
Risk Management and Compliance concerning Cybersecurity Policy and Industry Standards


Part 1

Risk Management Framework

The National Institute of Standards and Technology (NIST) is a body purposefully formed to protect the confidential information of organizations and individuals from being used for malicious gain. Its Information Technology Laboratory is tasked with developing tests, test methods, proof-of-concept implementations, and technical analyses that promote the productive use of information technology (IT). Many threats can face information systems in organizational settings and disrupt normal operations; these range from machine errors to purposeful attacks that are organized and adequately funded. Successful attacks on an organization’s information system have detrimental impacts on organizational operations, employees, and tangible and intangible assets (Alhawari et al., 2012). Therefore, the management team must implement measures to prevent attacks from succeeding by acting quickly to manage any security vulnerabilities identified. This paper evaluates the NIST SP 800-37 Risk Management Framework and its utilization in organizational settings.

The Risk Management Framework (RMF) comprises seven steps that organizations should follow in the outlined order. The first step, preparation, offers substantial support to the other steps within the framework. In some instances, organizations may discover that they have already executed some of the tasks of the preparation step in their existing risk management program. To reduce this kind of confusion, the preparation step aids in overcoming the complexity of implementing the Risk Management Framework, conserving security and privacy resources, and prioritizing essential activities within the organization (Wang et al., 2010). This step draws on regulatory standards from NIST publications, requirements set by the Office of Management and Budget, or both (Wang et al., 2010). The second step entails categorizing information systems, which fosters the administration’s understanding of the systems utilized within the organization’s premises. This step begins with the definition of the system boundary. Defining the system boundary involves identifying all relevant information about the organization, such as its mission, the roles and responsibilities of employees, the system’s operating environment, and its connections with other systems.


The third step involves selecting security controls that protect the confidentiality, integrity, and availability of the system and its information. The security controls selected should include management, operational, and technical controls, as well as countermeasures that can be adopted in case of system failure. The next step entails implementing the security controls selected in the third step. Security control implementation describes how the controls are deployed within the information system and its operating environment (Lee, 2021). This calls for policies tailored to each device so that it aligns with the required security documentation. Fifthly, assessing the security controls determines the extent to which the controls are implemented correctly, operate as intended, and meet the system’s security requirements. The second-to-last step is authorizing the information system, which determines the risks to organizational operations, individuals, and assets, and whether they fall within the acceptable risk threshold (Lee, 2021). Finally, the organization must continuously monitor the security controls, ensuring adaptability to changing threats, vulnerabilities, and business processes.

Besides the seven-step risk management framework, there are other essential aspects that an organization should consider to protect its confidential information from falling into the wrong hands. One of these concepts relates to information security and privacy in the Risk Management Framework. Effective Risk Management Framework implementation requires integrating the information security and privacy programs. Even though the objectives of these two disciplines often overlap, they are complementary. On the one hand, information security programs protect information and systems from unauthorized access, disclosure, modification, or destruction (Ross, 2018). On the other hand, privacy programs are responsible for ensuring compliance with the formulated privacy standards and managing the risks linked to creating, processing, disseminating, and disclosing personally identifiable information. Therefore, an organization should incorporate both programs in its implementation of RMF so that the objectives of each discipline can be attained.

When the organization’s system processes personally identifiable information (PII), the information security and privacy programs are usually mandated to oversee the risks linked to unauthorized behavior; under this scenario, both programs collaborate in selecting, assessing, and monitoring security controls. Even though these two programs enhance the confidentiality, integrity, and availability of PII, securing PII alone cannot entirely achieve an individual’s privacy. Furthermore, organizations must understand that privacy risks do not necessarily emanate from unauthorized activities. In other instances, privacy risk may arise from authorized activities that lie beyond the reach of information security measures (Ross, 2018). Even where individuals are authorized to use specific systems for collecting, using, and retaining PII, a lack of appropriate participation and transparency could still put the company’s vital information at risk.

The other aspect required for the efficient functioning of RMF is the system and its elements. Even though the execution of RMF uses the statutory definition of an information system, information systems must also be defined within the System Development Life Cycle (SDLC) process. Like federal law, ISO 15288 defines a system as a set of interacting elements organized to attain particular objectives (Lee, 2021). The system elements required for the efficient execution of RMF include technology elements, human resource elements, and environmental elements. While each system element fulfills specific established requirements, these elements may be implemented through hardware, software, or firmware, or through people, processes, and procedures (Lee, 2021). Therefore, a combination of standard system elements serves to satisfy the outlined system requirements. The interconnectedness of the system elements permits them to work in unison to provide exemplary system performance.

The Risk Management Framework cannot work effectively without authorization boundaries. The authorization boundary establishes the scope of protection for the information system in use within the organization’s premises. In many organizations, the authorization boundary comprises the processes, people, and information technologies that support the organization’s mission and business functions (Ross, 2018). Nonetheless, the management team needs to understand that overly expansive authorization boundaries increase the complexity of the risk management process; on the other hand, overly narrow authorization boundaries increase the number of systems that must be managed separately, causing a considerable increase in operational costs. In many organizations, the authorization boundary is developed at the preparation stage of RMF (Ross, 2018).

Moreover, organizations enjoy autonomy in constituting the authorization boundary for a system. The system used by the organization is defined by the set of system elements within the authorization boundary. Organizations may also apply other considerations in determining authorization boundaries, such as identifying system elements that support the same organizational mission, share similar privacy requirements, transmit similar types of information, and reside in the same operating environment.

The final component for consideration is the Risk Management Framework in relation to requirements and controls. It is crucial that organizations understand the relationship between requirements and controls. Under federal information security law, the term requirement denotes the information security and privacy obligations imposed on organizations (Alhawari et al., 2012). For instance, OMB Circular A-130 sets out a series of information security and privacy standards that agencies must abide by when managing information resources. Furthermore, the term requirement can also be used for legal and policy measures that sufficiently protect stakeholders’ needs (Alhawari et al., 2012). However, organizations may adopt more granular categories of requirements similar to those adopted in the SDLC. These include capability requirements, specifications, and statement-of-work requirements. On the other hand, controls refer to the safeguards and protection capabilities that serve security and privacy objectives and protect the needs of organizational stakeholders. Organizations should select and implement controls through technical, physical, and administrative measures.

Part 2

Different Categories of Security Controls

There are three broad categories of security controls for use in organizational settings: technical, administrative, and physical security controls. Technical security controls, also known as logical controls, use technology to reduce hardware and software vulnerabilities. They involve installing automated software tools to protect hardware and software assets. Technical security controls include encryption, anti-virus software, security information and event management (SIEM), and intrusion detection systems (Al-Safwani et al., 2018). The two broad implementation methods for technical controls are access control lists (ACLs) and configuration rules. An access control list filters network traffic entering and leaving the system. This method is commonly used in routers or firewalls, although ACLs can also be configured on any device in the network, including hosts, network devices, and servers (Al-Safwani et al., 2018). Configuration rules use instructional code to guide how the system executes when information passes through it.

Administrative security controls refer to the policies, procedures, and guidelines that define business practices in line with the organization’s security goals. Newly hired employees are exposed to an onboarding program that acquaints them with the nature of the company’s operations and its historical background. The onboarding program may require the newly hired personnel to review and acknowledge the organization’s security policy by reading and accepting its contents. Examples of processes that implement administrative controls include management and operational controls (Al-Safwani et al., 2018). Management controls provide security measures against the pilferage of the organization’s confidential information. On the other hand, operational controls are implemented and executed by personnel within the organization. Examples of administrative controls include a security policy, training users not to fall for phishing attempts, and regularly monitoring emails and websites for any signs of phishing activity (Al-Safwani et al., 2018).

The last security control category is physical controls, which prevent unauthorized physical access to confidential information. There are numerous examples of physical controls adopted within organizational settings. The first example is biometrics, which includes fingerprint, face, iris, voice, and handwriting recognition to identify the individuals operating specific systems (Al-Safwani et al., 2018). Closed-circuit surveillance cameras are another example, monitoring movements and actions within the organization’s premises. Other examples of physical controls include security guards, picture IDs, motion alarm systems, and dead-bolted steel doors.

An Everyday Example of Risk Analysis

An example of a risk analysis that I do daily entails checking roads keenly for any oncoming traffic before crossing from one side to the other. I often consider five risk assessment steps in implementing this risk analysis measure every time I decide to cross the busy roads along the streets. The first step is qualitative risk assessment based on my judgment and expertise. In this step, I often rely on my experience using the road and judging the risk levels involved in crossing the street. In some instances, I often consult my colleagues on the best practice of crossing the road without necessarily having to waste time by waiting all along. The second step that I usually follow is the quantitative risk assessment. While deciding whether to cross the road, I typically assign the risk of being hit by the car based on the speed and distance between the vehicle and me. Upon seeing that the arriving vehicle is at high speed, I often procrastinate crossing the road.

In the third step, I usually undertake the generic risk assessment by evaluating the risk arising from my decision to cross the road at any time. Generic risk assessment covers common hazards arising from negligence while on the road. This evaluation aims to ascertain that hardly any risk endangers my life while using the streets. This type of risk evaluation will consider the hazards of the various incidences of crossing multiple roads. When the kind of road I am supposed to travel is a highway, I will apply similar principles while crossing streets in various parts of my neighborhood and the country.

The second last step that I consider is the site-specific risk assessment. Specific risks are unique to particular roads or junctions in this evaluation mode. In this case, I will utilize exceptional safety measures as outlined on the road signs along these roads. This would enable me to overcome risks such as vibration and noise that may distract my attention while crossing the road and slippery surfaces that may cause me to slide accidentally. Finally, I employ dynamic risk assessment to cope with unknown risks on roads I am using for the first time. In this regard, I would be compelled to change situations based on the detrimental impact presented.

How to Design Cyber Security Policies That Support Risk Assessment

Determining information value is the first step in designing cyber security policies that support risk assessment. The value attributed to information depends mainly on the information’s application and purpose; the results it produces and the context in which it is used determine its implicit value. Since many small-to-medium businesses do not have an extensive budget for security assessment, such firms usually limit the scope of review. Under this first step, organizations define the standards for deciding which information to prioritize, including but not limited to business importance, asset value, and legal standing. The second step involves the identification and prioritization of assets. Management and business users often work together to create a comprehensive inventory of valuable assets (Landoll, 2021). Assets identified within the organization’s premises include buildings, trade secrets, electronic data, and personnel. However, some assets rank higher than others because they ensure data integrity for users within the organization.

The third step in designing cyber security policies is identifying threats to the organization’s systems. A threat is defined as an action or event that may cause harm to business operations or exploit vulnerabilities in the organization’s strategy. The most common threats facing organizations today include data leaks, insider threats, and service disruption. Data leaks entail the leakage of sensitive data such as customers’ personal information, credit card information, passwords, and personally identifiable information (PII) (Landoll, 2021). The leakage of organizational data to competitors or the public domain has serious consequences for the organization. Organizations may experience data leakage because of weak authentication procedures or poor configuration of cloud services. Insider threats are brought about by the misuse of access to information by authorized users. Insider threats damage the brand’s reputation and bring about a loss of revenue. Finally, service disruption often stems from delays in system loading, causing customers to switch to alternative products offered by competing firms (Landoll, 2021).

The fourth step involves identifying the system vulnerabilities that may lead to data breaches. The sources organizations can use to identify system vulnerabilities include vendor data, audit reports, incident response teams, and vulnerability analysis (Landoll, 2021). The final step in designing a cyber-security policy entails calculating the likelihood of the various scenarios occurring each year.
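A worked calculation for the likelihood step above, added here as an example that is not part of the original paper: it applies the standard annualized-loss formulation (expected annual loss = loss per event × expected events per year), which the text does not name, to a constructed risk register built from the three threats the text lists; all asset values, loss fractions and yearly frequencies are constructed sample numbers.

```python
"""Risk register scoring for the five policy-design steps: value information,
identify assets, identify threats, identify vulnerabilities, estimate yearly
likelihood.  Added example; the ALE-style formula is an assumption."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float               # step 1: value attributed to the information
    business_importance: int   # 1 (low) .. 5 (critical), used to break ties


@dataclass(frozen=True)
class Scenario:
    threat: str                # step 3: data leak, insider threat, disruption
    vulnerability: str         # step 4: weakness the threat would exploit
    asset: Asset               # step 2: the asset at risk
    loss_fraction: float       # share of asset value lost in one occurrence
    events_per_year: float     # step 5: expected yearly frequency


def single_loss(s: Scenario) -> float:
    """Loss from one occurrence of the scenario."""
    return s.asset.value * s.loss_fraction


def annual_expected_loss(s: Scenario) -> float:
    """Expected yearly loss: loss per event times events per year."""
    return single_loss(s) * s.events_per_year


def prioritize(scenarios):
    """Rank scenarios by expected annual loss, then by business importance,
    so that policy effort goes to the highest-scoring scenarios first."""
    return sorted(scenarios,
                  key=lambda s: (annual_expected_loss(s),
                                 s.asset.business_importance),
                  reverse=True)


# Constructed sample register (fractions chosen so arithmetic is exact).
CUSTOMER_DB = Asset("customer PII database", 500_000, 5)
WEB_SHOP = Asset("online storefront", 200_000, 4)
DESIGN_DOCS = Asset("product design documents", 1_000_000, 5)

SAMPLE_REGISTER = [
    Scenario("data leak", "misconfigured cloud storage", CUSTOMER_DB, 0.5, 0.25),
    Scenario("insider threat", "excessive access rights", DESIGN_DOCS, 0.25, 0.0625),
    Scenario("service disruption", "no capacity headroom", WEB_SHOP, 0.25, 1.25),
]

if __name__ == "__main__":
    for s in prioritize(SAMPLE_REGISTER):
        print(f"{s.threat:20} loss/event={single_loss(s):>10,.0f} "
              f"expected/year={annual_expected_loss(s):>10,.0f}")
```

The data leak and the service disruption tie on expected annual loss, and the tie is resolved by the business importance assigned in step 1, which is why that criterion is recorded with the asset rather than guessed later.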

References

Alhawari, S., Karadsheh, L., Talet, A. N., & Mansour, E. (2012). Knowledge-based risk management framework for information technology project. International Journal of Information Management, 32(1), 50-65. Retrieved on 26th April 2022, from https://www.academia.edu/download/47492068/Knowledge-Based_Risk_Management_framewor20160724-3557-1sifg11.pdf

Al-Safwani, N., Fazea, Y., & Ibrahim, H. (2018). ISCP: In-depth model for selecting critical security controls. Computers & Security, 77, 565-577. Retrieved on 26th April 2022, from https://www.sciencedirect.com/science/article/pii/S0167404818305534

Landoll, D. (2021). The security risk assessment handbook: A complete guide for performing security risk assessments. CRC Press.

Lee, I. (2021). Cybersecurity: Risk management framework and investment cost analysis. Business Horizons, 64(5), 659-671. Retrieved on 26th April 2022, from https://www.sciencedirect.com/science/article/pii/S0007681321000240

Ross, R. S. (2018). Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (NIST SP 800-37). Retrieved on 26th April 2022, from https://www.nist.gov/publications/risk-management-framework-information-systems-and-organizations-system-life-cycle

Wang, J., Lin, W., & Huang, Y. H. (2010). A performance-oriented risk management framework for innovative R&D projects. Technovation, 30(11-12), 601-611. Retrieved on 26th April 2022, from http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.1072.4575&rep=rep1&type=pdf


Question

Risk Management and Compliance

Part 1

  1. In a minimum of 1,250 words, evaluate the NIST SP 800-37 Risk Management Framework.

Part 2

  1. In a minimum of 400 words, discuss the different categories of security controls and give examples.
  2. In a minimum of 400 words, give an everyday example of risk analysis that you do every day. For example, should you wear a seatbelt when driving a block or two?
  3. In a minimum of 400 words, discuss how to design cybersecurity policies that support risk assessment.