Training & Certification: Risk Management Approach to Security Authorization

by Bruce Brown | 2 Comments

Understand the Risk Management Approach to Security Authorization

NIST SP 800-39 discusses managing information security risk across an enterprise. An organization takes a multitier approach to risk management at the organizational, mission/business process, and information system levels. The Risk Management Framework (RMF) is the process broken down step by step in NIST SP 800-37. The CAP addresses the following:

    Distinguish between applying risk management principles and satisfying compliance requirements
    Identify and maintain information systems inventory
    Understand the criticality of securing information
    Understand organizational operations

Distinguish between applying risk management principles and satisfying compliance
Risk management includes satisfying compliance, but it is broader than compliance. Even though some controls cannot be made fully compliant because of limited resources, the residual risk to the organization can still be mitigated and managed. See NIST SP 800-37, Guide for Applying the RMF, for the underlying concepts.

Identifying and maintaining the information system (IS) inventory is addressed in NIST SP 800-37 (Risk Management Framework), SP 800-18 (System Security Plan) and SP 800-64 (System Development Life Cycle). SP 800-37 addresses the IS inventory in RMF Step 1, Categorization of the IS. One of the categorization tasks is information system registration, which begins by identifying the information system in the system inventory; this is documented in the security plan. NIST SP 800-18 discusses how the inventory is documented and how it logically separates the system authorization boundary. That inventory is maintained and monitored throughout the life cycle of the IS (from initiation to disposal, and from categorization to monitoring of the system).

A CAP candidate can understand the criticality of securing information by reading FIPS 199, Standards for Security Categorization of Federal Information and Information Systems.

Understanding the organizational operations the system supports is imperative for a CAP candidate in order to apply the scoping guidance described in NIST SP 800-53.

2 Comments on Training & Certification: Risk Management Approach to Security Authorization

  1. @booboop
    September 28, 2011 at 8:18 am

    Just discovered this site (blog). THIS IS A LOT OF INFO... where do you find the time...?
