If you only have limited resources, you want to use them well. Throwing your resources at whatever problem you can see is a decent approach, but gaining a comprehensive view of your problems and addressing the one that presents the greatest threat is probably a better use of your time.
That is the simple rationale behind the NIST Risk Management Framework (RMF). By following these guidelines for reducing risk in your enterprise, your organization will be led to identify its assets, ascertain which elements are most likely to bring them down, and come up with a plan to stop them, starting with the time bombs that are at risk of blowing up first.
What Is the NIST RMF?
The NIST Risk Management Framework, or RMF, is a voluntary seven-step process used to manage information security and privacy risks. It was jointly developed by NIST and the U.S. Department of Defense (DoD) for federal agencies, but its comprehensive foundation made it popular in the private sector. It links to other NIST guidelines that can help organizations meet the risk management program requirements of the Federal Information Security Modernization Act (FISMA).
By following the NIST RMF, organizations can successfully implement their own risk management programs, maintain compliance, and address the weaknesses that present the greatest danger to their enterprise.
But before they do, companies need to understand the basics of risk management. While somewhat self-explanatory, they are:
Frame risk
What does it mean to manage risk? It means to identify how much risk your organization can tolerate (and still survive), the constraints you have to work with (budget, lack of skills, lack of policy), and what you’re going to do within your parameters to still cut down risk as much as possible.
Assess risk
Use vulnerability management and penetration testing to assess and prioritize the areas you’re weakest in, which CVEs would make material impact if exploited, which web applications are at risk, and which holes are hemorrhaging the fastest. Red teaming can also help to ferret out weaknesses the other two can’t catch, in process and personnel.
Respond to risk
Decide how you’re going to minimize those risks. What are you going to change? When will this happen, and where are you going to start? Suggestion: start small, address one area completely, and move on.
Monitor risk
Every time a new person, technology, or system appears in your enterprise, there are new risks to assess and manage. Stay ahead of new developments (and dangers) by repeating the assess and respond steps regularly and monitoring for risk.
The Seven Steps of the RMF Process
NIST’s seven steps for implementing a successful risk management program for privacy and information security are as follows:
Prepare
Identify your most important assets, processes, and systems. Assign roles and responsibilities and establish your strategy and risk tolerance.
Categorize
Determine how much impact there would be, if any, if one of those identified assets, processes, or systems got compromised. Which one would have a material impact if its confidentiality, integrity, or availability were compromised? Use a matrix to categorize by severity and likelihood.
Select
Select an initial set of controls to address and protect all outlined systems, assets, and processes above. These may change, but you must start somewhere.
Implement
Put these plans into action. Remember to document the changes and be aware that feedback might change them.
Assess
How well do they work? If well, keep them. If poorly, alter them. This process may require check-ins over several months.
Authorize
Have your finalized plans authorized by an accountable decision-maker who understands the risk appetite of the organization. If they work, they will need to be disseminated throughout the organization and followed religiously. Your best-laid plans are moot without official support.
Monitor
Keep an eye on your creations. What worked today may show weakness when a new CRM is introduced tomorrow. Practice continuous vulnerability management and monitoring, and plan for the correct incident response once your monitoring picks something up.
These steps should be taken in order, and none can be skipped if you want a comprehensive, flexible, risk-based approach.
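As an added illustration of the Categorize step above (using the risk tolerance framed in Prepare), not code from the original post or from NIST: a small Python script that rates a constructed asset inventory by the worst of its confidentiality, integrity and availability impacts, places each asset in a severity-by-likelihood matrix, and returns the assets above a tolerance threshold, highest first. The three-level scales, the band thresholds and the sample inventory are all assumptions made for this example.

```python
from dataclasses import dataclass

# Ordinal scales for the severity/likelihood matrix. The three-level labels
# are an assumption for this example; the page only names the two axes.
IMPACT = {"low": 1, "moderate": 2, "high": 3}
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3}

@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: str  # impact if confidentiality is lost
    integrity: str        # impact if integrity is lost
    availability: str     # impact if availability is lost
    likelihood: str       # how likely a compromise is judged to be

def _level(scale, label):
    if label not in scale:  # a misspelled rating must not silently rank an asset low
        raise ValueError(f"unknown rating {label!r}, expected one of {sorted(scale)}")
    return scale[label]

def categorize(asset):
    # Severity is the worst of the three CIA ratings (high-water mark): an asset
    # rated low on two objectives still inherits its single high rating.
    worst = max(_level(IMPACT, r) for r in
                (asset.confidentiality, asset.integrity, asset.availability))
    return next(k for k, v in IMPACT.items() if v == worst)

def risk_score(asset):
    # Matrix cell: severity x likelihood, from 1 (low, rare) to 9 (high, likely).
    return _level(IMPACT, categorize(asset)) * _level(LIKELIHOOD, asset.likelihood)

def risk_band(score):
    # Band thresholds are an assumption; align them with the tolerance framed in Prepare.
    return "critical" if score >= 6 else "elevated" if score >= 3 else "tolerable"

def prioritize(assets, tolerance=2):
    # Above-tolerance assets, highest first; ties go to the more severe asset, so a
    # rare hit on payroll outranks an equally scored likely hit on a dev wiki.
    rows = [(a.name, categorize(a), risk_score(a)) for a in assets if risk_score(a) > tolerance]
    rows.sort(key=lambda r: (-r[2], -IMPACT[r[1]], r[0]))
    return [(name, sev, sc, risk_band(sc)) for name, sev, sc in rows]

# Constructed sample inventory, not from any real organization.
INVENTORY = [
    Asset("customer-db", "high", "high", "moderate", "possible"),
    Asset("public-website", "low", "moderate", "high", "likely"),
    Asset("dev-wiki", "low", "low", "low", "likely"),
    Asset("payroll", "high", "high", "low", "rare"),
    Asset("lunch-menu", "low", "low", "low", "rare"),
]
```

Calling `prioritize(INVENTORY)` ranks the public website (high severity, likely) and the customer database (high, possible) as critical, then payroll ahead of the dev wiki at an equal score, and drops the lunch menu as within tolerance.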
Misunderstand Risk at Your Own Risk
Having a robust risk management program in place does more for your organization than help it align with NIST and check a few boxes. This is one of the single most beneficial tools for understanding which assets in your organization matter most (i.e., are mission-critical to keeping you online and in the black), and which weaknesses you simply can’t tolerate.
Your SOC comes to work every day looking to do the most good for your organization. When alerts pop up or something doesn’t look right, they investigate and address them in a prioritized manner. They only have so much time in a day, and they want to use it well. Get the most out of that time by knowing that the issues they are addressing are the most important ones they could be fixing at that time. So much needs to be done in an enterprise to keep it safe; it would be a shame to waste a week (and a chunk of the budget) investing in a great solution to a low-level problem.
The NIST RMF makes sure your security team is aligned with management and on the same page when it comes to where time should be spent, what it should be spent doing, and which priorities and objectives will bring the most benefit to your security posture at any given time. With endless alerts and cyber staffing issues, using the NIST RMF to always know where your security efforts should be focused is one of the wisest ways to invest your limited resources and get the most out of your strategy.
Make Fortra Your Cybersecurity Ally
Our mission at Fortra is to help organizations increase security maturity while decreasing operational burden. Our vision is a stronger, simpler future for cybersecurity. Who’s with us?