Lakshmi Surujnauth says
Why is the collaboration between the technical function (IT) and business function necessary in risk management?
Ashleigh Williams says
Collaboration between the technical function and business function is necessary for risk management, as the technical function will not be able to define the risk associated with information security because they are not the data owners. Conversely, the business may not be able to define what is needed to safeguard the information from a technical aspect. Therefore, the two functions have to work together to develop an effective risk management program.
Megan Hall says
The business function(s) and the executive management team are the ones who set the strategic direction for an organization. If you look at risk management fundamentally, and not just from an IT perspective, risks should be considered by how much they impact an organization’s ability to carry out strategy. If the strategy is to grow market share, for example, then alignment with IT will allow for goals and management of related risks to be on the same page. The IT function can be focused on delivering technology that will help grow market share and manage the risks related to that. Otherwise, IT might be pursuing different goals or technologies that are not in line with where the organization is heading, and the misalignment could lead IT to manage risks that are not fundamental to achieving strategy.
Quynh Nguyen says
Collaboration between the technical function (IT) and business function is necessary in risk management because these two parts must work together to develop a well-rounded plan. The objectives of the IT function must always align with the goals of the business function. The IT function can cover the technical side of the business, such as cybersecurity risks, technology risk, and physical facility risks. The business function in risk management works to take all functions into consideration for risk management, and focuses on doing what’s best in order to minimize risk for the organization and help it work toward its goals.
Megan Hall says
After reading Chapter 10 of NIST SP 800-100, which of the 6 steps (or 9 as outlined in SP 800-30) of the Identification and Assessment of Risk do you think would be the most challenging and why?
Christa Giordano says
I believe the Vulnerability Identification would be the most challenging, as there is no guarantee all vulnerabilities will be identified; just as, as auditors, we only provide reasonable assurance versus absolute assurance. With the dynamic and evolving technical landscape it is almost impossible to identify every weakness. In addition, developing the security requirements checklist (as suggested in the guidance) to analyze and assess the vulnerabilities through the checklist is a tedious undertaking, but is critical to inform which vulnerabilities should be prioritized.
To-Yin Cheng says
In my opinion, I would say impact analysis is the most challenging. It is the step to estimate the loss of the company if the risk happened. If the level of risk to a system is not determined, the company will be extremely adversely affected.
Jonathan Mettus says
As is evident by the 429-page FedRAMP template, System Security Plans can be long and technical. What would be the best way to conduct the review and approval process for these plans (keeping efficiency and thoroughness in mind)?
Ashleigh Williams says
I think this would depend on the organization as there might be a few approaches to the review and approval. It could be done in sections, over a working session scheduled for the purpose of review and approval with appropriate stakeholders, or it could be given out prior to a meeting and there be a meeting held for final review and approval. Ultimately it would depend on what would work best for the organization.
Nicholas Fabrizio says
I think when conducting a review and approval process of a security plan with the higher-ups it is important to have an executive summary to cover the most important aspects of the plan such as the risk analysis. Since this template is in depth and technical it would be best to include the potential loss in financial terms the organization may face if any found threat were to occur. This could be represented by assessing risk with the quantitative method and providing an annual loss expectancy.
Nicholas Fabrizio says
The threat environment for an organization is constantly evolving and they need to make sure they are keeping up with the changes. How often should a risk assessment be performed on an existing information system?
Ashleigh Williams says
I think a risk assessment should be scheduled to be performed annually to address any changes in the risk environment and adjust as needed. However, when there are changes during the year to any of the information systems, a risk assessment should be performed on that system to account for any changes it might have caused to the risk environment.
Christa Giordano says
Per the Information Security Handbook: A Guide for Managers, risk assessments should take place at least every three years (for federal agencies). However, it should be a good practice to re-assess whenever there is a major change/upgrade to the system, application, etc. to ensure minimum/baseline security standards are met and no vulnerabilities exist. My organization, while not a federal agency, performs IT risk assessments based on the risk ranking received at the last assessment, using the following minimum frequency:
High Risk – annually
Moderate Risk – every two years
Low Risk – every three years
Jonathan Mettus says
I don’t believe there is a perfect cadence as every environment is different. I think it’s all based on risk (and criticality) related to the system. The higher the risk the more often an assessment should be done to make sure there aren’t unidentified or unaddressed risks. Obviously, you have to do that first risk assessment to determine the risk of the system. Regardless, any time there’s a major change to a system a risk assessment should be done (ideally prior to the major change). Changes have the chance of adding new vulnerabilities. Point being, a large enough organization might only have the resources to do an assessment for all of their information systems every three years, but they may have some systems that require assessments to be done annually.
Quynh Nguyen says
I think a risk assessment should be performed as frequently as needed on a case-by-case basis for each organization. Depending on whether the risk is low, medium, or high, more frequent risk assessments should be done based on the severity of the risk. I believe the minimum requirement for every organization should be annually, especially in today’s world and the constant advances in technology. However, if there are changes in the organization’s environment that expose it to new risks, then a risk assessment should be performed no matter how long ago the last risk assessment was. For example, with the COVID-19 pandemic many companies had to switch gears and begin WFH for their employees. This exposes the company to new risks associated with VPN, data privacy, and network security; a risk assessment should be done on their information system.
Christa Giordano says
Per the Guide for Developing Security Plans for Federal Information Systems, controls are split into three security control class designations: management, operational, and technical. Which class of controls do you think is most critical to organizations?
Megan Hall says
I believe the management class of controls is the most critical, because it should be the foundation to determine what technical and operational controls should be in place. Management controls should encompass risk identification and analysis. If that is done properly, effective operational and technical controls can be put in place, and the assessment of risk will allow for prioritization and ranking of criticality. I believe the management controls require the most judgement and if there are gaps or errors in judgment it could lead to risk exposures that are considered unacceptable to an organization.
Wei Liu says
To meet the goal of the risk assessment, a 9-step process is defined in NIST SP 800-30. But somehow in NIST SP 800-100, Chapter 10 “Risk Management”, it was reduced to 6 steps. What are those three steps that were eliminated and why?
Taylor Trench says
Risk assessment includes the following steps: system characterization, threat identification, vulnerability identification, risk analysis, control recommendations, and results documentation. Previously, the nine-step version expanded risk analysis into four distinct steps: control analysis, likelihood determination, impact analysis, and risk determination. I would assume the six-step version identified these steps as smaller pieces to the larger goal, which is risk analysis.
Mitchell Dulaney says
For a small business with limited resources, would it be reasonable to skip the “System Characterization” step of risk assessment (as defined by NIST SP 800-100)? Why or why not? What impact(s) would this have on the risk management process?
To-Yin Cheng says
I believe system characterization is important for both a small business and a large business. Characterizing an information system can provide the best view of the risk profile of the system. It is the first step in the risk assessment that identifies the information assets. Without identifying the assets, it would be hard to go on to the further steps in risk analysis.
To-Yin Cheng says
Why do companies need the template to develop their system security plan (SSP)?
Nicholas Fabrizio says
I think using a template instead of creating a system security plan (SSP) from scratch has its benefits. As we saw from the template it is extremely detailed and in depth, so it can save time, the template may contain sections that would have been overlooked, and using this template ensures your SSP meets the baseline created by the Federal Risk and Authorization Management Program (FedRAMP). Lastly, since it is a template it can be customized to meet the requirements specific to the organization.
Quynh Nguyen says
I think companies should use the template to create their system security plan because it is already so in-depth and well developed. By using the template, the organization can be sure that they are not skipping over any important details, but also benefit from the fact that this would help speed up the process/save time on development, and it is also a cheaper alternative to developing their own template. In addition, by using the template, it is easier to spot and add details that are missing.
Charlie Corrao says
As outlined in the Guide for Developing Security Plans for Federal Information Systems, the Information System owner is responsible for updating the system security plan when a significant change occurs. Why should this be the responsibility of the IS Owner, and not the CIO or another role?
Nicholas Fabrizio says
I believe it is the responsibility of the Information System Owner to update the plan when changes occur because they are responsible for making sure the overall state of the system is in compliance with the security plan. The other roles may be considered the information owners or data custodians.
Elias Harake says
When was the most recent FedRAMP System Security Plan (SSP) template revised? How often do you think the SSP template should be revised and why?
Christa Giordano says
The FedRAMP SSP template was most recently revised in 2018 and prior to that in 2017. I think an annual or bi-annual review at a minimum should be completed as well as any times there are changes to laws/regulation or other guidance that could impact the information in the template. It is important to be in compliance with regulations and also critical to ensure guidance documents and references are aligned and updated. The template should also contain the most recent and relevant information (when possible). The purpose of the template is to provide organizations with tools to complete this tedious and critical task. It will begin to lose some of its usefulness and value if it is not updated.
Quynh Nguyen says
Why is it important to appropriately characterize an information system in the risk assessment process?
Lakshmi Surujnauth says
It is important to characterize information systems in the risk assessment process since this will determine the impact (high, moderate, low as outlined in FIPS 199) of a breach of integrity, confidentiality, and integrity. Based on this impact rating an entity will then be able to prioritize these information systems and implement safeguards that align with their risk appetite. If information systems are not appropriately classified, then it creates an opportunity for threat actors to easily compromise the information systems, as the correct safeguards may not have been implemented given the inappropriate classification.
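The two ideas above, the FIPS 199 impact rating assigned during system characterization and the risk-ranked reassessment cadence Christa described earlier in the thread (high annually, moderate every two years, low every three years, plus a reassessment on any major change), fit together naturally in a small scheduler. The following is an added example, not code from this discussion or from any NIST or FedRAMP material; the system inventory, the `major_change` flag (assumed to be set by a change-management process) and the dates are constructed for illustration. The FIPS 199 "high water mark" rule, where the overall rating is the highest of the confidentiality, integrity and availability ratings, is the real categorization rule from that standard.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# FIPS 199 impact levels, ranked so that max() yields the high-water mark.
LEVELS = {"low": 1, "moderate": 2, "high": 3}
NAMES = {rank: name for name, rank in LEVELS.items()}

# Minimum reassessment interval per overall rating, taken from the cadence
# described in the thread: annually / every two years / every three years.
CADENCE_DAYS = {"high": 365, "moderate": 730, "low": 1095}


@dataclass
class SystemRecord:
    """One inventory entry (constructed sample data; field names are assumed)."""
    name: str
    confidentiality: str
    integrity: str
    availability: str
    last_assessed: date
    major_change: bool = False  # hypothetical flag raised by change management


def categorize(conf: str, integ: str, avail: str) -> str:
    """FIPS 199 high-water mark: the overall rating is the highest of the three."""
    for level in (conf, integ, avail):
        if level not in LEVELS:
            raise ValueError(f"unknown impact level: {level!r}")
    return NAMES[max(LEVELS[conf], LEVELS[integ], LEVELS[avail])]


def next_assessment_due(rec: SystemRecord, today: date) -> tuple[str, date]:
    """Return (overall rating, date the next assessment is due).

    A major change overrides the calendar: the system is due today, no matter
    how recently it was last assessed.
    """
    rating = categorize(rec.confidentiality, rec.integrity, rec.availability)
    if rec.major_change:
        return rating, today
    return rating, rec.last_assessed + timedelta(days=CADENCE_DAYS[rating])


def overdue(rec: SystemRecord, today: date) -> bool:
    """True when the system's next assessment date has arrived or passed."""
    _, due = next_assessment_due(rec, today)
    return due <= today


def assessment_queue(inventory: list[SystemRecord], today: date) -> list[tuple[str, str, date]]:
    """Systems that need an assessment, most urgent (earliest due date) first."""
    queue = []
    for rec in inventory:
        rating, due = next_assessment_due(rec, today)
        if due <= today:
            queue.append((rec.name, rating, due))
    return sorted(queue, key=lambda item: item[2])


if __name__ == "__main__":
    # Constructed inventory: names, ratings and dates are illustrative only.
    today = date(2020, 6, 1)
    inventory = [
        SystemRecord("hr-payroll", "moderate", "high", "low", date(2019, 3, 1)),
        SystemRecord("intranet-wiki", "low", "low", "low", date(2019, 3, 1)),
        SystemRecord("customer-portal", "moderate", "moderate", "moderate",
                     date(2020, 1, 15), major_change=True),
    ]
    for name, rating, due in assessment_queue(inventory, today):
        print(f"{name:16s} rating={rating:8s} due={due}")
```

Running the block prints the payroll system (high rating, last assessed more than a year ago) and the customer portal (recently assessed, but flagged for a major change) as due, while the all-low wiki is not due until 2022. The point of putting the major-change override ahead of the calendar check is the one several posters made: the schedule is a floor, not a substitute for reassessing when the system or its environment changes.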
To-Yin Cheng says
It can help the company to assess the information risk at different levels. It also can identify existing controls and deficiencies for each objective related to the information system, then provide control recommendations.
Ashleigh Williams says
To ensure organizations are constantly focusing on the risk management evaluation and assessment process, how often would you suggest they perform evaluations and assessments, and why?
Charlie Corrao says
I think evaluations should be performed, at a minimum, annually. Depending on the size of the organization, the industry etc. it may have to happen more often. This risk environment is very dynamic, so it is extremely important for your risk plan to be dynamic as well.
Michael Doherty says
Why is it important from an organizational perspective to have multi-function responsibilities for creating the system security plans?
Elias Harake says
From my perspective multi-function responsibilities help an organization mitigate the risk that a single person may no longer be able to work and no one else in the organization may be able to perform the same functions or responsibilities. Having multi-function responsibilities distributed among the employees in a department or organization would be beneficial since another employee may have an easier and more effective transition into a new role or work responsibilities.
Taylor Trench says
The Guide for Developing Security Plans for Federal Information Systems notes that management authorization should be re-assigned whenever there is a major change in processing. What kind of changes or events would constitute a “major change”? Is this typically outlined in a policy, or determined by the current management?