User Tools

Site Tools

You are here: start » corpgov » rmf

Sidebar

Org. Governance

Home

Governance

Organizational Authority

Risk Management Framework

Audit Docs & Tasks

HR Personnel Policies

3.9 HR Policies

Functional/Technical Policies

(Satisfies SOC IS-1 Requirements)

3.1 Access Control

3.2 Awareness & Training Policies

3.3 Audit & Accountability

3.4 Configuration Management

3.5 Identification and Authentication

3.6 Incident Response

3.7 Maintenance

3.8 Media Protection

3.9 HR Policies

3.10 Physical Protection

3.11 Risk Assessment

3.12 Security Assessment

3.13 Systems & Communications Protection

3.14 Systems & Information Integrity

Internal Processes

Breach Notification

Contingency Planning - Internal - CP

Change Management - CM

SaaS App Management

Executive Compliance Directives

DOD Impact Levels

Definitions & References

IT Policy Artifacts

corpgov:rmf

Table of Contents

Security Assessment and Authorization - CA

Policy Page Template

Control Satisfaction Matrix

Framework Standard Category Controls Satisfied 800-53r4 Controls ISO/SEC 27001 Audit Controls
NIST Standard Various Various Various N/A N/A

Major Document History

Date Comment Who
5/1/2019 Initial Doc Tharp
6/03/2019 Edited Format, linked to Control Objectives Risk Assessment Tharp
8/16/2019 Moved RMF to Org. Governance Topic Tharp
8/29/2019 Copied Content For IS-1 SOC submission Tharp
9/27/2019 Added Risk Assessment Example Tharp
10/6/2021 Policy's Reviewed for Audit Tharp

Risk Management Framework

Figure 1

Step 1 - Categorize

FIPS 199

FIPS 199 Sets the Standards for Security Categorization of Federal Information and Information System and SP 800-60 guides the application of those standards. The table below summarizes the Security Objective vs. Potential Impact.

Potential Impact
Security Objective Low Moderate High
Confidentiality - Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.[44 U.S.C., SEC. 3542]The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Integrity - Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. [44 U.S.C., SEC. 3542]The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Availability - Ensuring timely and reliable access to and use of information. [44 U.S.C., SEC. 3542]The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

DLZP Group Security Standard

DLZP Group shall treat all client data and environments as **Confidential-High**

Therefore, all systems built and maintained by DLZP in the AWS cloud shall meet this standard. This is achievable in the AWS cloud environment at no extra cost to the client. Furthermore, by adopting a single standard DLZP limits the possibility of exposing data due to accidental mis-classification.

Step 2 - Select Security Controls

FIPS 200 sets the minimum security requirements for Federal Information Systems. And, NIST 800-53 rev.4 provides a library of controls configuration items (CI's) and policies that provides the operating environment framework that must be met to maintain compliance with FedRAMP standards. To meet the DLZP Group Security Standard of Confidential-High, DLZP will maintain appropriate 800-53 controls throughout its business and data processing practices.

DLZP Group Security Standard

All systems BASE CI's will meet relevant NIST 800-53 Confidential-High security objectives.
DLZP Group offers clients the choice of a Compliance Framework (Advanced CI's) to match their business requirements.

This ensure our client's have the most secure environment and matches the cost associated with their Compliance Standards e.g. FedRAMP, HIPAA, PCI, FERPA to the regulatory environment of the customers business model and entity needs.

Steps 3 - 6

Referencing Figure 1. Steps 3 thru 6 cover data processing and governance business practices that will we covered within their own wiki chapters.

Risk Assessment Example

Risk Planning

For projects of the scope and complexity of the CLC’s PeopleSoft Upgrade and cloud hosting, an AWS Cloud implementation reduces or eliminates many sources of technical, performance, and capacity risks associated with IT systems. DLZP Group’s 8+ years of AWS experience makes us fully aware of its services and their programing and deployment.

Performance issues may be mitigated rapidly in the AWS virtual environment with systems’ scale up. And capacity limitations are non-existent in the AWS cloud for projects of this scale.

Therefore, our leading risks are limited to personnel resource availability and the potential change in requirements from design due diligence, data conversion and 3rd Party Integration reference. Review Table for risk mitigation steps.

PhaseRisk by PhaseRisk TypeDLZP Mitigation
Scope
Project Start Is Delayed by client1; 2Outside DLZP Control
Project Scope is Changed by client1; 2Outside DLZP Control
CLC Requirements Change1; 2Outside DLZP Control
Design
Project Phase Is Delayed by client2; 3Outside DLZP Control
Project Scope is Changed by client1; 2Outside DLZP Control
CLC Requirements Change1; 2Outside DLZP Control
CLC Resource Availability2; 3Schedule Around Resource Constraints
DLZP Group Resource Availability1DLZP Team Approach Mitigates
Unknown Requirement Discovered2; 3DLZP Design Interview Process Mitigates
Build
Project Phase Is Delayed by client2; 3Outside DLZP Control
Project Scope is Changed by client2; 3Outside DLZP Control
CLC Requirements Change2; 3Outside DLZP Control
CLC Resource Availability1; 2Schedule Around Resource Constraints
DLZP Group Resource Availability1DLZP Team Approach Mitigates
Data Conversion1; 3DLZP Automation and Approach Mitigates
3rd Party Integration2; 3DLZP Experience and Cloud Microservices Mitigates
Deploy
Project Phase Is Delayed by client2; 3Outside DLZP Control
Project Scope is Changed by client2; 3Outside DLZP Control
CLC Requirements Change2; 3Outside DLZP Control
CLC Resource Availability2; 3Schedule Around Resource Constraints
DLZP Group Resource Availability1DLZP Team Approach Mitigates
Operate
CLC Requirements Change2; 3Upgrade/Maintenance Support
CLC Resource Availability1; 2Schedule Around Resource Constraints
DLZP Group Resource Availability1; 3DLZP Team Approach Mitigates
/opt/bitnami/dokuwiki/data/pages/corpgov/rmf.txt · Last modified: 2021/10/06 21:49 by brian.tharp

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki