Nist 80053a Call for Continuous Monitoring

Risk management is a process in which an organization constantly assesses the level of risk it faces and takes action to reduce that risk. You look at the threats and vulnerabilities that your organization faces. You then take steps to reduce the resulting risk by mitigating the vulnerabilities and planning for the threats. The goal is to successfully mitigate such risks before the associated threat(s) can manifest and harm the organization.

Protect Assets

Protect Assets

Guide Decisions

Guide Decisions

Reduce Risk

Reduce Risk

How is risk managed?

The National Institute of Standards and Technology (NIST) lays out its recommended plan for identifying, controlling, and continuously monitoring risk tied to each information system in an organization. This framework is designed to create a repeatable process that accomplishes the following tasks using a variety of publications and guidance provided by NIST:

  • Categorize System
    Categorize the sensitivity of the system's data, followed by the enumeration of risks that might compromise the confidentiality, integrity, and availability of both the data and the information system.
    Associated NIST publications: FIPS 199 and SP 800-60.
  • Select Controls
    Select a specific set of security controls based on the sensitivity of the data and implement these controls while architecting the information system during the software/system development life cycle (SDLC).
    Associated NIST publications: FIPS 200 and SP 800-53
  • Implement Controls
    Implement and test the security controls as the information system is built.
    Associated NIST publications: SP 800-34, SP 800-61, and SP 800-128
  • Assess Controls
    Assess the performance and effectiveness of both the information system and the security controls to provide assurance that they are working as intended.
    Associated NIST publication: SP 800-53A
  • Authorize System
    Gain authorization and approval for the information system to begin processing, transmitting, and storing data to accomplish its mission.
    Associated NIST publication: SP 800-37
  • Monitor Controls
    Continuously monitor the security controls to ensure they are effective during the life cycle of the information system.
    Associated NIST publications: SP 800-37, SP 800-53A, SP 800-137.

Risk Assessments

One of the best ways to identify your risk of threats and vulnerabilities is to conduct a risk assessment. Risk assessment is a process of identifying, estimating, and prioritizing risks to organizational operations and assets that are tied to the operation of an information system. At a minimum, we recommend that UAB organizations conduct risk assessments when:

  • A new third-party vendor is being considered to provide a service or product that involves UAB data, UAB information systems, and/or UAB information technology resources, such as networking.
    Note: Vendors that already provide such services or products should be required to annually complete a risk assessment to determine whether the associated level of risk has increased or decreased during the previous year.
  • A new information system or web application is being developed and deployed by a UAB organization.
    Note: Existing UAB-owned information systems and web applications should annually undergo a risk assessment to determine whether the associated level of risk has increased or decreased during the previous year.
  • Compliance frameworks, such as PCI DSS, HIPAA, or FISMA require that a risk assessment is conducted.

We can assist in the risk assessment process by providing the tools, offering guidance in how to address questions in the tools, reviewing the final assessment, and aiding the organizations in reducing areas of significant risk to an acceptable level.

Learn More

Are you interested in learning more details about Risk Management? See various NIST special publications:

FIPS 199 Standards for Security Categorization of Federal Information and Information Systems
FIPS 200 Minimum Security Requirements for Federal Informationand Information Systems
NIST SP 800-30 Guide for Conducting Risk Assessments
NIST SP 800-34 Contingency Planning Guide for Federal Information Systems
NIST SP 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems
NIST SP 800-50 Building an Information Technology Security Awareness and Training Program
NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations
NIST SP 800-53A Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
NIST SP 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories
NIST SP 800-61 Computer Security Incident Handling Guide
NIST SP 800-64 Security Considerations in the System Development Life Cycle
NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems
NIST SP 800-137 Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations

williamssaim1974.blogspot.com

Source: https://www.uab.edu/it/home/index.php?option=com_content&view=article&id=69:more-options&catid=32

0 Response to "Nist 80053a Call for Continuous Monitoring"

Publicar un comentario

Iklan Atas Artikel

Iklan Tengah Artikel 1

Iklan Tengah Artikel 2

Iklan Bawah Artikel