Moving to a Risk-Based Organization – NIST 800-37 Rev 1

Page 2 of 2

• Links risk management processes at the information system level to risk management processes at the organization level through a risk executive function.

Let us take a look at these characteristics a bit more closely.

1. Promoting the concept of near real-time risk management through the implementation of ‘robust’ continuous monitoring processes is definitely a sound concept. Even though many IT and security vendors indicate that their software and agents can monitor anything on a device, this is far from accurate. Continuous monitoring requires very strong configuration management of all devices, harnessing the power and process of change and release management, coupled with no one having write access to production systems at any time unless authorized by policy and procedure. Once the IT processes have matured to this point, software needs to be deployed that prevents configuration changes without proper change authorization and that offers comparison and rollback features. After this is in place, monitoring agents can be deployed to track configuration changes along with all other risk and performance indicators defined by the organization. Integrating ITIL v3 into the fabric of IT is required for this to be successful.

2. Encourages the use of automation and automated support tools to provide senior leaders the necessary information to make credible, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions. This is another great concept, but one that requires a great deal of analysis, integration and labor. GRC solutions may be able to provide such a dashboard, but the connectors and XML interfaces require significant work to integrate system, monitoring agent, GRC interface and actual actionable intelligence presented in business terms and views. Other solutions in the marketplace may claim to provide this type of dashboard, but in many cases these dashboards are aimed at IT staff and not the business.

3. Integrates information security more closely into the enterprise architecture and system development life cycle. This is a matter of will and effort that most CISOs and security leaders understand is required. CISOs have been working for years to get security built into every phase of the systems development lifecycle. It is long overdue, and with the proper assistance and expertise it can become a reality.

4. Provides equal emphasis on the selection, implementation, assessment, and monitoring of security controls, and the authorization of information systems. The implementation of security and risk into the SDLC will ensure this step is given its due. Each of these functions should be blended into the process as the norm and not a nuisance add-in.

5. Establishes responsibility and accountability for security controls deployed within organizational information systems and inherited by those systems (for instance, common controls). Controls of various types, flavors and impacts must be defined, used and reused as part of standard reference architectures based upon risk and system classification. Defining control roles and responsibilities, and deploying controls that can in fact be monitored, is a key indicator of the success of continuous monitoring. If a control cannot be monitored, it should not be used. If control monitoring cannot be automated as defined under the concepts within 800-37 Rev 1, do not deploy it until you can automate it. This is not to say forget the control, but to develop a plan to create the automation that supports it. The last word of advice is to use only the controls necessary to remediate risk and provide visibility, as required by the system classification.


Links risk management processes at the information system level to risk management processes at the organization-level through a risk executive function. This ensures proper enterprise risk management.  What you may find is that the organization has no other risk executive functions that cover other areas of the organization such as supply chain risk or operational risk. Establishing an enterprise risk management function where all organizational risk is reviewed, compared and decided upon is a key activity for any entity.  In many cases it exists but is not clearly defined or organized. Regardless, having information security and information technology represent as a risk executive function is long overdue. The execution of this concept will bring security to table.  It will also start the process of establishing information governance.  Information governance is not necessarily the responsibility of the CISO but the CISO and her/his team do have significant impact over the success of such a program.
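The configuration-management discipline described in item 1 (detect changes that lack proper change authorization, compare against a known baseline, and be able to roll back) and the rule in item 5 that a control is only worth deploying if it can be monitored automatically can be illustrated with a small drift check. The following Python is an added example, not code from the original article or from NIST; it assumes a baseline of SHA-256 hashes for each monitored file, a current snapshot, and a set of approved change records. The `ApprovedChange` type, the `CHG-*` ticket numbers, the paths and the file contents are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


def digest(content: bytes) -> str:
    """SHA-256 of a file's content, used as the comparison key."""
    return hashlib.sha256(content).hexdigest()


def snapshot(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each monitored path to the hash of its current content."""
    return {path: digest(content) for path, content in files.items()}


@dataclass(frozen=True)
class ApprovedChange:
    """A change record from the change/release process (hypothetical shape)."""
    ticket: str
    new_hash: Optional[str]   # None means the record approves removal of the file


@dataclass(frozen=True)
class Finding:
    path: str
    status: str               # unchanged / authorized_change / unauthorized_*
    expected: Optional[str]   # baseline hash, None if the file is new
    observed: Optional[str]   # current hash, None if the file was removed
    ticket: Optional[str]     # ticket that authorized the change, if any


def compare(baseline: Dict[str, str], current: Dict[str, str],
            approved: Dict[str, ApprovedChange]) -> List[Finding]:
    """Classify every path in either snapshot against the approved changes."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        expected = baseline.get(path)
        observed = current.get(path)
        record = approved.get(path)
        if expected == observed:
            status, ticket = "unchanged", None
        elif record is not None and observed == record.new_hash:
            # The observed state is exactly what the change record approved.
            status, ticket = "authorized_change", record.ticket
        elif expected is None:
            status, ticket = "unauthorized_addition", None
        elif observed is None:
            status, ticket = "unauthorized_removal", None
        else:
            status, ticket = "unauthorized_change", None
        findings.append(Finding(path, status, expected, observed, ticket))
    return findings


def rollback_plan(findings: List[Finding],
                  baseline_contents: Dict[str, bytes]) -> Dict[str, Optional[bytes]]:
    """Content to restore for each unauthorized finding (None = delete the file)."""
    plan: Dict[str, Optional[bytes]] = {}
    for f in findings:
        if f.status in ("unauthorized_change", "unauthorized_removal"):
            plan[f.path] = baseline_contents[f.path]
        elif f.status == "unauthorized_addition":
            plan[f.path] = None
    return plan


def promote_baseline(baseline: Dict[str, str], findings: List[Finding]) -> Dict[str, str]:
    """New baseline after authorized changes are accepted; unauthorized ones are not."""
    new_baseline = dict(baseline)
    for f in findings:
        if f.status == "authorized_change":
            if f.observed is None:
                new_baseline.pop(f.path, None)
            else:
                new_baseline[f.path] = f.observed
    return new_baseline


# Constructed sample data: the approved baseline, what is on the host now,
# and the change records the release process has on file.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "/etc/app/app.conf": b"debug=false\n",
    "/etc/app/old.conf": b"legacy=1\n",
}
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",   # no ticket: unauthorized
    "/etc/app/app.conf": b"debug=true\n",               # matches CHG-1042
    "/etc/cron.d/nightly": b"0 2 * * * root /opt/app/nightly\n",  # new, no ticket
}
APPROVED = {
    "/etc/app/app.conf": ApprovedChange("CHG-1042", digest(b"debug=true\n")),
    "/etc/app/old.conf": ApprovedChange("CHG-1043", None),   # approved removal
}


def audit() -> List[Finding]:
    return compare(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES), APPROVED)


if __name__ == "__main__":
    results = audit()
    for f in results:
        print(f"{f.status:22} {f.path} {f.ticket or ''}")
    print("rollback:", {p: (v is not None) for p, v in rollback_plan(results, BASELINE_FILES).items()})
```

The design point is that the check is only meaningful because the change process produces a record the monitor can compare against: without `APPROVED` every change looks the same, which is the situation the article describes when change and release management are not yet mature.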

Throughout the assessment process related to the SDLC, various types of controls will need to be selected based upon system risk. This is not new, but you should follow the approach of not using a sledgehammer to push in a tack. By this I mean use only the degree and level of control necessary to remediate the risk at hand. Anything more and you may run into cost issues and/or usability problems for the customer.

So what are some of the benefits of using an RMF?

• Align risk appetite and strategy with organizational drivers

• Minimize operational surprises and losses

• Enhance risk response decisions

• Prioritize business use of resources

• Identify and manage cross-enterprise risks

• Link growth, risk and return

• Rationalize capital expenditures

• Seize opportunities based upon business drivers

• Centralize sources of risk, standards, frameworks, regulations, statutes and process mappings – integrated, cohesive and enterprise-wide

Copyright © 2010 IDG Communications, Inc.
