... I Page 1 of 13 I... Back 'i

Transcription

1 Lesson 2.1 RM~ Relationship to.?~'s Risk, Issue and Opportunity Management Guide for OoO Acqu1s1t1on Programs Welcome to RMF Relationship to OoO's Risk Management Guide for Acquisition Programs RESOURCES I PRIN T I HELP View CR Submit CR The Risk Management Framework (RMF) is not the only process that req uires us to manage risk throughout a system's life cycle from a security perspective. The Department of Defense (DoD)'s Risk, Issue, and Opportunity Management ( RIOM) Guide for Defense Acquisition Programs requirements should also be considered when addressing cybersecurity life cycle risks. There are steps and phases involved in each process that we will integrate in efforts to truly "bake in security" for our DoD Information Systems ( IS) and Platform Information Technology (PIT) Systems, IT Products, and IT Services.... I Page 1 of 13 I... Back 'i J Next

2 ISA220 Risk Managem ent Framework for Practitio ner s Lesson RM~ Relationship to _D_o;D"s Risk, Issue and Opportunity RESOURCES f PRINT f HELP Welcome to RMF Relationship to DoD's Risk Management Guide for Acquisition Programs, Cont. As system owners, we strive for the alignment and balance in our system(s). Using the RMF process along with the DoD's Risk Management for Acquisition program requirements enables us to manage risk throughout a system's life cycle from a security perspective. Each of these processes includes steps and phases. We will discuss how these processes are integrated in efforts to solidify security requirements into our DoD IT and PIT Systems, IT Products, and IT Services. ~ I P ge2of13 I... Back ii Next

3 Lesson RM~ Relationship to_d_o_o's Risk, Issue and Opportunity Management Guide for DoO Acqms1t1on Programs RESOUR CES I PRINT I HELP Effective Cyber security in DoO Acquisition Programs Effective cybersecurity in DoD acquisit ion programs encompasses all of the actions taken t o ensure t he confidentialit y, integrit y, and availabilit y of system information to enable warfighting operations. Cybersecurity risk managemelilt tasks begin early in the system development life cycle and are important in shaping the secu rity capabilities of the I nformation System (I S). If these t asks are not adequately performed during the initiation, development, and acquisition phases of the system development life cycle, the tasks will, by necessity, be undertaken later in the life cycle a nd will be more costly and time consuming to implement, and could negatively affect the performance of the I S. Cybersecurity risk managemelilt must continue during operations and sustainment. Risk management may include the application of new or rev ised security controls prior t o the integration of new IT services or products into an existing operational I S, in order t o maintain the security of the operational IS. Program Managers bear the responsibilit y of int egrating cybersecurit y, including required resources, int o the system's acquisition life cycle activities. ~ I Page3of13 l... Back Next

4 Lesson RM~ Relationship to_d_o_o s Risk, Issue and Opportunity Risk Management Process for Acquisition Programs Risk management is a cyclical five-step process that provides a useful framework for understanding and dealing with any and all program risks, including cybersecurity. It serves as the overarching risk Risk ~ management process for all DoD acquisition Monitoring~ programs. These risk items include: Risk Planning Risk Identjficatjon Risk Analysjs Risk Handljng Risk Monjtorjng Risk Handling How has the risk changed? Should the risk be accepted, avoided, transferred, or mitigated? Risk Analysis Wtlat are the likelihood and consequence of the risk? Risk Planning What is the program's risk management process? Risk Identificat ion Wtlat can go wrong?... I P ge 4ofl3 I... Back Next

5 Lesson RM~ Relationship to.o.o.o s Risk, Issue and Opportunity Risk Management Process for Acquisition Programs Risk management is a cyclical five-step process that provides a useful framework for understanding and dealing with any and all program risks, including cybersecurity. It serves as the overarching risk management process for all DoD acquisition programs. These risk items include: Risk !;M;lloll.lli~~... Long Descript ion ~ Risk Planning Mo ni toring~ What is 1he program's risk Risk Planning Risk Identificati The risk management process is a five-step process. Risk Analysis With communication and feedback, the process can flow from one risk Risk Handling item to another. Important questions are asked at each risk item. Risk Monitoring These risk items and questions are: Risk Planning: What is the program's risk management process? Risk Identification: What can go wrong? Risk Analysis: What are the likelihood and consequence of the risk? Risk Handling: Should the risk be accepted, avoided, transferred, or mitigated? Risk Monitoring: How has the risk changed? Risk tification at can go vrong? likelihood and consequence of the risk?... I Page4of13 I... Back Next

6 Lesson RM~ Relationship to_d_o_o s Risk, Issue and Opportunity Risk Management Process for Acquisition Programs Risk management is a cyclical five-step process that provides a useful framework for understanding and dealing with any and all program risks, including cybersecurity. It serves as the overarching risk Risk ~ management process for all DoD acquisition Monitoring~ programs. These risk items include: Risk Planning Risk Identjficatjon Risk Analysjs Risk Handljng Risk Monjtorjng Risk Planning is developing and Risk Handling How has the risk changed? documenting organized, Should the risk be comprehensive, and interactive accepted, avoided, strategies and methods for transferred, or identifying risks. What is the program's risk management process? mitigated? Risk Analysis Wtlat are the likelihood and consequence of the risk? Risk Planning What is the program's risk management process? Risk Identification Wtlat can go wrong?... I P ge 4ofl3 I... Back Next

7 Lesson RM~ Relationship to_d_o_o s Risk, Issue and Opportunity Risk Management Process for Acquisition Programs Risk management is a cyclical five-step process that provides a useful framework for understanding and dealing with any and all program risks, including cybersecurity. It serves as the overarching risk Risk ~ management process for all DoD acquisition Monitoring~ programs. These risk items include: Risk Planning Risk Identjficatjon Risk Analysjs Risk Handljng Risk Monjtorjng Risk Identification is discovering, Risk Handling How has the risk changed? defining, describing, documenting Should the risk be accepted, avoided, transferred, or adversely affect a project. mitigated? and communicating risks before they become problems and What can go wrong? Risk Analysis Wtlat are the likelihood and consequence of the risk? Risk Planning What is the program's risk management process? Risk Identification Wtlat can go wrong?... I P ge 4ofl3 I... Back Next

8 Lesson RM~ Relationship to_d_o_o s Risk, Issue and Opportunity Risk Management Process for Acquisition Programs Risk management is a cyclical five-step process that provides a useful framework for understanding and dealing with any and all program risks, including cybersecurity. It serves as the overarching risk Risk ~ management process for all DoD acquisition Monitoring~ programs. These risk items include: Risk Planning Risk Identjficatjon Risk Analysjs Risk Handljng Risk Monjtorjng Risk Analysis is to assess all the Risk Handling How ha sthe risk changed? risks identified during the Should the risk be accepted, avoided, determine their likelihood of transferred, or mitigated? Identification step in order to occurrence and most probable impac t. Risk Analysis What are the likelihood and consequence of the risk? Wtlat are the likelihood and consequence of the risk? Risk Planning What is the program's risk management process? Risk Identification Wtlat can go wrong?... I P ge 4ofl3 I... Back Next

9 Lesson RM~ Relationship to_d_o_o s Risk, Issue and Opportunity Risk Management Process for Acquisition Programs Risk management is a cyclical five-step process that provides a useful framework for understanding and dealing with any and all program risks, including cybersecurity. It serves as the overarching risk Risk ~ Risk Planning management process for all DoD acquisition M onitoring~ What is the programs. These risk items include: How has the risk program's risk management changed? Risk Planning Risk Identjficatjon Risk Analysjs Risk Handljng Risk Monjtorjng Risk Handling is the methodology Risk Handling used by the DoD to handle risk as part of the DoD Risk, Issue and Opportunity Management Process. Four options are recognized by the DoD for handling risks. These include: Risk Acceptance, Risk Should the risk be accepted, avoided, transferred, or mitigated? Risk Analysis Avoidance, Risk Transfer, and Risk Wtlat are the Mitigation. likelihood and Should the risk be accepted, avoided, transferred, or mitigated? consequence of the risk? process? Risk Identification Wtlat can go wrong?... I P ge 4ofl3 I... Back Next

10 Lesson RM~ Relationship to_d_o_o s Risk, Issue and Opportunity Risk Management Process for Acquisition Programs Risk management is a cyclical five-step process that provides a useful framework for understanding and dealing with any and all program risks, including cybersecurity. It serves as the overarching risk Risk ~ Risk Planning management process for all DoD acquisition Monitoring~ What is the programs. These risk items include: How has the risk program's risk Risk Planning Risk Identjficatjon Risk Analysjs Risk Handljng Risk Monjtorjng Risk Handling changed? management process? Risk Monitoring is the process that Identification systematically tracks and evaluates Should the risk be the effectiveness of risk-handling accepted, avoided, actions against established metrics. transferred, or Monitoring results may also provide mitigated? a basis for developing additional handling options and identifying new Risk Analysis risks. likelihood and Wtlat are the How has the risk changed? consequence of the risk? Risk Wtlat can go wrong?... I P ge 4 ofl3 I... Back Next

11 Lesson RM~ Relationship to_d_o_o s Risk, Issue and Opportunity Risk Planning Risk Planning involves developing and documenting organized, comprehensive, and interactive strategies and methods for identifying risks. It is also used for perfonning risk assessments to establish risk handling priorities, developing risk handling plans, monitoring the status of risk handling actions, detennining and obtaining the resources to implemen t the risk management strategies. Important question to ask: What can go wrong?... I P ge Sof l J Back

12 Lesson RM~ Relationship to_d_o_d's Risk, Issue and Opportunity Risk Identification Risk Identification includes discovering, defining, describing, documenting and communicating risks before they become problems and adversely affect a proj ect. Accurate and complete risk identification is vital for effective risk management. I n order t o manage risks effectively, they must first be identified. The important aspect of risk identification is to capture as many risks as possible. During the risk identification process,.all possible risks should be submitt ed. Not all risks will be acted upon. Once more details are known about each risk, the decision will be made by the proj ect members as t o the handling of each risk. There are various t echniques that can be used for risk identification. Useful techniques include brainstorming methods as well as systematic inspections and process analysis. Regardless of the technique used, it is essential t o include key functional area personnel t o ensu re no risks go undiscovered. Important question to ask: ' What is the program's risk management process? "AU... I Page6oft3 I... Back Next

13 Lesson RM~ Relationship to_d_o_o s Risk, Issue and Opportunity Risk Analysis Risk analysis provides an estimate of each risk's likelihood and consequence, as well as the resulting risk level in order to more effectively manage risks and prioritize risk handling efforts. Likelihood is the evaluated probability an event will occur given existing conditions. The estimated likelihood of the risk must be tied to a well-defined risk event or condition, and risk statement. Important questions to ask: How big is the risk? What is the likelihood and consequence of the risk?... I P ge7ofl3 I... Back Next

14 Lesson RM~ Relationship to_d_o_o s Risk, Issue and Opportunity Risk Handling Risk Handling is the methodology used by the DoD to handle risk as part of the DoD Risk, Issue, and Opportunity Management Process. The DoD recognizes four options for handling risks: Risk Acceotance Risk Ayojdance Risk Transfer Risk Mi tjgatjon Important question to ask: Should the risk be accepted, avoided, transferred, or m itigated?... I P ge8ofl3 I... Back

15 Lesson RM~ Relationship to.o.o.o s Risk, Issue and Opportunity Risk Handling Risk Handling is the methodology used by the DoD to handle risk as part of the DoD Risk, Issue, and Opportunity Management Process. The DoD recognizes four options for handling risks: Risk Acceptance Risk Avoidance Risk Transfer Risk Mitigation Risk Accept ance A risk management method used in the business or investment field. Accepting risk occurs when the cost of managing a certain type of risk is accepted, because the risk involved is not adequate to warrant the added cost it will take to avoid it. Important question to""" ~ Should the risk be accepted, avoided, transferred, or mitigated?... I Page8of 13 I... Back Next

16 Lesson RM~ Relationship to.o.o.o s Risk, Issue and Opportunity Risk Handling Risk Handling is the methodology used by the DoD to handle risk as part of the DoD Risk, Issue, and Opportunity Management Process. The DoD recognizes four options for handling risks: Risk Acceptance Risk Avoidance Risk Transfer Risk Mitigation Risk Avoidance Risk avoidance is the elimination of hazards, activities and exposures that can negatively affect an organization's assets. Whereas risk management aims to control the damages and financial consequences of threatening events, risk avoidance seeks to avoid Important question to compromising events entirely. Should the risk be accepted, avoided, transferred, or mitigated?... I Page8of 13 I... Back Next

17 Lesson RM~ Relationship to.o.o.o s Risk, Issue and Opportunity Risk Handling Risk Handling is the methodology used by the DoD to handle risk as part of the DoD Risk, Issue, and Opportunity Management Process. The DoD recognizes four options for handling risks: Risk Acceptance Risk Avoidance Risk Transfer Risk Mitigation Risk Transfer Risk transfer is a risk management and control strategy that involves the contractual shifting of a pure risk from one party to another. One example is the purchase of an insurance policy, by which a specified risk of loss is passed from the policyholder to the insurer. Important question to """ ~ Should the risk be accepted, avoided, transferred, or mitigated?... I Page8of13 I... Back Next

18 Lesson RM~ Relationship to.o.o.o s Risk, Issue and Opportunity Risk Handling Risk Handling is the methodology used by the DoD to handle risk as part of the DoD Risk, Issue, and Opportunity Management Process. The DoD recognizes four options for handling risks: Risk Acceptance Risk Avoidance Risk Transfer Risk Mitigation Risk Mit igat ion Develop a high-level mitigation strategy. This is an overall approach to reduce the risk impact severity and/ or probability of occurrence. It could affect a number of risks and include, for example, increasing staffing or reducing scope. Important question to """ ~ Should the risk be accepted, avoided, transferred, or mitigated?... I Page8of13 I... Back Next

19 Lesson RM~ Relationship to_d_o_o s Risk, Issue and Opportunity Risk Monitoring Risk Monitoring is a continuous process to systematically track and evaluate the performance of risk handling plans against established metrics throughout the acquisition process. Risk monitoring is performed as part of technical reviews. Important question to ask: How has the risk changed? Paige 0 ofl3 I ~ Back Next

20 Lesson RM~ Relationship to.o.o.o s Risk, Issue and Opportunity Aligning the RIOM Guide with the DoD RM F The 6 steps within the RMF align to the 5 phases of Risk, Issue, and Opportunity Management (RIOM ) at various stages of DoD IT life cycle. Elements of Risk Identification are aligned with RMF Steps 1, 2, and 3 and elements of Risk Analysis are aligned with RMF Steps 4 and 5. Communication and feedback are critical throughout these iterative processes for successful integration of processes. The assessment of risks drives risk response and may influence security control implementation and adjustment, while highlighting a need to continuously monitor the security state of information systems. Risk Management is an iterative, cyclical process and supports the acquisition life cycle's incremental build model to align testing, production, and other similar and complimenting processes. Please select the image to enlarge the alignment process. ~... M()N!JOll s-..;ty ''"""' ~ ''""' ,._ \ MJlltOftlll... I Page 10of 13 I... Back Next

21 Lesson RM~ Relationship to_d_o_o s Risk, Issue and Opportunity Aligning the RJOM Guide with the DoD RMF Step6 MONITOR Security Controls Step s AUTHORIZE System Step4 ASSESS Security Controls Risk Monitoring Risk Planning What is tm How has the risk pr01fam's risk changed? man.agtmt-nt I \ Risk Handling process? Risk Should tht risk bit Identification accep1ed. avoided, t~.or mitigated? Whatungo,.,_? Step3 IMPLEMENT Security Controls Step2 SELECT Security Controls Risk Analysis What 1r lhe Stepl CATEGORIZE,, ttet1hood and System const<iuence of the tis.k?... I P ge10ofl3 I... Back Next

22 Lesson RM~ Relationship to.o.o.o s Risk, Issue and Opportunity Aligning the RIOM Guide with the DoD RMF T he 6 steps within the RMF align to the 5 phases of Risk, Issue, and Opportunity Management (RIOM ) at various stages of DoD IT life cycle. Elements of Risk Identification are aligned with RMF Steps 1, 2, and 3 and elements of Risk Analysis are aligned with RMF Steps 4 and 5. Communication and feedback are critical throughout these iterative processes for successful integration of processes. The assessment of risks drives risk response and may influence security control implementatio onitor the security state of info Long Description Risk Management is a The 6 steps within the RMF align to the 5 phases of Risk, incremental build mo Issue, and Opportunity Management (RIOM ) at various stages of DoD IT life cycle. Elements of Risk Identification Please select the ima and Risk Analysis for Acquisition Programs are included in RMF Step 1 and elements of Risk Analysis and Risk Handling are included in RMF Steps 2 through ''""'.,._ \ MJlltOftlll ycle's nting processes.... I Page10of 13 I... Back Next

23 Lesson RM~ Relationship to_d_o_o s Risk, Issue and Opportunity Knowledge Review 1 True or False. Like the Risk Management Framework {RMF), DoD Risk, Issue, and Opportunity Management {RIOM) Guide for Defense Acquisition Programs is a six step cyclical process. True ~ False Check Answ er The Risk Management Process for DoD Acquisition Programs is a five step cyclical process.... I P ge11ofl3 I... Back Next

24 Lesson RM~ Relationship to_d_o_d"s Risk, Issue and Opportunity Knowledge Review 2 Which processes are used to determine how to manage risk within the Department of Defense (DoD) Risk, Issue, and Opportunity Management {RIOM) Guide for Defense Acquisition Programs? Risk Planning LJ Risk Monitoring Risk Avoidance ~ All of the Above Check Answ er Risk Planning, Risk Monitoring, and Risk Avoidance are processes used to determine how to manage risk within the Department of Defense {DoD) Risk, Issue, and Opportunity Management {RIOM) Guide for Defense Acquisition Programs.... I P ge12ofl3 I... Back Next

25 Lesson RM~ Relationship to_d_o_o s Risk, Issue and Opportunity Lesson Completion You have completed the content for this lesson. To continue, select another lesson from the Table of Contents on the left. If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.... I P ge13ofl3 I... Back Next