Analyze the following with respect to NIST’s approach to managing risk in the organization.
Building information security capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls
Maintaining awareness of the security state of information systems on an ongoing basis through enhanced monitoring processes
Providing essential information to help senior leaders make decisions about accepting risk to an organization’s operations and assets, individuals, and other organizations arising from the use of information systems
Examine the characteristics that are part of the Risk Management Framework (RMF):
Promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring
Encourages the use of automation to provide senior leaders with necessary information to make cost-effective, risk-based decisions about information systems that support an organization’s core missions and business functions
Integrates information security into the enterprise architecture and system development life cycle
Emphasizes the selection, implementation, assessment, and monitoring of security controls and the authorization of information systems
Links risk management processes at the information system level to risk management processes at the organization level through a risk executive function
Establishes responsibility and accountability for security controls deployed within an organization’s information systems and inherited by those systems (i.e., common controls)