
Risk Management Roadmap for Enterprise Security

Navigate Cybersecurity Risks with this Comprehensive Step-by-Step Risk Management Roadmap

Cybersecurity is a process, not a destination.

Develop better risk assurance in this day of modern cybersecurity in four phases.

[Graphic: Aerstone Risk Management Roadmap Process]

This four-phase risk management roadmap represents a comprehensive and ongoing path to security assurance, designed to be executed over a period of years (not days or months). The value of a robust cybersecurity program is immeasurable, but the process to get there has been tried and tested by Aerstone’s NSA-Certified cybersecurity experts for over 20 years, and is recorded here for you.

Phase I: Scoping

These steps by themselves represent significant security enhancements to the environment, and collectively prepare your organization to achieve an optimized level of risk assurance.

1. Appoint CISO and Designated Authorizing Official (DAO) roles

Provides a single corporate point of leadership for cybersecurity as a whole, and the risk management process specifically.

Milestones:
- Job descriptions written
- Staff identified or hired to fill roles
- People formally appointed in writing (can be contracted)

Reference: NIST 800-37

2. Familiarize yourself with the Risk Management Framework (RMF)

The RMF provides an excellent approach for evaluating and managing risk.

Milestones:
- CISO and DAO complete read-through of NIST 800-37
- Written policy memo signed by CISO, delegating the RMF management process to the DAO

Reference: NIST 800-37

3. Do a thorough data meta-analysis to determine what kinds and quantities of data are processed and stored by the enterprise

Determines the risk associated with data loss, data corruption, or unintended data exposure.

Milestones:
- Data types categorized and documented, including PII, PHI, etc.

Reference: NIST 800-37

4. Determine legal and practical compliance requirements

Determines the cybersecurity standards against which the organization will be assessed, taking the 5-year business strategy into account.

Milestones:
- List of compliance requirements created

Reference: Various

5. Implement a formal system authorization process

Allows the appointed DAO to accept system-specific risk on behalf of the organization.

Milestones:
- Written policy memo signed by DAO
- Department and project leads briefed on the process

Reference: NIST 800-37

Phase II: Planning & Preparation

These steps by themselves represent significant security enhancements to the environment, and collectively prepare your organization to achieve an optimized level of risk assurance.

6. Complete a full inventory of IT hardware

Facilitates drawing security boundaries.

Milestones:
- Inventory of all networked hardware

Reference: NIST 800-37

7. Complete a full inventory of IT software

Completes the picture of what actually runs on the inventoried hardware, including commercial, free, and shadow IT software.

Milestones:
- Inventory of all software, by geographic location, including COTS, free, and shadow IT

Reference: CIS-18

8. Write policy documents

Creates a set of documents that provide proper guidance to the organization for cybersecurity maintenance.

Milestones:
- Control family policy documents created for each of the control families

Reference: NIST 800-53

9. Assess and implement core enterprise security services

Ensures that solutions for key security capabilities (e.g., event management, malware protection, vulnerability scanning, etc.) are all available.

Milestones:
- Enterprise systems available for malware detection, vulnerability scanning, enterprise logging, etc.

Reference: CIS-18

10. Group all hardware and software into authorization packages

Divides the entire IT infrastructure into mission-specific bundles based on risk, and allows identification of core packages that will be inherited by other packages downstream.

Milestones:
- All systems documented with package owners assigned
- Each package categorized based on the impact of a loss of confidentiality, integrity, or availability (C-I-A)
- System security plans (SSPs) completed for all packages

Reference: FIPS-199

Phase III: System Assessment based on RMF

Following the Risk Management Framework (RMF), at the end of this phase your organization will gain an excellent understanding of the residual risk you’re accepting, with responsible parties identified and assigned for all critical systems.
11. Assign security controls based on package categorization

Ensures an appropriate set of security controls is chosen for each package.

Milestones:
- Security control set documented for each system

Reference: NIST 800-53
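A worked version of the categorization in step 10 and the baseline selection it feeds in step 11, as an added example that is not part of Aerstone's roadmap: it applies the FIPS 199 high-water mark across a package's information types and derives the overall impact level that picks the NIST 800-53 baseline. The information types, their names and their ratings are constructed samples.

```python
from dataclasses import dataclass

# FIPS 199 impact levels in increasing order. "na" (not applicable) may be
# assigned only to the confidentiality of information approved for public
# release, and only at the information-type level.
LEVELS = {"na": 0, "low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One kind of information a package processes (from the step 3 analysis)."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def level(self, objective: str) -> str:
        value = getattr(self, objective).lower()
        if value not in LEVELS:
            raise ValueError(f"{self.name}: unknown {objective} level {value!r}")
        if value == "na" and objective != "confidentiality":
            raise ValueError(f"{self.name}: 'na' is valid only for confidentiality")
        return value


def categorize_package(info_types: list[InfoType]) -> dict[str, str]:
    """High-water mark per objective across all information types in the
    package (FIPS 199 Sec. 3.2). At the system level 'na' is floored to
    'low': the system's own processing functions must still be protected."""
    if not info_types:
        raise ValueError("a package must process at least one information type")
    category = {}
    for obj in OBJECTIVES:
        top = max((t.level(obj) for t in info_types), key=LEVELS.__getitem__)
        category[obj] = "low" if top == "na" else top
    return category


def overall_impact(category: dict[str, str]) -> str:
    """Overall impact level of the package: the highest of its three
    objectives (FIPS 200), which selects the SP 800-53 baseline to assign."""
    return max(category.values(), key=LEVELS.__getitem__)


if __name__ == "__main__":
    # Constructed sample package: a public web site that also handles PII.
    pkg = [InfoType("public web content", "na", "moderate", "moderate"),
           InfoType("customer PII", "moderate", "moderate", "low")]
    cat = categorize_package(pkg)
    print(cat, "->", overall_impact(cat), "baseline")
```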

12. Implement the assigned security controls for each package

Ensures that the chosen set of security controls is actually put in place for each package.

Milestones:
- Security control set implemented for each system

Reference: NIST 800-53

13. Test the assigned security controls for each package, and document the results

Ensures that the set of security controls is validated for each package.

Milestones:
- Security control set confirmed for each system
- Test artifacts collected and stored

Reference: NIST 800-53

14. Authorize each system

Ensures that the DAO signs off on residual risk.

Milestones:
- ATO granted for each system
- Plans of Action & Milestones (POA&Ms) created for each system

Reference: NIST 800-53

Phase IV: Implement security enhancements based on best practices

These steps by themselves represent significant security enhancements to the environment, and collectively prepare your organization to achieve an optimized level of risk assurance.

15. Implement a continuous monitoring (conmon) mechanism

Supports continuous authorization of enterprise systems.

Milestones:
- Automated conmon solution online and available
- cATO process defined and communicated
- Systems transitioned to cATO

Reference: NIST 800-137

16. Implement workforce training as defined by policy documents

Ensures that staff receive the security training the policy documents require, so that the implemented controls are operated as intended.

Milestones:
- Training courses implemented
- Training schedule defined

Reference: NIST 800-53

17. Implement a change management mechanism

Mitigates the risk of unanticipated impacts to confidentiality, integrity, and especially availability.

Milestones:
- Change management process implemented

Reference: NIST 800-137

18. Develop an automated risk assessment mechanism

Mitigates the risk of unanticipated impacts to confidentiality, integrity, and especially availability.

Milestones:
- Risk-based escalation process implemented

Reference: NIST 800-137

19. Schedule penetration tests for a subset of Internet-facing and high-impact systems

Mitigates the risk of unanticipated impacts to confidentiality, integrity, and especially availability.

Milestones:
- Penetration testing resources identified (internal/external)
- Pentests conducted on critical systems on a regular cadence

Reference: CIS-18

20. Revisit standards-based compliance on the required cadence

Ensures ongoing compliance with required statutes.

Milestones:
- Test/audit calendar developed

Reference: Various

Free Download: Risk Management Roadmap

Cybersecurity is not for the faint of heart. Use this guide to elevate, maximize, and maintain a high level of risk assurance at your organization, starting today.