Governance Risk and Compliance - Risk Management Framework
CGRC and the NIST Risk Management Framework
RMF and other standards for the CGRC exam
This is the first in a series of articles intended as a study guide for the (ISC)2 CGRC exam.
Primary Roles for Risk Management
- Authorizing Official (AO)
- Authorizing Official Designated Representative (AODR) – may carry out authorization activities on the AO's behalf, EXCEPT the authorization decision itself; signing the authorization decision is reserved to the AO
- Chief Acquisition Officer – manages acquisition activities in support of the Head of Agency's mission/business objectives
- Chief Information Officer – develops and maintains security policies and procedures; designates the Senior Agency Information Security Officer
- Common Control Provider
- Control Assessor
- Enterprise Architect
- Head of Agency
- Information Owner or Steward
- Mission or Business Owner
- Risk Executive
- Security or Privacy Architect
- Sr. Accountable Official for Risk Management
- Sr. Agency Information Security Officer
- Sr. Agency Official for Privacy
- System Administrator
- System Owner
- System Security or Privacy Officer
- System User
- Systems Security or Privacy Engineer
Standards and Regulations
- SP 800-37 – Risk Management Framework (RMF); seven steps: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor
- FIPS 199 – Standards for Security Categorization: a potential impact value (low, moderate, high) for each of confidentiality, integrity and availability (CIA)
  - Used in Categorize and Select
- FIPS 200 – Minimum Security Requirements: 17 security-related areas; the system's overall impact level is the high water mark (the highest of the three CIA values)
  - Used in Categorize and Select
- SP 800-18 – Guide for Developing Security Plans (the system security plan, SSP)
  - The SSP is the plan reviewed during Assess
- SP 800-30 – Guide for Conducting Risk Assessments
  - Supports Prepare tasks P-3 (organization-level risk assessment) and P-14 (system-level risk assessment)
  - PCCM mnemonic: Prepare, Conduct, Communicate, Maintain
- SP 800-59 – Guideline for Identifying an Information System as a National Security System
- CNSSI 1253 – Security Categorization and Control Selection for National Security Systems: CIA impact values (low, moderate, high) are kept separate per objective rather than collapsed to a FIPS 200 high water mark; used in Categorize and Select
- SP 800-53 – Security and Privacy Controls; SP 800-53B – Control Baselines (low, moderate, high and privacy baselines, tailoring guidance and overlays); SP 800-53A – assessment procedures
- SP 800-60 Vol. 1 – Guide for Mapping Types of Information and Information Systems to Security Categories (Categorize)
- SP 800-60 Vol. 2 – Appendices to Vol. 1 (provisional impact levels for each information type)
- SP 800-137 – Information Security Continuous Monitoring (ISCM) life cycle; DEIARR mnemonic: Define, Establish, Implement, Analyze/report, Respond, Review/update
- RMF and the SDLC
  - New systems: RMF begins at initiation; the disposal phase does not yet apply
  - Existing (legacy) systems: RMF is applied during operations/maintenance and continues until disposal (Monitor task M-7, System Disposal)
- SP 800-37 Appendix F – System and Common Control Authorizations (authorization decisions and the authorization package)
- SP 800-34 – Contingency Planning Guide (supports the CP control family in Select); DCICDEE mnemonic: Develop the contingency planning policy, Conduct the BIA, Identify preventive controls, Create contingency strategies, Develop the plan, Ensure testing/training/exercises, Ensure plan maintenance
  - Types of plans (e.g., BCP, DRP, ISCP, COOP)
- SP 800-70 – National Checklist Program for IT Products
- SP 800-122 – Guide to Protecting the Confidentiality of PII
- SP 800-128 – Guide for Security-Focused Configuration Management; PICMU mnemonic (phases: Planning, Identifying and implementing configurations, Controlling configuration changes, Monitoring)
- SP 800-88 – Guidelines for Media Sanitization (clear, purge, destroy)
- SP 800-39 – Managing Information Security Risk; FARM mnemonic: Frame, Assess, Respond, Monitor; basis for Prepare task P-2 (Risk Management Strategy)
- NIST CSF – Cybersecurity Framework; IPDRR mnemonic: Identify, Protect, Detect, Respond, Recover (CSF 2.0 adds Govern)
- SP 800-115 – Technical Guide to Information Security Testing and Assessment (NIST CSRC)
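The categorization rules above (FIPS 199 per-objective aggregation, the FIPS 200 high water mark, and the CNSSI 1253 contrast) are small enough to work through in code. The following is an added example written for this study guide; it is not NIST text or code, the information types and their impact levels are constructed for illustration rather than quoted from SP 800-60 Vol. 2, and the `adjustments` parameter and the `cnssi1253_label` notation are the author's own conveniences.

```python
"""FIPS 199 security categorization with the FIPS 200 high water mark.

Added worked example for this study guide, not text or code from NIST.
The information types below are constructed for illustration; in practice the
provisional impact levels come from SP 800-60 Vol. 2 and are adjusted by the
information owner before the system owner aggregates them during Categorize.
"""
from dataclasses import dataclass

LEVELS = ("LOW", "MODERATE", "HIGH")          # FIPS 199 potential impact values
RANK = {level: i for i, level in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional (C, I, A) impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def level(self, objective):
        value = getattr(self, objective)
        if value not in RANK:
            raise ValueError(f"{self.name}: {objective} must be one of {LEVELS}, got {value!r}")
        return value


# Constructed sample; the values are illustrative, not quoted from SP 800-60.
SAMPLE_INFO_TYPES = [
    InfoType("Public web content", "LOW", "LOW", "LOW"),
    InfoType("Personnel records (PII)", "MODERATE", "MODERATE", "LOW"),
    InfoType("Payment processing", "LOW", "HIGH", "MODERATE"),
]


def categorize_system(info_types, adjustments=None):
    """FIPS 199: for each objective take the highest impact level across all
    information types on the system. `adjustments` (hypothetical helper input)
    lets the system owner raise a value with justification, e.g. because
    aggregating many LOW-rated records on one system raises the availability
    impact beyond that of any single information type."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    sc = {}
    for objective in OBJECTIVES:
        sc[objective] = max((t.level(objective) for t in info_types), key=RANK.__getitem__)
    for objective, level in (adjustments or {}).items():
        if objective not in OBJECTIVES or level not in RANK:
            raise ValueError(f"bad adjustment {objective}={level!r}")
        sc[objective] = level
    return sc


def high_water_mark(sc):
    """FIPS 200: the overall system impact level is the highest of the three
    objectives; it selects the SP 800-53B baseline (LOW, MODERATE or HIGH)."""
    return max((sc[o] for o in OBJECTIVES), key=RANK.__getitem__)


def fips199_notation(sc):
    """Render the category the way FIPS 199 writes it."""
    return "SC system = {" + ", ".join(f"({o}, {sc[o]})" for o in OBJECTIVES) + "}"


def cnssi1253_label(sc):
    """National security systems (CNSSI 1253) keep the three values separate
    instead of collapsing them to a high water mark; this writes them C-I-A
    using the first letter of each level, e.g. M-H-M."""
    return "-".join(sc[o][0] for o in OBJECTIVES)


if __name__ == "__main__":
    sc = categorize_system(SAMPLE_INFO_TYPES)
    print(fips199_notation(sc))
    print("FIPS 200 high water mark:", high_water_mark(sc))
    print("CNSSI 1253 label:", cnssi1253_label(sc))
```

With the constructed sample the system categorizes as moderate confidentiality, high integrity and moderate availability; under FIPS 200 the single high value pulls the whole system to the HIGH baseline, whereas a national security system under CNSSI 1253 would carry the three values separately as M-H-M. Adjusting a value upward (the `adjustments` argument) is the code analogue of the information owner's justification for departing from the provisional SP 800-60 levels.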
Diagrams (figures referenced in this article)
- CIA triad
- SP 800-39 FARM cycle (Frame, Assess, Respond, Monitor)
- Risk management tiers (organization, mission/business process, information system)
- RMF strategy