is we draw a system description so we know that this system exists and we know that it's important and we know that it has some type of right so now we need to get into the

details of the system so like who is the vendor of the system who like what other parts are on the system um where does the system sit is it on is it in the cloud is it on and then we have to develop security categorization impact levels so we're talking about low medium high impact levels so since it's our Crown Jewel you know this has a high impact level if that if that thing goes down like our our whole business is faed down so um with this this will help us assign controls and also develop common controls and control Baseline for any future systems that may come in with a high credity level as well and again to

develop these impact levels we use the results of the system level risk assessment again helps with the selection of security controls and then the cator categorization that we created is reviewed and approved by Senor management next step is Select so we're going to be now selecting the controls from this 8503 and again be a to select tailor and document the controls that's a super important stuff that everyone misses is documenting the controls um we have to remember that when we're implementing the controls to document the steps that we take because that's going to be the same way that the next person is going to be implementing them and that's how you create a standard and like

procedures for for the organization so of course the first step is control selection so this is a well defined set of security and privacy requirements um using a life cycle based systems engineering process and this guides the selection of controls so we have two types of controls we have the Baseline we have Baseline controls and we have organization generated controls um the Baseline controls are like from this 8503 from um other other catalogs like that they are the already predefined set controls that you can tailor to your organization now the organization generated controls are a different approach at the bottom of approach and why would you use that you would use that for like highly Specialized or um

systems that have our controls that have a or speaking systems that have a limited scope where the controls may not be inherited by other systems and then we do the control tailoring so um this is where we develop the common controls and basine and then we have to consider the scope for the rest of the controls and the rest controls that are being tailored and then we can also develop some compensating controls and the rationale for tailoring there are times where you think you're going to implement some controls I'll get to this a little bit but you think you're going to implement some controls or that you know a system might inherit um certain controls and

you get there and it's like you know this doesn't really meet the privacy and security requirements that this this um information system requires you have to supplement them with some some additional controls um a lot of times they're um technical controls and you can also bring in some compensating controls instead as well and then we have to allocate the controls right so there's three different types of controls that um M RMF kind of points out there's the system specific controls there's the hybrid controls and then there's the common controls common controls we know can be inherited by different um systems then we have the system specific controls so those would be like the ones that are organizationally created um the

ones that are like bottom up so the ones that are only specific to the system and then hybrid controls so these are like partially inherited by some some systems in the organization and then we have to document the plan control implementations and this is done in the security and privacy plan and this is where we really write out the intended application of the controls and this way we have it documented again for future use and it just helps with consistency of implementing these controls um again we have to take into account the inputs and outputs um as well as the common controls and the different dependencies that the information system has and this also helps with the

tracability of decisions right so documenting the control and really having document Change Control seeing who has modified the documents um can really show also too who has modified the information system itself um and then we have the continuous monitoring strategy at the system level it has to be consistent with the organization level strategy if you remember we developed a organization level um organization wise us a strategy for continuous monitoring and now we have to develop one for the system level as well and based on the impact level and the priority level the criticality level of this information system it can bu on the continuous monitoring strategy for instance the frequency of preassessments um the frequency

of uh you know reporting and also changing the control implementations and Etc and then review and approval so going back to the scenario um I've categorized the and I documented the system description so I have all the details of my information system right I have a system uh security plan and a system privacy plan as well um it has all the technical specs as as well of the information and a lot of that has has to come from like vendor specific technical specs and um some come from the the system owners as well and then I've also selected the controls right I've control to select it I've selected theol in the security and privacy plan

and I selected the continuous monitoring and Reporting strategy and now time to implement the controls so the implementation is done by the system owner and implement the controls in the security and privacy plan and document the specific details of the control implementation um and this is where we can start building out a configuration management plan for this specific system if there's not one um so the first step here of course is the control implementation and this is consistent with the organization's um Enterprise architecture um so this would be to use like the risk to um perform like a cost benefit analysis and really see where the the implementation of the control should be because um we're going to be bringing in

some compensating and supplemental controls you want to really make sure that the control implementation is is is sitting on the right spot in Enterprise architecture and the initial control assessments can be completed in parallel with thec so what I mean by that is that going back to said before about we think sometimes controls can be inherited by certain information systems but sometimes we get to implementation and it's not you know it doesn't meet the requirements in the splc and especially with like um agile and like the different iterations you can do the um initial control assessments before actually carrying out that that phase in thec it's it's very it's much more cost effective to implement those um

compensating controls early on early on in thec um and then updating the control implementation information in the system uh system and privacy points and then they assess the implemented control so here really assessing for um to make sure the controls have been implemented correctly that they're operating as intended and that they're producing the desired outcomes meeting the privacy and security requirements um and this is by the control assessor the authorizing official and Senior Management so the first thing we do is select a assessor anyone gone audit okay that's fun right um so exactly so first thing is pick an assessor right so we select who's going to be assessing the control implementations and we want to pick

someone that's impartial so someone that has not um had any say or input on the section controls um and then we draw the assessment plan so how is the assessment going to be conducted and this is something that maybe the external assessor has um but internally I'm going to add that into my system and private syst security and privacy plan so that my senior leadership knows this is how the control assessments are going to be carried out um the pl are developed reviewed and approved to assess the implemented controls and this helps level of effort and also expectations for the assessment um so it helps establish the timeline for the assessment also the roles and

responsibilities um also like the inputs and outputs and what to expect from the assessment um the control assessments then are carried out in accordance with the assessment procedures and then assessment reports are generated so that fund report that you get to read with the executive summary um with you know the findings and observations and then you get to put your initial remediation actions right sometimes there's a really basic a really basic control that you didn't know you might you might have needed for this assessment or this audit and or you might have not thought about it before and it's come up for the first time um so those are the initial remediation actions ones that can be

taken care of in like a couple of weeks um and then there's a plan of action to Milestone so these are based off of the findings and recommendations of the assessment report and these are the actions that you will um take to correct the deficiencies that were found um and during the continuous monitoring uh process and then also this includes the risk assessment um it'll be taken into account so that we can we can prioritize the risk and the mitigation process um we can help we can tiar the controls and also the we can prioritize the risk that will be remediated that we will address and then authorized this is just the senior official authorizing um the the assessment and

the selection, everything of the RMF that we have created already. It's an authorization package that we create that's used by senior management to make risk-based decisions, so it includes the security and privacy plan, it includes the assessment report, the plan of action and milestones, as well as the executive summary, and then the risk analysis and determination. So this is where the senior management authorizing official says: yes, I understand the risks of this information system, the implementation of these controls, and I understand everything that you guys have done here, and let's continue implementing the RMF within the organization. And then we move on to the risk response, so this is the

course of action in response to the risk determination. So if you respond to a risk with mitigation, we analyzed the authorization package and we determined that we're going to try to mitigate this risk. After the mitigating controls are implemented, we reassess the controls and then update the security and privacy plans. Now, if the risk response is acceptance, the deficiencies found during the assessment remain documented, and the reports are monitored for changes to the risk factors. As we see, there's a lot of changes that happen within environments, especially in the tech industry; there's changes all the time, new implementations, new migrations. So we have to keep updating these risk management

policies and procedures, as well as the risk management plan and program overall, to make sure we take all these changes into account. And then the authorization decision: this is the determination of the common control inheritance, so the authorizing official saying, yes, this information system can inherit this control, as well as the limitations of the system operation once the controls are implemented. And then we have the reporting of the authorization decisions. So going back to the scenario: I've implemented the controls and then I've also assessed the controls, right? So we have the assessment plan, the control assessment, the control assessment report, the remediation, and the plan of action and milestones, and then we also have the authorization

package that's being presented to the authorizing officials. And then we monitor it. So this is performed by almost everyone that's been involved so far, and this is to maintain an ongoing situational awareness about the security and privacy posture of the organization overall and, of course, to help the risk-based decisions. So we monitor for system and environment changes: new systems being brought on, or if a system is being disposed of, or if there's a merger, or if there's an acquisition, or if we're migrating to the cloud, or if we're implementing AI, that's a big one right now too. We have to make sure that we have a streamlined and formal change

management and configuration management process. And we also complete ongoing assessments, so these are assessments of the implemented controls and the controls used, and we perform the ongoing risk response, so again the mitigation activities, the acceptance criteria, responding to risk based on what we created before. And then we update the authorization packages, or package, so with the plans we update it with the modifications to controls. The control assessment reports are the additional control activities that are carried out to determine the control effectiveness. So sometimes the measuring criteria for implementing controls might be a little fuzzy at first, until you start to realize what baselines are really looking for and the

deviations from those baselines. And then we have the POA&M, the plan of action and milestones, which are based off of the progress of the outstanding activities. So this is just the timeline, the check mark of yes, we did this, we can continue implementing the framework and continue with assessments. And then the security and privacy reporting and ongoing authorization, and determining whether the risk remains acceptable. And then of course we have the system disposal, but that's also a whole other presentation about disposal strategies and information disposal as well. So in conclusion: the documentation developed during the RMF steps becomes a part of the overall risk management program and plan, and you've learned the seven

steps of the NIST RMF and how to tailor them to your organization, as well as the key tasks of the NIST RMF and how to implement them in different environments. Yeah, that's it. We'll do some questions now. This is my contact info, that's my LinkedIn, and then I have some upcoming sessions and we have some upcoming events if anyone's interested. Again, we have a table with all the vendors, so feel free to come talk to me.

Yes, it depends on the size of the company and also the type of data that they hold. So again, if it's like PHI or if it's like government, then typically it'll be much longer, it'll be like a year or so, but sometimes, for a very small company, it can be carried out in a month or a few months. Could you talk a little about risk tolerance and what risks the framework allows? Yeah, so risk tolerance again is like the degree of what's acceptable to the organization, and so the frameworks don't really cover that; it's more how you tailor it to your own organization. So that's something that is created by the organization. You establish risk tolerance, you do, you know, the

high, medium, low of risk, and you look at which risks we would still be okay with having in the environment. So like I said, there's no risk that would be acceptable per se, but it's more so just based on priority.

Yeah, so I would look at GRC tools overall. I really like long trust, that's my favorite one, because it has a lot of integration capabilities and also we can really keep track of a lot of activities there, also like management. You do your own internal audits as well.

Questions, talking to people. So I always say too that to really secure a business, you really have to know everything that's going on there. So the first thing that I do whenever I'm brought to an organization is just talk to people. I go in there, I set up meetings with every single department, and I ask them: what are your key tools, what do you use, and who's responsible for it? And I even ask for a little demo if they can show me where things sit and what kind of information is in there, who touches what. So really getting to know every in and out of the

processes, the tools that are in your environment, I think is the key there. Yes. Any challenges as far as

your process? Yes, so we have to, and that's where it's really important to get that focus from the C-level. So again, it's an organization-wide approach, and the security initiatives really have to come from the top level. When it comes to communication issues, yes, I have had issues where I tried to implement something but it didn't work because no one knew about it, and that's because no one from the top was really talking about, you know, the cybersecurity team is building out this program. So with stuff like that, what I really like to do is tell my director or my manager and say, I'm having this issue, can we make

this more formal? So what I've done previously is I've taken it to senior management and given a presentation on this is what we're establishing, this is how you guys are going to be involved, this is how it's going to affect you, and this is what I need from you to make it easy. So that's why that planning stage is also very important, the preparation stage.

Absolutely.

All right, well, thank you very much. Really appreciate you guys.
