1
00:00:00,150 --> 00:00:01,080
In this lesson,

2
00:00:01,080 --> 00:00:03,690
we'll continue onto the next steps

3
00:00:03,690 --> 00:00:06,690
of getting ready for the Risk Management Framework.

4
00:00:06,690 --> 00:00:07,860
This section of the framework

5
00:00:07,860 --> 00:00:11,460
is all about preparing at the system level.

6
00:00:11,460 --> 00:00:16,460
There are 11 tasks in this second part of step number 1.

7
00:00:16,890 --> 00:00:20,190
Let's look at each task in turn.

8
00:00:20,190 --> 00:00:22,770
When you finish Task P-8,

9
00:00:22,770 --> 00:00:25,770
you'll be able to identify your organization's missions,

10
00:00:25,770 --> 00:00:27,030
business functions,

11
00:00:27,030 --> 00:00:31,410
and the processes that your technology is meant to support.

12
00:00:31,410 --> 00:00:32,400
To do this,

13
00:00:32,400 --> 00:00:35,340
gather together your organization's mission statements,

14
00:00:35,340 --> 00:00:38,490
technology policies, cybersecurity policies,

15
00:00:38,490 --> 00:00:41,760
and any other similar documents that you might need,

16
00:00:41,760 --> 00:00:44,730
then review them and assemble the big picture

17
00:00:44,730 --> 00:00:47,100
of your organization's top goals

18
00:00:47,100 --> 00:00:49,110
and how your technology has been helping you

19
00:00:49,110 --> 00:00:50,253
to achieve them.

20
00:00:51,210 --> 00:00:54,870
Task P-9 turns your attention to your stakeholders.

21
00:00:54,870 --> 00:00:56,310
During Task P-9,

22
00:00:56,310 --> 00:00:59,130
you'll identify who your top stakeholders are

23
00:00:59,130 --> 00:01:01,560
and which ones would be most interested

24
00:01:01,560 --> 00:01:04,260
in this system that you're trying to obtain

25
00:01:04,260 --> 00:01:08,133
approval to operate, also known as ATO.

26
00:01:09,480 --> 00:01:12,150
These stakeholders could be members of your organization,

27
00:01:12,150 --> 00:01:14,400
or they could be on the outside.

28
00:01:14,400 --> 00:01:15,600
But no matter where they are,

29
00:01:15,600 --> 00:01:17,820
you need to make sure you're communicating with them

30
00:01:17,820 --> 00:01:20,940
throughout the RMF process.

31
00:01:20,940 --> 00:01:25,890
The next task in step 1, prepare your system, is P-10,

32
00:01:25,890 --> 00:01:27,390
which will allow you to know

33
00:01:27,390 --> 00:01:30,810
and then prioritize your system's assets

34
00:01:30,810 --> 00:01:32,610
so you can protect them.

35
00:01:32,610 --> 00:01:36,540
Some examples of assets are software, hardware,

36
00:01:36,540 --> 00:01:39,480
computer networks, business processes,

37
00:01:39,480 --> 00:01:43,890
business services, buildings, and of course data.

38
00:01:43,890 --> 00:01:47,220
Next, when you complete Task P-11,

39
00:01:47,220 --> 00:01:50,730
you'll know the security boundaries of your system,

40
00:01:50,730 --> 00:01:52,560
and knowing the security boundaries

41
00:01:52,560 --> 00:01:54,900
will let you answer important questions

42
00:01:54,900 --> 00:01:59,730
like who should have access to what parts of the system

43
00:01:59,730 --> 00:02:03,390
and what parts should be accessible by the internet.

44
00:02:03,390 --> 00:02:05,280
To do Task P-11,

45
00:02:05,280 --> 00:02:08,430
gather all the documentation about your systems,

46
00:02:08,430 --> 00:02:11,490
like network diagrams, organizational charts,

47
00:02:11,490 --> 00:02:13,920
and system design documents.

48
00:02:13,920 --> 00:02:15,480
Then I want you to write down your thoughts

49
00:02:15,480 --> 00:02:17,730
and note where the boundaries are now

50
00:02:17,730 --> 00:02:20,343
or where you'll need to put them.

51
00:02:21,840 --> 00:02:25,800
Task P-12 focuses on the data portion of your system.

52
00:02:25,800 --> 00:02:27,480
When you complete Task P-12,

53
00:02:27,480 --> 00:02:29,520
you'll know what kinds of information

54
00:02:29,520 --> 00:02:33,390
your system processes, stores, and transmits.

55
00:02:33,390 --> 00:02:36,573
Knowing this will help you to figure out how to protect it.

56
00:02:37,470 --> 00:02:38,880
And when this task is completed,

57
00:02:38,880 --> 00:02:40,380
you should end up with a list

58
00:02:40,380 --> 00:02:43,890
of the information types in your system.

59
00:02:43,890 --> 00:02:45,720
Some important information types

60
00:02:45,720 --> 00:02:47,610
include financial information,

61
00:02:47,610 --> 00:02:50,460
personal information like health records,

62
00:02:50,460 --> 00:02:52,080
product specifications,

63
00:02:52,080 --> 00:02:54,363
and government and trade secrets.

64
00:02:55,560 --> 00:02:59,400
Let's move on to Task P-13.

65
00:02:59,400 --> 00:03:00,390
When you complete it,

66
00:03:00,390 --> 00:03:02,010
you'll have a better understanding

67
00:03:02,010 --> 00:03:05,730
of your organization's information life cycle.

68
00:03:05,730 --> 00:03:09,000
An information life cycle describes the stages

69
00:03:09,000 --> 00:03:12,300
that information goes through in an organization.

70
00:03:12,300 --> 00:03:15,150
Usually, it goes something like this.

71
00:03:15,150 --> 00:03:18,750
There's an initial creation or collection of data,

72
00:03:18,750 --> 00:03:22,560
then it's processed, then it's shared,

73
00:03:22,560 --> 00:03:25,830
somebody may use it, it's stored,

74
00:03:25,830 --> 00:03:29,010
and finally, when it's not needed any longer,

75
00:03:29,010 --> 00:03:31,113
it's destroyed or deleted.

76
00:03:32,040 --> 00:03:34,980
Some questions you need to answer in this task

77
00:03:34,980 --> 00:03:38,880
include how long you are required to safely store

78
00:03:38,880 --> 00:03:41,460
different types of information,

79
00:03:41,460 --> 00:03:45,000
how this data is processed in your environment,

80
00:03:45,000 --> 00:03:49,353
and what types of data you have to delete and when.

81
00:03:50,880 --> 00:03:54,360
Looking now at Task P-14, I want you to know

82
00:03:54,360 --> 00:03:57,450
that it'll be a bit more costly to complete

83
00:03:57,450 --> 00:04:01,860
than the previous tasks that we've covered here in step 1.

84
00:04:01,860 --> 00:04:06,510
Task P-14 is all about conducting system-level security

85
00:04:06,510 --> 00:04:09,300
and privacy risk assessments.

86
00:04:09,300 --> 00:04:11,430
This task should be taken up

87
00:04:11,430 --> 00:04:15,540
by your organization's security officer and technology team.

88
00:04:15,540 --> 00:04:18,270
Now, if you don't have those people in house,

89
00:04:18,270 --> 00:04:19,860
it's okay to contract

90
00:04:19,860 --> 00:04:22,893
with qualified outside service providers.

91
00:04:24,120 --> 00:04:26,730
Moving on to Task P-15.

92
00:04:26,730 --> 00:04:27,780
When you complete it,

93
00:04:27,780 --> 00:04:30,030
you'll end up with your documented security

94
00:04:30,030 --> 00:04:31,710
and privacy requirements,

95
00:04:31,710 --> 00:04:34,260
all of which will be based on

96
00:04:34,260 --> 00:04:36,510
what assets need to be protected

97
00:04:36,510 --> 00:04:40,260
against the specific risks that you've identified.

98
00:04:40,260 --> 00:04:42,090
These requirements will help you

99
00:04:42,090 --> 00:04:45,420
to select controls for your system,

100
00:04:45,420 --> 00:04:49,440
which you'll do in future tasks of RMF.

101
00:04:49,440 --> 00:04:52,200
When you complete Task P-16,

102
00:04:52,200 --> 00:04:54,990
you'll have a thoroughly documented architecture

103
00:04:54,990 --> 00:04:56,370
of your enterprise,

104
00:04:56,370 --> 00:05:00,180
including an updated security and privacy architecture.

105
00:05:00,180 --> 00:05:03,090
Enterprise architecture is a management practice

106
00:05:03,090 --> 00:05:07,350
that maximizes the effectiveness of your business processes.

107
00:05:07,350 --> 00:05:10,770
Additionally, a published system architecture

108
00:05:10,770 --> 00:05:12,900
makes systems more transparent,

109
00:05:12,900 --> 00:05:17,223
and therefore easier to understand and to protect.

110
00:05:18,750 --> 00:05:21,150
By the end of Task P-17,

111
00:05:21,150 --> 00:05:24,330
you'll have allocated security and privacy requirements

112
00:05:24,330 --> 00:05:27,630
to your system and physical environment.

113
00:05:27,630 --> 00:05:30,000
Allocation is deciding exactly

114
00:05:30,000 --> 00:05:32,790
where your requirements are going to be satisfied

115
00:05:32,790 --> 00:05:34,530
in the big picture.

116
00:05:34,530 --> 00:05:35,610
When doing this task,

117
00:05:35,610 --> 00:05:38,430
you can decide the most cost-effective ways

118
00:05:38,430 --> 00:05:41,550
to allocate who will satisfy each requirement

119
00:05:41,550 --> 00:05:43,470
throughout your organization,

120
00:05:43,470 --> 00:05:46,110
with the goal of satisfying them all.

121
00:05:46,110 --> 00:05:50,340
Finally, when your system has gone through all these tasks,

122
00:05:50,340 --> 00:05:53,250
P-1 through P-17,

123
00:05:53,250 --> 00:05:55,410
your last task in this step

124
00:05:55,410 --> 00:05:58,710
is to inform your organization that your system exists.

125
00:05:58,710 --> 00:06:03,360
RMF calls this system registration.

126
00:06:03,360 --> 00:06:06,540
Make sure that the key decision makers of your organization

127
00:06:06,540 --> 00:06:09,570
know about the system's creation and its role

128
00:06:09,570 --> 00:06:11,760
in your overall mission.

129
00:06:11,760 --> 00:06:15,480
Okay, that concludes our tour of step 1

130
00:06:15,480 --> 00:06:17,433
of the Risk Management Framework.