Speaker 1: Risk is where your focus is. It doesn't matter what trade you're in. It doesn't matter if you're doing software, if you're doing networks, if you're doing pen testing, if you're doing AppSec, application security, if you're doing open source intelligence, right? It's all about the risk. What is the risk? Open source intelligence, there's risk? Yeah, what data do you have out there that somebody can find, right? That's your risk. You've got data out there and they can find it. So that's something to take into account. So you need a process to identify, select, assess, and apply controls as well as monitor the success and failure of those controls, right? So a risk framework is the process of selecting, implementing, and assessing those controls. And they could be security-focused or they could be privacy-focused. So everything that we're going to talk about comes from this document. This is the NIST Special Publications 837. This is revision two. So that's what I'm teaching. Revision one is pretty straightforward. There's just a step missing and I'll get to that, okay? What you will see on the exam is exactly what I'm going to teach you, I promise. There's nothing left out here, okay? Now, the RMF is really a lifecycle approach for security and privacy. It is a complete lifecycle and it gives you a flexible process for managing both security and privacy risk using a seven-step process. Now, version one was a six-step process and all they did was add an extra step and I'll explain where that comes in, okay? Now, the background, there's a huge background. I don't want you to read all this and I'm not going to read all of it, but this comes out of the document. The one quote that you need to know and take away is this right here. The RMF emphasizes building risk management, right? Building it into the SDLC. That is the strategy here and that's what it's all about.
And that's why I like it so much because you get to build security into the system and that's really awesome to do if you ever get the chance, right? So this is the big quote to take away from all of this. It emphasizes promoting the development of security and privacy into the SDLC. Notice how there's a domain eight reference right there, right, the SDLC. So replace the word system with software, same thing. And really it is a system development life cycle. I don't know why (ISC)² calls it software, but whatever, we apply it to both whenever we do it. So here are the steps. You have prepare, categorize, select, implement, assess, authorize, and monitor. This right here is your new step. This was never in the RMF. Everything started with categorize, but in reality we did all of the prep work as part of categorization and it was a drag. It was a long process if you do it right, okay? In preparations, these are all the activities that you're gonna use, right, to prepare to manage security and privacy risk. Once you're complete with that, you're gonna move on to categorization. This is now called step two. So this is one, right? This is two, and this is where you categorize or classify all of your system and information assets, okay? Then in step three, you're going to select all of the controls that are going to protect all of that information that you classified. Then in step four, you're gonna implement all of the controls necessary to meet the objectives in all of those different controls. Then you're going to test and assess and make sure that those controls actually do meet the intent of the control, that the implementations meet the intent of the control. Then at some point, somebody has to say, I agree with the risk, and they gotta make a decision and accept that risk, and that's based on everything else that you've done before.
And then in step seven, you're gonna do continuous monitoring, where you're gonna monitor those control implementations against the risk, okay? This often gets confused, monitoring gets confused with like using Splunk or AlienVault or Elk or whatever, right, like, oh, we gotta watch the system. Not true, that is not what we're doing here. What we're doing here is making sure that all of our controls work as we planned them to work. So that is the process in a nutshell. And if you're new to this channel, you're new to me, I invite you to subscribe to this channel, click the notification bell, so that you'll be first to know when a new video comes out. I hope you found something valuable in this video. Thanks for watching, we'll see you in the next one. Take care.