Security Policy essay



RMF To-Do List

Each task below lists: the RMF task; its status (done/not done); how the status was determined; and the external documents needed for the task.

RMF Step 1: Categorize Information Systems


Security Categorization

Status: Not done

How determined: As highlighted in the risk assessment, no security plan has been done (p. 18). Add the security categorization information to the security plan. The security categorization completed in the risk assessment can be included in the security plan; the full categorization can be found on pp. 14-16. The categorization done in the risk analysis is based on FIPS 199.

External documents: FIPS 199 for non-national security systems; CNSS Instruction 1253 for national security systems.


Information System Description

How determined: On p. 9 of the risk assessment, the system boundary is described in step 1.

External documents: No external document is needed.


Information System Registration

Status: Not done

How determined: As presented on page 19.24 of the findings, there is no registration of the information system with the copyright or patent office. The management system certification needs to certify the system.

External documents: IMS number and registry probate court for the system developer.

RMF Step 2: Select Security Controls


Common Control Identification

How determined: On page 9, the risk assessment approach is given; its first step defines the system boundary.

External documents: FIPS Publications 200 and 199, CNSS Instruction 123 and NIST Special Publication.


Security Control Selection

Status: Not done

How determined: There is no security control selection. The management system certification needs to certify the selection.

External documents: FIPS Publication 199, CNSS Instruction 1253.


Monitoring Strategy

Status: Not done

How determined: As presented in the findings, no strategy for monitoring the effectiveness of the security controls has been submitted.

External documents: NIST SP 800-30, NIST SP 800-39, CNSS Instruction 1253.


Security Plan Approval

Status: Not done

How determined: A system security plan (SSP) has not been developed. Develop an SSP that addresses personnel training, rules of the system and technical security.

External documents: CNSS Instruction 1253.

RMF Step 3: Implement Security Controls


Security Control Implementation

How determined: Security control implementation has been done. Additional security controls will be added to protect the integrity inherent in the application.

External documents: Not required, since the task has already been done.


Security Control Documentation

How determined: Adequate security documentation has been considered by reviewing the relevant INFOSEC documents.

External documents: Not required, since the task has already been done.

RMF Step 4: Assess Security Controls


Assessment Preparation

How determined: The risk assessment has been prepared by determining the relative value of SHGTS based on the sensitivity and criticality of its data, determining risks, and developing countermeasures.

External documents: Not required, since the task has already been done.


Security Control Assessment

Status: Not done

How determined: A security control assessment has not been developed, reviewed and approved to meet the objectives of control assessment.

External documents: NIST SP 800-53A.


Security Assessment Report

How determined: The risk assessment report has been reviewed to identify the vulnerabilities and threats applicable to SHGTS, the probability that a vulnerability will be exploited, and the impacts.

External documents: Not required, since the task has already been done.


Remediation Action

Status: Not done

How determined: The initial remediation actions based on the security controls have not been done, so there is no visibility into specific weaknesses during development of the system.

External documents: NIST SP 800-30 and NIST SP 800-53A.

RMF Step 5: Authorize Information System


Plan of Action and Milestones

Status: Not done

How determined: The plan of action and milestones that the system owner prepares for the authorizing official has not been done.

External documents: OMB Memorandum 02-01, NIST SP 800-30, NIST SP 800-53A.


Security Authorization Package

Status: Not done

How determined: The security authorization package has not been assembled.



Risk Determination

How determined: Risk determination has been done in the risk assessment, where SHGTS is measured regarding data and system criticality.

External documents: NIST SP 800-39, NIST SP 800-30.


Risk Acceptance

Status: Not done

How determined: The explicit acceptance of risk, which is the responsibility of the authorizing official, has not been done.

External documents: NIST SP 800-39.

RMF Step 6: Monitor Security Controls


Information System and Environment Change

How determined: Adequate documentation is considered an integral aspect of the information system and should be completed before the system is ready for use.

External documents: NIST SP 500-169.


Ongoing Security Control Assessments

How determined: Technical controls focus on the safety controls that will be executed by the computer. Additional security controls will be added to protect the integrity of the application and public confidence (Davis, CISSP, & Analyst).

External documents: Not required, since the task has already been done.


Ongoing Remediation Action

How determined: Periodic evaluation and testing of security controls are needed.

External documents: Based on FISMA provisions.


Key Updates

How determined: Executives are allowed to report on and update the key fields dealing with grant assignment. This has included real-time risk management during the use and operation of the information system.

External documents: NIST SP 800-53A.


Security Status Reporting

How determined: A weekly status report is prepared for the offices. The grant assignor is briefed on the documents, with reports in the database.

External documents: Not required, since the task has already been done.

B. A White Paper that Compares COBIT, ISO 27002, ITIL and NIST


ISO 27002 recommends best practices for an information security management system (ISMS); it is implemented through ISO 27001. COBIT is a higher-level framework than ITIL, NIST and ISO 27002 that maps the important information technology processes in a way that gives governing bodies the capacity to execute the fundamental procedures and policies. It is similar to ISO 27002 in that it answers the "what" that is managed, as contrasted with the "how" presented by ITIL. Nevertheless, whereas ISO 27002 and ITIL focus on the security of information, COBIT gives the capacity for a broader scope, considering all the processes of information management (Peltier, 2010).

ITIL is an array of best practices that an enterprise may implement to align its information technology resources with organizational goals. It is presented in a set of five core publications, each representing a phase in the IT lifecycle. The process yields documentation of tasks, processes and checklists that are not specific to the business, with the goal of creating the basis on which the controls are implemented (Peltier, 2010).

NIST is vital for federal agencies in the United States for security control compliance, with the exception of systems related to national security. The National Institute of Standards and Technology publishes the NIST Special Publications, which are related to FISMA (2002).


ISO 27002 is used in, or in accord with, the information technology department particular to the company; the IT department concentrates on the resulting management control. COBIT is used by the executives of a business to execute the fundamental procedures and policies; it is used to unite the technical issues, inspections and risks in an organization. NIST covers all the levels in the Risk Management Framework, which tackles the selection of security controls based on FIPS (Workman, Phelps, & Gathegi, 2012). It is used by federal organizations in the US to meet the requirements of an ISMS. Initially, ITIL was designed for use by the state in the UK; nevertheless, it is accepted globally.


  • ISO 27002 is related to a widely known and respected standard (ISO 27001). It will be understood and recognized by those accustomed to IEC/ISO standards. It allows system managers to identify and reduce gaps and overlap.

  • ITIL is a natural fit for companies and excels at increasing management visibility into internal processes, with a positive impact on economy and efficiency.

  • COBIT is accepted globally and encompasses far more. It is easier to implement COBIT partially, without committing to and analysing the entire spectrum.

  • The level of detail in NIST is considerable. It can be used by organizations that do not wish to spend time customizing the framework.


  • COBIT can be a detractor during implementation, since it is not limited to a single area and may lead to gaps in coverage.

  • ITIL is a higher-level standard than ISO 27002. However, particular details of implementation are lacking.

  • ISO 27002 focuses purposefully and specifically on information security. Therefore, it is limited in scope.

  • NIST is limited in scope, and therefore various publications have to be consulted to achieve compliance. This may lead to gaps in coverage.

Certification and Accreditation

COBIT

  • CISM (Certified Information Security Manager)

  • CISA (Certified Information Systems Auditor)

  • CGEIT (Certified in the Governance of Enterprise IT)

ITIL (four levels of certification)

  • Foundation

  • Intermediate

  • Expert

  • Master


  • ISO 27002 is associated with ISO 27001, which does provide certification for organizations. However, certification remains rare.


  • Federal bodies do not obtain NIST certification. Rather, they are certified by obtaining and maintaining proof of adherence to FISMA.

When to Use

  • COBIT can be used when organizations want to generate an organization-wide framework scoped beyond information security alone. Certification can be attained through aligned paths.

  • ITIL points to ISO as a framework for implementing solutions. This is applicable to organizations wishing to utilize ISO's global standards.

  • ISO 27002 provides global acceptance and recognition; thus, businesses wanting to operate on a global scale may find certification and implementation beneficial.

  • NIST is used by government organizations in the US to comply with federal law.


Graubart, R., & Bodeau, D. (2016). The Risk Management Framework and Cyber Resiliency.

Davis, J. L., CISSP, & Analyst. Healthy Body Wellness Center Office of Grants Giveaway Small Hospital Grants Tracking System. Healthy Body Wellness Center Office of Grants Giveaway.

Peltier, T. (2010). Information Security Risk Analysis, Third Edition. CRC Press.

Workman, M., Phelps, D., & Gathegi, J. N. (2012). Information Security for Managers. Jones & Bartlett Publishers.