Primetime HealthCare Services Inc.
Enterprise Risk Management Process
Table of Contents
Abstract
Keywords
Risk Management Framework
i. Tier 1 (organizational level)
ii. Tier 2 (mission and business process level)
iii. Tier 3 (information system level)
Step 1: Information System Categorization
Step 2: Information System Security Controls Selection
Step 3: Implementing System Security Controls
Step 4: Assess System Security Controls
Step 5: Information System Authorization
Step 6: Information System Continuous Monitoring
Conclusion
Bibliography
Abstract
This document provides guidelines for applying the Risk Management Framework (RMF) to Primetime HealthCare Services Inc. The RMF process has six steps: information system categorization, security control selection, control implementation, control assessment, information system authorization, and continuous monitoring. The main function of the RMF is to promote the concept of near real-time risk management and ongoing
It also supports senior leadership's core missions and business functions while integrating sound information security practices into secure enterprise systems architecture development.
Applying the RMF within Primetime HealthCare Services Inc. links risk management processes at the information system level to risk management processes at the organizational level. This establishes lines of responsibility and accountability for the security controls deployed within the Primetime HealthCare Services production environment and inherited by those systems (i.e., common controls).
Keywords
Risk management, risk assessment, security authorization, system development life cycle, categorization, security control selection, security plan, security assessment report, authorization to operate (ATO), information system owner (ISO), authorizing official (AO), security control assessor (SCA), information owner (IO), information system security manager (ISSM), information system security officer (ISSO), common control provider
Risk Management Framework
Managing information system-related security risks is an intricate, multilayered undertaking that requires the involvement of all Primetime HealthCare Services employees. This ranges from executive leadership, who provide the strategic vision and top-level goals and objectives for Primetime HealthCare Services, to mid-level leaders planning and managing projects, to employees on the front lines developing, implementing, and operating the security systems that support Primetime HealthCare Services core missions and business processes (NIST F. P., 2004). The RMF can be viewed as a holistic activity that is fully integrated into every aspect of Primetime HealthCare Services. There are three tiers of enterprise risk management: the organizational level, the mission and business process level, and the information system level.
i. Tier 1 (organizational level)
This tier deals with the development of a comprehensive governance structure and enterprise
ii. Tier 2 (mission and business process level)
This tier deals with mission and business processes and is guided by the risk decisions made at Tier 1.
iii. Tier 3 (information system level)
This tier deals with the information system perspective and is guided by the risk decisions made at Tiers 1 and 2.
The Risk Management Framework (RMF) provides an organized and streamlined process that incorporates security and risk management into the secure systems architecture. This helps to ensure that security is built into the system rather than bolted on afterwards. The RMF process has six steps, described in turn below.
Step 1: Information System Categorization
The security categorization of an information system is carried out by the system owner and the chief information security officer (CISO) in cooperation with the various Primetime HealthCare Services officers responsible for the mission that the system will support (NIST F. P., 2004). During this categorization process, leadership and the involved Primetime HealthCare Services officers determine who will be part of the project, which users will use the system, the boundary within which the system will operate, and the ports, protocols, and services to be configured on the system. Environmental concerns are also addressed at this stage, depending on the threat levels inherent in the different environmental options available.
Authentication requirements, the data types the system will process, and the security parameters and testing to be performed are also determined, as prescribed in the FIPS 199 security categorization standard. Under FIPS 199 each security objective (confidentiality, integrity, availability) is assigned a low, moderate, or high potential impact, and the system's category is the high-water mark across all the information types it processes, so a single high-impact data type such as patient records raises the whole system to high.
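The categorization this step relies on can be made concrete. The following Python example is added here as an illustration and is not code from the Primetime HealthCare Services document or from NIST. It implements the FIPS 199 rule that each security objective receives a low, moderate, or high impact level and that the system's level is the high-water mark across the information types it processes, with the SP 800-60 style adjustment of a provisional level handled as a documented override. The information types, their provisional levels, and the adjustment are constructed for this example, not taken from SP 800-60 Volume II.

```python
"""FIPS 199 security categorization with the high-water mark rule.

Added worked example; not code from the Primetime HealthCare Services
document or from NIST. Information types and provisional impact levels
below are constructed for illustration.
"""
from typing import Dict, Iterable, List, Mapping, Optional, Tuple

# FIPS 199 impact levels, ordered so that the high-water mark is a max().
LEVELS = ("LOW", "MODERATE", "HIGH")
RANK = {level: i for i, level in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def high_water_mark(levels: Iterable[str]) -> str:
    """Return the highest impact level present (FIPS 199 Section 3)."""
    levels = list(levels)
    if not levels:
        raise ValueError("at least one impact level is required")
    for level in levels:
        if level not in RANK:
            raise ValueError(f"unknown impact level {level!r}; expected one of {LEVELS}")
    return max(levels, key=RANK.__getitem__)


def categorize(
    info_types: Mapping[str, Tuple[str, str, str]],
    adjustments: Optional[Mapping[Tuple[str, str], str]] = None,
) -> Dict[str, str]:
    """Categorize a system from the information types it processes.

    info_types maps an information-type name to its provisional
    (confidentiality, integrity, availability) impact levels.
    adjustments maps (type name, objective) to a documented override: the
    point where the organization adjusts a provisional level to fit its own
    mission (for example raising availability for a system clinical
    operations depend on). Returns the per-objective impact levels and the
    overall system level, which is the high-water mark of the three.
    """
    pending = dict(adjustments or {})
    per_objective: Dict[str, List[str]] = {obj: [] for obj in OBJECTIVES}
    for name, provisional in info_types.items():
        if len(provisional) != len(OBJECTIVES):
            raise ValueError(f"{name}: expected {len(OBJECTIVES)} impact levels")
        for obj, level in zip(OBJECTIVES, provisional):
            per_objective[obj].append(pending.pop((name, obj), level))
    if pending:  # an override naming an unknown type or objective is a mistake
        raise ValueError(f"adjustments for unknown entries: {sorted(pending)}")
    result = {obj: high_water_mark(levels) for obj, levels in per_objective.items()}
    result["system"] = high_water_mark(result[obj] for obj in OBJECTIVES)
    return result


def format_sc(result: Mapping[str, str]) -> str:
    """Render the categorization in the FIPS 199 notation."""
    parts = ", ".join(f"({obj}, {result[obj]})" for obj in OBJECTIVES)
    return f"SC system = {{{parts}}}"


# Constructed sample: three information types a clinic system might process.
SAMPLE_TYPES = {
    "Public web content": ("LOW", "MODERATE", "LOW"),
    "Appointment scheduling": ("MODERATE", "MODERATE", "MODERATE"),
    "Patient health records (ePHI)": ("HIGH", "HIGH", "MODERATE"),
}

if __name__ == "__main__":
    base = categorize(SAMPLE_TYPES)
    print(format_sc(base), "->", base["system"])
    # Documented adjustment: scheduling outages stop clinical operations.
    adjusted = categorize(
        SAMPLE_TYPES, adjustments={("Appointment scheduling", "availability"): "HIGH"}
    )
    print(format_sc(adjusted), "->", adjusted["system"])
```

The point the sample makes is that the public web content and the scheduling data do not decide the category; the ePHI type alone drives confidentiality and integrity to HIGH, and therefore the system, so the baseline selected in Step 2 must be the high baseline regardless of how little ePHI the system holds.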
Step 2: Information System Security Controls Selection
The information system security manager (ISSM) selects the security control baseline applicable to the information system based on the results of the categorization step and tailors the controls as needed, supplementing, modifying, or tailoring out controls to manage risk for any unique system conditions; every control tailored out is recorded together with its justification. The ISSM and the system owner can also begin planning for continuous monitoring at this point (NIST, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans, 2014). The selected security controls are documented in the system security plan, which contains an overview of the security requirements for that system. The security requirements are then mapped to the selected controls to demonstrate compliance with laws and regulations such as HIPAA, GLBA, and SOX. The security control assessor confirms that the security requirements are matched with the selected security controls and informs the ISSM (Stine, Kissel, Barker, Lee, & Fahlsing, 2008).
Step 3: Implementing System Security Controls
The security controls selected in the previous stage on the basis of the threat assessment are now implemented as described in the security plan, which acts as a functional description of each control, including its planned inputs, expected behavior, and outputs. All security controls are implemented as documented in the security plan. In this stage the threat assessment helps to determine the cost, benefit, and risk trade-offs of selecting one technology over another to meet a security control objective. The system owner and the information system security manager also ensure that mandatory configuration settings are established and
controls at the bare minimum should address the what, where, who, and how of the security
In this stage, equipment groups are defined according to the location and scope of the project by creating an equipment inventory. The security plan is a living document that changes continually and needs review, modification, and plans of action and milestones for implementing security controls. The security plan addresses the security concerns that arise from changes in personnel, hardware and software upgrades, or changes in operational factors. The information system security officer ensures that system security plans are developed and reviewed before any security assessment and authorization (formerly certification and accreditation) of a system takes place. Contingency planning is also addressed in this stage by outlining specific controls for emergency situations, based on the information system's security categorization. Threat assessment is an integral part of security planning and security control implementation and calls for reviews
Step 4: Assess System Security Controls
Assessing controls during the implementation phases of the life cycle permits the identification of weaknesses and deficiencies early and provides the most cost-effective method for initiating corrective action. The security assessment plan reflects the types of assessment Primetime HealthCare Services will conduct, e.g.
remediation actions (Rochford, 2017). Risk analysis is an integral part of this stage, as it shows whether the security controls are implemented correctly, operating as intended, and producing the desired outcome.
The risk assessment analyzes the risk elements and documents the results as a report of the tests performed on the system. All risk assessment results are documented in the security assessment report, which contains recommendations for correcting any weaknesses or deficiencies in the implemented security controls (Rochford, 2017). The security assessment report is a critical document, since it determines whether a system will be authorized to operate. The system owner then prepares a plan of action and milestones (POA&M) for the deficiencies that remain and combines it with the other required documents into the system authorization package for the designated authorizing official (DAO).
Step 5: Information System Authorization
System authorization is an important step and is based on the recommendations of the security assessment report produced in the previous stage. The authorize phase of the RMF is where the DAO decides whether or not to authorize the system for operation based on the security plan, the security assessment report, and the plan of action and milestones (POA&M) (Rochford, 2017). Together these give the DAO, at a minimum, the necessary information about the risk the system poses. In the ATO decision task, the authorizing official (AO) reviews the accreditation package and decides whether to grant or deny the authorization to operate (ATO). The Project Accreditation (with history) record indicates the authorization type granted to a project based on the results of the assessment effort and maintains the project's authorization history. The ATO letter provides the authorization to deploy the information system.
Step 6: Information System Continuous Monitoring
Moore's law observes that the number of transistors on a chip, and with it computing power, roughly doubles every two years. Information systems are accordingly in a constant state of change, with upgrades to hardware, software, or firmware and modifications to the surrounding environments where the systems reside and operate. A well-organized and structured approach to managing, controlling, and documenting these changes is an essential element of an effective security control and continuous monitoring program. Strict configuration management and control processes are established by Primetime HealthCare Services to support this. Information about specific changes to hardware, software, or firmware (such as version or release numbers), about changes to the environment of operation for the information system, or about changes to the Primetime HealthCare Services risk management strategy or plan is recorded, and the information system owner and common control provider use this information in assessing the potential security impact of the changes (Piper, 2015). The following table shows the purpose of continuous monitoring and its subsequent benefits.
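The change tracking this step depends on is worth seeing as code. The following Python example is added here as an illustration and is not code from the Primetime HealthCare Services document or from any NIST or CyberEdge publication. It records an authorized baseline inventory of component versions and SHA-256 digests, diffs the currently observed state against it, and flags the changes the system owner must assess for security impact. The component names, contents, and the security-relevant set are constructed for this example, and the rule for which changes need impact analysis is an assumption standing in for an organization's configuration management plan, not a NIST rule.

```python
"""Configuration-change detection against an authorized baseline.

Added worked example; not code from the Primetime HealthCare Services
document or from NIST. Inventories and the security-relevant set are
constructed for illustration.
"""
import hashlib
from typing import Dict, Iterable, List, Mapping, NamedTuple, Optional, Set, Tuple


class Component(NamedTuple):
    version: str  # vendor version or release string recorded in the inventory
    digest: str   # SHA-256 of the installed artifact or configuration file


class Change(NamedTuple):
    name: str
    kind: str     # "added", "removed" or "modified"
    before: Optional[Component]
    after: Optional[Component]


def fingerprint(content: bytes) -> str:
    """Content digest; a version string alone cannot reveal silent edits."""
    return hashlib.sha256(content).hexdigest()


def build_inventory(artifacts: Mapping[str, Tuple[str, bytes]]) -> Dict[str, Component]:
    """artifacts maps a component name to (version string, artifact bytes)."""
    return {name: Component(version, fingerprint(data))
            for name, (version, data) in artifacts.items()}


def diff_inventory(baseline: Mapping[str, Component],
                   current: Mapping[str, Component]) -> List[Change]:
    """Every difference between the authorized baseline and the observed state."""
    changes: List[Change] = []
    for name in sorted(set(baseline) | set(current)):
        before, after = baseline.get(name), current.get(name)
        if before is None:
            changes.append(Change(name, "added", None, after))
        elif after is None:
            changes.append(Change(name, "removed", before, None))
        elif before != after:
            changes.append(Change(name, "modified", before, after))
    return changes


def unversioned_modifications(changes: Iterable[Change]) -> List[Change]:
    """Modified components whose recorded version did not change.

    The content changed without a release: either an undocumented change made
    outside the configuration management process or tampering. Either way it
    needs investigation, not just a POA&M entry.
    """
    return [c for c in changes
            if c.kind == "modified" and c.before.version == c.after.version]


def needs_security_impact_analysis(changes: Iterable[Change],
                                   security_relevant: Set[str]) -> List[Change]:
    """Changes the system owner must assess before accepting them (assumed rule):
    anything touching a component the configuration management plan marks as
    security-relevant, plus any newly added component."""
    return [c for c in changes if c.kind == "added" or c.name in security_relevant]


# Constructed sample data: the authorized baseline and a later observation.
AUTHORIZED_BASELINE = build_inventory({
    "sshd_config": ("1", b"PermitRootLogin no\nPasswordAuthentication no\n"),
    "openssl": ("1.1.1k", b"openssl-1.1.1k"),
    "app-server": ("4.2.0", b"app-4.2.0"),
    "legacy-fax-gateway": ("2.3", b"fax-2.3"),
})
OBSERVED = build_inventory({
    "sshd_config": ("1", b"PermitRootLogin yes\nPasswordAuthentication no\n"),
    "openssl": ("1.1.1n", b"openssl-1.1.1n"),
    "app-server": ("4.2.1", b"app-4.2.1"),
    "ehr-export-agent": ("0.9", b"agent-0.9"),
})
SECURITY_RELEVANT = {"sshd_config", "openssl"}  # assumed, from a CM plan

if __name__ == "__main__":
    changes = diff_inventory(AUTHORIZED_BASELINE, OBSERVED)
    for change in changes:
        print(f"{change.kind:<9}{change.name}")
    for change in unversioned_modifications(changes):
        print(f"investigate: {change.name} content changed with no version change")
    for change in needs_security_impact_analysis(changes, SECURITY_RELEVANT):
        print(f"impact analysis required: {change.name}")
```

The case worth noticing in the sample is sshd_config: its version string is unchanged, so a version-only inventory would report nothing, yet the digest shows the file was edited (root login was turned on). Recording a content digest alongside the version is what lets the monitoring program catch changes that bypassed configuration control.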
Conclusion
Primetime HealthCare Services must now be information security conscious and must develop and implement proper security controls based on the results of its internal risk assessment and
Primetime HealthCare Services can uncover known weaknesses and vulnerabilities in its existing IT infrastructure, prioritize the impact of these vulnerabilities based on the value and importance of the affected IT and data assets, and then implement the proper security controls and countermeasures to mitigate the identified weaknesses. The risk mitigation results will help increase security and reduce the probability of a threat or vulnerability impacting Primetime HealthCare Services.
Bibliography
NIST. (2006). Minimum Security Requirements for Federal Information and Information Systems. NIST,
NIST. (2014). Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans (NIST SP 800-53A Rev. 4). Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf
NIST, F. P. (2004). Standards for Security Categorization of Federal Information and Information Systems (FIPS PUB 199). Gaithersburg, MD: National Institute of Standards and Technology, Department of Commerce. Retrieved February 4, 2018, from http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf
Piper, S. (2015). Definitive Guide to Continuous Network Monitoring. Annapolis, MD: CyberEdge.
guide-to-continuous-network-monitoring.pdf
Rochford, K. (2017). Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53 Rev. 5, draft).
53/rev-5/draft/documents/sp800-53r5-draft.pdf
Stine, K., Kissel, R., Barker, W., Lee, A., & Fahlsing, J. (2008). Volume II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories (NIST SP 800-60 Vol. 2 Rev. 1). Computer Security Division, Information Technology Laboratory, Department of Commerce. NIST. Retrieved February 5th,