| Key | Details |
|---|---|
| Practice: | 19 |
| Title: | Interim Risk Management Strategy |
| Last-Modified: | 2017-10-16 |
| Author: | Greg Elin |
| Status: | Active |
| Type: | Process |
| Created: | 11-Mar-2017 |
| Post-History: | 12-Mar-2017 |
| Confidentiality: | General public |
| Read-Time: | 7 min |
This Practice describes GovReady PBC's organizational risk management strategy. The Practice makes unambiguous statements of the organization's risk tolerance, prioritized assets, and significant threats. The Practice establishes the NIST RMF (RMF) as the approach to managing risk in GovReady PBC information technology systems and assigns organization responsibilities for executing and maintaining GovReady's tailoring and implementation of the RMF.
- Abstract
- Motivation
- Organization Risk Tolerance Statement
- Managing Information Security Risk
- Risk Management Roles and Responsibilities
- Auxilary Files
- Updates and Comments
- References
- Copyright
GovReady PBC's community of staff, customers, suppliers, and extended community need ready access to GovReady PBC's risk management policy and guidance to effectively and efficiently apply the appropriate methods, standards, and practices required to protect GovReady PBC IT. To address this challenge, GovReady PBC publishes "Practices" such as this document to its community. [1]
This document satisfies NIST RMF Control PM-9, Risk Management Strategy.
GovReady PBC risk profile embraces both risk-adverse nature of our stability-oriented government agency customers and the greater risk tolerance associated with start-ups and small businesses that allow them to explore.
We resolve these seemingly opposing values through our belief that exhilarating summits are achieved only through excelling safety.
We believe and practice that improvements in safety enable greater achievement by bringing improved protection and recovery technologies, standards and practices inheritantly adverserial and unstable situations.
We believing in aggressive and extensive modeling and testing within separate and safe environments so that we can take risks and failing quickly without doing irreversible harm to value and protected assets.
We believe continuous rehearsal and practice in carefuly constructed and real world scenarios leads to the best preparation and performance. We test extensively and restrict and prevent protected information from untested technology. We recognize breaches occur and leverage encryption and segration to limit consequences.
At GovReady PBC, Compliance is not security. We treat security and compliance as distinct activities. Security genererally is the practice of preparing, preventing, responding, and recovering from avoidable and adverserial malbehaviors. Compliance generally is the practice of scaling reliable attestation and verification of qualities, conditions, and behaivors[performance]. Security sometimes employs secrets as a means to its end; compliance is only possible through sharing.
In short, GovReady PBC actively pursues risk in constrained, reversible environments and scenarios and actively minimizes avoids risk in real world through security in depth approaches.
GovReady's PBC most important assests in rough order of priority are:
- Our freedom to respectively self-determine GovReady's PBC present and future
- Our intentional operating incentives, inrastructure and observable, measurable, repeatable behaviors that reinforce and improve our core values
- Our core community that intentionally acts to help us succeed
- The integrity and availability of the intellectual property we provide to our extended community and the public that helps them succeed
- Private/sensitive information fairly entrusted to us by our extended community
- shared credentials
- Sensitive Personally Identifiabe Information
- Information marked confidential and shared with us under agreed non-disclosure
- matrix information that could be used to falsely impersonate individuals
- Private/sensitive information and practices that are required to be kept secret in order to successfully protect our prioritized assets
- private keys and passphrases to private keys
- master passwords
- recovery keys
- matrix information that could be used to falsely impersonate executives
- Privileged physical or digital access to the locations and systems controlling access to protected assets
- The integrity of the tools and processes that provide evidence of the reality of ours and other's actions
- The reputation of the organization and our staff among to ourself and among our core associates and customers
- Having the economic means and stability to continuously improve and thrive as an organization, individuals, and extended community
- The perception of the organization, our staff, and extended community in the media and with the public who does not know us directly
- Sloppiness and carelessness
- Failing to share situational information
- Not following practices
- Lack of transparency
- Poor recovery mechanisms
- Insider and personnel threats
Because GovReady PBC develops and manages software systems used by the United States government clients, GovReady PBC uses the NIST Risk Management Framework as its primary strategy for managing information security risk.
The NIST RMF is a framework. It is a more of a guide than a checklist and assumes organizations tailor specifics to fit their needs.
GovReady PBC approach to managing information security risk tailors the RMF through the following philosophies.
Time is the first dimension of information security. Think OODA loop. Security practices should be designed and instrumented around realistic assessments of time to outcome.
Psychology matters. People are one of the most vulnerable links in information system. Therefore information security must be designed to maximize incentives effective for people and minimize or avoid known human deficiencies. People skills, and understanding of psychology and behavior economics is a critical aspect of cyber security teams.
Compliance is not security. Security is the practice of preventing, detecting, and repairing intentional and unintentional consequential malbehaivor.** Compliance is the practice of scaling attestation and verification for individual and community confidence in complex systems. Cyber security compliance is scaling attestation and verificaiton of prevention, detection, and repairing in order for individual and community confidence in complex information management systems.
Detect and correct. Prevention is nice, but ability to quickly detect and correct prior to significant compromise is essential to protecting assets.
Randomness increases costs. Incorporating randomness such as encryption, two-factor authentications, salts, and distribution significantly increase adversary costs.
GovReady PBC is a currently a small organization. As part of this practice, the following roles and responsibilities exist.
- Can be an individual or individuals recognized in law and organization by laws as the Chief Executive Officer
- Defines and maintains the organization's risk management strategy, risk tolerance, and risk management resources
- Communicates risk management strategy and risk tolerance
- Oversees implementation of this practice, directs and oversees the cybersecurity risk management of organization IT, distributes RMF information standards and sharing requirements, and regularly reviews and updates.
- Appoints practice agents and delegates to practice agents specific authority to oversee implementation of this practice
- Can be an individual or an organization
- Oversees implementation of delegated areas of a pratice within the scope of their appointment
- Continuously and honestly measures[instruments] and shares with CEO, practice agents, and teammates results of implementing the practice
- Maintains appropriate records of their activities and deliverables
- Reasonably assigns activities and deliverables to members of the GovReady PBC community to implement the practice
- Can be an individual or an organization
- Agrees to continuously and honestly abide by this practice and all pertentant related policies, guidance, methods, standards (including professional industry standards and applicable laws)
- Agrees to continuously and honestly contribute to the measuring and sharing with CEO, practice agents, and teammates implementing the practice
- Maintains appropriate records of their activities and deliverables as required by implementation of the practice
- Reasonably contributes to activities and deliverables advantageous to implementing the practice.
- Reduces risk by accurately using only IT authorized and categorized appropriate level of confidentialilty, integrity, and availability to store, process, or transit protected information under GovReady PBC custody and not increase risk by allowing protected information under GovReady PBC's custody to be used (e.g., stored, processed, transmitted) in IT not authorized or categorized to the appropriate level of confidentiality, integrity, and availability.
- Can be software, hardware, system, or system of systems (including a system composed of both persons and technology)
- Continuously and honestly implements this practice and all pertentant related policies, guidance, methods, standards (including professional industry standards and applicable laws)
- Continuously and honestly measures[instruments] and shares adherance and divergence to implementing the practice
- Is designed, architected, developed, and operated to implement this practice and all pertentant related policies, guidance, methods, standards (including professional industry standards and applicable laws)
GovReady's PBC maintains a risk register, where risks are tracked, and information relavent to the management of risk is maintained. The risk register contains the following details:
- A description of the risk
- An explaination for why it is considered a risk
- The owner of the risk
- The risk rating
- The impact of the risk
- The likelihood of an occurance
- The overall risk rating
- Implemented mitigations
- Mitigations in progress
- Date reviewed
All risks on the risk register are reviewed at least annually Any risks rated High or Critical are reviewed at least once per month
When assessing the likelihood related to the occurance of an event, the following factors are considered:
- The likelihood of discovery
- The complexity or difficulty of exploitation
- Whether exploits are widely known
- The complexity or difficulty associated with detecting explotation
When assessing the impact related to an event, the following factors are considered:
Technical Impact
- Confidentality of data
- Integrity of data
- Availability of data
<<<<<<< HEAD Business Impact
- Privacy violations
- Non-compliance implications for GovReady PBC or our clients
- Repurational damage to GovReady PBC or our clients
- Financial damage to Goverady or our clients
The overall rating is calculated by using the following matrix, comparing the likelihood on one axis, and the impact on the other.
|Risk Matrix |
|--------------|---------|-----------|---------|
|High |Medium |High |Critical |
|Medium |Low |Medium |High |
|Low |Low |Low |Medium |
| |Low |Meduim |High |
5f7f4a09d1259cc9bfb81e86499f6fb0975fca54
In adition to periodic review of the risk register, risk is also assessed upon:
- Significant change to any of GovReady PBC systems and processes
- Any time a risk is identified by a GovReady PBC team member, or by an external party
- Any time a new technology is provisioned
- Any time a new supplier is onboarded
Any time a new risk is discovered, the risk is rated according to our described methodology and tracked in our risk register.
When planning significant change to any GovReady PBC system or process, risk will be assessed by evaluating the details of the proposed change, and answering the following questions:
- What is changing?
- What new risks could possibly be created?
- What is the impact of any new risks?
- What is the likelihood of an event occuring?
- What mitigations can be implemented?
By performing this assessment at the planning stage, GovReady PBC is equipped to avoid introducing unnecessary risks to any of our systems or processes.
None.
All updates and comments are managed via the govready-pbc-practices repository at https://github.com/GovReady/govready-pbc-practices.
The best way to suggest an update is via pull request. All modifications to this practice are managed via pull requests in order to create a clean modification history.
An alternate way to suggest an update or just share a comment is to create an issue at govready-pbc-practices repository at https://github.com/GovReady/govready-pbc-practices/issues where they can be discussed and changes can subsequently be made via pull requests.
Please include the Practice ID (e.g., "p-20", "p-1") in title of issue.
- [1] "DoD RMF practitioners need ready access to RMF policy and guidance to effectively and efficiently apply the appropriate methods, standards, and practices required to protect DoD IT." DoDI 8510.01, March 12, 2014, Enclosure 7, p. 41.
Copyright 2017, GovReady PBC. All Rights Currently Reserved.