In this section of the course, we're going to learn more about the risk management framework from a higher level so that we can get a good overview of the entire process before we dive individually into each step in more depth. As we move through this section, we're going to first take a look at the reasons that RMF exists in the first place, what it was designed for, and how it's implemented inside of an organization. Then we're going to move into a quick overview of the seven-step process as we move from prepare, to categorize, to select, to implement, to assess, to authorize, and finally to monitoring our controls for a given system. After that, we're going to take a quick look at Special Publication 800-37 from NIST, which is the heart and soul of the Risk Management Framework. Next, we're going to discuss the changes in the Risk Management Framework, moving from version one into the latest version, version two, which is going to be the version that we're going to focus on during our time together in this course.

Then we're going to expand our coverage from just risk and look at how we can treat information security, privacy and risk as one consolidated and integrated effort inside of our Risk Management Framework, to give us a better and more complete picture of our overall risk posture. After that, we're going to talk about authorization boundaries and how to set up and configure them. Authorization boundaries are going to be used to define which elements of a given system are going to be considered in scope for our different assessments, and which parts we are going to be seeking authorization for, for use in our networks. Next, we're going to cover the concepts surrounding supply chain risk management, known as SCRM. In the latest version of the Risk Management Framework, the supply chain has been added because it's critical to the underlying security of your networks and systems, and therefore it has to be considered when you're working through the RMF process. Then we're going to look at two very important concepts in RMF: requirements and controls.

Often people will treat requirements and controls as interchangeable and meaning the same thing, but they really are different things and they're used for different purposes. So we're going to take some time to untangle these two concepts and ensure that you understand when each one is going to be used inside of RMF. After that, we're going to look at the flexibility provided by RMF, because it's able to be scaled upwards and downwards based on the size and scope of your organization and its systems. Finally, we're going to take a quick look at the timelines that are involved when you're going through the RMF process, because this can be a really lengthy process in a lot of different organizations, and it's important to have a good understanding of how much time and effort is going to be involved before you try to begin pushing a new RMF package through that system in order to gain authorization for your new system or network. So, if you're ready, let's dive into our coverage of the Risk Management Framework in this section of the course.