Risk Management and Compliance concerning Cybersecurity Policy and Industry Standards Part 1 Risk Management Framework
The National Institute of Standards and Technology (NIST) is a body purposefully formed to protect confidential information for organizations or individuals from being used for malicious gains. The information technology laboratory is tasked with developing tests, test methods, proof of concept of implementation, and technical analyses in propelling productive use of information technology (IT). Many threats may face information systems in organizational settings, disrupting normal operations. Some of these disruptions include but are not limited to machine errors and purposeful attacks that are organized and adequately funded. Successful attacks on an organization’s information system are responsible for detrimental impacts on organizational operations, employees, and tangible and intangible assets (Alhawari et al., 2012). Therefore, the management team must implement measures to prevent attacks from being successful by moving with speed and managing any form of security vulnerabilities identified. This paper evaluates the NIST SP 800-37 Risk Management Framework and its utilization in organizational settings.
The Risk Management Framework (RMF) comprises seven steps that organizations should follow per the outlined order. The first step of the Risk Management Framework is the preparation that offers substantial support to the other steps within the framework. In some incidents, organizations may discover that they have executed some of the tasks of the preparation step in the risk management program. Therefore, to reduce this kind of confusion, the preparation step aids in overcoming the complexity during the implementation of the Risk Management Framework, conserving security and privacy resources, and prioritizing essential activities within the organization (Wang et al., 2010). This step is composed of regulatory standards from NIST publications and requirements set by the Office of Management and Budget or both measures (Wang et al., 2010). The second step entails categorizing information systems that foster the administration’s understanding of the systems utilized within the organization’s premises. This step sets off with the definition of the system boundary. The purpose of system boundary involves identifying all the information about the organization, such as the mission, roles, and responsibilities of employees, the system’s operating environment, and its connection with other systems.
Do you need help with your assignment? Reach out to us at eminencepapers.com.
The third step involves selecting security controls that would protect the system’s confidentiality, integrity, availability, and information. Some security controls that should be chosen include the management team, operational and technical experts, and countermeasures that can be adopted in case of system failure. The next step would entail implementing the security controls selected in the third step. Security control implementation describes how the management can be deployed within the information system and its operating environment (Lee, 2021). This calls for policies tailored to each device to align with the required security documentation. Fifthly, assessing the security controls is influential in determining the extent to which commands work correctly, operate as needed, and meet the system’s security requirements. The second last step is authorizing an information system to determine the risks linked to organizational operations and individuals, assets, and the acceptable risk threshold (Lee, 2021). Finally, the organization must monitor the security controls by seamlessly ensuring adaptability to changing threats, vulnerabilities, and business processes.
Besides the seven-stage risk management framework, there are also other essential aspects that an organization should consider to protect its confidential information from falling into the wrong hands. One of these concepts relates to information security and privacy in the Risk Management Framework. Effective Risk Management Framework implementation requires integrating information security and privacy programs. Even though these disciplines are composed of often overlapping objectives, they are often complementary. On the one hand, information security programs protect the information and the systems from unauthorized access, disclosure, modification, or even destruction (Ross, 2018). On the other hand, the privacy programs are responsible for ensuring compliance with the formulated privacy standards and managing the risks linked to creating, processing, disseminating, and disclosing personally identifiable information. Therefore, an organization should ensure that it incorporates these two programs in its implementation of RMF so that the objectives of either discipline can be attained.
When