Page 188 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
analysis/risk assessment is a “point in time” metric. Threats and vulnerabilities constantly change, and the risk assessment needs to be redone periodically in order to support continuous improvement.

Security is always changing. Thus any implemented security solution requires updates and changes over time. If a continuous improvement path is not provided by a selected countermeasure, then it should be replaced with one that offers scalable improvements to security.


               Risk Frameworks


A risk framework is a guideline or recipe for how risk is to be assessed, resolved, and monitored. The primary example of a risk framework referenced by the CISSP exam is that defined by NIST in Special Publication 800-37 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf). We encourage you to review this publication in its entirety, but here are a few excerpts of relevance to CISSP:

    This publication provides guidelines for applying the Risk Management Framework (RMF) to federal information systems. The six-step RMF includes security categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. The RMF promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes, provides senior leaders the necessary information to make cost-effective, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions, and integrates information security into the enterprise architecture and systems development lifecycle (SDLC). Applying the RMF within enterprises links risk management processes at the information system level to risk management processes at the organization level through a risk executive (function) and establishes lines of responsibility and accountability for security controls deployed within organizational information systems and inherited by those systems (i.e., common controls). The RMF has the following characteristics: