Risk Management Framework

NIST Special Publication 800-37 Revision 1

Guide for Applying the Risk Management Framework to Federal Information Systems
A Security Life Cycle Approach

JOINT TASK FORCE TRANSFORMATION INITIATIVE

INFORMATION SECURITY

Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930

February 2010

U.S. Department of Commerce
Gary Locke, Secretary

National Institute of Standards and Technology
Patrick D. Gallagher, Director


interests from adversaries using cyberspace to their advantage and from our own efforts to employ the global nature of cyberspace to achieve objectives in military, intelligence, and business operations…” “…For operational plans development, the combination of threats, vulnerabilities, and impacts must be evaluated in order to identify important trends and decide where effort should be applied to eliminate or reduce threat capabilities; eliminate or reduce vulnerabilities; and assess, coordinate, and deconflict all cyberspace operations…” “…Leaders at all levels are accountable for ensuring readiness and security to the same degree as in any other…
As part of the overall governance structure established by the organization, the risk management strategy is propagated to organizational officials and contractors with programmatic, planning, developmental, acquisition, operational, and oversight responsibilities, including for example: (i) authorizing officials; (ii) chief information officers; (iii) senior information security officers; (iv) enterprise/information security architects; (v) information system owners/program managers; (vi) information owners/stewards; (vii) information system security officers; (viii)

Related Documents

  • Developed enterprise-wide guidelines on how to best apply technology standards in creating business applications or best business practices. Served as a senior expert in the field of cyber security, directing the day-to-day agency implementation of a government-wide cyber security defense strategy. Provide authoritative advice and guidance to top agency management officials on integrating cyber security initiatives with key mission-critical programs. Advise IT experts throughout the agency and its subcommands on a variety of cyber security issues that involve applying or adapting new theories, concepts, or standards.…
  • Business Continuity Management (BCM) – Key Performance Indicators (KPIs) By: Arunkumar Durairaj 14-Nov-16 1. Introduction The purpose of BCM KPIs is to monitor and measure the performance of the Business Continuity Management (BCM) program based on the references obtained through achievement of processes or goals. These indicators are used to help an organization evaluate its progress and/or performance (in terms of efficiency, effectiveness, robustness, and so on) of its BCM processes while pursuing short-term, medium-term and/or long-term goals/plans. A well-managed KPI dashboard gives senior management information on how the BCM program is managed across the organization. The board (senior management) can then…
  • The whole process of business perspectives, practical business continuity and disaster recovery planning perspectives, and the IT-centric perspectives of risk management needs to be comprehended to understand the concept and practical application of risk management. Creating a business continuity plan unique to your business is important to your company’s success. Every organization will handle threats and risks differently, taking location, industry, organizational culture, departments, company structure, work units, management approach and strategic objectives into perspective. Each step in the process of basic risk management is important. The four basic steps of risk management are threat assessment, vulnerability assessment,…
  • The implementation of these policies takes place at the tactical level and also demonstrates the policy cohesion and congruency necessary among agencies within the strategy hierarchy for national strategies to be successfully implemented. Furthermore, the strategy hierarchy is seen in DHS efforts to protect critical infrastructure, which contains a major vulnerability point in its cross-sector interdependence construct. Office of Infrastructure Protection policies formulated at the agency level are based on the DHS national strategy formulated at the top level, and measures to mitigate threats to critical infrastructure are implemented at the tactical level. The strategy hierarchy is central to the formulation and implementation of national strategies…
  • A PMO must fully integrate a risk management process that is able to identify potential risks, with a proactive approach, in order to promptly address each issue and minimize the effects on the project and organization. Along with completing a full risk analysis for every project, common risk factors and the risk tolerances of the organization and stakeholders should be included in the risk management assessment. By considering all of these attributes within the risk management process, a PMO can effectively implement a mitigation plan that will minimize the impacts on projects and present a competitive advantage for the organization…
  • IT Security Policy

    When building a cybersecurity policy one must keep in mind any potential situations and address them in the policy (Easttom, 2012). This helps build a strong and secure network that protects the information an organization has access to. Building a Successful Cybersecurity Policy: To build a successful cybersecurity policy an organization must address all potential…
  • Question 2 The theoretical relationship between the Emergency Operation Center (EOC) and the Incident Command System (ICS) is to support the process of incident management. The Incident Command System is a developed concept utilized to help responders provide an organizational structure to combat any level of incident and eliminate jurisdictional boundaries (Incident Command Systems/Unified Systems, 2017). The purpose of the Emergency Operation Center is to support the physical or virtually operating systems of a unit for disaster recovery (ready.gov, 2017). The EOC and the ICS have a responsibility to have constant crisis communication and management developed amongst each other. As a collective the two organizations coordinate activities and identify…
  • Project Governance. This activity defines the PMO structure because it is during this activity that the organization determines whether the PMO will function in a consultative role or as a centralized entity. If the former, the project manager uses the PMO as a consultative resource; if the latter, the project manager is essentially on the PMO staff and is assigned to projects as they occur. The key to establishing an effective and efficient PMO is the charter for its operation. The charter will clearly state who is in charge of the PMO, what the limits of the PMO’s authority are, and how the PMO will function relative to the rest of the organization…
  • The Security Policy

    # This explains how the different types and volume of information relate to how staff are expected to handle the information, and that all staff who have access to use the information should be shared. It also states the two types of information which define a risk: personal information, and business-sensitive information. # This states that the college recognises several information asset categories of the college which are important to the running of the business. # This section states how all information captured must be securely stored and protected.…
  • Identifying assets for review is done by the managers of the environment under review. They will also work with the security project manager. Asset identification and the values related to it are crucial to the business. In this part assets need to be identified, especially those critical for the business operations. Assets can be physical or logical, like datacenters, desktops, remote systems, network devices, and systems that process, manage, and store personal information.…