Running head: IMPLEMENTING RISK MANAGEMENT FRAMEWORK 1

Implementing Risk Management Framework

Raul Mendoza

University of San Diego

Cyber Security Risk Management

CSOL-530

Mr. Dorian Pappas

March 11, 2018

IMPLEMENTING RISK MANAGEMENT FRAMEWORK 2

Implementing Risk Management Framework

Implementing Risk Management Framework (RMF) provides the company an ability to

assess and understand what risk exists and how best to reduce our risk. As a risk-based approach

we integrate security early and determine how best to implement applicable laws, policies,

standards, and security controls.

RMF is best explained in detail through NIST Special Publications. These publications

explain Security and Privacy Controls for Federal Information Systems and Organizations. RMF

is a six-step process we used to assess our payroll system and apply the necessary security

controls to protect employees and the operations and assets of the company.

RMF six-step cycle(NIST, 2018, p. 1)

Step 1: Categorization
IMPLEMENTING RISK MANAGEMENT FRAMEWORK 3

When determining how best to implement security, it is important to understand the

requirements. Because our payroll system handles personal and sensitive data, we must apply the

appropriate security and privacy controls to protect it. Ultimately our goal is to implement

security and privacy controls in a manner that safeguards the Confidentiality, Integrity, and

Availability of our payroll data. There are three defined security objectives for information and

information systems. Within each we are able to determine whether the impact to each is Low,

Moderate, or High.

 Confidentiality (Low, Moderate, High)

o L: we expect the impact to have a limited adverse effect to our operations

o M: we expect serious adverse effect to our operations

o H: we expect severe or catastrophic adverse effect to our operations

 Integrity (Low, Moderate, High)

o Same as above

 Availability (Low, Moderate, High)

o Same as above

Because payroll is such an integral part of our company, we must understand for each

security objective what the impact levels should be. Payroll has the responsibility of, not only

employee compensation and salary, but contributes to our company’s reputation. When

considering the importance of the payroll system we must ensure that the information is only

accessible to authorized employees, the information is accurate and reliable, and is available with

the least amount of down time. The following categorization was recommended and approved by

leadership.

Confidentiality – High
IMPLEMENTING RISK MANAGEMENT FRAMEWORK 4

 If payroll information is disclosed to unauthorized individuals

o Loss of morale; employees may see another employee’s salary

o Loss of trust

o Financial impact if payroll information is disclosed to unauthorized

people

Integrity – High

 Pay amounts rerouted to unauthorized individual

 Inaccurate pay to vendors or employees

 Become delinquent in payment to other companies

Availability – High

 If the payroll system becomes unavailable for any amount of time

o Employees and vendors won’t get paid

o Payment may not be received for services/product we provide

Step 2: Select

Within our payroll system we have identified specific controls that must be implemented

to meet the Confidentiality, Integrity, and Availability (CIA) categorization. The sensitivity of

payroll data demands that we apply the highest level of security and privacy controls available.

Effective use of these controls helps us protect the payroll system and information against

advanced persistent threats. Because the controls are designed to address our companies protect

needs, I am confident we have applied them in a manner complementary to the business and our

employees. The following controls have been selected to meet our needs:

 Access Control: (NIST, 2017, table E-1)

o AC-1: Access control Policy and Procedures

IMPLEMENTING RISK MANAGEMENT FRAMEWORK 5

o AC-2: Account Management

o AC-3: Access Enforcement

o AC-5: Separation of duties

 Auditing: (NIST, 2017, table E-3)

o AU-1: Audit and Accountability Policy and Procedures

o AU-2: Audit Events

o AU-6: Audit Review, Analysis, and Reporting

 Maintenance: (NIST, 2017, table E-10)

o MA-1: System Maintenance Policy and Procedures

o MA-2: Controlled Maintenance

o MA-6 Timely Maintenance

 System and Information Integrity: (NIST, 2017, table E-20)

o SI-1: System and Information Integrity Policy and Procedures

o SI-4: System Monitoring

o SI-7: Software, Firmware, and Information Integrity

Step 3: Implement

Implementation of selected security controls is an important step to reducing the attack

surface of our payroll system. Since we have categorized our system as High – Confidentiality,

High – Integrity, and High – Availability, we must implement the associated controls within each

control family that are marked as high. I have identified the following control families and a few

controls within each that address the CIA areas we should focus our efforts; AC –

Confidentiality, AU – Integrity, MA – Availability, SI – Integrity. Within each family are

IMPLEMENTING RISK MANAGEMENT FRAMEWORK 6

specific controls that must be implemented to ensure we meet the recommended baseline

security configuration for that categorization.

Access Control: (National Institute of Standards and Technology [NIST], 2017, table E-1)

AC-1: Access control Policy and Procedures – In order to ensure the appropriate

controls are understood and implemented appropriately, we must develop an access control

policy to ensure employees understand who is authorized to access the payroll system. In

addition, we must also develop procedures that outline how best to allow the employees access.

AC-2: Account Management – By implementing account management we are able to

control whom has access and the level of access based on permissions granted. In addition, it

creates a mechanism to ensure we can monitor the use of system accounts.

AC-3: Access Enforcement – Allows for administrators implement multiple access

control mechanisms to constrain what actions a person can take despite having access to the

information.

AC-5: Separation of duties – Understanding that the payroll system is extremely

sensitive, we must ensure that no one person can perform all functions within it. Separation of

duties allows us to ensure employees cannot abuse their privileges and reduces the risk of

collusion.

Auditing: (NIST, 2017, table E-3)

AU-1: Audit and Accountability Policy and Procedures – Defines the role and

responsibilities of all individuals responsible for enforcing and monitoring user activity within

the payroll system. Procedures must also be defined to ensure the appropriate steps are taken

when reviewing audit logs.

IMPLEMENTING RISK MANAGEMENT FRAMEWORK 7

AU-2: Audit Events – By implementing the audit events control we are able to define

which types of events we are monitoring. Some events must be monitored based on laws and

regulations that are mandated when using systems like payroll.

AU-6: Audit Review, Analysis, and Reporting – Regular review, analysis, and

reporting must be implemented to ensure we maintain situational awareness of the activity

occurring within the payroll system. If suspicious activity occurs, we must understand and

determine if the activity is authorized and report on it if it is not.

Maintenance: (NIST, 2017, table E-10)

MA-1: System Maintenance Policy and Procedures – Defines the roles and

responsibilities of all individuals responsible for maintenance of the payroll system. Procedures

must also be defined to ensure the appropriate maintenance steps are taken to ensure the

availability of the payroll system is minimally impacted.

MA-2: Controlled Maintenance – All maintenance activities must be performed in

accordance with manufacturer and vendor specifications. In addition, controlled maintenance

provides us the ability to document, approve, and verify that the appropriate controls are still

implemented.

MA-6 Timely Maintenance – Affords the company the ability to ensure that

maintenance is performed proactively. Preventative, predictive, automotive support, and

adequate supply can all impact the availability of the payroll system, but by addressing and

implementing each we are able to minimize the downtime.

System and Information Integrity: (NIST, 2017, table E-20)

SI-1: System and Information Integrity Policy and Procedures – Defines the roles

and responsibilities of all individuals responsible for enforcing and monitoring the integrity of
IMPLEMENTING RISK MANAGEMENT FRAMEWORK 8

the information contained within the payroll system. Procedures must also be defined to ensure

the appropriate remediation steps are taken when determining that the integrity of the

information has been compromised.

SI-4: System Monitoring – By implementing an effective monitoring system we are able

to determine if attacks are occurring, if unauthorized access has occurred, or if unauthorized

remote connections have been made. Monitoring these areas will provide us the ability to

determine if any information was manipulated and how best to respond.

SI-7: Software, Firmware, and Information Integrity – Implementing integrity

verification tools provides us the ability to ensure unauthorized changes to software, hardware,

and information cannot occur. If manipulation of each occurs, the verification tools provide

alerts and notify administrators of the potential attack or issue.

Step 4: Assess

To better understand which controls have been applied and which have not, we must

assess the system to ensure traceability of the assessment results can be linked to the specific

control baselines. Without properly assessing our implementation of the selected controls, we

increase our risk by not understanding if we implemented them correctly. Since we have

categorized and implemented security baseline controls to meet High, High, High across the CIA

triad, we reviewed the following controls to assess their implementation:

Overall Assessment

Access Control Not Compliant

Auditing Partially Compliant

Maintenance Compliant

System and Information Integrity Not Compliant

IMPLEMENTING RISK MANAGEMENT FRAMEWORK 9

Step 5: Authorize

Prior to receiving an Authorization to Operate (ATO), there are a number of artifacts that

must be completed. An authorization package must be provided to the authorizing official for

review and contains the following items:

o System Security Plan (SSP)

o Security Assessment Report (SAR)

o Plan of Action and Milestones (POA&M)

Once we have provided the necessary package, the AO will review and determine

whether or not our current plan and risk mitigation is acceptable. Within the POA&M we

outlined specific actions that will be performed and the timeline in which they will be completed.

Because we understand the risk and have established specific tasks to reduce the risk, it is

expected that the AO will approve and grant us an ATO based on our input.

Table 1: Payroll POA&M (NIST, 2017, p. 73)

IMPLEMENTING RISK MANAGEMENT FRAMEWORK 10

Step 6: Monitor

Continuous monitoring is a critical step in the framework that provides security

professionals and executive leadership visibility across our system on a consistent basis.

Implementation of a continuous monitoring plan facilitates ongoing awareness of information

security, threats, and vulnerabilities despite our dynamic operational environment. Our plan will

enhance our ability to measure actionable and relevant issues as they arise. By applying specific

controls, we are able to define our plan and ensure our payroll system is effectively monitored. In

addition to the previously mentioned controls, we will include the following:

 CA-1 Security Assessment and Authorization Policies and Procedures

 CA-2 Security Assessments

 CA-7 Continuous Monitoring & CA-7 (1,2,& 3)

 CM-1 Configuration Management Policy and Procedures

 CM-2 Baseline Configuration

Throughout the entire process we have identified the security levels needed to ensure our

information meets the protection levels associated to the appropriate categorization. In doing so,

we are able to ensure the system remains secure despite employee rotation, changes to

hardware/software/firmware, or changes to our environment. The continuous monitoring

provides us the ability to identify additional risks and reduce those risks by implementing

additional security controls as needed.

IMPLEMENTING RISK MANAGEMENT FRAMEWORK 11

References

NIST. (2017). Plan of Action and Milestones. In In Security and Privacy Controls for

Information Systems and Organizations (Rev 5 ed., 73-74). Retrieved from

https://ole.sandiego.edu/bbcswebdav/pid-1096872-dt-content-rid-

4627450_1/courses/CSOL-530-MASTER/M3/sp800-53r5-draft.pdf

NIST. (2018). Risk Management Framework (RMF) Overview. Retrieved from

https://csrc.nist.gov/projects/risk-management/risk-management-framework-(RMF)-

Overview

National Institute of Standards and Technology. (2017). Security and Privacy Controls for

Information Systems and Organizations (Rev 5 ed.). Retrieved from

https://ole.sandiego.edu/bbcswebdav/pid-1096883-dt-content-rid-

4627450_1/courses/CSOL-530-MASTER/M3/sp800-53r5-draft.pdf