
Risk Management – Final Project

Russell A. Findley 

Masters of Science in Cyber Security Operations and Leadership, University of San Diego 

 CSOL-530-02-SP21 – Cyber Security Risk Management

Professor Dorian Pappas 

March 1, 2021

Contents
Introduction............................................................................................................................................................3
Elements of Confidentiality, Integrity, Availability (CIA) Triad.......................................................................3
Categorization........................................................................................................................................................4
Select Controls.......................................................................................................................................................4
Implementation......................................................................................................................................................5
Assessment..............................................................................................................................................................5
Authorization.........................................................................................................................................................6
Monitoring..............................................................................................................................................................7
Appendix.................................................................................................................................................................9
Table 1.................................................................................................................................................................9
Table 2...............................................................................................................................................................10
Table 3...............................................................................................................................................................11
Table 4...............................................................................................................................................................12
Table 5...............................................................................................................................................................14
Table 6...............................................................................................................................................................14
References.............................................................................................................................................................15

Introduction

The purpose of creating this white paper is to inform our senior leadership, partners, and board about the risk management program we created to protect our messaging platform, which maintains all of our customers' communications. As a communication platform leader, we know customers have lots of choices, but we must maintain a secure environment to stay ahead of our competitors. Creating a risk management program gives us the ability to evaluate physical and non-physical security controls, assess the controls to identify weaknesses, and provide a risk rating on where we need to focus our efforts. A risk management program must be at the center of an organization's Information Security program, protecting sensitive and critical data (Lang, 2019). The National Institute of Standards and Technology (NIST) created a risk management framework whereby organizations can follow a set of processes to identify and track a company's cybersecurity risk. NIST's risk management framework consists of six major categories:

• Categorize – Categorize information transmitted or stored based on impact level.
• Select – Tailor security controls for the system.
• Implement – Deploy the controls.
• Assess – Determine if controls are working correctly.
• Authorize – Determine if the organization is willing to accept the risks.
• Monitor – Ensure controls work correctly over time.

Figure 1 - (Hester, 2016)

Elements of Confidentiality, Integrity, Availability (CIA) Triad

Security and privacy are a byproduct of Confidentiality, Integrity, and Availability (CIA) measures. "The need for the CIA triad is essential in cybersecurity as it helps in avoiding compliance issues, ensures business continuity, provides vital security features, and prevents reputational damage to the organization" (Desai, 2020, para. 3). It is essential to use all three CIA elements when considering securing an organization.

• CONFIDENTIALITY – ensures access to data is limited to authorized individuals, processes, and those who require it.
• INTEGRITY – Integrity ensures the reliability of data and that it hasn't been tampered with illegitimately.
• AVAILABILITY – Availability ensures reliable access to data for authorized users.

(Buckbee, 2020)

Categorization

Our company takes messaging and the privacy of our customer data seriously. Our platform stores and transmits Personally Identifiable Information (PII) records for our customers. The information stored in the platform resides in databases, servers, backups, and data centers. We understand that a data breach would compromise the firm's image and result in the loss of customers. The first step in the National Institute of Standards and Technology's Risk Management Framework is categorizing the threats and vulnerabilities to the type of information stored or transmitted. Next, we identify the impact of the threats on the organization. According to FIPS Publication 199, Security Categorization identifies the potential impact a threat has on an organization should an event occur. The following is a categorization of two information types, Information Management and Customer Sensitive Data. Impact levels are referenced in Table 1 of the appendix.

SC information management = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, MODERATE)}

SC customer sensitive data = {(confidentiality, HIGH), (integrity, HIGH), (availability, MODERATE)}
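As an added illustration (not part of the original paper), the following Python code applies the FIPS 199 notation above together with the high-water mark rule from FIPS 200: for each security objective the system inherits the highest impact level of any information type it handles, and the overall system impact is the highest of those. The information types and levels are the two given above; the function names are this example's own.

```python
"""FIPS 199 security categorization with the FIPS 200 high-water mark rule.

Added example: derives per-objective and overall system impact from the
information types categorized in the paper.
"""

# Impact levels in FIPS 199 order, lowest to highest.
LEVELS = ("LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")

# The two information types categorized above, written out as a dict.
INFORMATION_TYPES = {
    "information management": {
        "confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "MODERATE"},
    "customer sensitive data": {
        "confidentiality": "HIGH", "integrity": "HIGH", "availability": "MODERATE"},
}


def high_water_mark(levels):
    """Highest FIPS 199 impact level among `levels` (the FIPS 200 high-water mark)."""
    levels = list(levels)
    for level in levels:
        if level not in LEVELS:
            raise ValueError(f"unknown impact level: {level!r}")
    return max(levels, key=LEVELS.index)


def security_category(name, impacts):
    """Render one information type in the SC notation used in the paper."""
    for objective in OBJECTIVES:
        if impacts.get(objective) not in LEVELS:
            raise ValueError(f"{name}: missing or unknown level for {objective}")
    pairs = ", ".join(f"({objective}, {impacts[objective]})" for objective in OBJECTIVES)
    return f"SC {name} = {{{pairs}}}"


def system_category(info_types):
    """Per-objective impact for the whole system: high-water mark across all information types."""
    return {
        objective: high_water_mark(impacts[objective] for impacts in info_types.values())
        for objective in OBJECTIVES
    }


def overall_impact(info_types):
    """Overall system impact level: high-water mark across the three objectives."""
    return high_water_mark(system_category(info_types).values())


if __name__ == "__main__":
    for name, impacts in INFORMATION_TYPES.items():
        print(security_category(name, impacts))
    print("system:", system_category(INFORMATION_TYPES))
    print("overall system impact:", overall_impact(INFORMATION_TYPES))
```

With the two information types above, every objective except availability resolves to HIGH, so the messaging platform as a whole is a HIGH-impact system and must be controlled as such even though its availability requirement is only MODERATE.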

Select Controls

The second step in the Risk Management Framework is selecting the appropriate controls to match the Categorize phase's impact levels. Using the National Institute of Standards and Technology's 800-53 publication on security and privacy controls, we can select appropriate controls that match our impact levels (MODERATE & HIGH). There are 256 controls in the NIST 800-53 publication and even more subcontrols, which means organizations should select the controls that provide the most significant impact. I recommend the following when selecting a control:

1. Understand your organization's business objectives.
2. Select the controls which provide the most significant impact against the threats and vulnerabilities.
3. Identify which Cybersecurity function best addresses the threat (Identify, Protect, Detect, Respond, Recover).

Reference Table 2 for a list of controls selected to protect our communication platform and customers' data.

Implementation

The Implementation Phase of the Risk Management Framework uses the controls selected in the previous step to implement and create a baseline for security and privacy (CITE). Our organization's communication platform is hosted in a data center, managed by our technology team(s). The information stored on disks is accessed through a Privileged Access Management tool, and Active Directory is used to create, update, and maintain account permissions. Security events from our database platform are stored locally, then log shipped to external systems regularly. Due to our organization's sensitive information, we are subject to compliance regulations, such as the California Consumer Privacy Act (CCPA). The Security Operations teams prefer additional penetration testing to stay abreast of potential vulnerabilities and risks. Refer to Table 3 for further details on the implementation of the controls.

Assessment

The fourth step in the NIST Risk Management Framework is performing an Assessment. The Assessment phase is essential to our organization's Cybersecurity programs because it validates that the work performed in previous steps is working correctly. There are two steps in the Assessment phase, Identification and Determination: identifying the threats to the organization and determining the likelihood of the threats negatively impacting our company. The National Institute of Standards and Technology SP 800-30 publication recommends using a Security Assessment Report to assess the controls. The following are the topics that the risk assessment should contain (Gallagher, 2012).

• Identify the threats to the organization.
• Identify exploitable vulnerabilities that the identified threats can expose.
• Determine the likelihood the threat will be successfully executed.
• Determine the level of adverse impacts to the organization.
• Determine the information security risk rating to the organization.

Reference Table 4 in the Appendix to view the Security Assessment Report.
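To show how the likelihood and impact determinations listed above combine into the risk rating carried in the Security Assessment Report, the following is an added Python example, not code from the paper or from SP 800-30. The three-level risk matrix is a constructed simplification (SP 800-30 itself uses a five-level scale); the rows are taken from Table 4 so that the computed ratings can be compared with the recorded ones, and the register is ordered so the highest-rated controls lead the POA&M.

```python
"""Risk ratings for a Security Assessment Report, SP 800-30 style.

Added example: risk is derived from likelihood and impact through a
qualitative matrix, the register is ordered highest risk first, and any
recorded rating that disagrees with the matrix is flagged for justification.
"""
from collections import Counter

LEVELS = ("Low", "Moderate", "High")

# Constructed three-level matrix: RISK_MATRIX[likelihood][impact] -> risk.
# This is an assumption of the example, not a table from the paper.
RISK_MATRIX = {
    "Low":      {"Low": "Low",      "Moderate": "Moderate", "High": "Moderate"},
    "Moderate": {"Low": "Low",      "Moderate": "Moderate", "High": "High"},
    "High":     {"Low": "Moderate", "Moderate": "High",     "High": "High"},
}

# (control id, name, likelihood, impact, recorded risk) as listed in Table 4.
SAR_ROWS = [
    ("AC-2", "Account Management", "High", "High", "High"),
    ("AC-3", "Access Enforcement", "High", "High", "High"),
    ("AU-2", "Event Logging", "Low", "Moderate", "Moderate"),
    ("AU-8", "Time Stamps", "Low", "Moderate", "Moderate"),
    ("CA-7", "Continuous Monitoring", "Moderate", "Moderate", "Moderate"),
    ("CA-8", "Penetration Testing", "High", "High", "High"),
    ("CM-6", "Configuration Settings", "High", "High", "High"),
]


def rate_risk(likelihood, impact):
    """Look up the qualitative risk level for a likelihood/impact pair."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"unknown level: {likelihood!r}/{impact!r}")
    return RISK_MATRIX[likelihood][impact]


def build_register(rows):
    """Return the SAR rows as dicts with a computed rating, highest risk first."""
    register = []
    for control_id, name, likelihood, impact, recorded in rows:
        register.append({
            "control_id": control_id, "name": name,
            "likelihood": likelihood, "impact": impact,
            "recorded_risk": recorded,
            "computed_risk": rate_risk(likelihood, impact),
        })
    # Python's sort is stable, so controls with equal risk keep their Table 4 order.
    register.sort(key=lambda r: LEVELS.index(r["computed_risk"]), reverse=True)
    return register


def rating_mismatches(register):
    """Control ids whose recorded rating differs from the matrix result.

    Each of these needs a documented assessor justification before the
    package goes to the Authorizing Official.
    """
    return [r["control_id"] for r in register if r["recorded_risk"] != r["computed_risk"]]


def risk_summary(register):
    """Number of controls at each computed risk level, e.g. {'High': 4, 'Moderate': 3}."""
    return dict(Counter(r["computed_risk"] for r in register))


if __name__ == "__main__":
    reg = build_register(SAR_ROWS)
    for r in reg:
        print(f"{r['control_id']:5} {r['name']:23} L={r['likelihood']:8} "
              f"I={r['impact']:8} risk={r['computed_risk']}")
    print("summary:", risk_summary(reg))
    print("needs justification:", rating_mismatches(reg) or "none")
```

Keeping the matrix explicit in code rather than in the assessor's head is what makes the rating repeatable: when the matrix changes, every row is re-rated the same way, and overrides become visible rather than silent.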

Authorization

The fifth step in the National Institute of Standards and Technology (NIST) Risk Management Framework is authorization. In this step, we hold senior management accountable for the Security Assessment Report (SAR) findings. An authorization package is created and presented to the Authorization Officer (AO) for approval in the form of a Plan of Action and Milestone (POA&M). See Table 5.

The authorization package helps to determine the decision to authorize. The package includes the type of information, risk to operations and the enterprise, vulnerabilities, and mitigation steps. There are three types of authorizations considered for the labor planning and Time Management systems (USD, 2019).

1. Authorization to Operate (ATO) – An ATO means there are no high or very high risks, and there is a determined mitigation strategy with acceptable timelines.
2. Interim Approval to Test – Permission is granted to test in an environment with live data.
3. Denial of Authorization to Operate – If the risk is unacceptable, the request will be denied.

Monitoring

The continuous monitoring of controls is the last step in the Risk Management Framework and perhaps the most important to ensure a cybersecurity program's long-term success. The implementation of controls is a static activity and doesn't consider the dynamic nature of our environment. We perform upgrades, replace software and hardware, and experience changes within the organization, changes to cybersecurity best practices, etc. To protect our infrastructure and our customers' sensitive data, we must implement continuous monitoring of our environment's differences and their impact on the selected controls.

There are different methods to ensure the success of Continuous Monitoring. Due to our organization's dynamic nature, we will rely on a combination of automation and checklists. Both ways can be successful if implemented correctly. I recommend using the Security Content Automation Protocol (SCAP) and a configuration management solution, which will automatically validate an asset's "installation of patches, checking system security configuration settings, and examining systems for signs of compromise" (Johnson et al., 2011).
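The following added Python example (not SCAP itself, and not code from the paper) illustrates the configuration-settings check that such automation performs: a host's observed settings are compared against an approved baseline, and each deviation is reported together with the control it weakens, so the drift can be tracked under CM-6 and the affected control re-assessed. The baseline setting names, their values, and the sample export are all constructed for this example.

```python
"""Configuration-settings drift check (CM-6) for continuous monitoring.

Added example: compares an observed host configuration export against an
approved baseline and reports every deviation with the control it affects.
"""

# Constructed baseline: setting -> (expected value, control it supports).
# Setting names are illustrative and not taken from the paper.
BASELINE = {
    "password_max_age_days": ("90", "AC-2"),
    "audit_logging": ("enabled", "AU-2"),
    "ntp_server": ("time.internal.example", "AU-8"),
    "remote_root_login": ("disabled", "AC-3"),
}

# Constructed observed configuration, as a tool might export it (key=value).
OBSERVED_EXPORT = """\
# exported host settings (constructed sample)
password_max_age_days=180
audit_logging=enabled
ntp_server=time.internal.example
remote_root_login = enabled
local_debug_shell=enabled
"""


def parse_export(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {raw!r}")
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def find_drift(observed, baseline):
    """Return findings as (setting, control, expected, actual) tuples.

    A baseline setting that is absent from the host is reported with
    actual=None. A setting present on the host but not in the baseline is
    reported against CM-6 with expected=None, so it is reviewed and either
    documented into the baseline or removed.
    """
    findings = []
    for setting, (expected, control) in baseline.items():
        actual = observed.get(setting)
        if actual != expected:
            findings.append((setting, control, expected, actual))
    for setting in sorted(set(observed) - set(baseline)):
        findings.append((setting, "CM-6", None, observed[setting]))
    return findings


def check_host(export_text, baseline=BASELINE):
    """Parse an export and return its drift findings against the baseline."""
    return find_drift(parse_export(export_text), baseline)


if __name__ == "__main__":
    for setting, control, expected, actual in check_host(OBSERVED_EXPORT):
        print(f"[{control}] {setting}: expected={expected!r} actual={actual!r}")
```

Mapping each baseline setting to the control it supports is what turns a configuration diff into monitoring evidence: the report tells the assessor which controls in Table 3 need re-validation, not just which keys changed.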

Changes to Personnel

Our communications platform's infrastructure consists of servers running both Windows and Linux and commercially and internally developed software. This also means more than one team is responsible for the day-to-day administration of the environment, e.g., front-end developers, database and platform administrators, and backup operators. Having multiple teams also means changes to our personnel due to promotions, terminations, and staffing augmentation. Because all of these teams have access both to the environment that houses our customer data and to the data itself, we must provide ongoing monitoring of account access and management controls. Reference Table 6.
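An added Python example of the account-access monitoring described above, not code from the paper: the HR roster is treated as the single source of truth and reconciled against a directory export to surface accounts that remain enabled after termination, accounts with no HR record (the local or orphaned accounts named as the AC-2 threat in Table 4), and group memberships that exceed what the role is approved for under the least-privilege and RBAC checks in Table 6. All names, identifiers, and the role-to-group mapping are constructed.

```python
"""Account-management reconciliation (AC-2, least privilege) for continuous monitoring.

Added example: the HR roster is the source of truth; a directory export is
checked against it for lifecycle and privilege findings.
"""

# Constructed HR roster: employee id -> (status, role).
HR_ROSTER = {
    "e1001": ("active", "dba"),
    "e1002": ("terminated", "frontend-dev"),
    "e1003": ("active", "backup-operator"),
    "e1004": ("active", "frontend-dev"),
}

# Constructed role -> approved directory groups (the least-privilege baseline).
ALLOWED_GROUPS = {
    "dba": {"db-admins", "staff"},
    "frontend-dev": {"app-deployers", "staff"},
    "backup-operator": {"backup-ops", "staff"},
}

# Constructed directory export: account,employee_id,enabled,groups (';'-separated).
DIRECTORY_EXPORT = """\
account,employee_id,enabled,groups
jdoe,e1001,true,db-admins;staff
asmith,e1002,true,app-deployers;staff
blee,e1003,true,backup-ops;staff;db-admins
cwong,e1004,false,staff
svc_local_admin,,true,domain-admins
"""


def parse_directory(text):
    """Parse the export into a list of account dicts."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    accounts = []
    for line in lines[1:]:
        fields = dict(zip(header, line.split(",")))
        accounts.append({
            "account": fields["account"],
            "employee_id": fields["employee_id"] or None,
            "enabled": fields["enabled"].lower() == "true",
            "groups": set(filter(None, fields["groups"].split(";"))),
        })
    return accounts


def reconcile(accounts, roster, allowed_groups):
    """Return (account, finding) pairs, sorted for a stable report."""
    findings = []
    for acct in accounts:
        record = roster.get(acct["employee_id"])
        if record is None:
            # No HR record: the account was created outside the provisioning flow.
            findings.append((acct["account"], "no HR record"))
            continue
        status, role = record
        if status == "terminated" and acct["enabled"]:
            findings.append((acct["account"], "enabled after termination"))
        excess = acct["groups"] - allowed_groups.get(role, set())
        if excess:
            findings.append((acct["account"],
                             f"groups exceed role {role}: {', '.join(sorted(excess))}"))
    return sorted(findings)


def run_check(export_text=DIRECTORY_EXPORT):
    """Reconcile a directory export against the HR roster and RBAC baseline."""
    return reconcile(parse_directory(export_text), HR_ROSTER, ALLOWED_GROUPS)


if __name__ == "__main__":
    for account, finding in run_check():
        print(f"{account}: {finding}")
```

Run on the quarterly interval from Table 6, the three finding types map directly onto the checklist rows there: single-source provisioning (no HR record), disabling on termination, and least-privilege sampling.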

Changes to Hardware and Software

Due to our organization's expansive growth, we add both hardware and software to our environment to meet demand. We will use our Hardware Asset Management (HAM) and Software Asset Management (SAM) solutions, vulnerability scans, and periodic spot-check audits to validate new assets. The combination of all these techniques will ensure rogue software and machines are not present on the network. Reference Table 6.

Changes to the Environment

Company growth is strong, and in order to be prudent, we will build new offices with shared work spaces to save money and offer flexible options for employees. A new type of environment like this comes with security challenges. In this type of work setting, it is important to segment the network, issue ID cards with pictures, enable Network Access Control to block unapproved devices from accessing our network, and allow short-term contingent labor to access resources in a controlled manner. Monitoring for ongoing changes and compliance can be reviewed in Table 6.

Appendix

Impact Matrix

Low – The loss of integrity, confidentiality, and availability will have a minimal impact on the information, assets, and organization. Example: Customer's environment has a software vulnerability that requires developers to modify code.

Moderate – The loss of integrity, confidentiality, and availability will seriously impact the information, assets, and organization. Example: Customer's data is hit with a Distributed Denial of Service (DDoS) attack, which slows down service delivery.

High – The loss of integrity, confidentiality, and availability will have a catastrophic impact on the information, assets, and organization. Example: Customer's sensitive data is exfiltrated, encrypted with ransomware, or poisoned with fake information.

Table 1

Selected Controls Table

Control ID | Control Name | Control Description | Impact: Low | Impact: Moderate | Impact: High
AC-2 | Account Management | Specifying accounts, groups, users, and authorized users for the system. | | X | X
AC-3 | Access Enforcement | Enforcing access to approved accounts to have logical access to the system. | | | X
AU-2 | Event Logging | Specifying the event types which identify critical events in the system. | | X | X
AU-8 | Time Stamps | Using the system clock to time-stamp audit logs. | | X |
CA-7 | Continuous Monitoring | Continuously monitor selected controls for ongoing effectiveness. | | | X
CA-8 | Penetration Testing | Attempting to exploit vulnerabilities like an attacker and provide detailed analysis on weaknesses or vulnerabilities. | | | X
CM-6 | Configuration Settings | Establish documentation on the settings and configuration of the system. | | X | X

Table 2

Implementation of Controls

AC-2 Account Management
Control Implementation: Servers and database software are stored on Linux and Windows servers and use Windows Active Directory to maintain user account permissions. Maintaining a proper account management system is crucial to maintain the confidentiality of accounts, the integrity of the account login process, and the system's availability to users.
Update Control Implementation: Changes to the account management process can occur quarterly due to findings in audits, patching, and new hires. Documenting the updates to the account management system is done using a Wiki and Risk Management Platform.

AC-3 Access Enforcement
Control Implementation: Our organization has many employees, and the most effective way to ensure the system's confidentiality is by enforcing which users have access to the system. Access enforcement is performed using a Privileged Access Management tool, allowing users to proxy their connection to their respective systems.
Update Control Implementation: Every six months, patches to the Privileged Access Management tool are performed.

AU-2 Event Logging
Control Implementation: Event logging is essential to define because we are using both Linux and Windows operating systems. Additionally, the Microsoft SQL database events will be configured to send security events.
Update Control Implementation: As new systems are added to the resource pool, it is critical to ensure event logging is updated and documented.

AU-8 Time Stamps
Control Implementation: Accurate time stamps are critical to understanding the sequence of events. There will be a single source of truth for time inside our infrastructure, which will synchronize with an external time source.
Update Control Implementation: N/A

CA-7 Continuous Monitoring
Control Implementation: Continuously monitoring selected controls for ongoing effectiveness will ensure account management is occurring, nobody is circumventing access to systems, and event logs generate with the correct time stamps.
Update Control Implementation: Additional monitoring requires implementation when new controls are added, or existing controls are modified.

CA-8 Penetration Testing
Control Implementation: Attempting to exploit vulnerabilities like an attacker and provide detailed analysis on weaknesses or vulnerabilities. Vulnerability scans are essential, but performing penetration testing takes the tests to a new level to validate infrastructure and code environments are tested equally.
Update Control Implementation: As new software and hardware is deployed, further penetration testing should be conducted.

CM-6 Configuration Settings
Control Implementation: Establish documentation on the system's settings and configuration to include upgrades, sprint releases, and patches.
Update Control Implementation: N/A

Table 3

Security Assessment Report

Control ID | Control Name | Threat | Vulnerability | Likelihood | Impact | Risk
AC-2 | Account Management | Attackers create local accounts or circumvent the account management process to authorize access to a system. | Privileged accounts used to access databases. | High | High | High
AC-3 | Access Enforcement | Unauthorized access to communication application and database server. | Access to database and sensitive data. | High | High | High
AU-2 | Event Logging | Event logs are stopped or cleared. | Monitoring for access to sensitive data. | Low | Moderate | Moderate
AU-8 | Time Stamps | Event logs aren't reporting correct times; therefore, conducting a timeline and correlation review is impossible. | Correlation of event logs is at risk. | Low | Moderate | Moderate
CA-7 | Continuous Monitoring | (not specified) | Changes to the environment can alter the effectiveness of the controls. | Moderate | Moderate | Moderate
CA-8 | Penetration Testing | Attackers identify and exploit vulnerabilities in the system to compromise | Publicly or organizationally introduced vulnerabilities expose sensitive data. | High | High | High
CM-6 | Configuration Settings | A lack of documented configuration settings results in inconsistencies with environments that attackers can exploit. | Inconsistent configurations allow for configuration mistakes and access to customer data. | High | High | High

Table 4

Plan of Action and Milestone

Item 1 – AC-2
Non-Compliant Control: N/A
Compliant Control: Specifying accounts, groups, users, and authorized users for the system.
Remediation Plans: N/A
Date of Detection: 1-Jul-21
Scheduled Completion Date: N/A
Authorization Decision: Authorization to Operate
Status (Open/Closed): Closed
Risk Level: Moderate

Item 2 – AC-3
Non-Compliant Control: Enforce approved authorizations for logical access to information and system resources.
Compliant Control: N/A
Remediation Plans: Create firewall ACLs to prevent users from circumventing the Privileged Access Management solution.
Date of Detection: 1-Jan-21
Scheduled Completion Date: 1-Dec-21
Authorization Decision: Interim Approval to Test
Status (Open/Closed): Open
Risk Level: High

Item 3 – AU-2
Non-Compliant Control: Specifying the event types which identify critical events in the system.
Compliant Control: N/A
Remediation Plans: Document and assign designs to receive event logs for all systems.
Date of Detection: 1-Feb-21
Scheduled Completion Date: 1-Jul-21
Authorization Decision: Authorization to Operate
Status (Open/Closed): Open
Risk Level: Moderate

Item 4 – AU-8
Non-Compliant Control: N/A
Compliant Control: Event logs aren't reporting correct times; therefore, conducting a timeline and correlation review is not possible.
Remediation Plans: N/A
Date of Detection: 1-Dec-21
Scheduled Completion Date: N/A
Authorization Decision: Authorization to Operate
Status (Open/Closed): Closed
Risk Level: Moderate

Item 5 – CA-7
Non-Compliant Control: N/A
Compliant Control: Continuously monitor selected controls for ongoing effectiveness will ensure account management is occurring, nobody is circumventing access to systems, and event logs are generating with the correct time stamps.
Remediation Plans: N/A
Date of Detection: 1-Dec-21
Scheduled Completion Date: N/A
Authorization Decision: Authorization to Operate
Status (Open/Closed): Closed
Risk Level: Moderate

Item 6 – CA-8
Non-Compliant Control: N/A
Compliant Control: Attackers identify and exploit vulnerabilities in the system to compromise
Remediation Plans: N/A
Date of Detection: 1-Dec-21
Scheduled Completion Date: N/A
Authorization Decision: Authorization to Operate
Status (Open/Closed): Closed
Risk Level: Moderate

Item 7 – CM-6
Non-Compliant Control: N/A
Compliant Control: A lack of documented configuration settings results in inconsistencies with environments that attackers can exploit.
Remediation Plans: N/A
Date of Detection: 1-Dec-21
Scheduled Completion Date: N/A
Authorization Decision: Authorization to Operate
Status (Open/Closed): Closed
Risk Level: Moderate

Table 5

Continuous Monitoring of Controls and Processes

Configuration Checklist | Date of Implementation | Date of Validation | Date of Last Change | Process for Validation | Interval
Accounts are created & disabled using a single source of truth | Nov-20 | Dec-20 | Nov-20 | Accounts use an Identity Access Management solution to automate the creation of accounts from the Human Resource system. Accounts are also disabled in the HR system and flow to all the various systems. | Quarterly
Accounts are provided privileges based on the least privilege model | Nov-20 | Dec-20 | Nov-20 | Sample new accounts and permissions quarterly. | Quarterly
Accounts are using Role Based Access Controls | Nov-20 | Dec-20 | Dec-20 | Sample new accounts and permissions quarterly. | Quarterly
Use Hardware Asset Management solution for tracking | Jan-21 | Jan-21 | N/A | Run monthly scans to detect new hardware. | Monthly
Use Software Asset Management solution for tracking | Jan-21 | Jan-21 | N/A | Run monthly scans to detect new software. | Monthly
Run network vulnerability scans | Jan-21 | Jan-21 | N/A | Run monthly scans to detect new hardware and software. | Quarterly
Use Network Access Controls to only permit authorized users on the network | Nov-20 | 1-Jan | N/A | Test whether authorized and non-authorized machines are able to access the network. | Quarterly
Issue ID Badges with Pictures | Nov-20 | 1-Jan | N/A | Visual check if people are wearing badges visible to other users. | Monthly
Create network segments for different security levels | Nov-20 | 1-Jan | N/A | Monitor network security zones for anomalous traffic. | Monthly
Log data to a Security Information Event Monitoring tool | Nov-20 | 1-Jan | N/A | Review security logs. | Daily

Table 6

References

Buckbee, M. (2020, March 30). What is the CIA Triad? Retrieved January 16, 2021, from
https://www.varonis.com/blog/cia-triad/

Desai, R. (2020, July 11). What is a CIA Triad in Cybersecurity? Retrieved January 16, 2021, from
https://www.tech-wonders.com/2020/07/what-is-a-cia-triad-in-cybersecurity.html

Evans, D. L., Bond, P. J., & Bement, A. L. (2004, February). Standards for Security Categorization of Federal
Information and Information Systems. Gaithersburg; National Institute of Standards and Technology.

Gallagher, P. (2012). Guide for Conducting Risk Assessments - NIST Special Publication 800-30.
Gaithersburg; National Institute of Standards and Technology.

Hester, D. (2016). The Six Steps in the RMF. Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Controls. https://image.slidesharecdn.com/ryjv5pwsqrsv2ncsxeka-signature-56aa0815cc122fa550c7c8ed25cace056d61eab58d0ada52c888b090ba8e3bff-poli-160630163538/95/understanding-the-risk-management-framework-isc2-cap-module-7-select-controls-2-638.jpg?cb=1467305838

Johnson, A., Dempsey, K., Ross, R., Gupta, S., & Bailey, D. (2011). Guide for Security-Focused Configuration
Management of Information Systems. Gaithersburg; National Institute of Standards and Technology.

Lang, C. (2019, May 17). Understanding the NIST Risk Management Framework (RMF). CyberSheath. https://cybersheath.com/understanding-the-nist-risk-management-framework-rmf/

USD. (2019). CSOL 530 Cyber Security Risk Management [Course document]. San Diego: University of San Diego.
