
Running head: RMF READ AHEAD NOTES 1

Read Ahead Notes for the

Risk Management Framework Meeting

G Logan Gombar
7/14/2019

To prepare for the upcoming meeting, the following notes are intended to establish a base level of knowledge, a standard set of terms to use, and a starting point for discussion. The topics at hand will be risk management planning, approaches to cyber security, and the potential damage caused by ungoverned risk. The notes include definitions, the key elements of a risk management plan (RMP), and examples of the damage that results when risks are not mitigated.

Definitions

It is best to start by defining a set of terms for this discussion. What is risk, and what does it mean to manage risk? Risk is where a vulnerability meets a threat (Van Impe, 2017). Said another way, it is when someone who wants to steal something is given a way to break in. Managing risk is not only preemptive; it often means accepting some risk and enforcing policies that allow the organization to recover from losses.

The CIA triad is what many consider to be the pillars of cyber security. It is composed of the principles of Confidentiality, Integrity, and Availability. Confidentiality is the concept of keeping information out of the hands of bad actors. Integrity is keeping data from being changed without authorization, while Availability is keeping information reachable by legitimate users; information that cannot be reached when needed is as useless as information that has been stolen. Using these definitions, we can move on to defining an RMP.

Elements of a Risk Management Plan (RMP)

Defining an RMP can be done in a series of steps. More tailored specifics must be created for each organization, but that discussion is beyond the scope of these notes. The key steps are as follows: frame, assess, respond, and monitor (NIST, 2011, pp. 7-8). With these steps worked out, the overarching goal and vision of the RMP become clear.

Framing risk is integral to the creation of a "risk management strategy". Framing establishes the baseline for risk acceptance in the organization, and this foundation allows every layer of the organization to adhere to the same policies. Framing risk clearly defines the left and right bounds on decision making, and can even influence investment strategies (NIST, 2011, p. 34).

Assessing risk is the evaluation of vulnerabilities and threats. Rating the risk to the organization can typically be done via an "impact vs. urgency" matrix (Topalovic, 2015). By prioritizing risks in this way, the mitigation strategies and responses can be more focused and specific.

Responding to risk is developing strategies for accepting, mitigating, or otherwise treating the risks (NIST, 2011, p. 41) assessed in the previous step. By putting these policies in place, a company can prevent risk from causing lasting damage to its systems. The steps in this process will vary, but they should include steps for responding to active risks, such as containment, damage reduction, and service restoration. With these measures in place, a company will be more resilient in the event of an attack.

Monitoring risk is imperative because the threat landscape is constantly changing. These changes are not only external; internal changes increase the threat to a network as well. The inability to adapt to a changing cyber battlefield will lead to more loss than accepting the risk of making a change. By adapting to known threats, an organization can hold its risk at a chosen level. This requires a degree of risk acceptance, but that risk needs to be accepted to ensure continued resiliency and protection from attacks.

Potential Damages

The above RMP may seem extensive when diving into the specifics, as many of the controls will not seem to apply. However, when looking into the potential damage caused when a single leg of the CIA triad is compromised, it becomes readily apparent why this is a critical consideration for the security stance of this organization.

When the Confidentiality of a system is compromised, all of its data becomes available to the attacker. This can lead to leaked knowledge (trade secrets or personally identifiable information, for example) that may be extremely costly. By not securing the Confidentiality of the data, the company is putting that information directly into the hands of attackers.

When the Integrity of a system is compromised, the data on the system is subject to change. This change could be an alteration or a complete deletion. Without assurance that the data cannot be changed by an unauthorized user, there is no way to trust the data on the system. If a payroll system could not be trusted, all payroll would have to be done by hand, costing the company through extensive new hires. This lack of trust in the systems would cause a cascade of issues, rendering the system useless and making the company obsolete.

If Availability is compromised, the system becomes inaccessible. During a self-inflicted DDoS, Amazon reported a loss of $75 million in about an hour (Newman, 2018). If a resource is unavailable, it is a waste of resources and money. Availability is critical to a network-based ecosystem, and any web-based company knows that high availability is a very high priority.

Summary

By implementing a rigorous risk management plan, a company can prevent many attacks from occurring. Enforcing a series of policies designed by framing, assessing, responding to, and monitoring risk will enable greater resilience to attacks. Addressing the threats to the CIA triad can reduce the risk to systems and profit while increasing the resiliency and reliability of those systems. The network will never be fully secure, but by establishing a baseline we can begin to strengthen our security stance and reduce the risk that exists on our systems.

References

Newman, S. (2018, July 24). Amazon Invited DDoS Attack On Prime Day. Retrieved from https://www.informationsecuritybuzz.com/expert-comments/amazon-invited-ddos-attack-on-prime-day/

NIST. (2011). Managing Information Security Risk: Organization, Mission, and Information System View (Special Publication 800-39). Retrieved from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf

Topalovic, D. (2015, July 9). ITIL & ISO 20000 Service Desk Incident Classification. Retrieved from https://advisera.com/20000academy/knowledgebase/incident-classification/

Van Impe, K. (2017, April 22). Simplifying Risk Management. Retrieved from https://securityintelligence.com/simplifying-risk-management/
