The Risk Management Framework (RMF), published by NIST in Special Publication 800-37, gives organizations a structured process for building, securing, and continuously monitoring their IT systems. Although the framework is mandatory only for federal systems (the Department of Defense has adopted it for its own systems), it offers a useful perspective on securing private organizations as well. Within the RMF, several supporting methodologies (among them the security control catalog in SP 800-53 and the organization-wide risk guidance in SP 800-39) work together to produce an efficient risk management process and to protect the CIA triad (confidentiality, integrity, and availability). Not to be confused with risk management in the general sense, the RMF lays out a sequence of steps for assessing and mitigating risk (six in the original framework, with a seventh, Prepare, added in Revision 2) and shares an expansive list of best practices and procedures (Joint Task Force, 2018).
The RMF is an effective way to categorize a system, select and implement its controls, assess them, authorize the system to operate, and monitor it thereafter: each of these steps strengthens the organization's information security and risk management processes, and the framework gives an organization and the federal agencies it works with a common vocabulary for exchanging risk information, all toward the goal of reducing risk across the infrastructure. As with a chain, one weak link can compromise the integrity of the entire structure; in the RMF, each stage is vital to the success of the whole operation.
A monitoring program and schedule can be built from risk-monitoring tools, vulnerability scanning, evaluation of emerging technologies that could strengthen the current program, and automation of security controls, ensuring constant supervision and upkeep of everything the RMF has put in place. The Monitor step, the last in the sequence, is not a one-time final examination but an ongoing activity: it verifies that the risk assessments performed in the earlier steps remain accurate as the system and its environment change, and it confirms that the selected controls are still in place and operating as intended (Joint Task Force, 2011).
While the RMF is remarkable in how broadly it spans an organization's IT structure and risk management policies, the framework can be challenging, especially for those who do not adopt it early. Many of the RMF's recommendations may not apply to the needs of most smaller businesses, which can lose time and resources trying to adapt a framework written for funded federal agencies to their own, likely unfunded, hands. The organization I work in currently is extremely limited in personnel (under twenty-five members); however, we steadily reach millions in sales each year and manage four different brands. During my time, while I have used much of the RMF to my advantage, I had to realize that I could not expect complete compliance with its suggestions. Instead, I took the best parts of the RMF, along with several other risk methodologies, and built my own method of predicting, analyzing, and preventing risk as we continue to expand quickly. As the best time to adopt a new way of designing and building entire IT systems and risk policies is during the early stages of a business, I made sure to plan for the worst as soon as I could. We just recently moved to a larger location, so I took it upon myself to construct an entirely new IT infrastructure, complete with a disaster recovery plan, an emergency response plan, and the development of quarterly risk review meetings. I am often told that I go overboard with my workload; however, I believe there is never too much one can do to prevent the unforeseeable from occurring (within budget limits, of course).
Joint Task Force. (2018, December). NIST Special Publication 800-37: Risk Management Framework for Information Systems and Organizations. Retrieved October 7, 2020, from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf.
Joint Task Force. (2011, March). NIST Special Publication 800-39: Managing Information Security Risk. Retrieved October 7, 2020, from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf.