(Created page with "'''Citation:''' NIST, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, SP 800-37, rev. 1 (Feb. 2010).[http://csrc.…") |
(Adding categories) |
||
(8 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
+ | == Citation == |
||
⚫ | |||
+ | |||
⚫ | |||
== Overview == |
== Overview == |
||
− | This publication replaces the traditional [[certification]] and [[accreditation]] process with the six-step [[risk management]] framework, including a process of [[assessment]] and [[authorization]].<ref>The [[assessment]] and [[authorization]] process replaces the process known as [[certification]] and [[accreditation]] described in the previous version of SP 800-37.</ref> According to the publication, |
+ | This publication replaces the traditional [[certification]] and [[accreditation]] process with the six-step [[risk management]] framework, including a process of [[assessment]] and [[authorization]].<ref>The [[assessment]] and [[authorization]] process replaces the process known as [[certification]] and [[accreditation]] described in the previous version of SP 800-37.</ref> According to the publication, effective risk management processes should |
+ | |||
+ | :(1) build [[information security]] capabilities into [[information system]]s through the application of management, operational, and technical [[security control]]s; |
||
+ | :(2) maintain awareness of the [[security]] state of [[information system]]s on an ongoing basis though enhanced [[monitoring]] processes; and |
||
⚫ | :(3) provide essential [[information]] to senior leaders to facilitate [[system]] [[authorization]] decisions regarding the acceptance of [[risk]] to organizational operations and [[asset]]s, individuals, other organizations, and the nation arising from the operation and use of [[information system]]s. |
||
+ | |||
+ | According to [[NIST]] guidance these [[risk management]] processes: |
||
+ | |||
+ | * promote the concept of [[near real-time]] [[risk management]] and ongoing [[information system]] [[authorization]] through the [[implementation]] of [[robust]] continuous [[monitoring]] processes; |
||
+ | * encourage the use of [[automation]] to provide senior leaders the necessary [[information]] to make cost-effective, [[risk]]-based decisions with regard to the organizational [[information system]]s supporting their core missions and business functions; |
||
+ | * [[integrate]] [[information security]] into the [[enterprise architecture]] and [[system development life cycle]]; |
||
+ | * provide emphasis on the selection, [[implementation]], assessment, and [[monitoring]] of [[security control]]s, and the [[authorization]] of [[information system]]s; |
||
+ | * link [[risk management]] processes at the [[information system]] level to [[risk management]] processes at the organization level through a [[risk]] executive (function); and |
||
+ | * establish [[responsibility]] and [[accountability]] for [[security control]]s [[deploy]]ed within organizational [[information system]]s and inherited by those systems (i.e., common controls). |
||
+ | == References == |
||
⚫ | |||
+ | <references /> |
||
[[Category:Publication]] |
[[Category:Publication]] |
||
[[Category:Security]] |
[[Category:Security]] |
||
+ | [[Category:2010]] |
Latest revision as of 03:30, 17 February 2014
Citation[]
NIST, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, (NIST Special Publication 800-37) (Rev. 1, Feb. 2010) (full-text).
Overview[]
This publication replaces the traditional certification and accreditation process with the six-step risk management framework, including a process of assessment and authorization.[1] According to the publication, effective risk management processes should
- (1) build information security capabilities into information systems through the application of management, operational, and technical security controls;
- (2) maintain awareness of the security state of information systems on an ongoing basis though enhanced monitoring processes; and
- (3) provide essential information to senior leaders to facilitate system authorization decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations, and the nation arising from the operation and use of information systems.
According to NIST guidance these risk management processes:
- promote the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes;
- encourage the use of automation to provide senior leaders the necessary information to make cost-effective, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions;
- integrate information security into the enterprise architecture and system development life cycle;
- provide emphasis on the selection, implementation, assessment, and monitoring of security controls, and the authorization of information systems;
- link risk management processes at the information system level to risk management processes at the organization level through a risk executive (function); and
- establish responsibility and accountability for security controls deployed within organizational information systems and inherited by those systems (i.e., common controls).
References[]
- ↑ The assessment and authorization process replaces the process known as certification and accreditation described in the previous version of SP 800-37.