
Security Architecture

MIS 5214 - Section 001 - David Lanter

Security Architecture

MIS 5214.005 ■ Spring 2021 ■ Wade Mackey

NIST SP 800-100, Chapter 10 “Risk Management”

January 15, 2020 by Wade Mackey 26 Comments

Post your thoughtful analysis about one key point you took from this assigned reading.

Filed Under: 02 - System Security Plan

Comments

  1. Percy Jacob Rwandarugali says

    January 17, 2020 at 7:31 pm

    The unique aspect for me in this reading was the detailed plan for ongoing monitoring techniques, which are often ignored once IT feels it has covered its tracks with regard to implementing the appropriate system controls. The six steps of ongoing monitoring include: Plans of Action and Milestones (POA&M), Measurement and Metrics, Continuous Assessment, Configuration Management, Network Monitoring, and Incident and Event Statistics.
  2. Zeynep Sahin says

    January 17, 2020 at 9:20 pm

    The key point that I took from this reading is the importance of embedding the risk management process in the system development life cycle. Since the goal of risk management is to protect the organization's systems and assets and to enable the organization to reach its goals and mission, risk management should be treated as one of the main management functions rather than deemed a security personnel's job.
    Also, considering risk management processes from the very beginning of the SDLC provides lots of conveniences. By doing so, organizations can utilize security controls more effectively and efficiently, because they would identify threats and vulnerabilities in all phases of the SDLC and put appropriate controls in place in a timely manner. Another advantage is reducing costs, because implementing security controls after completing all the phases of the SDLC may be very costly due to a potential security incident or compatibility issues; also, I think, going back generally makes people unmotivated.
    • Numneung Koedkietpong says

      January 20, 2020 at 11:02 am

      Hi Zeynep, I like that you took two main points about the benefits of implementing the risk management process in the SDLC. It brings more efficiency and convenience, since the organization is able to identify all assets, vulnerabilities, and threats. Also, it definitely reduces cost and redundancy.
  3. Numneung Koedkietpong says

    January 18, 2020 at 12:03 am

    Risk management comprises three main elements, which are risk assessment, risk mitigation, and evaluation and assessment. Risk management is the fundamental process which every organization should be concerned with and conduct, because it helps to support the organization's goals and build a system security plan. One key point which I took is related to system characterization. It is a sub-process of the risk assessment. As we already learnt from the previous course, it is the first and most important step, which the organization should attend to and make sure that they completely identify all assets such as hardware, software, external interfaces, data, and people.
    • Imran Jordan Kharabsheh says

      January 21, 2020 at 4:14 am

      Hello,
      As I was reading through your response regarding what you have learnt after reading through Chapter 10 of the NIST SP 800-100 Information Security Handbook, I began to realize just how important it is to be able to appropriately summarize. The primary reason for this is because it shows that you have a good understanding of the risk management process. Discussing the necessity of system characterization was also quite interesting to read about in your summary, as it made me want to go back and look into that section of the chapter again a bit more.
  4. Akshay Shendarkar says

    January 18, 2020 at 2:11 pm

    This document introduces senior management and officials to the information security components which they will be required to implement in federal agencies. From this reading, I would like to highlight the importance of security metrics and performance measurement in the development as well as improvement of any information security plan.
    “The typical information performance management program consists of four interdependent components: senior management support, security policies and procedures, quantifiable performance metrics, and analyses.” – NIST 800-100
    Senior management support is crucial for the measurement of security metrics to ensure it does not fail due to organizational politics or budget limitations. NIST 800-55 provides guidance on measuring the adequacy and inadequacy of security controls. Security metrics are a very good way of proving compliance to regulatory bodies. They provide quantifiable information which can be used to facilitate the capital planning and investment control process. Security metrics also provide an indicator to senior management about the current security status of the organization as well as the areas which need to be improved to provide reasonable assurance.
    • Sarah Puffen says

      January 21, 2020 at 11:35 am

      I like your point about security metrics being used as a guide to develop/improve security plans. I think that it would help organizations avoid setbacks when conducting risk management practices throughout the SDLC, so as to avoid having to repeat any processes, such as having to implement a different control due to an unacceptable level of residual risk.
  5. Natalie Dorely says

    January 18, 2020 at 9:57 pm

    In this document, Chapter 10 makes a good point in emphasizing the characterization of systems. Understanding how a system operates and its purpose will help an organization understand how to go about risk and mitigation. The accuracy of the results from the system categorization stage leads to a gateway for the best perspective for the risk profile.

    • Peiran Liu says

      January 21, 2020 at 11:02 am

      Hi Natalie,

      You got the point. The accuracy of the results makes the risk profile more helpful when categorizing the system.
  6. Joseph Nguyen says

    January 19, 2020 at 12:47 pm

    The NIST 800-100 document helps organizations to assess an effective risk management process, customize the security baselines and security controls, and implement them by using other security frameworks like NIST 800-53 security controls, FIPS 199 security categories, and FIPS 200 system impact levels.

    There are three main processes: risk assessment, risk mitigation, and risk evaluation and assessment. The document also details how to use and implement each of these processes to meet the Federal Information Security Management Act (FISMA) standard.
  7. Peiran Liu says

    January 19, 2020 at 7:44 pm

    The chapter on Risk Management points out the most important steps for how to manage risks. The most interesting part for me is the risk level matrix. According to the knowledge I learned before, I thought a threat with low impact and high likelihood and a threat with moderate impact and moderate likelihood could have the same risk level. But just by quantifying them, it is pretty clear that the threat with moderate impact and moderate likelihood has a much higher risk level, which should be prioritized. Also, the step of documenting results is very important, with the methodology included, so that it could be performed several times later, which leads to less cost for the organization.
    • Qiannan Zhen says

      January 21, 2020 at 12:03 am

      Hi Liu, you have an interesting point. The risk level matrix is more scientific than our subjective judgment of risk. By ranking the impact and likelihood of a risk, we can get the risk level of the organization and control the risk to the data to the level that the organization considers acceptable.
  8. Junjie Han says

    January 19, 2020 at 8:09 pm

    Risk analysis in the IT field consists of 6 steps: system features, threat identification, vulnerability identification, risk analysis, control recommendations, and results documentation. The difference from traditional risk management is system characteristics and vulnerability identification. This is a unique feature of the IT world. In control recommendation, the analysis of likelihood and impact levels needs to be based on vulnerability and threat. Evaluate the value of the protected assets and select appropriate controls for the merchants to reduce the impact and likelihood levels.
    • Natalie Dorely says

      January 20, 2020 at 5:58 pm

      Hi Junjie!

      Great point that you mentioned there! The unique characteristics of IT sets itself apart, even when it comes to Risk Management.

      Best,
      Natalie Dorely

  9. Christopher James Lukens says

    January 19, 2020 at 9:06 pm

    I think a major takeaway from chapter 10 is how important it is to have a risk management process tightly bound to the SDLC. At every step of the SDLC, such as adding new features or retiring the project, the risks need to be assessed in the same way with a standard process. In chapter 10 they describe the six-step program that should take place: system characterization, threat identification, vulnerability characterization, risk analysis, control recommendations, and result documentation. If these six steps aren't taking place during the phases of the SDLC, then you risk leaving your project exposed to high levels of risk that could severely impact the company's core functions.
    • Junjie Han says

      January 21, 2020 at 5:38 pm

      Hi Christopher James Lukens,
      You're absolutely right. The SDLC requires these steps to ensure that the risks associated with new software and features are minimized. However, for some companies, it may be that when acceptable risk is reached, some steps that would significantly increase costs will be abandoned.
  10. Imran Jordan Kharabsheh says

    January 19, 2020 at 9:22 pm

    After reading through chapter 10 of the NIST SP 800-100 Information Security Handbook, which emphasized the Risk Management Process, I learned a few more details regarding the benefits of the security control evaluation and assessment, which is performed towards the end of the risk management process. Among these details is that the security control evaluation and assessment, which is required to finalize the risk assessment, is critical to equipping the authorizing official with the necessary knowledge to make a “credible, risk-based decision on whether to authorize the operation of the information system”.
    • Zeynep Sahin says

      January 20, 2020 at 2:19 am

      Hi Imran,
      That's a good point. Since it is impossible to eliminate all risk, and residual risk will always remain, a knowledgeable authorizing official's evaluation of whether residual risk is at an acceptable level is crucial. And, as you implied, control evaluation and assessment finalizes the risk assessment and provides credible results for the security certification and accreditation process.
    • Innocent says

      February 22, 2020 at 12:32 am

      Hi Imran, you're right. According to the risk management document, the process of managing risk must start at the initial stages of project inception and continue through the retirement of the system and its data. From the early stage, agencies must consider the possible threats, vulnerabilities, and risks to the system so they can better prepare it to operate in its intended environment, securely and effectively, and within a selected risk threshold approved by an agency senior official during the security certification and accreditation process.
  11. Sarah Puffen says

    January 19, 2020 at 10:32 pm

    NIST SP 800-100 explains the risk management process (risk assessment, risk mitigation, risk evaluation and assessment) and suggests that risk management should not be left solely to security experts, meaning that risk management should be involved in every aspect of the SDLC and business processes, and everyone involved should be mindful of these practices. What I found most interesting was the portion on evaluation and assessment, suggesting that a strong configuration management and continuous monitoring program would help ensure that the system continues to operate the way that it is intended.
    • Christopher James Lukens says

      January 21, 2020 at 9:41 am

      Agreed,
      I think it's vital for all parties to think about the risk management process during the SDLC. Often people will have varying opinions about risks or may see a risk that you would have glanced over. Including everyone in the risk management process makes your risk mitigation that much stronger.
  12. Qiannan Zhen says

    January 19, 2020 at 11:27 pm

    The purpose of this chapter is to give us an understanding of how to protect the organization and its ability to perform its tasks, and to use the SDLC to scientifically organize the risk management process to achieve a balance between operations and the cost of protecting the organization's actions. The risk management process is divided into three parts, namely risk assessment, risk mitigation, and evaluation and assessment. Organizations must follow the guidelines of the Federal Information Security Management Act (FISMA) in conducting risk management.
  13. Akiyah says

    January 21, 2020 at 12:16 pm

    NIST SP 800-100, Chapter 10 “Risk Management” explains in detail an organization's approach to risk management. The chapter explains how an organization first needs to understand its risk and know its vulnerabilities. The chapter not only focuses on the first phase of the risk management process, which is the risk assessment process that includes a nine-step process (summarized to 6 in the text); it also focuses on phase 2, risk mitigation, and phase 3, which is evaluation and assessment. The key point that I took from the reading is that it is a “good practice” to include risk assessments in the SDLC. A good risk management plan is not only required by law, but is also vital to the success of an organization.
    • Akshay Shendarkar says

      January 21, 2020 at 5:03 pm

      Hello Akiyah,

      It is true that an organization should have a good understanding of its IT risk profile, and this document certainly provides guidelines for understanding the risks an organization might face. Conducting risk analysis also gives the opportunity to mitigate as well as accept risks. This also tends to create accountability for the protection of information assets within the organization. And as you rightly said, a good risk management practice is crucial for the successful functioning of an organization.
  14. Innocent says

    February 22, 2020 at 12:22 am

    One important fact to remember from this publication on the risk management process is that it's impracticable to eliminate all risk; even after the controls have been selected and implemented, some degree of residual risk will remain. So the remaining risk must be analyzed to ensure that it is at an acceptable level, and if it's not at an acceptable level, the risk management cycle must be repeated to identify a way of lowering the residual risk to an acceptable level.
    Secondly, the process of managing risk must be embedded in the systems development life cycle (SDLC), starting with the initial stages of project inception and continuing through the retirement of the system and its data. From the early stage, agencies must consider the possible threats, vulnerabilities, and risks to the system so they can better prepare it to operate in its intended environment, securely and effectively, and within a selected risk threshold, as deemed acceptable by an agency senior official during the security certification and accreditation process.
    • Percy Jacob Rwandarugali says

      April 1, 2020 at 4:46 pm

      Hi Ugo,
      You have made a very important point about risk by stating that “the remaining risk must be analyzed to ensure that it is at an acceptable level, and if it's not at an acceptable level, the risk management cycle must be repeated to identify a way of lowering the residual risk to an acceptable level.” In some cases, after companies have deployed their security controls, they never look back to mitigate residual risk because they get a false sense of security.
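Two of the threads above turn on arithmetic the chapter only shows as a figure: Peiran Liu's point that a low-impact/high-likelihood threat and a moderate/moderate threat do not land in the same cell of the risk-level matrix, and Innocent's point that residual risk has to be re-scored after controls are applied and the cycle repeated if it is still above what the authorizing official accepts. The script below is an added example written for this discussion, not NIST's or the course's code. It uses the likelihood weights (High 1.0, Medium 0.5, Low 0.1), impact weights (High 100, Medium 50, Low 10) and risk scale (Low 1 to 10, Medium above 10 to 50, High above 50) that SP 800-100 carries over from SP 800-30; the threat/vulnerability pairs in `SAMPLE_PAIRS` and the helper names (`prioritize`, `above_tolerance`, `with_control`) are constructed for illustration.

```python
"""Risk-level matrix and residual-risk check (added example for the
SP 800-100 chapter 10 discussion; not NIST's or the course's code).

Weights and scale follow SP 800-30 as reproduced in SP 800-100 ch. 10.
SAMPLE_PAIRS and the helper names are constructed for illustration.
"""
from dataclasses import dataclass, replace

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}   # probability weights
IMPACT = {"High": 100, "Medium": 50, "Low": 10}          # magnitude weights
RANK = {"Low": 0, "Medium": 1, "High": 2}                # ordering for tolerance checks


@dataclass(frozen=True)
class ThreatVulnPair:
    """One row of the risk assessment: a threat exercising a vulnerability."""
    threat: str
    vulnerability: str
    likelihood: str   # "High" | "Medium" | "Low"
    impact: str       # "High" | "Medium" | "Low"


def risk_score(likelihood: str, impact: str) -> float:
    """Matrix cell value: likelihood weight times impact weight (rounded to
    avoid float noise such as 0.1 * 100 landing a hair above 10)."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 6)


def risk_level(score: float) -> str:
    """Map a cell value onto the SP 800-30 scale: Low 1-10, Medium >10-50, High >50."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def prioritize(pairs):
    """Rank pairs by score, highest first; the sort is stable so ties keep input order."""
    scored = [(p, risk_score(p.likelihood, p.impact)) for p in pairs]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def above_tolerance(pairs, tolerance: str):
    """Pairs whose level exceeds what the authorizing official accepts.
    A non-empty result means another pass of the risk management cycle."""
    return [p for p in pairs
            if RANK[risk_level(risk_score(p.likelihood, p.impact))] > RANK[tolerance]]


def with_control(pair: ThreatVulnPair, *, likelihood=None, impact=None) -> ThreatVulnPair:
    """Re-rate a pair after a control is applied; residual risk is re-scored from scratch."""
    return replace(pair,
                   likelihood=likelihood or pair.likelihood,
                   impact=impact or pair.impact)


def document_results(pairs) -> str:
    """Results table of the kind the 'results documentation' step produces."""
    rows = ["threat | vulnerability | likelihood | impact | score | level"]
    for p, score in prioritize(pairs):
        rows.append(f"{p.threat} | {p.vulnerability} | {p.likelihood} | "
                    f"{p.impact} | {score:g} | {risk_level(score)}")
    return "\n".join(rows)


# Constructed sample input; the first two rows are the cases from the thread.
SAMPLE_PAIRS = [
    ThreatVulnPair("Phishing against helpdesk", "No MFA on VPN", "High", "Low"),        # 10 -> Low
    ThreatVulnPair("Ransomware via unpatched server", "Missing patches", "Medium", "Medium"),  # 25 -> Medium
    ThreatVulnPair("Insider data exfiltration", "Excess DB privileges", "Low", "High"),  # 10 -> Low
    ThreatVulnPair("Credential stuffing on admin portal", "Reused passwords, no lockout", "High", "High"),  # 100 -> High
]

if __name__ == "__main__":
    print(document_results(SAMPLE_PAIRS))
    tolerance = "Medium"   # assumed risk threshold set by the authorizing official
    print("above tolerance:", [p.threat for p in above_tolerance(SAMPLE_PAIRS, tolerance)])
    # Apply a control (lockout + MFA) to the High item and re-score the residual risk.
    mitigated = with_control(SAMPLE_PAIRS[3], likelihood="Low")
    print("residual:", mitigated.threat, risk_level(risk_score(mitigated.likelihood, mitigated.impact)))
    print("cycle again?", bool(above_tolerance([mitigated], tolerance)))
```

Running it shows the two cases from the thread landing in different cells (10, Low versus 25, Medium), the High item being the only one above a Medium tolerance, and its residual risk dropping to Low once the control lowers likelihood, at which point the cycle does not need to repeat for that item.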

Fox School of Business

Copyright © 2025 · Course News Pro on Genesis Framework · WordPress