Applying a Risk Management Framework to Improve Information Security

Whether you perform risk assessments for clients or your own organization, you know how daunting it can be to define and prioritize the risks you identify. Fortunately, security frameworks exist to help us create a strategy for minimizing or eliminating risks. The NIST (National Institute of Standards and Technology) RMF (Risk Management Framework), while focused on setting security standards that federal agencies must follow, is also popular in the private sector since it contains practical guidance that organizations can use to better protect their people, operations and assets.

In this blog post, I detail the key ideas in the NIST RMF and explain how to start applying the framework in practice in your organization.

NIST RMF: A Risk-Based Process

The NIST RMF is associated with several standards, including the following:

  • NIST SP 800-37 — “Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle” Since 2004, this guide has helped organizations achieve compliance with the Federal Information Security Management Act (FISMA), a U.S. federal law that requires federal agencies to implement an information security program. The NIST SP 800-37 takes the certification and accreditation process (a traditional way to implement any formal process) and transforms it into the six-step RMF process, which is described in more detail below.
  • NIST SP 800-53/800-53a. While the NIST SP 800-37 provides the actual security framework, NIST SP 800-53/800-53a is a set of standards created to help federal agencies meet the requirements set by FISMA. Federal agencies have to follow these standards, but the private sector can — and should — as well. This NIST special publication (NIST SP) provides a comprehensive list of security controls that can be used when implementing the RMF. They include 18 control families and cover virtually every aspect of IT security, from access control to system and services acquisition.

The Key Steps in the NIST RMF Process

1. Categorize Information Systems

The first step of RMF is to determine the types of information stored and processed in your environment, such as medical or financial data, as defined by your organization and/or by law. NIST SP 800-60, “Guide for Mapping Types of Information and Information Systems to Security Categories,” can help you with the categorization process and suggests information types to use.

2. Select Security Controls

Next, you select security controls, which are the safeguards you will use to protect the confidentiality, integrity and availability of your systems and information. These will be a combination of administrative, physical and technical controls. Assessing the various controls can be a challenge, and SP 800-53 can help you select the right ones for your organization.

3. Implement Security Controls

Next, you implement the selected security controls and document how they are used in your information security program. While some organizations choose to implement controls using their own staff, it’s not uncommon to outsource controls. For example, it’s becoming popular to engage a managed security service provider (MSSP) to oversee certain controls, such as the organization’s security information and event management (SIEM) processes. Outsourcing security functions can sometimes be cheaper and easier than hiring in-house expertise.

4. Assess Security Controls

In this step, you assess your security controls to determine whether they are implemented correctly, working properly and meeting your security requirements. This is an area where bringing in outside resources will help greatly. For example, by having a third party do regular vulnerability scanning and/or penetration testing, you will have a much clearer picture of your organization’s security posture when viewed through the eyes of attackers.

5. Update Information System Controls

Based on the findings of the control assessment, create an action plan for tracking, reviewing and remediating your weaknesses based on the risk each one poses to the organization. This is another area where teaming up with outside resources can be beneficial. For example, it might make sense to have a third-party security consultancy be part of your information security committee, which would give you an ongoing objective opinion on your controls and help you determine if they are producing the desired outcomes.

6. Monitor Security Controls

The last step is to conduct continuous monitoring of your controls to ensure they satisfy your security requirements as business technologies, threats and vulnerabilities change over time. Automated tools can offer a real advantage, since they can identify potential security incidents and unexpected changes in near real time.

Tips for Getting Started

While the NIST risk management framework provides a great structure that organizations can follow to improve their security posture, it can be a bit overwhelming at first — especially if your company is small or new to information security. These tips will help you get your security program off to a good start:

  • Get assessed by someone else first. The NIST guidance is not easy to follow if you’re new to the framework. Consider engaging a third party to conduct your organization’s first risk assessment, clarify the intent of the framework and help you make a game plan for managing your risks.
  • Remember that security takes time. At the end of some assessments I’ve done, I’ve had the organization’s leaders get overly excited and proclaim, “We shall not eat or sleep until we remediate each and every one of these risks!” While that’s a lofty goal, remember that security isn’t a checklist, and there’s no way you’re going to fix your security problems in one day. Some risks appear simple on paper to remediate but actually have complex dependencies that mean addressing them can take weeks or months and require the purchase of additional technologies. Take it in stride.
  • Start small. You might be overwhelmed by the number of risks identified in your first assessment, and the large mountain of remediation work that is created as a result. Don’t panic. Work with your assessor to prioritize the list, and make sure you get a clear explanation of what the remediation steps are.
  •  Ask for help. At many of the companies I assess, just one or two people are responsible for the entirety of IT security. As you review your remediation plan, make sure you know your staff’s skill set, and then don’t be afraid to ask third-party IT and security consultancies for help when necessary. They can often fix specific issues quickly and efficiently, leaving your staff focused on their core competencies.

Conclusion

The NIST RMF is a great way to get your organization headed toward a better security posture. It provides a solid, cyclical six-step process that guides you in categorizing your data and selecting, implementing, assessing and monitoring appropriate security controls. As you work on your information security program, remember that good security takes a considerable amount of time and effort. Like life, security is a journey, not a destination.