Florida Information Technology Resource Security Policies and

advertisement

NIST Risk Management Framework

STEP 4 AND STEP 6

MONITOR

SELECT

CATEGORIZE

STEP

STEP

2

1

AUTHORIZE

ASSESS

IMPLEMENT

STEP

STEP

4

STEP

5

STEP

6

3

February 17, 2015

Speaker: Ed Wilson

Florida Information Technology Resource Security Policies and Standards identified in 71A-1.001-.010, F.A.C. documented a framework of NIST information security best practices for state agencies in order to safeguard the confidentiality, integrity, and availability of Florida government data and information technology resources.

It defines minimum standards to be used by state agencies to categorize information and information technology resources based on the objectives of providing appropriate levels of information security according to risk levels.

It defines minimum management, operational and technical security controls to be used by state agencies to secure information and information technology resources.

State agencies shall use these standards as the minimum security requirements for information and information technology resources.

The process to comply with Florida Information Technology Resource Security Policies and Standards

LOW

,

MODERATE

, and

HIGH

level system security is documented in the NIST Risk Management Framework (RMF) http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf

.

All business processes operate with some level of risk and one of the most effective ways to protect these business processes is through the implementation of effective internal security controls, risk evaluation, and risk management. An effective approach is to use the following NIST SP800-37 Risk Management Framework six-steps:

An important component of the RMF is

STEP 4: ASSESS.

During this step, the user assesses the planned or implemented security controls, using appropriate procedures identified in SP800-53A, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. An assessment procedure consists of a set of assessment objectives, each with an associated set of potential assessment methods and assessment objects. An assessment objective includes a set of determination statements related to the particular security control under assessment. The determination statements are linked to the content of the security control to ensure traceability of assessment results back to the fundamental control requirements. The application of an assessment procedure to a security control produces assessment findings. These findings reflect, or are subsequently used, to help determine the overall effectiveness of the security control.

STEP 6: MONITOR.

Is maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.

To help with implementation and auditing, the ISACA Tallahassee Chapter will present a Brown Bag session on February 17,

2015 that will provide an overview of Step 4 and Step 6 with a brief overview of

STEP 5: AUTHORIZE

.

Download