NIST Special Publication (SP) 800-37, the Risk Management Framework (RMF), updated the previous RMF in a number of ways.
Broadly speaking, this update addresses a number of challenges IT and security professionals have faced in implementing cybersecurity controls across their organizations, with a primary focus on improving efficiency and cost-effectiveness.
Making Better Use of Preexisting Cybersecurity Validations
Preexisting security artifacts, such as Risk Assessments or Penetration Testing Reports, are often not incorporated into the process of organizational Risk Management over time, even though they provide key insights into how an organization can improve its security posture. Due to a lack of support or internal resources, these documents are instead often produced simply to meet specific compliance requirements. Including preexisting artifacts in the overall Risk Management process supports the intent of audits as tools for designing the next steps in strengthening one’s security posture.
Support Greater Collaboration Between C-Suites and System Owners, Technologies, and Users
When risk is evaluated at the governance level, and not just at the system or individual user level, changes can often be made to system architecture that minimize risk downstream. For example, a “least capability” approach can limit some systems’ risk exposure by default, rather than requiring the owners of those systems to implement additional controls to protect against those risks.
Incorporate Privacy Into Your Risk Management Strategy
Taking a more global approach to Risk Management and recognizing the overlap between privacy and cybersecurity, NIST 800-37 helps organizations incorporate data governance concepts from day one. Rather than looking for ways to secure and keep private certain datasets downstream, the more efficient way to handle personal information, or privacy-protected data, is to consider compliance, risk, security, and privacy concurrently from the beginning. This is why the most recent NIST update to the RMF includes Privacy as part of the whole strategy, not as a separate initiative.
Reduce Overhead Associated With Implementing New Controls
In many organizations, cybersecurity initiatives may be split across multiple departments, with system owners taking on responsibility for securing their own technologies and users. By refocusing the Risk Management approach to be more global, including coordination across the C-Suite, system owners, technologies, and end users, efficiency improves, reducing overhead and effort downstream.
An Important Step to Risk Management: Prepare
By adding a preparation step to the Risk Management Framework, NIST 800-37 helps organizations evaluate risk and implement security controls that are specific to the organization. This means identifying common controls, which increases efficiency, as well as reducing each system’s functionality to what that system requires to perform the tasks for which it is intended. This reduces overall system complexity and eliminates the need to tack on additional controls downstream. Additionally, identifying priority assets up front during preparation allows IT Security leaders to focus their resources on protecting what is most important to the organization. With more up-front effort, organizations can build programs and control sets that make the most sense for their environments, rather than simply implementing a generic set of controls.
TRUE’s Managed Compliance Services include an approach to GRC that will help you meet NIST 800-37 objectives year-over-year.