Introduction
This course offers a comprehensive understanding of risk governance, compliance regulations, and security controls required for different cybersecurity environments and situations. Cyber-attacks are becoming increasingly sophisticated, and successful attacks can compromise the confidentiality, integrity, and availability of data. This can result in significant harm to organizational operations, reputation, and image, as well as the national and economic security of the United States. The course equips students with the necessary knowledge and skills to identify and mitigate risks, protect organizational assets and individuals, and secure information systems and data against cyber threats.
Coursework Artifacts
The Risk Management Framework (RMF)
The Risk Management Framework (RMF) is a set of guidelines developed by the National Institute of Standards and Technology (NIST) to help organizations manage the risks associated with information technology systems. The RMF is widely used by the US government and its contractors to ensure that federal information systems and data are protected from unauthorized access, use, disclosure, disruption, modification, or destruction. The framework provides a structured and repeatable process for identifying, assessing, and managing risks, and for selecting and implementing appropriate security controls to reduce these risks to an acceptable level. This introduction will explore the key components of the RMF and its importance in ensuring the security and resilience of government information systems. The coursework artifacts below provide more granular details on this framework.
Below is a comprehensive example of an applied risk management exercise: the CSOL 530 course final project, which demonstrates the practical application of the Risk Management Framework (RMF) covered in the course. The project required applying the RMF to a hypothetical organization, identifying potential risks, and developing a risk management plan to mitigate those risks. This project served as a valuable opportunity for students to gain hands-on experience in applying the RMF to a real-world scenario and to develop critical thinking and problem-solving skills.
Reflection
A course on Governance & Risk in Cybersecurity is highly impactful because it equips individuals with the knowledge and skills required to manage the risks associated with cybersecurity threats. In today's rapidly evolving technological landscape, cybersecurity threats have become increasingly sophisticated and prevalent, posing a significant risk to organizational operations, functions, and reputation. It has therefore become imperative for organizations to adopt a risk governance approach to cybersecurity to minimize these risks. This course provided a comprehensive understanding of the risk governance, compliance regulation, and security controls needed for specific cybersecurity environments and situations. It equipped students with the ability to identify, analyze, and evaluate risks associated with cybersecurity threats, to develop and implement effective risk management strategies, and to ensure compliance with regulatory frameworks. It also emphasized the importance of safeguarding sensitive information being processed, stored, or transmitted by information systems to prevent any compromise of confidentiality, integrity, or availability.
The artifacts selected for this course include three papers written to explore risk management framework assessments utilizing the framework of the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce.
Artifact One:
This paper highlights the importance of security categorization in the Risk Management Framework and discusses the specific security categorization for a payroll system, based on the potential impact on the organization should an event occur. The categorization follows the FIPS 199 publication, which establishes security categories for both data and information systems and considers the potential impact on confidentiality, integrity, and availability. The paper also illustrates the process and tools from NIST Special Publication 800-60 Volume 1 and provides a specific list of questions for each impact category to help security professionals determine the impact score for each security objective. The paper explores the importance of confidentiality, integrity, and availability for a payroll system and identifies potential threats that can lead to limited, serious, or severe harm to agency operations, assets, or individuals. Ultimately, the paper emphasizes the importance of security categorization in identifying and mitigating risks to an organization's data and information systems.
Key Insights:
- Security categorization is a vital first step in the Risk Management Framework as it influences all other steps in the Framework.
- FIPS 199 establishes security categories for both data and information systems based on the potential impact on an organization should an event occur.
- The security categories are to be used in conjunction with vulnerability and threat information in assessing the risk to an organization.
- The payroll system of an organization, which includes all that is related to the payment of employees and the filing of employment taxes, is a critical system that requires a high level of security categorization.
- Confidentiality, integrity, and availability are the three stated security objectives that need to be considered during security categorization.
- Each impact category provides a specific list of questions to help security professionals determine the impact score for each security objective.
- The confidentiality category involves protecting sensitive information from unauthorized disclosure, which could harm an organization, its assets, or individuals.
- The integrity category involves protecting information from unauthorized modification or destruction, which could render the system useless or impact business operations.
- The availability category involves protecting information from disruption of access or use, which could harm an organization's operations, assets, or individuals.
- The appropriate security controls should be selected and tailored to reduce risk to an acceptable level based on an assessment of risk.
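The FIPS 199 categorization described in Artifact One follows a mechanical rule once the impact levels of the individual information types are known: each security objective of the system takes the highest level (the "high water mark") found among the information types it processes, stores, or transmits, and a system may never be rated "not applicable". The following Python is an added example, not code from the coursework, that implements that rule and applies it to the payroll system. The three information types and their per-type impact levels are constructed for illustration and are assumptions, not values taken from the papers; the resulting system category matches the one Artifact Three states for the payroll system.

```python
"""FIPS 199 security categorization: per-objective impact levels and the
high water mark that aggregates information types into a system category.

Added example for this page; the information types below and their impact
levels are constructed assumptions, not figures from the coursework papers.
"""
from dataclasses import dataclass
from typing import Iterable

# FIPS 199 impact levels in ascending order. NA (not applicable) is allowed
# only for the confidentiality of an information type, never for a system.
LEVELS = ["NA", "LOW", "MODERATE", "HIGH"]
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class SecurityCategory:
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for obj in OBJECTIVES:
            if getattr(self, obj) not in LEVELS:
                raise ValueError(f"invalid impact level for {obj}: {getattr(self, obj)!r}")

    def as_fips199(self) -> str:
        """Render in FIPS 199 notation, e.g. {(confidentiality, MODERATE), ...}."""
        return "{" + ", ".join(f"({o}, {getattr(self, o)})" for o in OBJECTIVES) + "}"


def high_water_mark(levels: Iterable[str]) -> str:
    """Return the highest impact level among those given."""
    return max(levels, key=LEVELS.index)


def categorize_system(info_types: dict[str, SecurityCategory]) -> SecurityCategory:
    """Aggregate information-type categories into the system's security category.

    For each objective the system takes the highest impact level across all
    information types. A system cannot be NA for any objective, so an NA
    result is raised to the LOW minimum that FIPS 199 requires.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    result = {}
    for obj in OBJECTIVES:
        level = high_water_mark(getattr(sc, obj) for sc in info_types.values())
        result[obj] = "LOW" if level == "NA" else level
    return SecurityCategory(**result)


def overall_impact(system: SecurityCategory) -> str:
    """Single overall impact level (high water mark across the three objectives),
    which FIPS 200 uses to select the SP 800-53 control baseline."""
    return high_water_mark(getattr(system, o) for o in OBJECTIVES)


# Constructed information types for the payroll system (assumed values).
PAYROLL_INFO_TYPES = {
    "employee compensation records": SecurityCategory("MODERATE", "HIGH", "MODERATE"),
    "employment tax filings": SecurityCategory("MODERATE", "HIGH", "HIGH"),
    "published pay schedule": SecurityCategory("NA", "LOW", "LOW"),
}

if __name__ == "__main__":
    sc = categorize_system(PAYROLL_INFO_TYPES)
    print("SC payroll system =", sc.as_fips199())
    print("overall impact for baseline selection:", overall_impact(sc))
```

Run as a script, the example prints `SC payroll system = {(confidentiality, MODERATE), (integrity, HIGH), (availability, HIGH)}` and an overall impact of HIGH. The practical point is that one HIGH-integrity information type drives the whole system to HIGH for that objective, which is why categorization is the step that shapes every later control-selection decision.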
Artifact Two:
This paper discusses the security controls appropriate for reducing the security risks associated with an organization's payroll system, which has been categorized as having moderate confidentiality and high integrity and availability. The NIST Framework's security control suggestions were used to select the controls that best fit the payroll system's specific use case. The physical and logical access control measures suggested by NIST were implemented to maintain the confidentiality of the system. The integrity of the system was safeguarded by implementing boundary protection and vulnerability monitoring and scanning controls. The high-risk category of availability was mitigated by establishing an alternate processing site, which has a 99.9% availability rate and can be easily created via a cloud service provider such as AWS. These controls help reduce security risks, ensure the confidentiality, integrity, and availability of the payroll system, and safeguard the organization from potential data breaches.
Key Insights:
- The NIST Framework provides security control suggestions that allow for flexibility and interpretation based on the organization's needs.
- The payroll system is categorized as having moderate confidentiality and high integrity and availability.
- Physical and logical access controls are critical for maintaining confidentiality of the system.
- The principle of least privilege is important for logical access control.
- Detective controls are necessary to protect the integrity of the payroll system.
- Boundary protection and vulnerability monitoring and scanning are important detective controls.
- Availability is critical for the payroll system, and an alternate processing site can be created via a cloud service provider.
- Cloud service providers offer high availability and cost-effective solutions for creating alternate processing sites.
Artifact Three:
This paper dissects a fictional organization by the name of BioHuman undergoing a Risk Management Framework assessment for their payroll system, with a focus on the CIA triad: confidentiality, integrity, and availability. The payroll system has been categorized as a critical system with a security category of {(confidentiality, MODERATE), (integrity, HIGH), (availability, HIGH)}. The team has selected security controls based on the security objectives of confidentiality, integrity, and availability. Physical and environmental protection will be used for confidentiality and integrity, while audit and accountability will be used for availability. The implementation of these controls will involve physical access control, boundary control, vulnerability monitoring, and cloud-based storage. Continuous monitoring and assessment of these controls will be necessary to ensure compliance and effectiveness.
Key Insights:
- The Risk Management Framework is an essential tool for managing security risks in an organization.
- The CIA triad (confidentiality, integrity, and availability) is a critical focus of the Risk Management Framework.
- Prescriptive frameworks are less flexible, while risk-based frameworks, such as the NIST Framework, offer more flexibility and interpretation.
- Access control, including physical and logical access control, is crucial for maintaining system security.
- Cloud-based storage can be an effective solution for ensuring system availability.
- Continuous monitoring and assessment of security controls are necessary to ensure compliance and effectiveness.
The Governance & Risk in Cybersecurity course provides an in-depth understanding of the risk governance, compliance regulation, and security controls needed for specific cybersecurity environments and situations. The three artifacts selected for this course focus on risk management framework assessments utilizing the NIST framework. The key insights from these papers highlight the importance of security categorization, of selecting appropriate security controls based on the organization's needs, and of continuous monitoring and assessment of those controls to ensure compliance and effectiveness. The course equips students with the skills and knowledge required to manage cybersecurity risks in today's rapidly evolving technological landscape, where cybersecurity threats have become increasingly sophisticated and prevalent, posing a significant risk to organizational operations, functions, and reputation. The course emphasizes the importance of safeguarding sensitive information being processed, stored, or transmitted by information systems to prevent any compromise of confidentiality, integrity, or availability. This course is highly impactful for individuals and organizations looking to adopt a risk governance approach to cybersecurity and minimize the security risks associated with cybersecurity threats.