Security Policy
RMF To-Do List
| RMF Task | Status (done/not done) | How the status was determined | External documents needed for the task |
|---|---|---|---|
| RMF Step 1: Categorize Information Systems | | | |
| 1.1 Security Categorization | Not done | As highlighted in the risk assessment, no security plan has been done (p. 18). Add the security categorization information to the security plan; the security categorization completed in the risk assessment can be included there. The full categorization can be found on pp. 14-16. The categorization done in the risk analysis is based on FIPS 199. | FIPS 199 for non-national security systems; CNSS 1253 for national security systems |
| 1.2 Information System Description | Done | On p. 9, the system boundary is described as step 1 of the risk assessment. | No external document is needed. |
| 1.3 Information System Registration | Not done | As presented on page 19.24 of the findings, there is no information system registration with the copyright or patent office. The management system certification needs to certify the system. | IMS number and registry probate court for the system developer |
| RMF Step 2: Select Security Controls | | | |
| 2.1 Common Control Identification | Done | On page 9 there is a risk assessment approach whose first step defines the system boundary. | FIPS Publications 200 and 199, CNSS Instruction 123 and Special Publication |
| 2.2 Security Control Selection | Not done | There is no security control selection. The management system certification needs to certify the selection. | FIPS Publication 199, CNSS Instruction 1253 |
| 2.3 Monitoring Strategy | Not done | As presented in the findings, no monitoring strategy has been submitted for the effectiveness of the security controls. | NIST SP 800-30, SP 800-39, CNSS Instruction 1253 |
| 2.4 Security Plan Approval | Not done | A system security plan has not been developed. | Develop an SSP that addresses personnel training, rules of the system and technical security. CNSS Instruction 1253 |
| RMF Step 3: Implement Security Controls | | | |
| 3.1 Security Control Implementation | Done | Security controls have been implemented. Additional security controls will be added to protect the integrity inherent in the application. | Does not require documentation since it has already been done |
| 3.2 Security Control Documentation | Done | Adequate security documentation has been considered by reviewing the relevant INFOSEC documents. | Does not require documentation since it has already been done |
| RMF Step 4: Assess Security Controls | | | |
| 4.1 Assessment Preparation | Done | The risk assessment has been prepared by determining the relative value of SHGTS based on the sensitivity and criticality of the data, determining risks and developing countermeasures. | Does not require documentation since it has already been done |
| 4.2 Security Control Assessment | Not done | A security control assessment has not been developed, approved and reviewed to meet the objectives of control assessment. | NIST SP 800-53A |
| 4.3 Security Assessment Report | Done | The risk assessment report has been reviewed to identify the vulnerabilities and threats applicable to SHGTS, the probability that a vulnerability will be exploited, and the impacts. | Does not require documentation since it has already been done |
| 4.4 Remediation Action | Not done | The initial remediation actions based on the security controls have not been done to provide visibility into specific weaknesses during development of the system. | NIST SP 800-30 and SP 800-53A |
| RMF Step 5: Authorize Information System | | | |
| 5.1 Plan of Action and Milestones | Not done | The plan of action and milestones prepared by the system owner for the authorizing officials has not been done. | OMB Memorandum 02-01, NIST SP 800-30, SP 800-53A |
| 5.2 Security Authorization Package | Not done | The security authorization package has not been assembled. | None |
| 5.3 Risk Determination | Done | Risk determination has been done in the risk assessment, where SHGTS is measured with regard to data and system criticality. | NIST SP 800-39, SP 800-30 |
| 5.4 Risk Acceptance | Not done | The explicit acceptance of risk, which is the responsibility of the authorizing officials, has not been done. | NIST SP 800-39 |
| RMF Step 6: Monitor Security Controls | | | |
| 6.1 Information System and Environment Change | Done | Adequate documentation is considered an integral aspect of the information system and should be completed before the system is ready for use. | NIST SP 500-169 |
| 6.2 Ongoing Security Control Assessments | Done | Technical controls focus on the safety controls that will be executed by the computer. Additional security controls will be added to protect the integrity of the application and public confidence (Davis, CISSP, & Analyst). | Does not require documentation since it has already been done |
| 6.3 Ongoing Remediation Action | Done | Periodic evaluation and testing of the security controls are needed. | Based on FISMA provisions |
| 6.4 Key Updates | Done | The executives allow reporting and the capacity to update the key fields dealing with grant assignment. Real-time risk management is included with the use and operation of the information system. | NIST SP 800-53A |
| 6.5 Security Status Reporting | Done | A weekly status report is prepared for the offices. The grant assignor is briefed on the document with reports in the database. | Does not require documentation since it has already been done |
B.a White Paper that Compares COBIT, ISO 27002, ITIL and NIST
Purpose
ISO 27002 recommends best practices for an information security management system standard. It is implemented through the use of ISO 27001. COBIT is an advanced framework, relative to ITIL, NIST and ISO 27002, that maps the important information technology processes in a way that gives the governing bodies the capacity to execute the fundamental procedures and policies. It is similar to ISO 27002 in that it answers the "what" that is managed, as contrasted with the "how" presented by ITIL. Nevertheless, whereas ISO 27002 and ITIL focus on the security of information, COBIT gives the capacity for a broader scope covering all the processes of information management (Peltier, 2010).
ITIL is an array of best practices that a given enterprise may implement to align information technology resources with organizational goals. It is presented in a set of five core publications, each representing a phase in the IT lifecycle. This process derives documentation of tasks, processes and checklists that are not specific to the business, with the goal of creating the basis on which the controls are implemented (Peltier, 2010).
NIST is vital for federal agencies in the United States for security control compliance, with the exception of systems related to national security. The National Institute of Standards and Technology publishes the NIST special publications. They are related to FISMA (2002).
Common Uses
ISO 27002 is used in, or in accord with, the information technology department particular to the company. The information technology department concentrates on the resulting management control. COBIT is used by the executives of a business to execute the fundamental procedures and policies. It is used to unite the technical issues, inspections and risks in an organization. NIST covers all the levels in the Risk Management Framework, which tackles the selection of security controls based on FIPS (Workman, Phelps, & Gathegi, 2012). It is used to meet the requirements of an ISMS by federal organizations in the US. Initially, ITIL was designed for use by the state in the UK. Nevertheless, it is accepted globally.
Strengths
ISO 27002 is related to a widely known and respected standard (ISO 27001). It will be understood and recognized by those accustomed to ISO/IEC standards. It allows system managers to identify and reduce gaps and overlap.
ITIL is a natural fit for companies and excels at increasing management and visibility into internal processes, which positively impacts economy and efficiency.
COBIT is accepted globally and encompasses far more. It is easier to implement COBIT partially, without the need for a commitment to and analysis of the entire spectrum.
The level of detail in NIST is considerable. It can be used by organizations that do not wish to spend time customizing the framework.
Weaknesses
COBIT can be a detractor during implementation since it is not limited to a single area and may lead to gaps in coverage.
ITIL is a higher-level standard than ISO 27002. However, particular details of implementation are lacking.
ISO 27002 focuses purposefully and specifically on information security. Therefore, it is limited in scope.
NIST is limited in scope, and therefore several publications have to be used together to achieve compliance. This may lead to gaps in coverage.
Certification and Accreditation
COBIT
CISM (Certified Information Security Manager)
CISA (Certified Information Systems Auditor)
CGEIT (Certified in the Governance of Enterprise IT)
ITIL (four levels of certification)
Foundation
Intermediate
Expert
Master
ISO 27002
The standard is associated with ISO 27001 and does provide certification for organizations. However, certification remains rare.
NIST
Federal bodies do not obtain NIST certification. Rather, they are certified by obtaining and maintaining proof of adherence to FISMA.
When to Use
COBIT can be used when organizations want to generate an organization-wide framework scoped beyond information security alone. Certification can be attained through aligned paths.
ITIL points to ISO as a framework for implementing solutions. This is applicable for organizations wishing to utilize ISO with global standards.
ISO 27002 provides global acceptance and recognition, and thus businesses wanting to operate on a global scale may find certification and implementation to be beneficial.
NIST is used by government organizations in the US to comply with federal law.
References
Graubart, R., & Bodeau, D. (2016). The Risk Management Framework and Cyber Resiliency.
Davis, J. L., CISSP, & Analyst. HealthyBody Wellness Center Office of Grants Giveaway Small Hospital Grants Tracking System. Healthy Body Wellness Center Office of Grants Giveaway.
Peltier, T. (2010). Information Security Risk Analysis, Third Edition. CRC Press.
Workman, M., Phelps, D., & Gathegi, J. N. (2012). Information Security for Managers. Jones & Bartlett Publishers.