The NIST RMF (Risk Management Framework) is a set of information security policies and standards developed by NIST (the US National Institute of Standards and Technology) for the US federal government.
The RMF is explicitly covered in the following NIST publications:
Special Publication 800-37, “Guide for Applying the Risk Management Framework to Federal Information Systems,” describes the formal RMF certification and accreditation process.
Special Publication 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations,” describes a structured process for integrating information security and risk management activities into system development from start to finish.
An organisation selects system security controls and applies them organisation-wide through an information security programme in which organisational risk management is considered.
What is organisational risk and how can you take a risk-based approach to cyber security?
Organisational risk is a systematic, structured way of identifying, assessing, and rating the risks an organisation faces, in this case within the context of systems operations.

The NIST RMF provides an effective framework to facilitate decision-making to select appropriate security controls.
It applies a risk-based approach that considers effectiveness, efficiency and restrictions due to regulations, directives, executive orders, policies and other rules.
The RMF identifies the following activities, which can be applied to both new and legacy systems and can be implemented within an ISMS (information security management system).
The RMF approach in seven steps
- Prepare: essential activities to prepare the organization to manage security and privacy risks.
- Categorize: categorize the system and the information it processes, stores, and transmits based on an impact analysis.
- Select: select the set of NIST SP 800-53 controls to protect the system based on risk assessment(s).
- Implement: implement the controls and document how they are deployed.
- Assess: assess whether the controls are in place, operating as intended, and producing the desired results.
- Authorize: a senior official makes a risk-based decision to authorize the system (to operate).
- Monitor: continuously monitor control implementation and risks to the system.
As the RMF is meant to be a continual cycle, you can then start again from step one, all the way through to step seven to account for changes in the environment or to the system itself.
How we can help
To ensure the safety of personal data and maintain trust with customers, it is essential that you take adequate measures to protect your private data.
We recommend that organisations refer to ISO 27001, among other best practice standards and guidelines, within the Framework.
ISO 27001 is the international standard that helps organisations implement information security management best practice.
Achieving ISO 27001 certification is a strong indication that your company is taking the proper measures to protect consumer data and effectively manage data breach events.
ISO 27001 certification does not come easy – the process can be long and challenging, depending on your organisation’s resources.
To help you, we offer a four-day training course combining our ISO 27001 Foundation and Lead Implementer courses.
The programme provides a complete introduction to ISO 27001 and its requirements, covering all the steps involved in planning, implementing, and maintaining an ISO 27001-compliant ISMS.
The post An Introduction to the NIST Risk Management Framework appeared first on IT Governance Blog.