Risk Management Framework (RMF): An Overview - Varonis


Jeff Petters | 6 min read | Last updated January 29, 2021

The Risk Management Framework (RMF) is a set of criteria that dictate how United States government IT systems must be architected, secured, and monitored. Originally developed by the Department of Defense (DoD), the RMF was adopted by the rest of the US federal information systems in 2010. Today, the National Institute of Standards and Technology (NIST) maintains the RMF, and it provides a solid foundation for any data security strategy.

The RMF builds on several previous risk management frameworks and includes several independent processes and systems. It requires that firms implement secure data governance systems and perform threat modeling to identify cyber risk areas.

In this guide, we'll take you through everything you need to know about the RMF. We'll break down the components of the framework in several sections:

What comprises the RMF?
The 5 risk management components
The 6 RMF steps
The benefits of the RMF for businesses
How Varonis can help you become RMF compliant

What Comprises the Risk Management Framework?

The general concept of "risk management" and the "risk management framework" might appear to be quite similar, but it is important to understand the distinction between the two. The risk management process is specifically detailed by NIST in several subsidiary frameworks.
The most important is the elegantly titled "NIST SP 800-37 Rev. 1", which defines the RMF as a 6-step process to architect and engineer a data security process for new IT systems, and suggests best practices and procedures each federal agency must follow when enabling a new system.

In addition to the primary document SP 800-37, the RMF uses the supplemental documents SP 800-30, SP 800-53, SP 800-53A, and SP 800-137:

NIST SP 800-30, entitled Guide for Conducting Risk Assessments, provides an overview of how risk management fits into the system development life cycle (SDLC) and describes how to conduct risk assessments and how to mitigate risks.
NIST SP 800-37 discusses the risk management framework itself and contains much of the information we'll cover in the remainder of this guide.
Finally, NIST SP 800-39, titled Managing Information Security Risk, defines the multi-tiered, organization-wide approach to risk management crucial for reaching compliance with the RMF.

The 5 Risk Management Components

When getting started with the RMF, it can be useful to break the risk management requirements into different categories. These categories provide a way of working toward an effective risk management system, from identifying the most critical risks you face to how you will mitigate them.

Risk Identification

The first, and arguably the most important, part of the RMF is to perform risk identification. NIST says, "the typical risk factors include threat, vulnerability, impact, likelihood, and predisposing condition." During this step, you will brainstorm all the possible risks you can imagine across all of your systems and then prioritize them using different factors:

Threats are events that could potentially harm the organization by intrusion, destruction, or disclosure.
Vulnerabilities are weaknesses in the IT systems, security, procedures, and controls that can be exploited by bad actors (internal or external).
Impact is a measurement of how severe the harm to the organization would be if a particular vulnerability were exploited or a particular threat were realized.
Likelihood is a measurement of the risk factor based on the probability of an attack on a specific vulnerability.
Predisposing conditions are specific factors inside the organization that either increase or decrease the impact or likelihood that a vulnerability will come into play.

Risk Measurement and Assessment

Once you have identified the threats, vulnerabilities, impact, likelihood, and predisposing conditions, you can calculate and rank the risks your organization needs to address.

Risk Mitigation

Organizations take the ranked list from the previous step and start to figure out how to mitigate the threats from the greatest to the least. At some point in the list, the organization can decide that risks below this level are not worth addressing, either because there is little likelihood of that threat being exploited, or because there are too many greater threats to manage immediately to fit the low threats into the work plan.

Risk Reporting and Monitoring

The RMF requires that organizations maintain a list of known risks and monitor those risks for compliance with the policies. Statistics on data breaches indicate that many companies still do not report all of the successful attacks they are exposed to, which could impact their peers.

Risk Governance

Finally, all of the steps above should be codified into a risk governance system.

The 6 Risk Management Framework (RMF) Steps

At the broadest level, the RMF requires companies to identify which system and data risks they are exposed to and implement reasonable measures to mitigate them. The RMF breaks down these objectives into six interconnected but separate stages.

1. Categorize Information Systems

Use NIST standards to categorize information and systems so you can provide an accurate risk assessment of those systems. NIST tells you what kinds of systems and information you should include, and what level of security you need to implement based on the categorization.
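A worked version of the categorization in step 1 and of the five risk management components described earlier (identification factors, measurement and ranking, a mitigation cut-off, and a status report), written as an added Python example; it is not code from the article or from any Varonis product. The high-water-mark rule (the highest impact level per objective across a system's information types, and the highest of the three objectives as the overall category) is how FIPS 199 and FIPS 200 categorize a system, and that overall level is what selects the SP 800-53 baseline in step 2. Everything numeric is an assumption of the example: the 1 to 5 likelihood and impact scales, treating a predisposing condition as a multiplier on likelihood, the threshold of 8, and the hypothetical case-management system and its risks.

```python
"""Added example: FIPS 199 categorization of a system, then a ranked risk
register for it.  Scales, the predisposing multiplier and the threshold are
illustrative assumptions; NIST SP 800-30 uses qualitative assessment tables."""
from dataclasses import dataclass

# FIPS 199 impact levels, ordered so max() picks the high-water mark.
LEVELS = {"low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_system(information_types):
    """Step 1: each information type carries a C/I/A impact level.  The system's
    level per objective is the highest among its information types, and the
    overall category (which also names the SP 800-53 baseline) is the highest
    of the three objectives."""
    per_objective = {
        objective: max((levels[objective] for levels in information_types.values()),
                       key=LEVELS.__getitem__)
        for objective in OBJECTIVES
    }
    overall = max(per_objective.values(), key=LEVELS.__getitem__)
    return per_objective, overall


@dataclass
class Risk:
    """One risk identification entry: threat, vulnerability and rating factors."""
    threat: str
    vulnerability: str
    likelihood: int            # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int                # 1 (negligible) .. 5 (severe); assumed scale
    predisposing: float = 1.0  # <1 lowers, >1 raises likelihood; assumed modelling choice

    def score(self):
        # Adjusted likelihood is clamped to the 1..5 scale; risk = likelihood x impact.
        adjusted = min(5.0, self.likelihood * self.predisposing)
        return round(adjusted * self.impact, 1)


def rank_risks(risks):
    """Risk measurement and assessment: highest score first."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def plan_mitigation(risks, threshold):
    """Risk mitigation: work the ranked list top-down.  Risks scoring below the
    threshold are kept as accepted risks rather than dropped from the register."""
    ranked = rank_risks(risks)
    address = [r for r in ranked if r.score() >= threshold]
    accept = [r for r in ranked if r.score() < threshold]
    return address, accept


def status_report(system_name, overall_level, address, accept):
    """Risk reporting: the summary the RMF expects to be kept and monitored."""
    return {
        "system": system_name,
        "category": overall_level,
        "risks_to_mitigate": [(r.threat, r.score()) for r in address],
        "risks_accepted": [(r.threat, r.score()) for r in accept],
    }


# Constructed sample input for a hypothetical case-management system.
INFORMATION_TYPES = {
    "case files": {"confidentiality": "high", "integrity": "moderate", "availability": "low"},
    "public notices": {"confidentiality": "low", "integrity": "moderate", "availability": "moderate"},
}

# Constructed risk register; predisposing conditions are assumptions of the example.
RISK_REGISTER = [
    Risk("ransomware", "unpatched file server", likelihood=4, impact=5, predisposing=1.25),
    Risk("insider data theft", "excessive folder permissions", likelihood=3, impact=4),
    Risk("credential phishing", "password re-use by users", likelihood=4, impact=3, predisposing=0.75),
    Risk("web defacement", "public notice portal", likelihood=2, impact=2),
]

if __name__ == "__main__":
    per_objective, overall = categorize_system(INFORMATION_TYPES)
    address, accept = plan_mitigation(RISK_REGISTER, threshold=8)
    for key, value in status_report("case-management", overall, address, accept).items():
        print(key, value)
```

Run as a script, the report shows the system categorized as high (driven by the confidentiality of the case files), the three risks at or above the threshold in ranked order, and the defacement risk recorded as accepted; changing the threshold or a predisposing multiplier moves entries between the two lists, which is the decision the Risk Mitigation section describes.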
References: FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems; Special Publication 800-60 Rev. 1 (Volume 1, Volume 2), Guide for Mapping Types of Information and Information Systems to Security Categories

2. Select Security Controls

Select the appropriate security controls from NIST publication 800-53 to "facilitate a more consistent, comparable, and repeatable approach for selecting and specifying security controls for systems."

References: Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. Ed. note: the updated version of 800-53 goes into effect on September 23, 2021. Stay tuned for details.

3. Implement Security Controls

Put the controls you selected in the previous step in place and document all the processes and procedures you need to maintain their operation.

References: Multiple publications provide best practices to implement security controls. Check out this page to search for them.

4. Assess Security Controls

Make sure the security controls you implemented are working the way they need to, so you can limit the risks to your operation and data.

5. Authorize Information Systems

Are the security controls working correctly to reduce the risk to the organization? Then that control on that system is authorized! Congrats!

References: Special Publication 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy

6. Monitor Security Controls

Continuously monitor and assess the security controls for effectiveness and make changes during operation to ensure those systems' efficacy. Document any changes, conduct regular impact analysis, and report the security controls' status to your designated officials.

References: Special Publication 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy

How Can An Effective Risk Management Framework Benefit A Business?
Though the RMF is a requirement for businesses working with the US Government, implementing an effective risk management system can benefit any company. The ultimate goal of working toward RMF compliance is the creation of a data and asset governance system that will provide full-spectrum protection against all the cyber risks you face.

More specifically, developing a practical risk management framework will provide a company with several specific benefits:

Asset Protection

An effective risk management framework will prioritize understanding the risks that your business faces so that you can take the necessary steps to protect your assets and your business. This means that a comprehensive risk management framework will help you protect your data and your assets.

Reputation Management

Reputation management is an essential part of modern business practices, and limiting the detrimental consequences of cyberattacks is an integral part of ensuring that your reputation is protected. Consumers in the US are increasingly aware of data privacy's importance, not just because US privacy laws are becoming increasingly strict. A data breach will damage your business' reputation. An effective risk management framework can help companies quickly analyze gaps in enterprise-level controls and develop a roadmap to reduce or avoid reputational risks.

IP Protection

Almost every company has intellectual property that must be protected, and a risk management framework applies just as much to this property as to your data and assets. If you sell, offer, distribute, or provide a product or service that gives you a competitive edge, you are exposed to potential intellectual property theft. A risk management framework helps protect against potential losses of competitive advantage, business opportunities, and even legal risks.

Competitor Analysis

Finally, developing a risk management framework can have beneficial impacts on the fundamental operation of your business. By cataloging the risks you face and taking measures to mitigate them, you will also be gathering a wealth of valuable information on the market that you operate within, and this, in itself, can give you a competitive advantage over your peers.

How Can Varonis Help You Be Compliant?
NIST regulation and the RMF (in fact, many of the data security standards and compliance regulations) have three areas in common:

Identify your sensitive and at-risk data and systems (including users, permissions, folders, etc.);
Protect that data, manage access, and minimize the risk surface;
Monitor and detect what's happening on that data, who's accessing it, and identify when there is suspicious behavior or unusual file activity.

The Varonis Data Security Platform enables federal agencies to manage (and automate) many of the recommendations and requirements in the RMF.

DatAdvantage and Data Classification Engine identify sensitive data on core data stores, and map user, group, and folder permissions so that you can identify where your sensitive data is and who can access it. Knowing who has access to your data is a key component of the risk assessment phase, defined in NIST SP 800-53.

Data security analytics help meet the NIST SP 800-53 requirement to constantly monitor your data: Varonis analyzes billions of events from data access activity, VPN, DNS, and proxy activity, and Active Directory, and automatically builds behavioral profiles for each user and device. Machine-learning-powered threat models proactively identify abnormal behavior and potential threats like ransomware, malware, brute force attacks, and insider threats.

NIST SP 800-137 establishes guidelines to protect your data and requires that the agency meet a least-privilege model. DatAdvantage surfaces where users have access that they might no longer need. Automation Engine can clean up permissions and remove global access groups automatically. DataPrivilege streamlines permissions and access management by designating data owners and automating entitlement reviews.

While the Risk Management Framework is complex on the surface, ultimately it's a no-nonsense and logical approach to good data security practices. See how Varonis can help you meet the NIST SP 800-37 RMF guidelines today.

A Final Word

Working toward RMF compliance is not just a requirement for companies working with the US government. If you implement a risk assessment and governance strategy effectively, it can also provide you with plenty of operational benefits.

The primary focus of your RMF processes should be on data integrity, because threats to data are likely to be the most critical that your business faces. That's why we've built our Varonis software suite with features that allow you to quickly and effectively implement a risk assessment and governance process.

Jeff Petters

Jeff has been working on computers since his Dad brought home an IBM PC 8086 with dual disk drives. Researching and writing about data security is his dream job.


