FYT Task 1: RMF To-Do List (2015-08-24)
Introduction:
The National Institute of Standards and Technology (NIST) replaced the former NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, with NIST Special Publication 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. The publication moved from a certification and accreditation (C&A) framework to a risk management framework because an information security program must be regularly reviewed, updated, and maintained: a security life cycle approach built on continuous monitoring tracks risk as the system and its threats change, whereas a one-time, static certification and accreditation captures only a snapshot at the moment of authorization. (Revision 1 was published in February 2010; it has since been superseded by Revision 2, published in December 2018, which adds a Prepare step ahead of the six steps used here.)
For this task, you will be using NIST Special Publication 800-37 Revision 1, Guide for Applying Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach and the attached “Healthy Body Wellness Center Risk Assessment” case study.
You have been hired to apply NIST's risk management framework to the Healthy Body Wellness Center's information systems. The organization has recently had a risk assessment completed that includes recommendations for implementing security controls and mitigating risks. In your new role, a team of people will be assigned to help you with the task. Your first job is to create a to-do list covering the specific tasks outlined in each of the six steps of the risk management framework (RMF).
Task:
A. Discuss the key elements that need to be addressed as part of the risk management framework by completing the attached "RMF To-Do List."
B. Create a white paper that compares the ISO 27002, COBIT, NIST, and ITIL frameworks by doing the following:
1. Discuss how each framework is most commonly used.
2. Analyze the purpose of each framework design.
3. Evaluate the strengths of each framework.
4. Evaluate the weaknesses of each framework.
5. Discuss the certification and accreditation process for the frameworks.
6. Discuss when you would choose to use each framework (e.g., ISO 27002 versus COBIT, NIST, or ITIL).
C. When you use sources, include all in-text citations and references in APA format.
RMF To-Do List

Each RMF task below is recorded with the following fields (the columns of the original table):
- RMF Task: the task number, name, and the question it answers.
- Status: done or not done.
- Discussion: how the status was determined. If done, is it complete and where is it located? If not done, what are the recommendations for completing it and where should the results be saved?
- External documents needed for the task.
RMF Step 1: Categorize Information Systems
1.1 Security Categorization
Task: Using either FIPS 199 or CNSS 1253, categorize the information system. The completed categorization should be included in the security plan.
Status: Not done
Discussion: As noted in the risk assessment (p. 18), no security plan has been written, so there is as yet no security plan to hold the categorization. The security categorization itself was completed as part of the risk assessment (pp. 14-16) and is based on FIPS 199. Recommendation: carry that completed categorization into the security plan when the plan is created; the security plan is where the result should be saved.
External documents needed: FIPS 199 for non-national security systems; CNSS 1253 for national security systems.
1.2 Information System Description
Task: Is a description of the information system included in the security plan?

1.3 Information System Registration
Task: Identify the offices with which the information system should be registered. These can be organizational or management offices.
RMF Step 2: Select Security Controls

2.1 Common Control Identification
Task: Describe the common security controls in place in the organization. Are those controls included in the security plan?

2.2 Security Control Selection
Task: Are the security controls selected for the information system documented in the security plan?

2.3 Monitoring Strategy
Task: What security control monitoring strategy should be used to protect the information system and its environment of operation?

2.4 Security Plan Approval
Task: Has the security plan been reviewed and approved?
RMF Step 3: Implement Security Controls

3.1 Security Control Implementation
Task: Have the security controls specified in the security plan been implemented?

3.2 Security Control Documentation
Task: Has the security control implementation been documented?
RMF Step 4: Assess Security Controls

4.1 Assessment Preparation
Task: Has a plan to assess the security controls been developed?

4.2 Security Control Assessment
Task: Have the security controls defined in the security assessment plan been assessed?

4.3 Security Assessment Report
Task: Has the security assessment report from the security control assessment been completed?

4.4 Remediation Actions
Task: What remediation actions on security controls need to be taken based on the findings and recommendations of the security assessment report?
RMF Step 5: Authorize Information System

5.1 Plan of Action and Milestones
Task: Is there a completed plan of action and milestones based on the findings and recommendations of the security assessment report, excluding any findings already resolved by remediation actions?

5.2 Security Authorization Package
Task: Has the security authorization package (security plan, security assessment report, and plan of action and milestones) been assembled and submitted to the authorizing official for an authorization decision?

5.3 Risk Determination
Task: What is the risk to organizational operations, organizational assets, individuals, and other organizations?

5.4 Risk Acceptance
Task: Is the risk to organizational operations, organizational assets, individuals, and other organizations acceptable?
RMF Step 6: Monitor Security Controls

6.1 Information System and Environment Changes
Task: What is the security impact of changes to the information system and its environment of operation?

6.2 Ongoing Security Control Assessments
Task: Which subset of the technical, management, and operational security controls should be assessed on an ongoing basis, in accordance with the monitoring strategy?

6.3 Ongoing Remediation Actions
Task: What remediation actions need to be taken based on the results of monitoring activities?

6.4 Key Updates
Task: Have the security plan, security assessment report, and plan of action and milestones been updated based on the results of the continuous monitoring process?

6.5 Security Status Reporting
Task: Has a security status report been provided to the authorizing official?