NIST Risk Management and SDLC Notes

Risk Management Tiers (NIST SP 800-39)

  • Three tiers:
    • Organizational (Tier 1)
    • Mission/Business Process (Tier 2)
    • Information Systems (Tier 3)

Organizational Tier (Tier 1)

  • Focuses on:
    • Governance structures
    • Risk management strategy (including risk tolerance)
    • Investment strategies for information resources and security
  • Provides strategic direction.
  • Ensures organizational objectives are met while managing risk responsibly.

Enterprise Architecture Contribution (Tier 2)

  • Aligns IT investments with measurable performance improvements.
  • Ensures transparency by connecting security investments to mission/business success.
  • Simplifies understanding and protecting information systems.

SDLC and Risk Management (Tier 3)

  • Risk management integrated into every phase of the SDLC.
  • Early integration ensures cost-effective implementation of risk management strategy.
  • Helps mitigate risks throughout the development process.

Risk Framing

  • Defines context for managing risk.
  • Establishes assumptions, constraints, risk tolerances, and priorities.
  • Key inputs:
    • Laws, policies, directives, regulations
    • Contractual relationships and financial limitations
    • Trust relationships and trust models (MOUs or MOAs)

Qualitative vs. Quantitative Risk Analysis

  • Qualitative:
    • Uses descriptive terms (e.g., high, medium, low) to assess probability and impact.
    • Often uses a risk matrix.
  • Quantitative:
    • Uses numerical data and techniques (e.g., decision analysis, sensitivity analysis).
    • Provides a more objective assessment.

Risk Responses

  • Five primary responses:
    • Accept
    • Avoid
    • Mitigate
    • Share
    • Transfer
  • Tailored to the organization's specific circumstances and risk tolerance.

Evaluating Risk Responses

  • Considerations:
    • Feasibility
    • Cost-effectiveness
    • Potential impact on operations
    • Alignment with overall risk management strategy
    • Resource availability
    • Compliance requirements

Risk Monitoring

  • Objectives:
    • Verify compliance with security policies.
    • Assess effectiveness of implemented risk responses.
    • Identify changes in information systems and operational environment that may impact risk.

Change Control Processes

  • Ensure modifications are evaluated for potential security impacts.
  • Prevent new vulnerabilities.
  • Ensure existing risk mitigation measures remain effective.

Security in SDLC

  • Aims to proactively build security into systems from the outset.
  • Reduces vulnerabilities and mitigates risks.
  • Ensures data confidentiality, integrity, and availability (CIA).

SDLC Initiation Phase

  • Activities:
    • Planning and developing the project
    • Establishing a financial plan
    • Defining security requirements (CIA)
    • Identifying information types
    • Conducting a Privacy Impact Assessment (PIA)
    • Obtaining management approval

Feasibility Analysis

  • Assesses the economic and organizational impact of the proposed system.
  • Determines whether the project is viable and aligns with business objectives.

Logical vs. Physical Design

  • Logical design:
    • Focuses on the system's functionality without specifying hardware or software.
  • Physical design:
    • Maps logical design onto specific technologies, platforms, and programming languages.

Security Assessment Report

  • Documents results of security testing and evaluation.
  • Identifies vulnerabilities.
  • Recommends mitigation strategies.

Operations and Maintenance Phase

  • The longest phase.
  • Encompasses ongoing management, monitoring, patching, updating, and support.

Configuration Control Board (CCB)

  • Manages changes to the system.
  • Ensures updates, patches, and modifications are properly assessed, authorized, and implemented.
  • Maintains system integrity and security.

Plans of Action and Milestones (POAMs)

  • Outline corrective actions for identified security vulnerabilities and risks.
  • Specify timelines and responsibilities for remediation efforts.

Disposal Phase

  • Primary security concern: securely managing and disposing of sensitive data.
  • Prevents unauthorized access or disclosure.

NIST SP 800-160 Volume 1

  • Replaced SP 800-64.
  • SP 800-64 was withdrawn in 2019 due to outdated information.
  • SP 800-160 provides current guidance on system life cycle processes and systems security engineering.