This is from the NIST SP 800-37 Risk Management Framework (RMF). It is the federal government's version of governance, risk, and compliance (GRC).
Risk Management is being aware of and taking actions to prepare for probable unfavorable outcomes.
The Risk Management Framework (RMF) is the process used to implement risk management in an organization.
There are (6) steps to the RMF:
1. Categorize the information system
2. Select security controls
3. Implement security controls
4. Assess security controls
5. Authorize the information system
6. Continuous Monitoring
(NIST SP 800-37 Rev. 2, published in 2018, adds a Prepare step ahead of Categorize, bringing the count to seven.)
More on the Risk Management Framework Steps here:
The Federal Communications Commission (FCC) Communications Security, Reliability and Interoperability Council (CSRIC) developed a Cybersecurity Risk Management and Best Practices Final Report dated March 2015.
The 400-page document discusses voluntary mechanisms that give the FCC and the public assurance that communications providers are taking the necessary measures to manage cybersecurity risk across the 5 major segments of communications: broadcasting, satellite, cable, wireless and wireline.
The document also details implementation guidance to help communications providers adopt the NIST Cybersecurity Framework. The NIST Cybersecurity Framework was created to satisfy the President's Executive Order 13636 – Improving Critical Infrastructure Cybersecurity.
Each of the 5 major segments of FCC-regulated communications (broadcasting, satellite, cable, wireless and wireline) has been treated as critical infrastructure and evaluated against the NIST Cybersecurity Framework.
The segment and feeder subgroup findings and the resulting NIST Cybersecurity Framework implementation guidance are contained in the appendices to that report. – more info here
Risk management principles can be found in ISO 31000:2009, Risk management – Principles and guidelines, and its companion guides: ISO Guide 73:2009, Risk management – Vocabulary, which is a collection of definitions relevant to the management of risk, and ISO/IEC 31010:2009, Risk management – Risk assessment techniques, which focuses on the techniques for assessing risk.
Other documents with risk management principles include NIST SP 800-39 (Managing Information Security Risk) and NIST SP 800-30 (Guide for Conducting Risk Assessments).
The principles of risk management center on looking at corporate risk. What is the risk to the bottom line of the organization, whether that bottom line is money, reputation, a mission, or a process? How will the organization address risk from the top down? Risk is addressed at every level of the organization, from the very top to the bottom. NIST SP 800-39 breaks this down into three tiers: Tier 1 is the organization, Tier 2 is the mission and business processes, and Tier 3 is the individual information systems.
To address actual risk, an organization must be able to estimate the likelihood of a harmful event (a threat) exploiting a vulnerability in an asset, and the impact if it does.
IT Risk = ((Vulnerability * Threat) / Countermeasure) * Asset Value at Risk
In this formula Countermeasure is an effectiveness factor on a scale where 1 means no control is in place; a larger value divides the risk down. The formula is a relative scoring model, not a precise measurement, so every input must be expressed on the same agreed scale or the rankings it produces are meaningless.
An organization that uses a quantitative approach to analyzing and managing the risk to its resources must identify the threat, the asset, the vulnerability, and the countermeasures (security controls) protecting the asset. It must also determine the level of impact the organization would suffer if the harmful event occurs. All of this is established by doing risk assessments, for which NIST SP 800-30 is the guide.
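The following is an added worked example of the risk formula above, applied to a small risk register; it is not code from the original page or from NIST. The asset names, the 1 to 5 scales for vulnerability and threat, the countermeasure scale (1 = no control), and the dollar values are all constructed assumptions for illustration. The one practical check it adds is rejecting a countermeasure value below 1, because the formula as written divides by Countermeasure and a value of 0 (a tempting way to record "no control") would either crash or produce infinite risk.

```python
"""Worked example: scoring and ranking a risk register with
IT Risk = ((Vulnerability * Threat) / Countermeasure) * Asset Value at Risk

All scales below are assumptions chosen for the example (not from the page):
  vulnerability, threat   : 1 (low) .. 5 (high)
  countermeasure          : 1 means no control in place; 2 halves the risk, 4 quarters it
  asset_value_at_risk     : dollars (any consistent unit works)
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskItem:
    asset: str
    vulnerability: float
    threat: float
    countermeasure: float
    asset_value_at_risk: float


def risk_score(item: RiskItem) -> float:
    """Apply the page's formula to one asset.

    A countermeasure below 1 is rejected: 0 would divide by zero, and a value
    between 0 and 1 would *increase* risk, which the model does not intend.
    """
    if item.countermeasure < 1:
        raise ValueError(
            f"{item.asset}: countermeasure must be >= 1 (1 = no control), "
            f"got {item.countermeasure}"
        )
    exposure = (item.vulnerability * item.threat) / item.countermeasure
    return exposure * item.asset_value_at_risk


def rank_risks(items: list[RiskItem]) -> list[tuple[str, float]]:
    """Return (asset, score) pairs, highest risk first, so the assessment
    output can drive the order in which controls are selected."""
    scored = [(i.asset, risk_score(i)) for i in items]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def risk_reduction(item: RiskItem, new_countermeasure: float) -> float:
    """How much risk (in asset-value units) a stronger countermeasure removes.
    Useful for comparing candidate controls before selecting one."""
    before = risk_score(item)
    after = risk_score(
        RiskItem(item.asset, item.vulnerability, item.threat,
                 new_countermeasure, item.asset_value_at_risk)
    )
    return before - after


# Constructed register (hypothetical assets and values for the example).
REGISTER = [
    RiskItem("Customer database", vulnerability=4, threat=5,
             countermeasure=1, asset_value_at_risk=1_000_000),
    RiskItem("Public web server", vulnerability=5, threat=5,
             countermeasure=5, asset_value_at_risk=200_000),
    RiskItem("Internal wiki", vulnerability=3, threat=2,
             countermeasure=2, asset_value_at_risk=50_000),
]

if __name__ == "__main__":
    for asset, score in rank_risks(REGISTER):
        print(f"{asset:20s} {score:>14,.0f}")
    db = REGISTER[0]
    print(f"Raising the database countermeasure from 1 to 4 removes "
          f"{risk_reduction(db, 4):,.0f} of risk")
```

Note that the unprotected customer database outranks the heavily attacked web server even though the web server has the worse vulnerability and threat ratings: the countermeasure divisor and the asset value dominate, which is exactly the point of scoring rather than guessing.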