Instructions
The Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy document (NIST SP 800-37) describes the Risk Management Framework (RMF) and provides guidelines for applying the RMF to information systems and organizations. According to the SP 800-37 abstract, the RMF provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. In this assignment, you will learn about NIST's recommendations for organization-wide risk management. While the NIST guidelines are not mandatory for organizations in the private sector, many cybersecurity professionals rely on the NIST guidance as a set of best practices for maintaining cybersecurity.
For this assignment, you will explore NIST SP 800-37 and analyze how some of its critical components can help in the preparation of a risk management plan. Put together a report by finishing all the following tasks.
1. Navigate to page 6 and read the opening paragraphs of Section 2.1. Explain Figure 1: Organization-wide Risk Management Approach.
2. Navigate to page 7 and continue reading the Section 2.1 paragraphs about preparing the organization for RMF execution. Briefly explain two of the items from the preparation list.
3. Navigate to page 8 and continue reading the Section 2.1 paragraphs about risk decisions. Provide a reason why you think the risk decisions at Levels 1 and 2 can impact the selection and implementation of controls at the System level.
4. Navigate to pages 8 and 9 and read the opening paragraphs of Section 2.2. Summarize Figure 2: Risk Management Framework.
5. Navigate to page 76 and read Section 3.7 about the Monitor step.
6. Briefly explain why the Monitor step is needed. Provide two examples of what the Monitor step should cover.
Note: Appendix E of SP 800-37 provides summary tables for the seven steps of the Risk Management Framework. These tables summarize tasks, responsibilities, and roles for each step.
7. Navigate to page 126 and review Table E-1.
8. Select one of the 18 preparation tasks and briefly explain that specific task.
9. Review the corresponding primary responsibility field for the task that you selected in the previous step.
10. Select one associated title (for example, Head of Agency, Authorizing Official, Business Owner) and identify at least two of their main duties related to the task you selected.
11. Repeat step 9 for the supporting roles field.
12. Select one associated title and identify at least two of their main duties related to the task you selected.