The NIST Risk Management Framework is a prominent source of authority and
expertise for security risk assessments. As such, it offers many advantages,
along with some potential drawbacks, for those considering this approach. An
individual or organization should weigh the specific context of its
organizational environment before moving forward with this method.
The NIST (National Institute of Standards and Technology) Risk Management
Framework is a more traditional approach composed of established practices
and protocols that are effective when implemented in a risk management
setting. It has proven highly effective in the past because government
agencies have used it to ensure that security processes, protocols, and
practices are adequately evaluated and implemented, which in turn supports a
higher level of security within organizations. At the same time, the NIST
Risk Management Framework is continually updated and revised in line with
new developments in technology, the legal environment, and society as a
whole.
Nevertheless, even though many independent firms and government agencies
have updated how they use this framework in response to new guidelines and
contexts, significant drawbacks remain. For instance, although the framework
is revised to adapt to new technologies, the rapid pace of technological
change means that certain policies or practices occasionally remain
outdated. In addition, because it is, as the name suggests, a framework, the
NIST Risk Management Framework cannot tell an organization how to attain its
recommended steps. In practice, this means that for many smaller agencies or
businesses, including those without much security experience or resources,
adopting and launching this framework may be difficult and problematic. It
is also important to note that the subjectivity of the objectives set by the
organization can affect the outcome of the results, since the framework is
not automated; it is a documented approach that demands considerable
objectivity and thoroughness, which can be hard for some businesses to
follow through on.
Regardless, the NIST Risk Management Framework remains a solid platform and
can be extremely effective for many organizations seeking to improve their
security efforts. Because it is flexible, frequently updated, and adaptable,
the framework is a highly cost-effective tool that businesses can adopt to
improve security initiatives, address risks and vulnerabilities, and enhance
overall security compliance.
Handout
As indicated by SP 800-37 Rev. 1, Guide for Applying the Risk Management
Framework to Federal Information Systems: A Security Life Cycle Approach,
which is maintained by the Joint Task Force Transformation Initiative, the
main goal of SP 800-37 is to provide specific guidelines and practices for
putting the NIST Risk Management Framework in place for government security
systems, so that they can begin carrying out tasks related to a variety of
subjects, including:
• Segmentation of security
• Control and integration of security initiatives
• Assessment of controls developed for security purposes
• IT system authorizations
• Monitoring of IT security controls
With that said, risk management involves addressing, controlling, dealing
with, and preventing the various potential threats that could compromise the
overall success and integrity of a business or agency. For instance, a
software development organization, in order to prevent security threats or
data loss, will develop a risk management plan that addresses the
prevention, management, and control of its data assets. Essentially, an
organization needs to be properly prepared for both anticipated and
unanticipated threats that could jeopardize its success and reputation. A
risk management plan allows an organization to identify those risks and to
devise a plan to prevent, address, and overcome them. Of course, risk
management reflects the current context and environment of an organization
and its industry, so the plan must be frequently revised and updated to
match the current state of the organization's affairs. Otherwise, a company
or agency may be more vulnerable to new threats that have not yet been
identified or prepared for.
Risks are essentially threats that could compromise the success or integrity
of a business or agency; they must be tangible and have the potential to
occur in the future. Organizations are constantly changing, and new security
threats are always being developed. This is why it is imperative for a risk
management plan to be dynamic and consistently revisited so that appropriate
updates can be made. Doing so ensures that an organization is better
prepared for any potential threats that may come its way.
References
NIST Computer Security Resource Center. (2014, June 5). Guide for
Applying the Risk Management Framework to Federal Information Systems:
A Security Life Cycle Approach.
https://csrc.nist.gov/publications/detail/sp/800-37/rev-1/final
NIST Computer Security Resource Center. (2022). SP 800-37 Controls.
Control Baselines Resources for Implementers.
https://csrc.nist.gov/projects/risk-management/sp800-57-controls