In this course, we introduce the authorization process and the steps of the Risk Management Framework. These are the key Risk Management Framework steps we'll be discussing as part of the authorization process. You'll notice I have placed the NIST publication numbers we discussed previously in each one of the respective steps; those are the primary documents supporting those particular steps. There are six main steps in the Risk Management Framework and a preparatory step to ensure that organizations are ready to execute the process. In the center of this circle is the Prepare step. We first prepare to execute the Risk Management Framework from an organizational-level and a system-level perspective by considering a variety of inputs and carrying out specific activities that establish the context for managing security and privacy risks for the system of interest and establish the baselines for security controls.

The rest of the steps, circling the preparatory step, are as follows. Categorize the system and the information processed, stored, and transmitted by the system based on an analysis of the impact of a loss of confidentiality, integrity, or availability. Select an initial set of controls for the system and tailor the controls as needed based on the organizational assessment of risk and local conditions. Implement the controls and describe how the controls are employed within the system and its environment of operation. Assess the controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and satisfying security and privacy policy. Authorize the system or common controls based on the determination that the risk to organizational operations and assets, individuals, other organizations, and the nation is acceptable.
Finally, monitor the system and the associated controls on an ongoing basis, including assessing control effectiveness, documenting changes to the system and its environment of operation, conducting risk assessments and impact analyses, and reporting the security and privacy posture of the system.

What is security authorization? Security authorization is the official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risks to organizational operations and assets, individuals, other organizations, and the nation based on the implementation of an agreed-upon set of security controls. Remember that US government systems must have an authorization to operate in place.

The Prepare step has seven tasks at the organizational level and 11 tasks at the system level, for a total of 18 tasks, which can be mapped to the Cybersecurity Framework functions, categories, subcategories, and informative references. The purpose of the Prepare step is to carry out essential activities at the organization, mission and business process, and information system levels of an organization to help prepare that organization to manage its security and privacy risks using the Risk Management Framework. For informational purposes, I've placed the tasks and outcomes on the screen for you.

Here we have the first two steps of the process. The purpose of the Categorize step is to inform organizational risk management processes and tasks by determining the adverse impact to organizational operations and assets, individuals, other organizations, and the nation with respect to the loss of confidentiality, integrity, and availability of organizational systems and the information processed, stored, and transmitted by those systems. It has three tasks: system description, security categorization, and security categorization review and approval.
The purpose of the Select step is to select, tailor, and document the controls necessary to protect the information system and organization commensurate with the risk to organizational operations and assets, individuals, other organizations, and the nation. It has six tasks: control selection, control tailoring, control allocation, documentation of planned control implementations, continuous monitoring strategy for the system, and plan review and approval. I'll cover these respective tasks when we break down the individual steps later in the course.

Here we have the third and fourth steps in the process. The purpose of the Implement step is to implement the controls in the security and privacy plans for the system and the organization, and to document in a baseline configuration the specific details of the control implementation. It has two tasks: control implementation and update control implementation information. The purpose of the Assess step is to determine whether the controls selected for implementation are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization. It has six tasks: assessor selection, assessment plan, control assessments, assessment reports, remediation actions, and plan of action and milestones.

The last step in the risk management process is the Monitor step. The purpose of the Monitor step is to maintain ongoing situational awareness about the security and privacy posture of the information system and the organization in support of risk management decisions. It has seven tasks: system and environment changes, ongoing assessments, ongoing risk response, authorization package updates, security and privacy reporting, ongoing authorization, and system disposal.
In summary, in this course we introduced the Risk Management Framework authorization process and its steps: prepare, categorize, select, implement, assess, authorize, and monitor.