Risk Management And Security Certification Process NIST SP 800 100
For successful information security program, the organization needs an important component called effective risk management process. Since it protects the organization & its ability to achieve missions, in addition to the information assets. As we have discussed the information security risk management in the blog, An Introduction To Information Security Guide - Risk Management, Assurance And Security Consideration, here we are going to explore deep into the risk management and its supporting activities including certification, accreditation and security assessments with the reference to the NIST Special Publication 800-100.
Risk Management is a combination of three processes, such as:
- Risk Assessment
- Risk Mitigation
- Evaluation & assessment
The main goal of this process is to determine and evaluate the risks to a specified environment. The organization needs to follow six important processes that are illustrated below to meet the risk assessment goals.
Image source: NIST
1. System Characterization
This step starts with the determination of the system resources, boundaries, and information. System characterization establishes risk assessment effort scope, defines the operational authorization boundaries and present information.
System characterization describes the following things:
Essential Components: Hardware, software, external interfaces, people, and data.
Factors that affect system security:
- System functional requirements
- Information flows throughout the system
- System network topology
- Organizational security policy & architecture
- Management, operational, & technical security controls implemented or premeditated to be implemented
- Physical & environmental security mechanisms
2. Threat Identification
Threat Identification involves in identifying the threat sources, which possess the potential to exploit the system weaknesses. The common threats are categorized into the following areas:
- Natural Threats: earthquakes, floods, tornadoes, electrical storms, landslides, and avalanches
- Human Threats: Intentional & non-intentional
- Environmental Threats: power failure
3. Vulnerability Identification
Organizations identify vulnerabilities by using a compilation of several sources and techniques. To begin the vulnerability identification process, an organization can review the sources like audit reports, previous risk assessments, security advisories and vulnerability lists. Security testing with automated vulnerability scanning tools like ST&E (Security, Test, and Evaluation) and Pen Test can be applied to identify vulnerabilities.
4. Risk Analysis
The risk analysis step involves the estimation of the risk, possible to the system. This analysis needs to consider some closely intertwined steps that include:
- Impact Analysis
- Control Analysis
- Likelihood determination
- Risk determination
- Impact Analysis
The impact analysis focuses on the factors like influence to the data, system and the enterprise’s mission. Furthermore, it also considers the sensitivity and criticality of the data and system. Impact analysis can be specified in the qualitative terms like high, low and moderate.
It analysis the controls in places to defend the system. It can be performed by using a questionnaire or checklist. The result of this step can be applied to strengthen the identification of the possibility, which a certain threat might exploit a specific vulnerability.
Likelihood determination focuses on the motivation of a threat source and its competency to exploit a weakness, the characteristic of the vulnerability, the effectiveness of the mitigating controls, and the existence of the controls. Likelihood ratings are specified in the qualitative terms like high, low and moderate.
Once the risk likelihood and impact analysis rating have been obtained, then the extent of risk to the organization and system can be determined by multiplying the threat impact and threat likelihood ratings. The following table explains how to calculate the risk rating from the result of threat likelihood and impact analysis using a 3X3 matrix :
The following table defines the risk scales as well as the required management actions:
5. Control Recommendations
The main goal of this step is to reduce the risk level to the information system & its data to the extent that an organization thinks acceptable. This recommendation remains as the important input for the process of risk mitigation at the time, which the recommended technical and procedural security controls are analyzed, prioritized and implemented.
The factors to consider in this step are as follows:
- Efficiency of recommended options
- Legislation & regulation
- Organizational policy
- Operational influence
- Safety & reliability
6. Results Documentation
This mechanism formally reports the outcomes of entire risk assessment activities. The reports aim to describe as well as document the risk position of the information system whilst it is functioning in its specified environment and to deliver managers with adequate information to make risk-based decisions.
The risk assessment reports describe the following things:
- Assessment scope according to the system characterization
- Methodology applied to perform the risk assessment
- Individual observations from the risk assessment process
- Estimation of the entire risk posture of the security system
Risk Mitigation attempts to prioritize, analyze and implement the proper risk-reducing controls suggested from the process of risk assessment.
An organization may use several ways to reduce the risks to the systems including:
- Risk avoidance
- Risk assumption
- Risk planning, research, & acknowledgment
- Risk transference
The following figure illustrates a simple strategy to determine whether the risk mitigation action is important:
Image source: NIST
Based on the result of the risk assessment process where each risk is determined and analyzed, managers then decide whether the identified risk is acceptable or unacceptable. In addition, they also decide whether to execute extra controls or not, in order to mitigate the unacceptable risks.
Once the organization has made a decision on which risks need to be addressed, then they follow a seven-step approach in the risk mitigation process to guide the security control selections. The seven-step approach comprises:
- Prioritize actions
- Evaluate recommended control options
- Conduct cost-benefit analyses
- Select controls
- Assign responsibility
- Develop a safeguard implementation plan
- Implement selected control(s)
Evaluation And Assessment
Generally, the changes, which happen to the systems during daily operations possess the potential to unfavourably affect the system’s security in some fashion. Focusing on it, is the main goal of the evaluation and assessment process and it also guarantee that the system endures operating in a safe & secure manner. This final step of the risk management is usually conducted at the security certification phase that offers input required to finalize the actions of risk assessment.
Certification, Accreditation, And Security Assessments
Security Certification and Accreditation are an integral part of the information security program of the organization and they support the risk management process. These activities are designed to guarantee that the system will function with the proper management review, that re-accreditation happens periodically and that there is continuous monitoring of system security controls.
As similar to the system security plans and risk assessments, security assessments possess an ideal role in the security accreditation. It is important that organization officials comprise the complete & accurate information on the status of their information security system to make risk-based decisions.
Security certification is defined as the comprehensive assessment of the operational, management and technical controls in terms of security in the system, created in support of the security accreditations, to identify the level to which the security controls are applied properly, functioning intended and providing the desired result to satisfy the security needs.
Certification, Accreditation, And Security Assessments Roles And Responsibilities
As we have described the roles and responsibilities involved in the information security, in the blog, An Introduction To Information Security - Roles & Responsibilities, the following section points out the specific responsibilities of the officials in the security certification and accreditation.
Chief Information Officer
Broadcast cost-effective practices to comprise risk assessment, threat & vulnerability assessments and outcomes of security control assessments.
In performance with authorizing personnel, identify proper resource allocation for security systems and programs.
Supervise the budget & business operations of the system
Create and issue a final/interim decision on granting, or denying authority to access the system
Senior Agency Information Security Officer
Designate as the primary liaison of the CIO to the authorizing officials, ISSOs, and information system owners
Information System Owner
Develop & maintain the system security plan
Produce necessary system-oriented documentation to the certification authority
Found rules for appropriate use & protection of the information
Interconnect level of information assurance compulsory for the system with the proper system owner
Information System Security Officer
Perform day-to-day security operations of the system
Develop system security policy and plan
Update security plan
Individual or a group responsible for performing a security certification/ security control assessment in the information system.
Assess the security plan to guarantee the plan delivers applicable security controls preceding to preparing the certification process
Performs a complete assessment of the operational, management, and technical controls in the information system
Responsible for recognizing mission/operational necessities and for fulfilling the security needs & security controls defined in the system security plan.
Delegation Of Roles
At the decision of the senior organizational officials, specific security certification & accreditation roles can be delegated and appropriately documented. For example, the organization may appoint properly qualified individuals like contractors, to carry out the activities related to the security certification & accreditation role.
Security Certification And Accreditation Process
Four distinct phases are involved in the security certification and accreditation process. They are:
- Initiation Phase
- Security Certification Phase
- Security Accreditation Phase
- Continuous Monitoring Phase
1. Initiation Phase:
This phase will guarantee that the certification agent will begin the security control assessment action only when the security plan content gets approval from the SAISO and authorizing officials.
This phase comprises three important tasks:
Notification & Resource Identification
Security plan review, analysis & acceptance
2. Security Certification Phase
This phase recognizes the level to which the system security controls are implemented properly, functioning as intended and providing the anticipated system security posture.
This phase includes two tasks:
Security Control Assessment
Security Certification Documentation
3. Security Accreditation
This phase aims to support the certification authority to identify whether the remaining identified vulnerabilities position an acceptable range of risk to the organization.
This phase comprises two important tasks:
Security accreditation decision
Security accreditation documentation
After completing this phase, the security personnel will be facing any one of the following scenarios:
Formal authorization to operate the system is granted
Authorization to operate the system is denied
Authorization to operate the system is granted under certain terms & conditions
4. Continuous Monitoring Phase
This phase is an essential component, which checks the security controls status in the system on a continuous basis. An effective continues monitoring program needs to consider the following things:
Configuration management & configuration control processes in the system
Security influence analyses on the modification of the systems
Evaluation of the chosen security controls in the system & reporting of the security status of the corresponding officials
Security Certification Documentation
The process of security certification and accreditation process ends with the risk management decision by the organizational official. The accreditation package documents the outcome of the security certification. This document produces the essential information required by the authorizing officials to make a risk-based decision. This package includes the following documents:
Approved system security plan – Produce an overview of the security needs and describes the measures that official has taken to match with those needs.
Security assessment report – Summarizes the outcome of the activities stated by the certification agent.
Plan of Action and Milestones – Describes the measures, which have been applied to correct the deficiencies recognized at the time of security controls assessment and to eliminate identified system vulnerabilities
The accreditation decision communicates the decision of the accreditation authority and provides the official with:
- Security accreditation decisions
- Supporting foundation for the decision
- Terms & conditions for the authorization
Federal Information Security Management Act (FISMA) needs each organization to develop, implement and document an organization-wide security program to offer information security for the system, which supports assets and operations of the organization including those managed by another contractor, agency or other source. To guarantee the effectiveness and adequacy of the security controls, organization officials need to conduct the annual reviews of the security program of their organization & submit the resulting report to the Office of Management and Budget (OMB).
On the whole, the organization needs to assess the risk to establish the effective security controls, in to order to manage the unacceptable risk. In addition, they need to perform security certification, accreditation and assessment to ensure the effectiveness of the security controls.