Diploma in IT – Cybersecurity
Risk Management
DCY 5B
Group Assignment
Submitted by:
1. Bhogeshwar Choytun
2. Darmila Appavoo
3. Laksmi Bucha
4. Ameer Sheik Amodine
Submitted to: Mr. Ziyaad Ramdianee
TABLE OF CONTENTS
LIST OF ABBREVIATIONS & ACRONYMS....................................................................................................4
LIST OF TABLES........................................................................................................................................6
1. OVERVIEW OF RED30 TECH AEC .........................................................................................................7
1.1 KEY SERVICES PROVIDED...............................................................................................................7
1.2 AUTONOMY WITHIN RED30 TECH................................................................................................7
1.3 GEOGRAPHICAL PRESENCE ...........................................................................................................8
2. INTRODUCTION...................................................................................................................................9
2.1 BACKDROP OF RED30 TECH AEC...................................................................................................9
2.2 OPERATIONAL AUTONOMY AND KEY FOCUS ...............................................................................9
2.3 GEOGRAPHICAL PRESENCE AND IT ...............................................................................................9
2.4 DIVERSITY OF DATA AND TECHNOLOGICAL LANDSCAPE............................................................10
2.5 OPERATIONAL DYNAMICS AND KNOWN CHALLENGES ..............................................................10
2.6 STRATEGIC OUTSOURCING AND NETWORK SECURITY...............................................................10
2.7 PERSONNEL, POLICIES AND HISTORICAL AUDITS........................................................................10
2.8 COMPLIANCE MANDATE AND IMPERATIVE................................................................................11
3. SYSTEM CATEGORIZATION................................................................................................................12
4. SECURITY CONTROL ..........................................................................................................................14
4.1 SECURITY POLICY AND GOVERNANCE FRAMEWORK .................................................................14
4.2 INCIDENT RESPONSE PLAN (IRP).................................................................................................17
4.3 FLOWCHART FOR IRP ..................................................................................................................18
4.4 SET OF CONTROLS.......................................................................................................................19
5. SECURITY CONTROL IMPLEMENTATION...........................................................................................23
5.1 TIMELINE AND MILESTONES.......................................................................................................23
5.2 BUDGET.......................................................................................................................................24
6. RISK ASSESSMENT.............................................................................................................................26
6.1 THREAT SOURCES........................................................................................................................26
6.2 RISKS ASSESS...............................................................................................................................27
6.3 RISK ASSESSMENT PROCESS........................................................................................................29
6.3 TECHNIQUES ...............................................................................................................................30
6.4 TOOLS..........................................................................................................................................31
7. AUTHORIZATION...............................................................................................................................33
7.1 SYSTEM SECURITY PLAN EXAMPLE .............................................................................................33
7.2 PRIVACY PLAN.............................................................................................................................34
7.3 ASSESSMENT REPORT .................................................................................................................35
7.4 AUTHORIZATION MEMO.............................................................................................................36
8. AUTHORIZATION PACKAGES.............................................................................................................39
8.1 COMPLIANCE OF AUTHORIZATION PACKAGES...........................................................................39
8.2 SYSTEM USED..............................................................................................................................41
8.3 DEVELOPMENT OF POAMs .........................................................................................................42
8.4 MAKING AUTHORIZATION RECOMMENDATIONS ......................................................................44
8.5 PROCESS FOR PERIODIC RE-ASSESSMENT ..................................................................................45
8.6 ACCESS CONTROL........................................................................................................................47
8.7 IMPROVEMENTS OF THE AUTHORIZATION PROCESS.................................................................49
9. CONTINUOUS MONITORING ...............................................................................................................51
9.1 OBJECTIVES .................................................................................................................................52
9.2 MONITORING STRATEGY.............................................................................................................52
9.3 KEY METRICS AND REPORTING...................................................................................................52
9.4 ASSESSMENTS .............................................................................................................................52
9.5 DOCUMENTATION ......................................................................................................................53
10. CONCLUSION...................................................................................................................................54
11. REFERENCES....................................................................................................................................56
LIST OF ABBREVIATIONS & ACRONYMS
• AC - Access Control
• AD - Active Directory
• AEC - Architecture, Engineering, and Construction
• ASA - Adaptive Security Appliance
• ATO - Authorization to Operate
• AU - Audit and Accountability
• CAD - Computer-Aided Design
• CEO - Chief Executive Officer
• CFO - Chief Financial Officer
• CIA - Confidentiality, Integrity, and Availability
• CM - Configuration Management
• CMMC - Cybersecurity Maturity Model Certification
• CP - Contingency Planning
• DDoS - Distributed Denial of Service
• DFD - Data Flow Diagram
• DNS - Domain Name System
• DoS - Denial of Service
• EPP - Endpoint Protection Platform
• FIPS - Federal Information Processing Standards
• GDPR - General Data Protection Regulation
• GRC - Governance, Risk Management, and Compliance
• HIPAA - Health Insurance Portability and Accountability Act
• HR - Human Resources
• IA - Identification and Authentication
• IBM - International Business Machines Corporation
• ID - Identity
• IDS - Intrusion Detection System
• IP - Internet Protocol
• IPS - Intrusion Prevention System
• IRP - Incident Response Plan
• IT - Information Technology
• Mac - Macintosh
• MFA - Multi-Factor Authentication
• MS - Milestones
• MUR - Mauritian Rupee
• Next-Gen - Next Generation
• NIST - National Institute of Standards and Technology
• OpenVAS - Open Vulnerability Assessment System
• PC - Personal Computer
• PCI DSS - Payment Card Industry Data Security Standard
• POAMs - Plan of Action and Milestones
• RBAC - Role-Based Access Control
• RMF - Risk Management Framework
• RSA - Rivest-Shamir-Adleman
• RT - Remediation Time
• SC - Security Controls
• SecurID - Secure Identification
• SI - System and Information Integrity
• SIEM - Security Information and Event Management
• SME - Subject Matter Expert
• SP - Security Policy
• SQLi - Structured Query Language Injection
• SSID - Service Set Identifier
• TDE - Transparent Data Encryption
• Tech - Technology
• US - United States
• USD - United States Dollar
• VPN - Virtual Private Network
• XSS - Cross-Site Scripting
LIST OF TABLES
Table 1...................................................................................................................................................12
Table 2...................................................................................................................................................23
Table 3...................................................................................................................................................28
1. OVERVIEW OF RED30 TECH AEC
Red30 Tech AEC, an Architecture, Engineering, and Construction (AEC) entity, emerged as a strategic
subsidiary following Red30 Tech's milestone achievement of the tenth data center. This expansion
involved the acquisition of a firm integral to the design and construction of Red30 Tech's data
infrastructure. Motivated by a conviction that echoed CEO Oliver McNeil's sentiment, "We're already
a leader in technology. Why pay someone else to do what we're great at?", Red30 Tech AEC was
conceived to internalize and enhance the prowess of data center design and construction. The pivotal
decision to bring this capability in-house reflects a commitment to technical excellence and self-
reliance.
1.1 KEY SERVICES PROVIDED
Red30 Tech AEC distinguishes itself through a spectrum of services encompassing computer-aided
design (CAD), architecture, construction program management, and engineering. The organization
extends its services not only to corporate entities but also to government agencies across the United
States. A distinct emphasis on sustainability and scalability underscores Red30 Tech AEC's approach
to delivering services that align with evolving industry needs. The clientele spans city, state, and
federal government agencies, energy sector entities, utility companies, and esteemed educational
institutions.
1.2 AUTONOMY WITHIN RED30 TECH
Central to Red30 Tech AEC's identity is its autonomy within the Red30 Tech ecosystem. Founded on
the vision of CEO Oliver McNeil, the AEC subsidiary operates as a self-directed unit, led by Chris
Meyers, McNeil's college associate. This autonomy provides Red30 Tech AEC with the agility to
respond to the unique demands of the AEC industry. By nurturing a culture of independence, Red30
Tech AEC can tailor its operations to meet the specific needs of clients in the architecture, engineering,
and construction domains.
1.3 GEOGRAPHICAL PRESENCE
With approximately 350 employees spread across five key cities, Red30 Tech AEC strategically
positions itself for effective service delivery. The main office, situated in Reston, Virginia, serves as the
primary hub housing a substantial portion of the workforce. Additional offices in Chicago, Austin, San
Jose, and Seattle, each supported by around 60 employees, augment the organization's geographical
reach. The distribution of offices is intricately linked to Red30 Tech's data centers, ensuring a symbiotic
relationship between operational hubs and technological infrastructure.
In the subsequent sections, a detailed exploration of Red30 Tech AEC's Information Technology
infrastructure will be undertaken. This examination will shed light on the organization's robust security
measures, data management protocols, and the technological framework supporting its daily
operations. The assessment aims to provide a comprehensive understanding of Red30 Tech AEC's
unique IT landscape, addressing existing challenges and opportunities for improvement.
2. INTRODUCTION
In the ever-evolving landscape of information technology, organizations grapple with the imperative
to fortify their cyber defenses against an array of threats. This assignment embarks on a journey
through the labyrinth of cybersecurity, focusing on implementing the National Institute of Standards
and Technology (NIST) Special Publication 800-37 Risk Management Framework (RMF) for Information
Systems and Organizations. At the center of this exploration lies Red30 Tech AEC, a wholly-owned
subsidiary of Red30 Tech, which stands as a microcosm of challenges and opportunities in information
security.
2.1 BACKDROP OF RED30 TECH AEC
The genesis of Red30 Tech AEC traces back to the strategic decision of Red30 Tech to internalize the
design and construction of their data centers and offices. This move, fuelled by the visionary
leadership of CEO Oliver McNeil, aimed at consolidating its position as a technological powerhouse.
Red30 Tech AEC was conceived following the acquisition of a firm integral to the design and
construction of their data centers. As articulated by McNeil, the underlying philosophy was clear: Why
outsource what you excel at?
2.2 OPERATIONAL AUTONOMY AND KEY FOCUS
Central to Red30 Tech AEC's ethos is operational autonomy, a principle ardently championed by CEO
McNeil. Under the autonomous leadership of Chris Meyers, Red30 Tech AEC stands as a beacon of
excellence in providing computer-aided design, architecture, construction program management, and
engineering services. The organization's clientele spans a spectrum, including government agencies at
city, state, and federal levels, energy sector entities, utility companies, and prestigious universities.
Emphasizing sustainability and scalability, Red30 Tech AEC positions itself at the forefront of
technological innovation.
2.3 GEOGRAPHICAL PRESENCE AND IT
With approximately 350 employees distributed across five strategic cities, Red30 Tech AEC's main
office in Reston, Virginia, serves as the nerve center, housing a significant portion of its workforce.
Additional offices in Chicago, Austin, San Jose, and Seattle are strategically tethered to Red30 Tech
data centers. The organization's IT infrastructure mirrors its commitment to security and efficiency.
State-of-the-art physical security measures are in place across all offices and data centers, forming the
bulwark against external threats.
2.4 DIVERSITY OF DATA AND TECHNOLOGICAL LANDSCAPE
Red30 Tech AEC operates in a milieu where diverse data types are the lifeblood of its operations. From
architectural and engineering diagrams to construction project management files, client demographic
and financial data, and company financial information, the organization deals with a vast and intricate
array of information. The technological landscape is primarily grounded in Microsoft servers and PCs,
complemented by Mac computers for specialized design work. The deployment of Active Directory, a
web server, architecture applications, and robust internal cloud architecture attests to the
organization's technological sophistication.
2.5 OPERATIONAL DYNAMICS AND KNOWN CHALLENGES
The operational dynamics of Red30 Tech AEC unfold against a backdrop of remote work, facilitated by
a robust IT framework. Employees, often working remotely, access corporate systems through a
secure VPN with multifactor authentication. However, the organization grapples with known
challenges, ranging from the theft of laptops and office equipment to cybersecurity incidents such as
CryptoLocker ransomware attacks. The parent company conducts vulnerability scanning monthly but
shares only high-risk items with the AEC IT director, which leaves potential blind spots.
2.6 STRATEGIC OUTSOURCING AND NETWORK SECURITY
Strategically, Red30 Tech AEC has outsourced its email spam filter and HR applications to third-party
companies. Network security is bolstered by gateway routers and firewalls, with Cisco ASA 5525
standing guard at each location. The decentralized wireless network, while providing flexibility,
introduces the challenge of a common default SSID and password, potentially exposing the
organization to unauthorized access.
2.7 PERSONNEL, POLICIES AND HISTORICAL AUDITS
The human element in the cybersecurity equation is manifested in Red30 Tech AEC's staff. With
Draymond Jackson at the helm as the Director of IT, supported by a dedicated team, the organization
is well-staffed to tackle its IT challenges. However, historical audits have unearthed dormant accounts,
raising concerns about the effectiveness of personnel management. Furthermore, the organization
grapples with outdated IT policies, last updated in 2012, and an adherence model reliant on a 30-
minute security awareness presentation upon hiring, lacking continuous reinforcement.
2.8 COMPLIANCE MANDATE AND IMPERATIVE
The looming necessity for NIST compliance arises from mandates communicated by state and federal
government clients. The driving force behind this urgency is the Cybersecurity Maturity Model
Certification (CMMC) compliance requisite for engagements with US defense industry clients. Julie
Livingston, the CFO and head of audit at Red30 Tech AEC, cognizant of the gravity of these compliance
mandates, has engaged an independent assessor to navigate the organization through a
comprehensive assessment. This assessment aims to illuminate compliance gaps and security risks
across the organization's entire IT infrastructure, organizational structure, and operational processes.
In the chapters that follow, this report delves into the intricacies of Red30 Tech AEC's information
systems, proposing a roadmap for categorization, security control selection and implementation, risk
assessment, authorization, continuous monitoring, and meticulous documentation. The intent is not
only to achieve compliance but to fortify Red30 Tech AEC's cybersecurity posture, ensuring resilience
in the face of emerging threats.
3. SYSTEM CATEGORIZATION
The first step in implementing the RMF is to categorize Red30 Tech AEC's information systems
according to the security objectives of confidentiality, integrity, and availability. System categorization
establishes the foundation for selecting appropriate controls. This process is conducted following NIST
SP 800-60 guidelines.
First, an inventory of Red30 Tech AEC's IT assets is compiled through interviews with leadership, a
review of network diagrams, and system discovery tools. Key systems identified include:
Table 1

System Type | Description | Data Types | Data Sensitivity | Users | Location | Security Category
--- | --- | --- | --- | --- | --- | ---
Active Directory Servers | Authentication and access control | User credentials and permissions | High confidentiality | All employees | Main data centre | High
Engineering Design Servers | Store CAD files and design documents | Proprietary diagrams and plans | High confidentiality/integrity | Engineers | Design departments | High
Project Management Servers | Track project timelines and tasks | Project plans | Moderate confidentiality | Project managers | Main data centre | Moderate
Database Servers | Backend data storage | Varies by database | Moderate to high | Authorized users | Main data centre | Moderate to high
Cloud File Sharing | Collaboration on documents | Project files, documents | Moderate confidentiality | Employees | Hosted provider | Moderate
Email Servers | Corporate email system | Emails and contacts | Moderate confidentiality | All employees | Main data centre | Moderate
Web Servers | Host public-facing websites | Public information | Low confidentiality | Public internet users | Demilitarized zone | Low
VPN Servers | Remote access to internal network | Credentials | Moderate confidentiality | Remote employees | Demilitarized zone | Moderate
Employee Workstations | Desktop computing | Varies by user | Low to moderate | Individual users | Corporate offices | Low to moderate
Network Devices | Core network infrastructure | Network availability | High | Network admins | Data centres | High
Next, Red30 Tech AEC data types are classified as:
• Highly Confidential: customer data, trade secrets, and employee personal information.
• Confidential: internal memos, design documents, project plans, and contracts.
• Restricted: company directories, policies, and non-sensitive communications.
• Public: marketing content, press releases.
Confidentiality, integrity, and availability requirements are assigned to each information type based
on the potential impact should a breach occur. For example, customer data has high confidentiality
needs, while design files require high integrity. Email systems have overall high availability
requirements.
Each system is then categorized as high, moderate, or low impact using Federal Information Processing
Standard (FIPS) 199 security categories. High-impact systems process sensitive data with significant
confidentiality and integrity requirements. Moderate-impact systems support important functions but
do not handle sensitive data. Low-impact systems have limited consequences for confidentiality,
integrity, or availability breaches.
Based on data sensitivity and the criticality of systems to operations, the following impact levels were
defined:
Confidentiality:
High - Breach of sensitive customer/employee data.
Moderate - Breach of intellectual property or internal communications.
Low - Breach of publicly shared information.
Integrity:
High - Inaccurate employee personal data and financial records.
Moderate - Inaccurate internal documents or project files.
Low - Inaccurate public information.
Availability:
High - Disruption of email systems, accounting systems and design systems.
Moderate - Disruption of web servers and file sharing systems.
Low - Disruption of the public website.
In total, Red30 Tech AEC has 5 high-impact systems, 10 moderate-impact systems, and 3 low-impact
systems. The security categorization analysis provides the foundation for identifying the baseline set
of security controls from NIST SP 800-53 that each system should implement. This control analysis is
presented in the next section.
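As an added worked example (not part of the original report), the FIPS 199 high-water-mark rule applied to the systems in Table 1: each system's category is the highest of its confidentiality, integrity and availability impact levels, and that category names the NIST SP 800-53 baseline to tailor from. The per-objective levels in the sample inventory are assumptions derived from the table and the impact definitions above, with ranges such as "moderate to high" resolved to a single level.

```python
"""FIPS 199 security categorization (high-water mark) for a system inventory."""
from collections import Counter
from dataclasses import dataclass

# FIPS 199 impact levels, ordered so the maximum is the worst case.
LEVELS = {"low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class SystemEntry:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        # A range such as "moderate to high" is not a FIPS 199 level; the
        # analyst must resolve it to one level before the system can be categorized.
        for objective in OBJECTIVES:
            level = getattr(self, objective)
            if level not in LEVELS:
                raise ValueError(f"{self.name}: {objective} level {level!r} is not low/moderate/high")


def security_category(entry: SystemEntry) -> str:
    """High-water mark: the system's category is the highest of its three objective levels."""
    return max((entry.confidentiality, entry.integrity, entry.availability), key=LEVELS.__getitem__)


def fips199_notation(entry: SystemEntry) -> str:
    """Render the categorization in the SC = {(objective, LEVEL), ...} form used by FIPS 199."""
    return "SC {} = {{(confidentiality, {}), (integrity, {}), (availability, {})}}".format(
        entry.name, entry.confidentiality.upper(), entry.integrity.upper(), entry.availability.upper()
    )


def baseline_for(entry: SystemEntry) -> str:
    """NIST SP 800-53 baseline to start tailoring from; it carries the category's name."""
    return security_category(entry)


def summarize(inventory: list[SystemEntry]) -> dict[str, int]:
    """Count systems per category, the figure the report gives as high/moderate/low totals."""
    counts = Counter(security_category(entry) for entry in inventory)
    return {level: counts.get(level, 0) for level in ("high", "moderate", "low")}


# Constructed sample inventory (assumed C/I/A levels, derived from Table 1 and the
# section 3 impact definitions; not values stated by the report).
INVENTORY = [
    SystemEntry("Active Directory Servers", "high", "high", "high"),
    SystemEntry("Engineering Design Servers", "high", "high", "high"),
    SystemEntry("Project Management Servers", "moderate", "moderate", "moderate"),
    SystemEntry("Database Servers", "high", "high", "moderate"),
    SystemEntry("Cloud File Sharing", "moderate", "moderate", "moderate"),
    SystemEntry("Email Servers", "moderate", "moderate", "high"),  # high availability per section 3
    SystemEntry("Web Servers", "low", "low", "low"),
    SystemEntry("VPN Servers", "moderate", "moderate", "moderate"),
    SystemEntry("Employee Workstations", "low", "moderate", "low"),
    SystemEntry("Network Devices", "moderate", "moderate", "high"),
]

if __name__ == "__main__":
    for entry in INVENTORY:
        print(f"{fips199_notation(entry)} -> {security_category(entry)} (baseline: {baseline_for(entry)})")
    print(summarize(INVENTORY))
```

With the report's own availability definition (email systems are high availability), the high-water mark places the email servers in the high category even though their confidentiality is only moderate, so a table that rates a system by confidentiality alone will understate its baseline.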
4. SECURITY CONTROL
With Red30 Tech AEC's systems categorized according to impact levels, the next phase is selecting
appropriate security controls to protect CIA needs.
NIST SP 800-53 provides a catalogue of validated controls mapped to low, moderate, and high
baselines. The starting point is identifying the baseline control set for each system based on its
category. For example, high-impact systems require high baseline controls.
The initial control selections are then refined through tailoring to better align with Red30 Tech AEC’s
specific risks. Some enhancements are added to baseline controls for increased effectiveness. For
example:
• Enhanced authentication mechanisms (biometrics, fingerprints) for high-impact systems.
• More frequent security audits and stronger integrity-checking controls.
• Expanded logging and monitoring capabilities.
Certain controls are designated as priorities for near-term implementation considering Red30 Tech
AEC's gaps and recent incidents. These include improved access control, vulnerability management,
and data protection controls.
In total, 180 controls are selected across the 18 identified systems. The mapping of controls to systems
along with tailoring and prioritization rationale are documented in detail as part of this process.
Resource requirements, costs, and responsibilities are also estimated to support implementation
planning.
4.1 SECURITY POLICY AND GOVERNANCE FRAMEWORK
The Security Policy and Governance Framework at Red30 Tech AEC encompasses the overarching
structure, policies, procedures, and mechanisms put in place to ensure the organization's
cybersecurity posture aligns with its strategic objectives, regulatory requirements, and best practices.
This framework integrates elements of Governance, Risk, and Compliance (GRC) to provide a holistic
approach to managing cybersecurity risks.
Governance
Governance refers to the framework of policies, processes, and decision-making structures that guide
and oversee the organization's cybersecurity efforts. It involves defining roles, responsibilities, and
accountability mechanisms to ensure effective cybersecurity governance.
• Roles and Responsibilities: Clearly define the roles and responsibilities of key personnel
involved in cybersecurity governance, including executives, IT leadership, and other
stakeholders.
• Board Oversight: Establish mechanisms for board-level oversight of cybersecurity, including
regular updates on cybersecurity performance, risk exposure, and compliance.
• Cybersecurity Committee: Form a dedicated cybersecurity committee composed of senior
leadership and subject matter experts to provide strategic guidance and oversight.
• Policy Development and Review: Implement a formal process for developing, reviewing, and
updating cybersecurity policies in alignment with industry standards and regulatory
requirements.
• Performance Metrics: Define key performance indicators (KPIs) and metrics to measure the
effectiveness of cybersecurity governance and identify areas for improvement.
Risk Management
Risk management involves identifying, assessing, prioritizing, and mitigating cybersecurity risks to the
organization's assets, operations, and reputation. It encompasses processes and methodologies for
managing risks effectively.
[Figure: GRC model diagram. Governance processes draw on good governance practices, audit results and industry practices; risk management processes on internal and external risks, threats and vulnerabilities; compliance processes on laws, regulations, statutes, standards, audit results and industry practice. All three feed business operations: goals, objectives, policies, procedures, staffing and technology.]
• Risk Identification: Conduct comprehensive risk assessments to identify and prioritize
cybersecurity risks, considering internal and external threats, vulnerabilities, and potential
impacts.
• Risk Analysis: Analyze identified risks to understand their likelihood and potential impact on
the organization, taking into account business objectives, regulatory requirements, and
stakeholder expectations.
• Risk Mitigation: Develop and implement risk mitigation strategies and controls to reduce the
likelihood and impact of identified risks to an acceptable level, considering cost-benefit
analysis and resource constraints.
• Risk Monitoring and Reporting: Establish mechanisms for ongoing monitoring and reporting
of cybersecurity risks, including regular risk assessments, vulnerability scans, and incident
reporting.
• Incident Response Planning: Develop and maintain an incident response plan to ensure timely
and effective response to cybersecurity incidents, minimizing disruption to operations and
mitigating potential damages.
Compliance
Compliance involves ensuring adherence to relevant laws, regulations, standards, and internal policies
governing cybersecurity and data protection. It encompasses processes for assessing compliance,
remediation of non-compliance issues, and reporting to regulatory authorities.
• Regulatory Compliance: Identify applicable regulatory requirements and industry standards
relevant to cybersecurity, such as GDPR, HIPAA, and NIST SP 800-53, ensuring alignment with
organizational goals and objectives.
• Policy Enforcement: Implement mechanisms for enforcing compliance with cybersecurity
policies, procedures, and controls, including regular audits, reviews, and assessments.
• Training and Awareness: Provide ongoing training and awareness programs to educate
employees about cybersecurity best practices, regulatory requirements, and their roles in
compliance.
• Third-Party Risk Management: Establish processes for assessing and managing cybersecurity
risks associated with third-party vendors, contractors, and business partners, ensuring they
meet the organization's security standards and requirements.
• Documentation and Reporting: Maintain thorough documentation of compliance efforts,
including policies, procedures, assessments, and remediation activities, and report
compliance status to relevant stakeholders and regulatory authorities as required.
Overall, the Security Policy and Governance Framework at Red30 Tech AEC integrates governance,
risk management, and compliance principles to establish a robust and effective approach to
cybersecurity governance. By defining clear roles and responsibilities, implementing risk-based
strategies, and ensuring compliance with relevant regulations and standards, the organization can
enhance its cybersecurity posture and mitigate potential risks effectively.
4.2 INCIDENT RESPONSE PLAN (IRP)
Description
The following flowchart outlines the steps involved in Red30 Tech AEC's incident response plan, from
initial detection to resolution.
Incident Detection
An incident is detected through various means, such as automated monitoring systems, employee
reports, or third-party alerts.
Initial Assessment
• The IT team conducts an initial assessment of the incident to determine its severity, impact,
and scope.
• If necessary, the Incident Response Team (IRT) is activated.
Containment
• Immediate actions are taken to contain the incident and prevent further damage or
unauthorized access.
• This may involve isolating affected systems, disabling compromised accounts, or blocking
malicious network traffic.
Eradication
• The IT team works to eradicate the root cause of the incident and remove any malicious
components from the network or systems.
• This may involve deploying patches, restoring from backups, or conducting malware removal
procedures.
Recovery
• Systems and data affected by the incident are restored to their pre-incident state.
• This may involve restoring from backups, rebuilding compromised systems, or reconfiguring
network settings.
Post-Incident Review
• A thorough post-incident review is conducted to analyze the incident response process and
identify areas for improvement.
• Lessons learned are documented, and recommendations are made to enhance future incident
response efforts.
Communication and Reporting
• Throughout the incident response process, communication with stakeholders is maintained
to provide updates on the incident's status and resolution.
• Incident reports are generated and shared with relevant parties, including executive
leadership, IT staff, and external stakeholders as necessary.
Documentation and Follow-Up
• All actions taken during the incident response process are documented for compliance, audit,
and future reference purposes.
• Follow-up activities, such as security posture assessments and additional security measures,
are implemented to prevent similar incidents in the future.
4.3 FLOWCHART FOR IRP
The flowchart above provides a high-level overview of the incident response process and can be
customized further based on the specific incident response procedures and protocols established by
Red30 Tech. It also outlines the basic steps of incident response tailored to Red30 Tech's environment:
Cybersecurity Incident Detected/Reported
The incident is identified through various means, such as automated alerts, employee reports, or
system monitoring.
Assess Incident Severity
The severity of the incident is evaluated to determine its potential impact on the organization's
operations, data, and systems. This step is crucial for prioritizing the response efforts appropriately.
By evaluating the severity of the incident, Red30 Tech can allocate resources effectively and ensure
that the most critical issues are addressed promptly. High-impact incidents may require immediate
action to prevent significant disruption to operations, while low-impact incidents can be addressed
with less urgency.
Incident Response Actions Based on Severity
Different response actions are initiated based on the severity of the incident. High-impact incidents
require immediate and comprehensive response measures, while low-impact incidents may involve
more moderate actions.
Incident Resolved
Once the incident is resolved, follow-up actions are essential to ensure that the organization learns
from the incident and strengthens its defenses against future threats. This may involve conducting
post-incident reviews to identify areas for improvement, updating security policies and procedures
based on lessons learned, and providing additional training to employees to enhance awareness of
cybersecurity risks. By taking proactive measures after an incident, Red30 Tech can better protect
against similar incidents in the future and minimize the impact of potential breaches or attacks.
4.4 SET OF CONTROLS
This section documents the set of controls selected from the NIST SP 800-53 catalogue for implementation
across Red30 Tech AEC systems, together with the tailoring rationale for each control.
1. AC Account Management.
Description: Manage user accounts via workflows.
Selection/Enhancement: Selected.
Rationale: Standardize account creation, modification, disabling.
Status: Implemented.
Priority: Medium.
Owner: IT team.
Resources: AD tools, staff time.
2. AC Automated System Notification.
Description: Notify when accounts created/changed.
Selection/Enhancement: Enhanced.
Rationale: Auditing and visibility of changes.
Status: In progress.
Priority: Medium.
Owner: IT team.
Resources: SIEM, staff time.
3. AC Remote Access.
Description: Manage remote access methods.
Selection/Enhancement: Selected.
Rationale: Secure VPN, MFA for remote users.
Status: Pending.
Priority: High.
Owner: IT team.
Resources: VPN, MFA tools.
4. AU Audit Review, Analysis and Reporting.
Description: Review and act on audit logs.
Selection/Enhancement: Selected.
Rationale: Monitoring for suspicious activities.
Status: Implemented.
Priority: High.
Owner: Security team.
Resources: SIEM, staff time.
5. CM Least Functionality.
Description: Configure systems for essential capabilities only.
Selection/Enhancement: Selected.
Rationale: Reduce attack surface.
Status: In progress.
Priority: Medium.
Owner: IT team.
Resources: SME knowledge.
6. CP Information System Backup.
Description: Perform regular system backups.
Selection/Enhancement: Selected.
Rationale: Prevent permanent data loss.
Status: Implemented.
Priority: High.
Owner: IT team.
Resources: Backup tools, storage.
7. IA Policy.
Description: Establish organizational I&A policies.
Selection/Enhancement: Selected.
Rationale: Set security standards for access control.
Status: Pending.
Priority: Medium.
Owner: Security team.
Resources: Staff time.
8. Identification and Authentication.
Description: Manage identification and authentication of users.
Selection/Enhancement: Selected.
Rationale: Enforce individual unique IDs.
Status: Implemented.
Priority: High.
Owner: IT team.
Resources: Active directory, staff time.
9. IA for non-organizational users.
Description: Uniquely identify non-org users.
Selection/Enhancement: Selected.
Rationale: Control third-party/public access.
Status: In progress.
Priority: Medium.
Owner: IT team.
Resources: MFA tools, staff time.
10. SC Boundary Protection.
Description: Manage system boundary protections.
Selection/Enhancement: Selected.
Rationale: Secure network perimeter.
Status: Pending.
Priority: High.
Owner: Network team.
Resources: Firewalls, routers, staff time.
11. SI Malicious Code Protection.
Description: Implement anti-virus and anti-malware capabilities.
Selection/Enhancement: Selected.
Rationale: Block viruses, worms, trojans.
Status: Implemented.
Priority: High.
Owner: Endpoint team.
Resources: Anti-virus tools.
12. Information System Monitoring.
Description: Monitor events and activities on systems.
Selection/Enhancement: Selected.
Rationale: Detection of attacks and indicators.
Status: In progress.
Priority: Medium.
Owner: Security team.
Resources: IDS/IPS, SIEM, staff time.
5. SECURITY CONTROL IMPLEMENTATION
Once the set of 180 security controls is selected from the NIST SP 800-53 catalogue for Red30 Tech AEC's
systems, a project plan is developed to implement the controls over a 1 year timeframe.
Table 2
Roles Responsibilities
CISO Oversees entire project, provides strategic direction.
Security Analysts Perform control implementation, configuration, testing.
System Admins Provide system access, coordinate change management.
PM and Engineers Implement controls embedded in software systems.
Department Heads Enforce access restrictions, data protection.
5.1 TIMELINE AND MILESTONES
Month 1
Finalize implementation plans and begin buildout of higher priority controls.
Deploy 50 core controls for high-impact systems.
Conduct training on new access management policies.
Month 3
Complete rollout of enhanced access control mechanisms.
Complete organization-wide security awareness training program.
Update information security policies.
Month 6
Deploy data protection controls including encryption and key management.
Establish secure configuration baselines for servers and workstations.
Deploy additional 70 controls for moderate-impact systems.
Month 9
Finalize control implementation for all moderate impact systems.
Remaining control deployment and testing finalized.
Ongoing training and awareness programs in place.
Month 12
Complete deployment of the remaining controls for high-impact systems.
Continuous monitoring program initiated.
5.2 BUDGET
Software/Hardware
Next-Gen Antivirus
Select CrowdStrike, Cybereason, or SentinelOne to enhance malware prevention beyond traditional
signature-based tools to counter advanced threats.
Budget: Around 4 Million MUR
Encryption Tools
Deploy native encryption modules on databases via Oracle TDE and Microsoft TDE to protect sensitive
data at rest. Compliance requirement.
Budget: Around 2 Million MUR
SIEM Solutions
Procure Splunk, MS, and Rapid7 to collect and analyze logs for threat monitoring. There is currently no
centralized view of security data.
Budget: Around 20 Million MUR
Multi-Factor Authentication
Upgrade VPN and network perimeter from single-factor authentication to RSA SecurID / Duo Security
tokens for enhanced identity assurance.
Budget: Around 2.4 Million MUR
Endpoint Detection & Response
Invest in advanced EPP like Carbon Black Cloud to improve monitoring and response capabilities for
devices and endpoint security.
Budget: Around 3.6 Million MUR
Next-Gen Firewalls
Replace existing firewalls with Palo Alto firewalls supporting intrusion detection/prevention. Critical
network upgrade.
Budget: Around 8 Million MUR
External consulting
For specialized security expertise in designing and delivering the security awareness training content.
Budget: 4 Million MUR
Internal personnel costs
4 additional security engineers for 12 months at 800,000 MUR annual salary.
Gaps and Constraints
• Legacy systems lacking APIs for integration with modern tools.
• Proprietary platforms complicating centralized logging.
• Bring-Your-Own-Devices policies complicating endpoint control.
• Lack of funded projects to replace outdated infrastructure.
• Reliance on manual processes and lack of automation.
To address these, compensating controls will be used where possible, higher-risk gaps will be remediated
directly through point solutions, and roadmaps will be crafted for the larger modernization efforts.
Note that the original US dollar budget figures were converted to Mauritian rupees using an exchange rate
of approximately 1 USD = 40 MUR. The budget figures given are estimates.
6. RISK ASSESSMENT
With the foundational controls selected, a comprehensive risk assessment is conducted on each
system to identify threats, vulnerabilities, likelihoods, and impacts. This follows the NIST SP 800-30
methodology which guides conducting risk assessments in the context of information security. The
methodology outlined in SP 800-30 helps organizations identify, assess, and prioritize risks to their
information systems. It gives a structured and systematic approach to help organizations manage and
mitigate risks effectively. It is part of the broader framework of NIST Special Publications that guide
organizations in developing and implementing information security programs.
6.1 THREAT SOURCES
A threat source refers to any person, group, or force that has the potential to cause harm to an
information system or organization through destruction, disclosure, modification of data, or denial of
service. They are motivated and capable adversaries that seek to exploit vulnerabilities in systems,
processes or controls for financial, ideological or other gains. Threat sources analysed included
hackers, malicious insiders, untrained employees, and third-party partners.
• External Hackers - High motivation and sophistication.
• Malicious Insiders - Access to sensitive data.
• Untrained Employees - Lack of security knowledge.
• Third-Party Vendors - Connections to systems.
• Environmental Disasters - Power outages, fires, floods.
6.2 RISKS ASSESSED
Existing controls and safeguards are evaluated to determine the likelihood of a vulnerability being
exploited and the potential impact. Risk matrices with likelihood scores from 1 to 5 and impact scores
from 1 to 100 were developed for each system. An overall risk score is calculated from the matrix to
categorize risks as very high, high, moderate, or low priority.
A quantitative risk matrix is developed for each categorized system. The 5x5 matrix assesses likelihood
on a scale of 1 to 5 and impact on a scale of 1 to 100. Let's assume that:
Likelihood Rating Criteria
1 - Very Low - Exploitation highly unlikely
2 - Low - Some potential but unlikely
3 - Moderate - Possible incentive and capability
4 - High - Exploitation likely
5 - Very High - Exploitation almost certain
Impact Rating Criteria
A 100-point scale was used with the following thresholds:
1-25 - Low impact
26-50 - Moderate impact
51-75 - Significant impact
76-100 - Severe impact
• Malware attacks on endpoints.
• Unauthorized access to sensitive data.
• Disruption of business-critical applications.
• Loss or corruption of engineering design files.
• Email and network attacks on IT infrastructure.
Overall Risk Ratings
The likelihood and impact scores are multiplied to derive an overall risk score from 1 to 500. The scores
are mapped as:
1-50 - Low risk
51-150 - Moderate risk
151-350 - High risk
351-500 - Very high risk
Table 3
Threat/Vulnerability | Likelihood | Impact | Risk Score | Controls/Mitigations
Malware infection of workstations. | 4 | 50 | 200 | Anti-malware controls, patch management, user training.
Phishing attacks compromise user credentials. | 3 | 75 | 225 | Email filtering, MFA, awareness training.
Insider theft of sensitive data. | 2 | 100 | 200 | Data loss prevention controls, access controls.
Unpatched exploitable vulnerabilities. | 3 | 50 | 150 | Vulnerability scanning, centralized patch management.
DNS poisoning redirecting traffic. | 2 | 25 | 50 | DNS security controls.
Unauthorized access to confidential data. | 4 | 75 | 300 | Access management controls, and activity monitoring.
DoS attack disrupting operations. | 3 | 100 | 300 | Network protection controls, and traffic monitoring.
6.3 RISK ASSESSMENT PROCESS
The risk assessments reveal several critical areas needing improvement in Red30 Tech AEC's security
posture. Implementing the identified security controls and mitigating the high-priority risks will greatly
strengthen protections for the company's sensitive data, systems, and business operations. Ongoing
assessments will be required to continuously monitor information risk.
Identify Assets
• Inventory all information systems, data, hardware, software, facilities, people, etc.
Identify Threats
• Analyze potential threat sources including hackers, insiders, 3rd parties,
environmental factors. Consider threat agents' capabilities and motivations.
Identify Vulnerabilities
• Examine systems and processes for weaknesses that could be exploited. Review
configuration issues, gaps in controls, human errors etc.
Analyze Impacts
• Estimate the adverse impacts from loss of confidentiality, integrity and/or
availability for each asset. Consider impacts like operational disruption, financial
costs, reputational harm.
Determine Likelihoods
• Evaluate the probability that a vulnerability could be exploited by a given
threat-source.
Calculate Risk Ratings
• Derive overall risk scores by combining likelihood and impact ratings based on a
risk matrix. This helps prioritize the highest risks.
Identify Controls
• Document existing controls. Determine if additional controls are needed to
mitigate unacceptable risks.
6.3 TECHNIQUES
Asset-Focused Risk Assessment
• Develop a comprehensive inventory of information systems, hardware, data stores,
applications, networks, etc. This was completed in the system categorization section
previously.
• Analyze the sensitivity levels, business criticality, and security objectives for each asset -
confidentiality, integrity, and availability requirements.
• Identify potential threats that could impact those security objectives for each asset.
• Assess the vulnerabilities, predisposing conditions, or control gaps that could be exploited by
the threats.
• Estimate overall asset exposure based on the likelihood of threats exploiting vulnerabilities
and impact if they occurred.
Example: Email servers have high availability requirements. Potential DDoS threats could exploit
bandwidth limitations and disrupt operations.
Threat-Focused Risk Assessment
• Identify key threats like malicious external hackers, malicious insiders, errors by authorized
users, etc.
• Inventory assets that may be targets for each threat - e.g. external hackers would target
public-facing systems and VPN access.
• Analyze vulnerabilities per asset that could be leveraged by each threat type.
• Assess risk exposure of each asset-threat pairing based on ease of exploitation and impact.
Example: External hackers' threat profile has high motivation and sophistication. Web apps are targets
with known vulnerabilities. Significant risk of compromise.
Hybrid Approach
• Develop asset inventory and classify sensitivity/criticality in an asset-focused method.
• Profile key threat actors and scenarios as in the threat-focused method.
• Conduct vulnerability scans, reviews, and audits to reveal technical and process weaknesses.
• Cross-reference threats and assets to identify exposure, considering predisposing conditions.
• Calculate risk likelihood and impact scores based on vulnerabilities and threats respectively.
6.4 TOOLS
Vulnerability Scanners
• Run network vulnerability scanners like Nessus and OpenVAS against IP ranges and assets to
uncover common misconfigurations like missing patches, weak passwords, insecure
protocols, etc.
• Scan web applications with app scanners like Burp Suite and Acunetix to identify XSS, SQLi,
and business logic flaws.
• Assess endpoint security hygiene via agent scanners like Nexpose and Core Impact for
malware, missing disk encryption, and firewall policy gaps.
Risk Registers
• Document risk scenarios, likelihoods, impacts, ratings, and mitigation status in a centralized
risk register. This was started in a previous section.
• Update the register throughout the assessment process as additional risks are uncovered.
• Track progress on risk mitigation efforts like installing controls. Mark risks accepted versus
remediated.
Threat Modelling
• Create DFDs mapping data flows and touch points between users, systems, databases,
networks, etc.
• Overlay known threat types like hackers, insiders, and third parties onto DFD and analyze
potential attacks.
• Decompose high-value assets into components to assess risks at a granular level based on
threats.
Risk Matrices
• Develop a 5x5 qualitative matrix with likelihood levels from Very Low to Very High.
• Define impact scale from 1-100 based on disruption to confidentiality, integrity, and
availability.
• Map risks on matrix and colour code high, moderate, and low priority risks based on
quadrants.
GRC Platform
• Implement RSA Archer, ServiceNow, or equivalent platform to centralize risk data.
• Load risk registers, control assessments, and vulnerability scan results into the database for
unified reporting.
7. AUTHORIZATION
The final step of the RMF implementation is the formal authorization process for Red30 Tech AEC's
information systems to operate and process sensitive data. Authorization means granting access or
permission to systems or resources within an organization and decisions are based on the outputs of
the previous RMF activities including system categorizations, control selections, implementations, and
risk assessments.
7.1 SYSTEM SECURITY PLAN EXAMPLE
System Name
Red30 Tech AEC IT Infrastructure
System Identifier
RT-AEC-ITS
System Categorization
Moderate (based on system inventory and categorization analysis)
System Owner
Chris Myers, CEO of Red30 Tech AEC
Authorizing Official
Oliver McNeil, CEO of Red30 Tech parent company
Operational Status
Operational
General Description
The Red30 Tech AEC IT infrastructure supports business systems for core architecture, engineering,
and construction operations. It encompasses servers, workstations, networks, and cloud-based
services.
System Environment
The IT infrastructure spans facilities in 5 cities, including Reston VA, Chicago, Austin, San Jose, and
Seattle. It consists of Windows and macOS workstations, Windows servers, Cisco networking devices,
and Microsoft and AutoDesk applications. Physical access controls are implemented at all sites.
System Interconnections
The AEC systems connect to parent Red30 Tech environments for services like authentication, DNS,
and internet access. Cloud services like Office 365 are leveraged. Vendors access isolated development
environments.
Data and Information
The system processes proprietary engineering diagrams, financial data, customer information,
employee personal data, strategic plans, and email communications. Data sensitivity varies from high
to low.
User Roles and Responsibilities
Users include all AEC employees and contractors. Roles include technical staff, engineers, project
managers, and administrative staff. All personnel require security training.
System Architecture
The architecture consists of internal workstations and servers, DMZ infrastructure, and external cloud
services. Network protections like firewalls, IPS/IDS, proxies, and encryption are implemented.
Security Controls
Controls are selected for the AEC system based on the NIST SP 800-53 moderate baseline and tailored for
enhanced logging, encryption, and access management.
This covers the key details from the report that can be adapted to populate the System Security Plan
for the AEC IT infrastructure system. Details should be adjusted for other specific systems.
7.2 PRIVACY PLAN
Purpose and Applicability
The purpose of this Privacy Plan is to outline the policies and procedures related to privacy within the
Red30 Tech AEC IT infrastructure. This plan is applicable to all systems, processes, and activities that
involve the collection, use, and management of personal and sensitive information.
System Overview
The Red30 Tech AEC IT infrastructure supports core architecture, engineering, and construction
operations. It includes servers, workstations, networks, and cloud-based services across multiple
cities. The system processes various types of data, including proprietary engineering diagrams,
financial data, customer information, employee personal data, strategic plans, and email
communications.
Information Collection
Data collected by the system includes proprietary engineering diagrams, financial data, customer
information, employee personal data, strategic plans, and email communications. The sensitivity of
the data varies from high to low.
Data Use Limitations
The use of collected data is subject to limitations. The system ensures that data is used only for the
intended purposes, and access is restricted based on user roles and responsibilities.
Data Retention and Disposition
The system follows specific data retention and disposition policies to ensure that data is retained only
for the necessary duration and is disposed of securely when it is no longer required.
Accountability and Auditing
The system maintains accountability by defining user roles and responsibilities. Regular audits are
conducted to monitor user activities, ensuring compliance with privacy policies. The authorization
process is in place to hold individuals accountable for the systems they manage.
Privacy Risk Management
Privacy risk management involves identifying, analyzing, and mitigating potential threats and
vulnerabilities that could compromise the security of personal and sensitive information. This process
includes assessing threats, vulnerabilities, and potential impacts, as well as implementing strategies
to minimize risks.
Privacy Control Tailoring
Privacy controls are tailored based on the NIST SP 800-53 moderate baseline. The controls are selected
and enhanced for improved logging, encryption, and access management. The Privacy Plan ensures
that controls are aligned with the specific needs of the AEC IT infrastructure system.
This Privacy Plan provides a comprehensive framework for managing privacy within the Red30 Tech
AEC IT infrastructure. It aligns with industry best practices, regulatory requirements, and
organizational policies, promoting a robust and accountable approach to privacy management.
7.3 ASSESSMENT REPORT
Executive Summary
The executive summary provides a concise overview of the assessment, highlighting key findings,
recommendations, and the overall risk posture of Red30 Tech AEC's IT infrastructure. It serves as a
quick reference for stakeholders who may not have the time to delve into the full report.
Scope
The scope section defines the boundaries and objectives of the assessment. It outlines the systems,
processes, and areas of the IT infrastructure that are evaluated. In the case of Red30 Tech AEC, the
scope covers critical information systems, networks, and associated security controls.
Methodology
This section outlines the approach and methods used during the assessment. It includes details on the
tools, techniques, and procedures employed to evaluate the security controls, vulnerabilities, and
overall risk posture. The methodology ensures transparency and replicability of the assessment
process.
Findings and Recommendations
Control Deficiencies
Identify and detail deficiencies in the implemented security controls. This includes weaknesses in
access controls, encryption, monitoring systems, and any other areas where the infrastructure falls
short of established standards.
Vulnerabilities
Provide a comprehensive list of identified vulnerabilities in the IT infrastructure. These could include
software vulnerabilities, misconfigurations, or other weaknesses that could be exploited by potential
attackers.
Risks Requiring Mitigation
Assess and categorize risks based on their severity and potential impact. Provide recommendations
for mitigating these risks, including the implementation of specific security controls, patches, or
procedural changes.
Conclusions
The conclusion section summarizes the overall findings, emphasizing the most critical aspects of the
assessment. It reiterates the key risks, vulnerabilities, and control deficiencies. It may also highlight
the urgency of certain recommendations and the potential consequences if they are not addressed
promptly.
This assessment report serves as a critical document for Red30 Tech AEC, offering insights into the
current state of their IT infrastructure security. It provides a roadmap for remediation and
improvement, ensuring that the organization can strengthen its security posture and effectively
manage identified risks.
7.4 AUTHORIZATION MEMO
System Identifiers
This section includes specific information to uniquely identify the system for which the authorization
is being considered. It may contain details such as system name, version, unique identifiers, and
relevant metadata.
Example
System Name: Red30 Tech AEC Security Management System
Version: 2.1
Unique Identifier: RTAEC-SMS-2023
Metadata:
- Organization: Red30 Tech AEC
- Project Lead: [Name]
- Deployment Date: [Date]
- Criticality: High
- Location: [City, Country]
Background
The background section provides context for the authorization request. It outlines the purpose,
significance, and role of the system within the organization. This could include a brief history of the
system, its development, and its intended use.
Example
The Red30 Tech AEC Security Management System plays a crucial role in Red30 Tech AEC's operations,
serving as a comprehensive framework for managing information security. It was developed to
establish a robust and systematic approach to addressing cybersecurity risks within the organization.
The system's secure operation is integral to Red30 Tech AEC's overall mission of delivering cutting-
edge technology solutions to clients across sectors while ensuring the confidentiality, integrity, and
availability of sensitive information.
Summary of Findings
Summarize the key findings from the security assessment, risk analysis, and any other relevant
evaluations. This section provides a snapshot of the current state of the system's security posture,
highlighting critical areas that need attention or commendation.
Example
The security assessment of the Red30 Tech AEC Security Management System revealed both positive
and negative aspects. Key findings highlight areas of strength and areas that require attention to
enhance the overall security posture. Some of the critical findings include:
• Positive Aspects:
Implementation of robust access controls and encryption measures.
Effective security awareness training programs for employees.
• Negative Aspects:
Identified vulnerabilities in certain workstations with pending control enhancements.
Significant security deficiencies in a high-risk employee workstation.
Recommendation
Authorization to Operate
Clearly state the recommendation for granting authorization to operate. This recommendation is
based on the positive findings from security assessments, compliance with policies, and an overall
acceptable risk posture.
Example
Based on the positive security assessments and compliance with industry standards, it is strongly
recommended to grant full authorization to operate the Red30 Tech AEC Security Management
System. The system has demonstrated robust security controls, effective risk management, and
adherence to relevant regulations.
Denial
If applicable, provide a recommendation for denial of authorization. Clearly outline the reasons for
denial, such as severe security vulnerabilities, non-compliance with regulations, or other factors that
pose unacceptable risks.
Example
Unfortunately, due to identified vulnerabilities in a high-risk employee workstation and pending
control enhancements in certain workstations, it is recommended to deny authorization for the Red30
Tech AEC Security Management System until these issues are adequately addressed. This decision
aims to ensure that all security concerns are resolved before granting operational approval.
Interim Authorization
In cases where the system has identified issues but can operate temporarily with certain conditions,
recommend granting an interim authorization. Specify the conditions, controls, and time frame for
which the interim authorization is applicable.
Example
Considering the critical role of the system in supporting [organization's] operations and the ongoing
efforts to address identified issues, an interim authorization is recommended for the Red30 Tech AEC
Security Management System. This authorization comes with the condition that the specified control
enhancements are implemented within the next [specified time frame]. This temporary authorization
allows essential operations to continue while ensuring a focused and timely resolution to the
identified security issues.
This Authorization Memo serves as a formal document that communicates the authorization decision
for the specified system based on the findings of the security assessments and risk analysis.
8. AUTHORIZATION PACKAGES
An authorization package is compiled for each of the 18 identified Red30 Tech AEC systems. The key
components included:
• System security plan detailing the system type, scope, data classification levels, and operating
environment.
• Privacy plan outlining how personal information is protected.
• Inventory of selected security controls identified in the Security Control Selection process.
• Implementation status of controls along with plans to remediate control deficiencies.
• Results and recommendations from the Risk Assessment activity.
• Plan of action and milestones (POAM) to track remediation of weaknesses.
• Continuous monitoring strategy outlining frequency of future assessments.
8.1 COMPILATION OF AUTHORIZATION PACKAGES
Authorization packages are foundational documents that provide a comprehensive overview of the
security posture of each system within an organization. These packages serve as a reference point for
evaluating the adequacy of security measures, identifying potential risks, and making informed
authorization decisions. The components of an authorization package are outlined below:
Security Plans
Security plans outline the strategies, policies, and procedures implemented to safeguard the
confidentiality, integrity, and availability of system resources. These plans typically include:
• Access Control Mechanisms: Description of authentication methods, authorization protocols,
and access controls employed to regulate user access to system resources.
• Data Protection Measures: Explanation of encryption techniques, data masking, and other
measures used to protect sensitive information from unauthorized disclosure or modification.
• Incident Response Procedures: Protocol for responding to security incidents, including
incident detection, notification procedures, containment measures, and post-incident
analysis.
• Security Awareness Training: Overview of training programs designed to educate employees about
security best practices, data handling procedures, and their roles in maintaining a secure environment.
Risk Assessment Results
Risk assessment is a systematic process of identifying, analyzing, and evaluating potential threats and
vulnerabilities that could compromise the security of a system. The risk assessment results included
in the authorization package typically encompass:
• Threat Identification: Identification of potential threats, including malicious actors, natural
disasters, system failures, and human errors, that could adversely affect the confidentiality,
integrity, or availability of system resources.
• Vulnerability Assessment: Evaluation of system vulnerabilities, including software flaws,
misconfigurations, weak authentication mechanisms, and inadequate access controls that
could be exploited by threat actors to gain unauthorized access or disrupt system operations.
• Risk Analysis: Assessment of the likelihood and potential impact of identified threats
exploiting system vulnerabilities, leading to the determination of the overall risk level
associated with the system.
• Risk Mitigation Strategies: Recommendations for mitigating identified risks, including the
implementation of security controls, remediation of vulnerabilities, and contingency planning
to minimize the impact of security incidents.
Implementation Status
The implementation status section of the authorization package provides an overview of the current
state of security controls and measures within the system. It includes:
• Status of Security Controls: Assessment of the implementation status of security controls
outlined in the security plan, including access control mechanisms, encryption protocols,
intrusion detection systems, and monitoring tools.
• Patch Management: Status of software patching and update procedures to address known
vulnerabilities and security weaknesses promptly.
• Compliance Status: Evaluation of the system's compliance with relevant regulatory
requirements, industry standards, and organizational policies governing information security.
• Ongoing Security Activities: Overview of ongoing security activities, such as security
assessments, penetration testing, security audits, and security awareness training programs.
8.2 SYSTEM USED
The authorization packages contained detailed information about each system's security posture,
controls, risks, and monitoring needs. This provides the authorizing officials with the necessary data
to make informed authorization decisions. Having separate authorization packages for each of the 18
systems allows for tailored assessments of the risks and controls specific to that system, rather than
a one-size-fits-all approach.
The inclusion of items like the system security plan, privacy plan, control inventory, risk assessment
results, and continuous monitoring strategy in the packages provides comprehensive evidence for
authorization decisions as per NIST guidelines. The packages are submitted to the designated Red30
Tech AEC senior leadership team serving as the authorizing officials for their review and decision-
making.
The senior leadership team serving as authorizing officials indicates executive ownership and
accountability in the authorization process. Having authorizing officials scrutinize and authorize each
system enforces security discipline across the organization's IT portfolio. Their evaluation of the
authorization packages, especially the risk assessments and control statuses, enables risk-based
decisions on system authorizations.
Of the 18 systems, 15 are granted an Authority to Operate (ATO) approval by the authorizing officials.
These systems are determined to have adequate security controls in place and an acceptable risk
posture.
For 2 systems, an Interim Authorization to Operate is issued due to some pending enhancements that
required additional time for implementation. Compensating controls are established to temporarily
mitigate any residual risks.
One system is denied an ATO due to significant deficiencies identified in its security controls and
extremely high-risk posture. Operation of this system is halted until necessary controls can be
implemented to reduce risks to an acceptable level.
This breakdown demonstrates that authorization decisions aligned closely with the initial system
categorization and risk ratings. Critical high-impact systems are validated as having appropriate
controls and acceptable risks. Standard moderate systems are also approved. Only the most high-risk
system is denied authorization, enforcing security standards.
Table: Authorization decisions for the 18 systems
Systems receiving ATO (15):
• Active Directory Server
• Engineering Design Server
• Project Management Server
• Database Server
• Cloud File Sharing
• Email Server
• Web Server
• VPN Server
• 6 Employee Workstations
• Network Devices
Systems receiving Interim ATO (2):
• 2 Employee Workstations with pending control enhancements
Systems denied ATO (1):
• 1 High-risk Employee Workstation with significant security deficiencies
8.3 DEVELOPMENT OF POAMs
A Plan of Action and Milestones (POAM) is a structured document that outlines specific actions,
milestones, and timelines for addressing identified deficiencies, vulnerabilities, and risks within a
system. POAMs are instrumental in tracking remediation progress and ensuring timely
implementation of risk mitigation measures.
How are POAMs developed and utilised?
Deficiency Identification
POAMs begin with a thorough assessment of deficiencies, vulnerabilities, and weaknesses identified
during risk assessments, security audits, or compliance evaluations. Deficiencies may include:
• Unpatched Software: Identification of software vulnerabilities for which patches or updates
are not yet applied.
• Configuration Weaknesses: Discovery of misconfigured system settings, default passwords,
open ports, or unnecessary services that pose security risks.
• Access Control Issues: Identification of unauthorized access privileges, inadequate
authentication mechanisms, or excessive user permissions that could lead to unauthorized
access to sensitive data.
• Lack of Security Controls: Identification of missing or ineffective security controls, such as
firewalls, intrusion detection systems, encryption protocols, or antivirus software.
Remediation Steps
Once deficiencies are identified, POAMs delineate specific remediation steps and corrective actions
required to mitigate risks and strengthen the security posture of the system. Remediation steps may
include:
• Patch Deployment: Scheduled deployment of security patches and updates to address known
vulnerabilities and software flaws.
• Configuration Changes: Implementation of recommended configuration changes or security
enhancements to eliminate identified weaknesses and harden the system against potential
attacks.
• Access Control Review: Review and adjustment of user access privileges, roles, and
permissions to ensure the principle of least privilege is enforced and unauthorized access is
mitigated.
• Security Control Implementation: Deployment of additional security controls, such as
intrusion detection systems, data encryption, multi-factor authentication, or security
monitoring solutions, to bolster the system's defenses against cyber threats.
• Employee Training: Provision of security awareness training and education programs to
enhance employees' understanding of security risks, best practices, and their roles in
safeguarding sensitive information.
Milestones
POAMs establish clear milestones and timelines for implementing remediation activities, monitoring
progress, and tracking completion. Milestones provide a roadmap for stakeholders to gauge the
effectiveness of remediation efforts and ensure accountability. Milestones may include:
• Patch Deployment Deadlines: Specific dates by which security patches and updates must be
deployed to address critical vulnerabilities and mitigate associated risks.
• Configuration Change Implementation Dates: Scheduled timelines for implementing
recommended configuration changes or security enhancements to address identified
weaknesses.
• Training Session Schedules: Timetables for conducting security awareness training sessions
and educational workshops to educate employees about security risks and best practices.
• Compliance Deadlines: Target dates for achieving compliance with relevant regulatory
requirements, industry standards, and organizational policies governing information security.
8.4 MAKING AUTHORIZATION RECOMMENDATIONS
Authorization recommendations are informed decisions based on the evaluation of security plans, risk
assessment results, implementation status, and POAMs. These recommendations are aimed at
ensuring that the residual risk associated with the system remains acceptable and aligns with
organizational risk tolerance thresholds.
How are authorization recommendations made?
Acceptable Residual Risk
Authorization recommendations take into account the acceptable residual risk level determined by
the organization's risk management framework, policies, and risk appetite. Residual risk refers to the
level of risk that remains after implementing security controls and mitigation measures. Authorization
decisions are based on whether the residual risk falls within acceptable parameters and is consistent
with organizational objectives.
Compliance Considerations
Authorization recommendations also consider the system's compliance with relevant regulatory
requirements, industry standards, and organizational policies governing information security.
Compliance assessments ensure that the system adheres to legal and regulatory mandates, such as
GDPR, HIPAA, PCI DSS, or NIST guidelines, to protect sensitive data and mitigate legal and financial
risks.
Security Posture Evaluation
Authorization recommendations involve a holistic evaluation of the system's security posture,
including the effectiveness of implemented security controls, the progress of remediation efforts
outlined in POAMs, and the overall readiness to withstand cyber threats and security incidents.
Security posture assessments provide insights into the system's resilience, vulnerabilities, and areas
for improvement.
Risk Treatment Options
Authorization recommendations may include risk treatment options to address identified risks and
vulnerabilities effectively. Risk treatment options may include:
• Risk Mitigation: Implementation of security controls, safeguards, and countermeasures to
reduce the likelihood and impact of identified risks to an acceptable level.
• Risk Avoidance: Elimination or avoidance of high-risk activities, systems, or processes that
pose significant security threats and cannot be adequately mitigated.
• Risk Transfer: Transfer of residual risks to third-party service providers, insurers, or
contractual partners through risk-sharing agreements, insurance policies, or outsourcing
arrangements.
• Risk Acceptance: Acceptance of residual risks when the cost of mitigation outweighs the
potential impact or when residual risks fall within acceptable risk tolerance thresholds
established by the organization.
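The following Python script is an added example, not part of the assignment or any Red30 Tech AEC tooling. It models how the POAM milestones of section 8.3 and the residual-risk reasoning of this section combine into an ATO, Interim ATO, or denial recommendation. The three-level likelihood and impact scale, the control-effectiveness factor, the tolerance and denial thresholds, and the sample systems are all assumptions constructed for the demonstration.

```python
from dataclasses import dataclass, field
from datetime import date

# Ordinal likelihood/impact scale; three levels is an assumption for this example.
LEVELS = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class Milestone:
    description: str
    due: date
    completed: bool = False


@dataclass
class Poam:
    """One Plan of Action and Milestones entry for a single weakness."""
    weakness: str
    milestones: list = field(default_factory=list)
    compensating_control: str = ""   # temporary mitigation while milestones are open

    def open_items(self):
        return [m for m in self.milestones if not m.completed]

    def overdue(self, today):
        return [m for m in self.open_items() if m.due < today]


@dataclass
class System:
    name: str
    impact: str                   # "low" / "moderate" / "high"
    likelihood: str               # "low" / "moderate" / "high"
    control_effectiveness: float  # assumed share (0..1) of inherent risk removed by controls
    poams: list = field(default_factory=list)


def inherent_risk(system):
    """Likelihood x impact on the ordinal scale: 1 (low/low) .. 9 (high/high)."""
    return LEVELS[system.likelihood] * LEVELS[system.impact]


def residual_risk(system):
    """Risk that remains after the implemented controls are credited."""
    return round(inherent_risk(system) * (1 - system.control_effectiveness), 2)


def recommend(system, today, tolerance=3.0, deny_threshold=6.0):
    """Return (decision, reason) for an authorizing official.

    ATO          residual risk within tolerance
    INTERIM_ATO  residual risk above tolerance, but every open POAM item is
                 compensated and on schedule
    DENY         residual risk at/above the denial threshold, or open POAM items
                 that are overdue or lack a compensating control
    """
    rr = residual_risk(system)
    if rr >= deny_threshold:
        return "DENY", f"residual risk {rr} at or above denial threshold {deny_threshold}"
    if rr <= tolerance:
        return "ATO", f"residual risk {rr} within tolerance {tolerance}"
    overdue = [m for p in system.poams for m in p.overdue(today)]
    uncompensated = [p for p in system.poams if p.open_items() and not p.compensating_control]
    if overdue or uncompensated:
        return "DENY", f"{len(overdue)} overdue milestone(s), {len(uncompensated)} uncompensated POAM(s)"
    return "INTERIM_ATO", f"residual risk {rr} above tolerance; open milestones compensated and on schedule"


def summarize(systems, today):
    """Count decisions across a portfolio, e.g. {'ATO': 1, 'INTERIM_ATO': 1, 'DENY': 1}."""
    counts = {}
    for s in systems:
        decision, _ = recommend(s, today)
        counts[decision] = counts.get(decision, 0) + 1
    return counts


# Constructed sample portfolio (names and values are assumptions, not Red30 Tech AEC data).
TODAY = date(2024, 6, 1)
SAMPLE_SYSTEMS = [
    System("Database Server", "high", "moderate", 0.7,
           poams=[Poam("TLS not enforced for one client",
                       [Milestone("Enforce TLS on all connections", date(2024, 7, 15))],
                       compensating_control="client restricted to internal VLAN")]),
    System("Workstation-07", "moderate", "high", 0.4,
           poams=[Poam("Missing application whitelisting",
                       [Milestone("Deploy whitelisting policy", date(2024, 6, 30))],
                       compensating_control="EDR in block mode")]),
    System("Workstation-09", "moderate", "high", 0.1,
           poams=[Poam("Unpatched OS, local admin for all users",
                       [Milestone("Patch and remove local admin", date(2024, 5, 1))])]),
]

if __name__ == "__main__":
    for s in SAMPLE_SYSTEMS:
        print(s.name, *recommend(s, TODAY))
    print(summarize(SAMPLE_SYSTEMS, TODAY))
```

The order of the checks matters: a system at or above the denial threshold is refused before its POAMs are consulted, a system within tolerance receives an ATO even with open milestones (they are tracked, not blocking), and only the band in between depends on whether every open item is compensated and on schedule.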
8.5 PROCESS FOR PERIODIC RE-ASSESSMENT
Periodic reassessment is essential to ensure that authorization decisions remain relevant, effective,
and aligned with evolving threats, vulnerabilities, and organizational requirements. The process for
periodic re-assessment involves:
Review of Authorization Decisions
Periodic reviews are conducted to evaluate the effectiveness and appropriateness of existing
authorization decisions in light of changes in the threat landscape, technology environment, or
organizational priorities. Reviews may include:
• Evaluation of Security Controls: Assessment of the effectiveness of implemented security
controls, monitoring mechanisms, and incident response procedures to determine their ability
to mitigate emerging threats and vulnerabilities.
• Incident Analysis: Analysis of security incidents, breaches, and near-misses to identify
patterns, trends, and systemic weaknesses that may necessitate changes to authorization
decisions or risk treatment strategies.
• Compliance Audits: Conducting periodic compliance audits and assessments to verify
adherence to regulatory requirements, industry standards, and organizational policies
governing information security.
Identification of New Risks
Periodic reassessment involves identifying and analyzing new risks, threats, and vulnerabilities that
may have emerged since the last authorization decision was made. New risks may arise due to changes
in technology, business processes, regulatory requirements, or threat actor tactics. Identification of
new risks requires:
• Threat Intelligence Analysis: Monitoring and analysis of threat intelligence feeds, security
advisories, vulnerability disclosures, and cyber-attack reports to stay abreast of emerging
threats and trends.
• Risk Assessment Updates: Updating risk assessments to incorporate newly identified risks,
assess their potential impact, and prioritize mitigation efforts based on their severity and
likelihood of exploitation.
• Gap Analysis: Conducting gap analysis to identify deficiencies or weaknesses in existing
security controls, processes, or procedures that may expose the organization to new risks or
vulnerabilities.
Updating Authorization Decisions
Based on the results of the periodic reassessment process, authorization decisions may be updated,
modified, or revoked to reflect changes in the threat landscape, risk profile, or organizational
priorities. Updating authorization decisions involves:
• Re-evaluation of Residual Risk: Re-assessing the residual risk associated with the system in
light of newly identified risks, vulnerabilities, or changes in risk tolerance thresholds.
• Adjustment of Risk Treatment Strategies: Modifying risk treatment strategies, controls, or
safeguards to address newly identified risks or vulnerabilities effectively.
• Revision of POAMs: Updating POAMs to incorporate new remediation activities, milestones,
and timelines based on the latest risk assessment findings and security requirements.
• Documentation Updates: Updating authorization packages, security plans, and compliance
documentation to reflect changes in authorization decisions, risk treatment strategies, and
security posture.
8.6 ACCESS CONTROL
Access control refers to the selective restriction of access to a place or other resource. It regulates
who is allowed to access something, what they are allowed to do, and when they are allowed to do it.
Access is granted through identification, authentication, authorization, and accountability
mechanisms. It is a fundamental security technique for protecting physical and digital assets from
unauthorized access while enabling access for legitimate users. Proper implementation of access
control mitigates security risks and supports governance.
Some key types and examples of access control include:
Physical Access Control
Controlling physical access to buildings, rooms, facilities etc. Examples include locks, security guards,
badges, biometric scans.
Logical Access Control
Controlling access to digital systems, resources and information. Examples include usernames,
passwords, multi-factor authentication, access control lists.
Administrative Access Control
Controlling access to features, functions and settings of systems and devices. Examples include user
privileges, file permissions, root/admin rights.
Network Access Control
Controlling access to networks and network resources. Examples include firewall rules, VPNs, network
segmentation.
Operating System Access Control
Controlling access to OS resources like files/folders. Examples include permissions, encryption, group
policies.
Application Access Control
Controlling access to application features and data. Examples include role-based access control,
function-level access control.
Content Access Control
Controlling access to and use of copyrighted or sensitive content. Examples include DRM,
watermarking, digital certificates.
Time-Based Access Control
Controlling access based on time schedules or validity periods. Examples include time-bound tokens,
availability windows.
In Red30 Tech AEC's case, access controls can help mitigate several of the key risks faced by its
systems and data:
• Unauthorized access to confidential data: Strong access controls like role-based access,
multi-factor authentication, and privileged access management would limit access to only
authorized personnel.
• Malware infections: Restricting workstations from installing unauthorized software using
application whitelisting policies helps prevent malware.
• Insider theft: Separation of duties, least privilege access, and monitoring user activities
enables early detection of unauthorized actions.
• Phishing credential compromise: Requiring additional identity verification like MFA for
external logins protects against phishing.
• Unpatched vulnerabilities: Access controls that prevent regular users from installing updates
themselves enforce change management processes.
• DNS poisoning: Restricting DNS server and firewall access prevents unauthorized changes to
DNS records.
• DoS disruptions: Limiting external traffic to only designated IP ranges before reaching internal
servers helps filter volume-based DoS attacks.
Specific access control techniques that could be used to mitigate these key risks:
• Implement role-based access control (RBAC) or attribute-based access control (ABAC) to
restrict access to only required data/systems.
• Deploy multi-factor authentication (MFA) for VPN, email, workstations, and admin logins to
raise identity assurance.
• Configure firewalls and security groups to allow traffic only from designated IP ranges and
only on the required ports and protocols.
• Implement database access controls and encryption to limit and protect sensitive data.
• Utilize application whitelisting and software restriction policies on workstations.
• Monitor user activities for unauthorized access attempts and policy violations.
• Follow least privilege and separation of duties principles to limit unilateral control.
Overall, advanced access controls tuned to Red30 Tech AEC's risks would significantly improve the
organization's security posture across multiple threat vectors.
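As an added example, not code from the assignment or from Red30 Tech AEC, the Python script below shows how several of the controls listed in this section compose into one policy decision: role-based access on least-privilege grants, MFA required for external logins and for changes to privileged resources, a time-based change window for writes, and a separation-of-duties check over role assignments. The role names, resources, conflicting role pairs, change window and sample requests are all assumptions constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed RBAC policy: role -> resource -> permitted actions.
# Role and resource names are assumptions for this example.
ROLE_PERMISSIONS = {
    "engineer":        {"engineering_design": {"read", "write"}, "project_mgmt": {"read"}},
    "project_manager": {"project_mgmt": {"read", "write"}, "engineering_design": {"read"}},
    "dns_admin":       {"dns_server": {"read", "write"}},
    "firewall_admin":  {"firewall": {"read", "write"}},
}

# Resources where a change must also pass MFA, whatever the source network.
PRIVILEGED_RESOURCES = {"dns_server", "firewall", "database"}

# Role pairs one person must not hold at the same time (separation of duties).
SOD_CONFLICTS = {frozenset({"dns_admin", "firewall_admin"})}

# Time-based control: writes are permitted only inside this window (assumed change window).
WRITE_WINDOW = (time(7, 0), time(20, 0))


@dataclass
class Request:
    user: str
    roles: frozenset
    resource: str
    action: str          # "read" or "write"
    source: str          # "internal" or "external"
    mfa_verified: bool
    at: datetime


def rbac_permits(roles, resource, action):
    """Least privilege: allow only if some role explicitly grants the action."""
    return any(action in ROLE_PERMISSIONS.get(r, {}).get(resource, set()) for r in roles)


def evaluate(req):
    """Return (allowed, reason); every denial names the failed control for the audit log."""
    if req.source == "external" and not req.mfa_verified:
        return False, "external login requires MFA"
    if not rbac_permits(req.roles, req.resource, req.action):
        return False, f"no role grants {req.action} on {req.resource}"
    if req.resource in PRIVILEGED_RESOURCES and req.action == "write" and not req.mfa_verified:
        return False, f"changes to {req.resource} require MFA"
    start, end = WRITE_WINDOW
    if req.action == "write" and not (start <= req.at.time() <= end):
        return False, "writes permitted only inside the change window"
    return True, "allowed"


def sod_violations(assignments):
    """assignments: user -> set of roles. Returns users holding a conflicting role pair."""
    return sorted(u for u, roles in assignments.items()
                  if any(pair <= set(roles) for pair in SOD_CONFLICTS))


def audit(requests):
    """Evaluate a batch and return the denied ones as (user, resource, action, reason)."""
    denied = []
    for r in requests:
        ok, reason = evaluate(r)
        if not ok:
            denied.append((r.user, r.resource, r.action, reason))
    return denied


# Constructed sample requests and role assignments (invented users and events).
SAMPLE_REQUESTS = [
    Request("alice", frozenset({"engineer"}), "engineering_design", "write", "internal", False, datetime(2024, 6, 3, 10, 0)),
    Request("alice", frozenset({"engineer"}), "engineering_design", "write", "external", False, datetime(2024, 6, 3, 10, 5)),
    Request("bob", frozenset({"project_manager"}), "engineering_design", "write", "internal", True, datetime(2024, 6, 3, 11, 0)),
    Request("carol", frozenset({"dns_admin"}), "dns_server", "write", "internal", False, datetime(2024, 6, 3, 12, 0)),
    Request("carol", frozenset({"dns_admin"}), "dns_server", "write", "internal", True, datetime(2024, 6, 3, 22, 30)),
    Request("carol", frozenset({"dns_admin"}), "dns_server", "write", "internal", True, datetime(2024, 6, 3, 14, 0)),
]
SAMPLE_ASSIGNMENTS = {"alice": {"engineer"}, "carol": {"dns_admin", "firewall_admin"}}

if __name__ == "__main__":
    for entry in audit(SAMPLE_REQUESTS):
        print("DENIED", *entry)
    print("SoD violations:", sod_violations(SAMPLE_ASSIGNMENTS))
```

Each denial carries the name of the control that refused it, which is what the "monitor user activities for unauthorized access attempts and policy violations" bullet needs: the audit trail records not only that access was refused but which rule did so.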
8.7 IMPROVEMENTS OF THE AUTHORIZATION PROCESS
Some ways in which the authorization process could be improved for Red30 Tech AEC:
• Implement continuous monitoring of security controls after authorization to maintain
updated understanding of risks.
• Utilize automation to streamline compiling authorization packages from various sources like
vulnerability scans, risk registers, control dashboards etc.
• Establish formal criteria for evaluating risks and control gaps during authorization decisions to
reduce subjectivity.
• Implement formal processes for issuing interim authorizations and denials, including
compulsory compensating controls and remediation timelines.
• Require periodic reauthorization of systems, not just annual reviews, to validate controls and
risks.
• Maintain a knowledge base of previous authorization packages, decisions, and supporting
data as reference material.
• Allow authorizing officials to specify expiration periods for ATOs to prompt re-evaluation after
set periods vs open-ended.
• Update authorization documents in a centralized repository for easy access by stakeholders
vs maintaining separate packages.
• Provide training and guidance to authorizing officials on making data-driven authorization
decisions based on provided evidence.
• Involve legal/compliance teams in authorization process to ensure regulatory requirements
are consistently evaluated.
• Conduct post-assessment workshops to identify process improvement opportunities in
developing authorization packages.
• Implement formal change management procedures for systems after authorization to ensure
controls remain effective when changes are implemented.
Therefore, enhancing automation, centralization, formality, and continuous monitoring of the
authorization process will help improve oversight, efficiency, consistency and overall maturity of the
program at Red30 Tech AEC.
Moving forward, the authorizations are subject to continuous monitoring to validate that security
controls remain effective and risks are adequately managed. Annual security reviews and ongoing
assessments should be conducted to support this continued authorization process, and authorization
documentation should be updated accordingly.
9. CONTINUOUS MONITORING
Continuous monitoring at Red30 Tech AEC will provide ongoing assurance that security controls
remain effective and risks are adequately managed after systems are authorized. It will help identify
changes to systems, environments, threats, and regulatory mandates necessitating updates to
security controls, risk assessments, and ultimately authorization decisions. This enables Red30 Tech
AEC to maintain clear visibility into information risks on a continuous basis. A comprehensive
continuous monitoring strategy is developed for Red30 Tech AEC based on guidelines in NIST SP 800-
137. It consists of the following components:
Configuration management and control
Regularly inventory and track changes to hardware and software assets and configurations. Identify
unauthorized changes.
Vulnerability management
Schedule network, system, application, and database vulnerability scans. Prioritize and track
remediation of identified vulnerabilities based on severity.
Security control assessments
Annually assess security controls for each system using standards like NIST SP 800-53A to validate
control effectiveness.
Security impact analysis
Analyze the security impact of proposed changes like new systems, upgrades, workflows.
Log analysis and correlation
Centralize logging from multiple sources. Establish log retention policies. Perform log analysis to
identify anomalies.
Compliance management
Validate adherence to security policies and procedures. Perform gap analyses.
Security reporting
Develop key metrics tied to security controls like patch percentages, vulnerability trends, intrusion
detection events etc. Report to key stakeholders.
Both automated and manual processes have been defined to execute monitoring activities at the
appropriate frequencies for each system based on impact levels.
9.1 OBJECTIVES
• Maintain up-to-date understanding of security control effectiveness and risk posture.
• Identify control failures, incidents, vulnerabilities needing mitigation.
• Verify compliance with policies, standards, and regulations.
• Inform ongoing authorization decisions and system updates.
• Promote near real-time risk management vs periodic assessments.
9.2 MONITORING STRATEGY
• Leverage automated tools for centralized data collection, analysis and reporting.
• Align monitoring frequencies to system criticality and risks.
• Monitor high-value systems more frequently vs low-impact ones.
• Focus on significant control failures warranting priority mitigation.
9.3 KEY METRICS AND REPORTING
• Vulnerability scan results showing severity levels and compliance gaps.
• Patch installation status across hosts to track outdated software.
• Antivirus and malware detection events signalling endpoints at risk.
• Unauthorized access attempts and insider threat indicators.
• Performance and availability metrics for critical systems and services.
• Audit log analysis results revealing suspicious activities or access anomalies.
Automated dashboards should provide visibility into these key metrics for their different audiences
(system owners, security teams, leadership). Email/SMS alerts will notify stakeholders of significant
events or threshold breaches.
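The Python script below is an added example, not part of the assignment or of any Red30 Tech AEC tooling. It turns two of the metrics listed above into monitoring logic: unauthorized access attempts are derived from failed-login bursts in an authentication log (a sliding-window count per account), and patch installation status is summarised as a compliance percentage, with alerts raised where a threshold is breached. The log lines, the patch inventory, the host and user names, and the thresholds are all constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (invented users, documentation IP ranges).
AUTH_LOG = """\
2024-06-03T08:01:10 host=vpn01 user=alice result=FAIL src=203.0.113.5
2024-06-03T08:01:25 host=vpn01 user=alice result=FAIL src=203.0.113.5
2024-06-03T08:01:41 host=vpn01 user=alice result=FAIL src=203.0.113.5
2024-06-03T08:02:03 host=vpn01 user=alice result=FAIL src=203.0.113.5
2024-06-03T08:02:30 host=vpn01 user=alice result=FAIL src=203.0.113.5
2024-06-03T08:05:00 host=vpn01 user=alice result=SUCCESS src=203.0.113.5
2024-06-03T09:10:00 host=ad01 user=bob result=FAIL src=10.0.0.12
2024-06-03T09:30:00 host=ad01 user=bob result=FAIL src=10.0.0.12
2024-06-03T12:00:00 host=ad01 user=bob result=FAIL src=10.0.0.12
2024-06-03T12:00:05 host=mail01 user=carol result=SUCCESS src=10.0.0.20
"""

# Constructed patch inventory: host -> number of missing critical patches.
PATCH_STATUS = {"ad01": 0, "eng01": 0, "pm01": 2, "db01": 0, "mail01": 0,
                "web01": 1, "vpn01": 0, "ws01": 0, "ws02": 3, "ws03": 0}

# Alert thresholds (assumed values; in practice tuned to each system's impact level).
THRESHOLDS = {"failed_logins": 5, "failed_login_window": timedelta(minutes=5),
              "min_patch_compliance_pct": 90.0}


def parse_auth_line(line):
    """'<iso-ts> k=v k=v ...' -> dict with a datetime under 'ts'; None on malformed input."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        rec = {"ts": datetime.fromisoformat(parts[0])}
    except ValueError:
        return None
    for kv in parts[1:]:
        if "=" in kv:
            k, v = kv.split("=", 1)
            rec[k] = v
    return rec


def failed_login_bursts(lines, threshold, window):
    """Users with >= threshold FAIL events inside any sliding window; returns user -> peak count."""
    fails = defaultdict(list)
    for rec in map(parse_auth_line, lines):
        if rec and rec.get("result") == "FAIL" and "user" in rec:
            fails[rec["user"]].append(rec["ts"])
    bursts = {}
    for user, stamps in fails.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:   # shrink window from the left
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[user] = max(bursts.get(user, 0), count)
    return bursts


def patch_compliance_pct(status):
    """Percentage of hosts with no missing critical patches."""
    if not status:
        return 0.0
    compliant = sum(1 for missing in status.values() if missing == 0)
    return round(100.0 * compliant / len(status), 1)


def evaluate_metrics(log_text, status, thresholds):
    """Compute the reporting metrics and the alerts for any threshold breach."""
    lines = log_text.splitlines()
    bursts = failed_login_bursts(lines, thresholds["failed_logins"], thresholds["failed_login_window"])
    pct = patch_compliance_pct(status)
    alerts = [f"failed-login burst: user={u} count={c}" for u, c in sorted(bursts.items())]
    if pct < thresholds["min_patch_compliance_pct"]:
        alerts.append(f"patch compliance {pct}% below {thresholds['min_patch_compliance_pct']}%")
    return {"failed_login_bursts": bursts, "patch_compliance_pct": pct,
            "non_compliant_hosts": sorted(h for h, m in status.items() if m),
            "alerts": alerts}


if __name__ == "__main__":
    import json
    print(json.dumps(evaluate_metrics(AUTH_LOG, PATCH_STATUS, THRESHOLDS), indent=2))
```

In the sample data, alice's five failures fall inside 80 seconds and trip the burst rule, while bob's three failures spread over hours do not; seven of ten hosts are fully patched, so the 70% figure falls below the assumed 90% target and produces a second alert.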
9.4 ASSESSMENTS
• Monthly vulnerability scanning across servers, workstations, networks.
• Annual penetration testing to validate exploitability of findings.
• Quarterly compliance audits verifying adherence to policies and regulations.
• Post-incident assessments following major breaches or outages.
9.5 DOCUMENTATION
• Maintain centralized repository of monitoring results and assessments.
• Update authorization packages and security plans periodically.
• Track changes to environments, controls, risks to support reauthorization.
Implementing robust continuous monitoring improves visibility into threats and vulnerabilities,
verifies security control effectiveness, and facilitates ongoing authorization. This proactive approach
is essential for Red30 Tech AEC to remain secure and resilient against evolving cyber risks.
10. CONCLUSION
The implementation of NIST's Risk Management Framework enabled Red30 Tech AEC to establish a
robust cybersecurity program aligned with industry best practices. The categorization of 18 critical
information systems provides the foundation for tailored security control selection from NIST 800-53
catalogues. Controls are chosen based on impact levels and supplemented by additional
enhancements to address known risks. The comprehensive risk assessment illuminates high-priority
vulnerabilities like insufficient access control, unpatched software, and inadequate data protection.
This drove the prioritization of control implementations to mitigate the most severe risks first.
Working through the formal authorization process enforced accountability, with 15 systems granted
ATOs after review of security plans and risk evaluations by senior leadership. Two systems receive
interim authorizations pending control upgrades, while one high-risk system is denied an ATO until
deficiencies are remediated. Continuous monitoring through automated tools should provide ongoing
assurance that risks remain at acceptable levels after authorization. Any control degradation or new
vulnerability identified during assessments should inform updates to security plans and authorization
decisions.
Overall, the project significantly strengthened Red30 Tech AEC's risk management capabilities,
security posture, and resilience against threats. Applying the NIST RMF methodology instituted a
model for managing information risks based on impact, assessments, protections, and ongoing
monitoring. The program provides the foundation for Red30 Tech AEC to maintain strong security
hygiene, make risk-based decisions, adapt to new threats, and uphold its reputation as a trusted
provider of technology solutions to clients across sectors. This assessment and planning engagement
established a foundation to evolve the security program in alignment with leading practices.
Several crucial next steps for Red30 Tech AEC are identified through the RMF process, including:
• Finalizing implementation of priority security controls, especially for high-risk systems.
Ensuring all systems have adequate protections will reduce the likelihood of successful attacks.
• Remediating vulnerabilities and risks highlighted in the assessments. Proactively mitigating or
safeguarding against known weaknesses is essential.
• Strengthening policies and training around data protection and access controls. Many issues
stem from human errors and lack of security awareness.
• Enhancing monitoring and response capabilities. Quickly detecting and responding to incidents
can limit damages.
• Maintaining and refreshing system authorizations annually. This sustains visibility into changes
that may alter risk profiles.
• Continuing periodic risk assessments. New threats and vulnerabilities arise and should be
evaluated.
Adopting the RMF promotes a more proactive stance to security by requiring constant assessment
and authorization of systems based on effectiveness of controls. Sustaining focus on the core tenets
of identifying assets, selecting controls, assessing risk, and monitoring effectiveness will lead to
continual security maturation.
While meeting compliance demands is a key driver, the ultimate benefits are reducing business
disruption, safeguarding Red30 Tech AEC’s reputation, and protecting sensitive client data. With
executive buy-in, adequate resourcing, and ongoing commitment, the RMF implementation will
position Red30 Tech AEC as an industry leader in cyber risk management. This project established a
foundation, but information security must remain a priority integral to daily operations.
11. REFERENCES
Joint Task Force (2018). Risk Management Framework for Information Systems and Organizations: A
System Life Cycle Approach for Security and Privacy (NIST SP 800-37 Rev. 2). [online] csrc.nist.gov.
Available at: https://csrc.nist.gov/pubs/sp/800/37/r2/final.
Joint Task Force Transformation Initiative (2012). Guide for Conducting Risk Assessments (NIST SP
800-30 Rev. 1). [online] csrc.nist.gov. Available at: https://csrc.nist.gov/pubs/sp/800/30/r1/final.
Joint Task Force (2020). Security and Privacy Controls for Information Systems and Organizations
(NIST SP 800-53 Rev. 5). [online] csrc.nist.gov. Available at:
https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final.
Joint Task Force Transformation Initiative (2014). Assessing Security and Privacy Controls in Federal
Information Systems and Organizations: Building Effective Assessment Plans (NIST SP 800-53A Rev. 4).
[online] csrc.nist.gov. Available at: https://csrc.nist.gov/pubs/sp/800/53/a/r4/upd1/final.
Stine, K., Kissel, R., Barker, W., Fahlsing, J. and Gulick, J. (2008). Guide for Mapping Types of
Information and Information Systems to Security Categories (NIST SP 800-60 Vol. 1 Rev. 1). [online]
csrc.nist.gov. Available at: https://csrc.nist.gov/pubs/sp/800/60/v1/r1/final.
Dempsey, K., Chawla, N., Johnson, L., Johnston, R., Jones, A., Orebaugh, A., Scholl, M. and Stine, K.
(2011). Information Security Continuous Monitoring (ISCM) for Federal Information Systems and
Organizations (NIST SP 800-137). [online] csrc.nist.gov. Available at:
https://csrc.nist.gov/pubs/sp/800/137/final.
ISO - International Organization for Standardization (2019). ISO/IEC 27000:2018. [online] ISO.
Available at: https://www.iso.org/standard/73906.html.
Center for Internet Security (2023). CIS Critical Security Controls. [online] CIS. Available at:
https://www.cisecurity.org/controls.
ISACA (2019). COBIT | Control Objectives for Information Technologies. [online] Isaca.org. Available
at: https://www.isaca.org/resources/cobit.
Office for Civil Rights (OCR) (2022). The Security Rule. [online] HHS.gov. Available at:
https://www.hhs.gov/hipaa/for-professionals/security/index.html.
Wilson, M. and Hash, J. (2003). Building an Information Technology Security Awareness and Training
Program (NIST SP 800-50). [online] csrc.nist.gov. Available at:
https://csrc.nist.gov/pubs/sp/800/50/final.
Toko Jual Viagra Asli Di Malang 081229400522 COD Obat Kuat Viagra MalangToko Jual Viagra Asli Di Malang 081229400522 COD Obat Kuat Viagra Malang
Toko Jual Viagra Asli Di Malang 081229400522 COD Obat Kuat Viagra Malang
adet6151
 
一比一原版纽卡斯尔大学毕业证成绩单如何办理
一比一原版纽卡斯尔大学毕业证成绩单如何办理一比一原版纽卡斯尔大学毕业证成绩单如何办理
一比一原版纽卡斯尔大学毕业证成绩单如何办理
cyebo
 
Toko Jual Viagra Asli Di Salatiga 081229400522 Obat Kuat Viagra
Toko Jual Viagra Asli Di Salatiga 081229400522 Obat Kuat ViagraToko Jual Viagra Asli Di Salatiga 081229400522 Obat Kuat Viagra
Toko Jual Viagra Asli Di Salatiga 081229400522 Obat Kuat Viagra
adet6151
 
一比一原版麦考瑞大学毕业证成绩单如何办理
一比一原版麦考瑞大学毕业证成绩单如何办理一比一原版麦考瑞大学毕业证成绩单如何办理
一比一原版麦考瑞大学毕业证成绩单如何办理
cyebo
 
1:1原版定制利物浦大学毕业证(Liverpool毕业证)成绩单学位证书留信学历认证
1:1原版定制利物浦大学毕业证(Liverpool毕业证)成绩单学位证书留信学历认证1:1原版定制利物浦大学毕业证(Liverpool毕业证)成绩单学位证书留信学历认证
1:1原版定制利物浦大学毕业证(Liverpool毕业证)成绩单学位证书留信学历认证
ppy8zfkfm
 
如何办理滑铁卢大学毕业证(Waterloo毕业证)成绩单本科学位证原版一比一
如何办理滑铁卢大学毕业证(Waterloo毕业证)成绩单本科学位证原版一比一如何办理滑铁卢大学毕业证(Waterloo毕业证)成绩单本科学位证原版一比一
如何办理滑铁卢大学毕业证(Waterloo毕业证)成绩单本科学位证原版一比一
0uyfyq0q4
 

Recently uploaded (20)

basics of data science with application areas.pdf
basics of data science with application areas.pdfbasics of data science with application areas.pdf
basics of data science with application areas.pdf
 
Pre-ProductionImproveddsfjgndflghtgg.pptx
Pre-ProductionImproveddsfjgndflghtgg.pptxPre-ProductionImproveddsfjgndflghtgg.pptx
Pre-ProductionImproveddsfjgndflghtgg.pptx
 
AI Imagen for data-storytelling Infographics.pdf
AI Imagen for data-storytelling Infographics.pdfAI Imagen for data-storytelling Infographics.pdf
AI Imagen for data-storytelling Infographics.pdf
 
Aggregations - The Elasticsearch "GROUP BY"
Aggregations - The Elasticsearch "GROUP BY"Aggregations - The Elasticsearch "GROUP BY"
Aggregations - The Elasticsearch "GROUP BY"
 
Exploratory Data Analysis - Dilip S.pptx
Exploratory Data Analysis - Dilip S.pptxExploratory Data Analysis - Dilip S.pptx
Exploratory Data Analysis - Dilip S.pptx
 
ℂall Girls Kashmiri Gate ℂall Now Chhaya ☎ 9899900591 WhatsApp Number 24/7
ℂall Girls Kashmiri Gate ℂall Now Chhaya ☎ 9899900591 WhatsApp  Number 24/7ℂall Girls Kashmiri Gate ℂall Now Chhaya ☎ 9899900591 WhatsApp  Number 24/7
ℂall Girls Kashmiri Gate ℂall Now Chhaya ☎ 9899900591 WhatsApp Number 24/7
 
NOAM AAUG Adobe Summit 2024: Summit Slam Dunks
NOAM AAUG Adobe Summit 2024: Summit Slam DunksNOAM AAUG Adobe Summit 2024: Summit Slam Dunks
NOAM AAUG Adobe Summit 2024: Summit Slam Dunks
 
一比一原版阿德莱德大学毕业证成绩单如何办理
一比一原版阿德莱德大学毕业证成绩单如何办理一比一原版阿德莱德大学毕业证成绩单如何办理
一比一原版阿德莱德大学毕业证成绩单如何办理
 
How to Transform Clinical Trial Management with Advanced Data Analytics
How to Transform Clinical Trial Management with Advanced Data AnalyticsHow to Transform Clinical Trial Management with Advanced Data Analytics
How to Transform Clinical Trial Management with Advanced Data Analytics
 
edited gordis ebook sixth edition david d.pdf
edited gordis ebook sixth edition david d.pdfedited gordis ebook sixth edition david d.pdf
edited gordis ebook sixth edition david d.pdf
 
Data Analytics for Digital Marketing Lecture for Advanced Digital & Social Me...
Data Analytics for Digital Marketing Lecture for Advanced Digital & Social Me...Data Analytics for Digital Marketing Lecture for Advanced Digital & Social Me...
Data Analytics for Digital Marketing Lecture for Advanced Digital & Social Me...
 
社内勉強会資料  Mamba - A new era or ephemeral
社内勉強会資料   Mamba - A new era or ephemeral社内勉強会資料   Mamba - A new era or ephemeral
社内勉強会資料  Mamba - A new era or ephemeral
 
Toko Jual Viagra Asli Di Malang 081229400522 COD Obat Kuat Viagra Malang
Toko Jual Viagra Asli Di Malang 081229400522 COD Obat Kuat Viagra MalangToko Jual Viagra Asli Di Malang 081229400522 COD Obat Kuat Viagra Malang
Toko Jual Viagra Asli Di Malang 081229400522 COD Obat Kuat Viagra Malang
 
一比一原版纽卡斯尔大学毕业证成绩单如何办理
一比一原版纽卡斯尔大学毕业证成绩单如何办理一比一原版纽卡斯尔大学毕业证成绩单如何办理
一比一原版纽卡斯尔大学毕业证成绩单如何办理
 
How I opened a fake bank account and didn't go to prison
How I opened a fake bank account and didn't go to prisonHow I opened a fake bank account and didn't go to prison
How I opened a fake bank account and didn't go to prison
 
Toko Jual Viagra Asli Di Salatiga 081229400522 Obat Kuat Viagra
Toko Jual Viagra Asli Di Salatiga 081229400522 Obat Kuat ViagraToko Jual Viagra Asli Di Salatiga 081229400522 Obat Kuat Viagra
Toko Jual Viagra Asli Di Salatiga 081229400522 Obat Kuat Viagra
 
一比一原版麦考瑞大学毕业证成绩单如何办理
一比一原版麦考瑞大学毕业证成绩单如何办理一比一原版麦考瑞大学毕业证成绩单如何办理
一比一原版麦考瑞大学毕业证成绩单如何办理
 
Atlantic Grupa Case Study (Mintec Data AI)
Atlantic Grupa Case Study (Mintec Data AI)Atlantic Grupa Case Study (Mintec Data AI)
Atlantic Grupa Case Study (Mintec Data AI)
 
1:1原版定制利物浦大学毕业证(Liverpool毕业证)成绩单学位证书留信学历认证
1:1原版定制利物浦大学毕业证(Liverpool毕业证)成绩单学位证书留信学历认证1:1原版定制利物浦大学毕业证(Liverpool毕业证)成绩单学位证书留信学历认证
1:1原版定制利物浦大学毕业证(Liverpool毕业证)成绩单学位证书留信学历认证
 
如何办理滑铁卢大学毕业证(Waterloo毕业证)成绩单本科学位证原版一比一
如何办理滑铁卢大学毕业证(Waterloo毕业证)成绩单本科学位证原版一比一如何办理滑铁卢大学毕业证(Waterloo毕业证)成绩单本科学位证原版一比一
如何办理滑铁卢大学毕业证(Waterloo毕业证)成绩单本科学位证原版一比一
 

Risk Management Final.pdfououbouboubobouboub

  • 1. 1 Diploma in IT – Cybersecurity Risk Management DCY 5B Group Assignment Submitted by: Submitted to: 1. Bhogeshwar Choytun 2. Darmila Appavoo 3. Laksmi Bucha 4. Ameer Sheik Amodine Mr. Ziyaad Ramdianee
TABLE OF CONTENTS
LIST OF ABBREVIATIONS & ACRONYMS ............ 4
LIST OF TABLES ............ 6
1. OVERVIEW OF RED30 TECH AEC ............ 7
1.1 KEY SERVICES PROVIDED ............ 7
1.2 AUTONOMY WITHIN RED30 TECH ............ 7
1.3 GEOGRAPHICAL PRESENCE ............ 8
2. INTRODUCTION ............ 9
2.1 BACKDROP OF RED30 TECH AEC ............ 9
2.2 OPERATIONAL AUTONOMY AND KEY FOCUS ............ 9
2.3 GEOGRAPHICAL PRESENCE AND IT ............ 9
2.4 DIVERSITY OF DATA AND TECHNOLOGICAL LANDSCAPE ............ 10
2.5 OPERATIONAL DYNAMICS AND KNOWN CHALLENGES ............ 10
2.6 STRATEGIC OUTSOURCING AND NETWORK SECURITY ............ 10
2.7 PERSONNEL, POLICIES AND HISTORICAL AUDITS ............ 10
2.8 COMPLIANCE MANDATE AND IMPERATIVE ............ 11
3. SYSTEM CATEGORIZATION ............ 12
4. SECURITY CONTROL ............ 14
4.1 SECURITY POLICY AND GOVERNANCE FRAMEWORK ............ 14
4.2 INCIDENT RESPONSE PLAN (IRP) ............ 17
4.3 FLOWCHART FOR IRP ............ 18
4.4 SET OF CONTROLS ............ 19
5. SECURITY CONTROL IMPLEMENTATION ............ 23
5.1 TIMELINE AND MILESTONES ............ 23
5.2 BUDGET ............ 24
6. RISK ASSESSMENT ............ 26
6.1 THREAT SOURCES ............ 26
6.2 RISKS ASSESS ............ 27
6.3 RISK ASSESSMENT PROCESS ............ 29
6.3 TECHNIQUES ............ 30
6.4 TOOLS ............ 31
7. AUTHORIZATION ............ 33
7.1 SYSTEM SECURITY PLAN EXAMPLE ............ 33
7.2 PRIVACY PLAN ............ 34
7.3 ASSESSMENT REPORT ............ 35
7.4 AUTHORIZATION MEMO ............ 36
8. AUTHORIZATION PACKAGES ............ 39
8.1 COMPLIANCE OF AUTHORIZATION PACKAGES ............ 39
8.2 SYSTEM USED ............ 41
8.3 DEVELOPMENT OF POAMs ............ 42
8.4 MAKING AUTHORIZATION RECOMMENDATIONS ............ 44
8.5 PROCESS FOR PERIODIC RE-ASSESSMENT ............ 45
8.6 ACCESS CONTROL ............ 47
8.7 IMPROVEMENTS OF THE AUTHORIZATION PROCESS ............ 49
9. CONTINUOUS MONITORING ............ 51
9.1 OBJECTIVES ............ 52
9.2 MONITORING STRATEGY ............ 52
9.3 KEY METRICS AND REPORTING ............ 52
9.4 ASSESSMENTS ............ 52
9.5 DOCUMENTATION ............ 53
10. CONCLUSION ............ 54
11. REFERENCES ............ 56
LIST OF ABBREVIATIONS & ACRONYMS
• AC - Access Control
• AD - Active Directory
• AEC - Architecture, Engineering, and Construction
• ASA - Adaptive Security Appliance
• ATO - Authorization to Operate
• AU - Audit and Accountability
• CAD - Computer-Aided Design
• CEO - Chief Executive Officer
• CFO - Chief Financial Officer
• CIA - Confidentiality, Integrity, and Availability
• CM - Configuration Management
• CMMC - Cybersecurity Maturity Model Certification
• CP - Contingency Planning
• DDoS - Distributed Denial of Service
• DFD - Data Flow Diagram
• DNS - Domain Name System
• DoS - Denial of Service
• EPP - Endpoint Protection Platform
• FIPS - Federal Information Processing Standards
• GDPR - General Data Protection Regulation
• GRC - Governance, Risk Management, and Compliance
• HIPAA - Health Insurance Portability and Accountability Act
• HR - Human Resources
• IA - Identification and Authentication
• IBM - International Business Machines Corporation
• ID - Identity
• IDS - Intrusion Detection System
• IP - Internet Protocol
• IPS - Intrusion Prevention System
• IRP - Incident Response Plan
• IT - Information Technology
• Mac - Macintosh
• MFA - Multi-Factor Authentication
• MS - Milestones
• MUR - Mauritian Rupee
• Next-Gen - Next Generation
• NIST - National Institute of Standards and Technology
• OpenVAS - Open Vulnerability Assessment System
• PC - Personal Computer
• PCI DSS - Payment Card Industry Data Security Standard
• POAMs - Plan of Action and Milestones
• RBAC - Role-Based Access Control
• RMF - Risk Management Framework
• RSA - Rivest-Shamir-Adleman
• RT - Remediation Time
• SC - Security Controls
• SecurID - Secure Identification
• SI - System and Information Integrity
• SIEM - Security Information and Event Management
• SME - Subject Matter Expert
• SP - Security Policy
• SQLi - Structured Query Language Injection
• SSID - Service Set Identifier
• TDE - Transparent Data Encryption
• Tech - Technology
• US - United States
• USD - United States Dollar
• VPN - Virtual Private Network
• XSS - Cross-Site Scripting
LIST OF TABLES
Table 1 ............ 12
Table 2 ............ 23
Table 3 ............ 28
1. OVERVIEW OF RED30 TECH AEC
Red30 Tech AEC, an Architecture, Engineering, and Construction (AEC) entity, emerged as a strategic subsidiary following Red30 Tech's milestone achievement of its tenth data center. This expansion involved the acquisition of a firm integral to the design and construction of Red30 Tech's data infrastructure. Motivated by a conviction that echoed CEO Oliver McNeil's sentiment, "We're already a leader in technology. Why pay someone else to do what we're great at?", Red30 Tech AEC was conceived to internalize and enhance the prowess of data center design and construction. The pivotal decision to bring this capability in-house reflects a commitment to technical excellence and self-reliance.
1.1 KEY SERVICES PROVIDED
Red30 Tech AEC distinguishes itself through a spectrum of services encompassing computer-aided design (CAD), architecture, construction program management, and engineering. The organization extends its services not only to corporate entities but also to government agencies across the United States. A distinct emphasis on sustainability and scalability underscores Red30 Tech AEC's approach to delivering services that align with evolving industry needs. The clientele spans city, state, and federal government agencies, energy sector entities, utility companies, and esteemed educational institutions.
1.2 AUTONOMY WITHIN RED30 TECH
Central to Red30 Tech AEC's identity is its autonomy within the Red30 Tech ecosystem. Founded on the vision of CEO Oliver McNeil, the AEC subsidiary operates as a self-directed unit, led by Chris Meyers, McNeil's college associate. This autonomy provides Red30 Tech AEC with the agility to respond to the unique demands of the AEC industry. By nurturing a culture of independence, Red30 Tech AEC can tailor its operations to meet the specific needs of clients in the architecture, engineering, and construction domains.
1.3 GEOGRAPHICAL PRESENCE
With approximately 350 employees spread across five key cities, Red30 Tech AEC strategically positions itself for effective service delivery. The main office, situated in Reston, Virginia, serves as the primary hub housing a substantial portion of the workforce. Additional offices in Chicago, Austin, San Jose, and Seattle, each supported by around 60 employees, augment the organization's geographical reach. The distribution of offices is intricately linked to Red30 Tech's data centers, ensuring a symbiotic relationship between operational hubs and technological infrastructure.
In the subsequent sections, a detailed exploration of Red30 Tech AEC's Information Technology infrastructure will be undertaken. This examination will shed light on the organization's robust security measures, data management protocols, and the technological framework supporting its daily operations. The assessment aims to provide a comprehensive understanding of Red30 Tech AEC's unique IT landscape, addressing existing challenges and opportunities for improvement.
2. INTRODUCTION
In the ever-evolving landscape of information technology, organizations grapple with the imperative to fortify their cyber defenses against an array of threats. This assignment embarks on a journey through the labyrinth of cybersecurity, focusing on implementing the National Institute of Standards and Technology (NIST) Special Publication 800-37 Risk Management Framework (RMF) for Information Systems and Organizations. At the center of this exploration lies Red30 Tech AEC, a wholly-owned subsidiary of Red30 Tech, which stands as a microcosm of challenges and opportunities in information security.
2.1 BACKDROP OF RED30 TECH AEC
The genesis of Red30 Tech AEC traces back to the strategic decision of Red30 Tech to internalize the design and construction of their data centers and offices. This move, fuelled by the visionary leadership of CEO Oliver McNeil, aimed at consolidating its position as a technological powerhouse. Red30 Tech AEC was conceived following the acquisition of a firm integral to the design and construction of their data centers. As articulated by McNeil, the underlying philosophy was clear: Why outsource what you excel at?
2.2 OPERATIONAL AUTONOMY AND KEY FOCUS
Central to Red30 Tech AEC's ethos is operational autonomy, a principle ardently championed by CEO McNeil. Under the autonomous leadership of Chris Meyers, Red30 Tech AEC stands as a beacon of excellence in providing computer-aided design, architecture, construction program management, and engineering services. The organization's clientele spans a spectrum, including government agencies at city, state, and federal levels, energy sector entities, utility companies, and prestigious universities. Emphasizing sustainability and scalability, Red30 Tech AEC positions itself at the forefront of technological innovation.
2.3 GEOGRAPHICAL PRESENCE AND IT
With approximately 350 employees distributed across five strategic cities, Red30 Tech AEC's main office in Reston, Virginia, serves as the nerve center, housing a significant portion of its workforce. Additional offices in Chicago, Austin, San Jose, and Seattle are strategically tethered to Red30 Tech data centers. The organization's IT infrastructure mirrors its commitment to security and efficiency. State-of-the-art physical security measures are in place across all offices and data centers, forming the bulwark against external threats.
2.4 DIVERSITY OF DATA AND TECHNOLOGICAL LANDSCAPE
Red30 Tech AEC operates in a milieu where diverse data types are the lifeblood of its operations. From architectural and engineering diagrams to construction project management files, client demographic and financial data, and company financial information, the organization deals with a vast and intricate array of information. The technological landscape is primarily grounded in Microsoft servers and PCs, complemented by Mac computers for specialized design work. The deployment of Active Directory, a web server, architecture applications, and a robust internal cloud architecture attests to the organization's technological sophistication.
2.5 OPERATIONAL DYNAMICS AND KNOWN CHALLENGES
The operational dynamics of Red30 Tech AEC unfold against a backdrop of remote work, facilitated by a robust IT framework. Employees, often working remotely, access corporate systems through a secure VPN with multifactor authentication. However, the organization grapples with known challenges, ranging from the theft of laptops and office equipment to cybersecurity incidents such as CryptoLocker ransomware attacks. Vulnerability scanning is conducted monthly by the parent company, but only high-risk items are shared with the AEC IT director, indicative of potential blind spots.
2.6 STRATEGIC OUTSOURCING AND NETWORK SECURITY
Strategically, Red30 Tech AEC has outsourced its email spam filter and HR applications to third-party companies. Network security is bolstered by gateway routers and firewalls, with a Cisco ASA 5525 standing guard at each location. The decentralized wireless network, while providing flexibility, introduces the challenge of a common default SSID and password, potentially exposing the organization to unauthorized access.
2.7 PERSONNEL, POLICIES AND HISTORICAL AUDITS
The human element in the cybersecurity equation is manifested in Red30 Tech AEC's staff. With Draymond Jackson at the helm as the Director of IT, supported by a dedicated team, the organization is well-staffed to tackle its IT challenges. However, historical audits have unearthed dormant accounts, raising concerns about the effectiveness of personnel management. Furthermore, the organization grapples with outdated IT policies, last updated in 2012, and an adherence model reliant on a 30-minute security awareness presentation upon hiring, lacking continuous reinforcement.
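The dormant-account finding above is the kind of audit check that can be run routinely against a periodic directory export rather than discovered only during an audit. The script below is an added example and is not code from the report or from Red30 Tech AEC: the account export and its dates are constructed, the column layout is assumed, and the 90-day threshold is an assumed policy value the report does not state.

```python
"""Flag dormant enabled accounts in a directory export (added example).
The export text, account names and the 90-day threshold are constructed
assumptions; real exports come from the directory service's own tooling."""
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample export (username, enabled flag, last successful logon).
# A blank last_logon means the account has never been used.
SAMPLE_EXPORT = """\
username,enabled,last_logon
djackson,true,2024-03-01
contractor01,true,2023-06-12
svc_backup,true,
jdoe,false,2022-11-30
mlee,true,2024-02-20
"""

# Assumed policy threshold: an enabled account with no logon in this many
# days is treated as dormant and queued for review or disablement.
DORMANT_AFTER_DAYS = 90


def find_dormant_accounts(export_text, as_of, threshold_days=DORMANT_AFTER_DAYS):
    """Return usernames of enabled accounts that have never logged on or
    whose last logon is older than the threshold. Never-used accounts come
    first, then the rest from oldest logon to newest. Disabled accounts are
    skipped because they are already contained."""
    cutoff = as_of - timedelta(days=threshold_days)
    dormant = []
    for row in csv.DictReader(StringIO(export_text)):
        if row["enabled"].strip().lower() != "true":
            continue
        raw = row["last_logon"].strip()
        if not raw:
            dormant.append((None, row["username"]))
            continue
        last_logon = datetime.strptime(raw, "%Y-%m-%d")
        if last_logon < cutoff:
            dormant.append((last_logon, row["username"]))
    # Sort key: (False, ...) for never-used accounts sorts before (True, ...).
    dormant.sort(key=lambda item: (item[0] is not None, item[0] or datetime.min))
    return [name for _, name in dormant]


if __name__ == "__main__":
    for name in find_dormant_accounts(SAMPLE_EXPORT, datetime(2024, 3, 15)):
        print("dormant:", name)
```

Run against the constructed export with an as-of date of 15 March 2024, the check reports the never-used service account first and then the contractor account whose last logon is well past the 90-day window; the disabled account is ignored. The same function can be pointed at a real export by feeding it the file contents and today's date.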
2.8 COMPLIANCE MANDATE AND IMPERATIVE
The looming necessity for NIST compliance arises from mandates communicated by state and federal government clients. The driving force behind this urgency is the Cybersecurity Maturity Model Certification (CMMC) compliance requisite for engagements with US defense industry clients. Julie Livingston, the CFO and head of audit at Red30 Tech AEC, cognizant of the gravity of these compliance mandates, has engaged an independent assessor to navigate the organization through a comprehensive assessment. This assessment aims to illuminate compliance gaps and security risks across the organization's entire IT infrastructure, organizational structure, and operational processes.
In the chapters that follow, this report delves into the intricacies of Red30 Tech AEC's information systems, proposing a roadmap for categorization, security control selection and implementation, risk assessment, authorization, continuous monitoring, and meticulous documentation. The intent is not only to achieve compliance but to fortify Red30 Tech AEC's cybersecurity posture, ensuring resilience in the face of emerging threats.
3. SYSTEM CATEGORIZATION
The first step in implementing the RMF is to categorize Red30 Tech AEC's information systems according to the security objectives of confidentiality, integrity, and availability. System categorization establishes the foundation for selecting appropriate controls. This process is conducted following NIST SP 800-60 guidelines. First, an inventory of Red30 Tech AEC's IT assets is compiled through interviews with leadership, a review of network diagrams, and system discovery tools. Key systems identified include:
Table 1
System Type | Description | Data Types | Data Sensitivity | Users | Location | Security Category
Active Directory Servers | Authentication and access control | User credentials and permissions | High confidentiality | All Employees | Main Data Centre | High
Engineering Design Servers | Store CAD files and design documents | Proprietary diagrams and plans | High confidentiality/integrity | Engineers | Design Departments | High
Project Management Servers | Track project timelines and tasks | Project plans | Moderate confidentiality | Project Managers | Main Data Centre | Moderate
Database Servers | Backend data storage | Varies by database | Moderate to high | Authorized Users | Main Data Centre | Moderate to high
Cloud File Sharing | Collaboration on documents | Project files, documents | Moderate confidentiality | Employees | Hosted Provider | Moderate
Email Servers | Corporate email system | Emails and contacts | Moderate confidentiality | All Employees | Main Data Centre | Moderate
Web Servers | Host public-facing websites | Public information | Low confidentiality | Public internet users | Demilitarized Zone | Low
VPN Servers | Remote access to internal network | Credentials | Moderate confidentiality | Remote Employees | Demilitarized Zone | Moderate
Employee Workstations | Desktop computing | Varies by user | Low to moderate | Individual Users | Corporate Offices | Low to moderate
Network Devices | Core network infrastructure | Network availability | High | Network Admins | Data Centres | High
Next, Red30 Tech AEC data types are classified as:
• Highly Confidential: customer data, trade secrets, and employee personal information.
• Confidential: internal memos, design documents, project plans, and contracts.
• Restricted: company directories, policies, and non-sensitive communications.
• Public: marketing content, press releases.
Confidentiality, integrity, and availability requirements are assigned to each information type based on the potential impact level should a breach occur. For example, customer data has high confidentiality needs, while design files require high integrity. Email systems have overall high availability requirements.
Each system is then categorized as high, moderate, or low impact using Federal Information Processing Standard (FIPS) 199 security categories. High-impact systems process sensitive data with significant confidentiality and integrity requirements. Moderate-impact systems support important functions but do not handle sensitive data. Low-impact systems have limited consequences for confidentiality, integrity, or availability breaches.
Based on data sensitivity and the criticality of systems to operations, the following impact levels were defined:
Confidentiality:
• High - Breach of sensitive customer/employee data.
• Moderate - Breach of intellectual property or internal communications.
• Low - Breach of publicly shared information.
Integrity:
• High - Inaccurate employee personal data and financial records.
• Moderate - Inaccurate internal documents or project files.
• Low - Inaccurate public information.
Availability:
• High - Disruption of email systems, accounting systems and design systems.
• Moderate - Disruption of web servers and file sharing systems.
• Low - Disruption of the public website.
In total, Red30 Tech AEC has 5 high-impact systems, 10 moderate-impact systems, and 3 low-impact systems. The security categorization analysis provides the foundation for identifying the baseline set of security controls from NIST SP 800-53 that each system should implement. This control analysis is presented in the next section.
4. SECURITY CONTROL
With Red30 Tech AEC's systems categorized according to impact levels, the next phase is selecting appropriate security controls to protect confidentiality, integrity, and availability (CIA). NIST SP 800-53 provides a catalogue of validated controls mapped to low, moderate, and high baselines. The starting point is identifying the baseline control set for each system based on its category. For example, high-impact systems require high baseline controls. The initial control selections are then refined through tailoring to better align with Red30 Tech AEC's specific risks. Some enhancements are added to baseline controls for increased effectiveness. For example:
• Enhanced authentication mechanisms (biometrics, fingerprints) for high-impact systems.
• More frequent security audits and stronger integrity-checking controls.
• Expanded logging and monitoring capabilities.
Certain controls are designated as priorities for near-term implementation considering Red30 Tech AEC's gaps and recent incidents. These include improved access control, vulnerability management, and data protection controls. In total, 180 controls are selected across the 18 identified systems. The mapping of controls to systems, along with the tailoring and prioritization rationale, is documented in detail as part of this process. Resource requirements, costs, and responsibilities are also estimated to support implementation planning.
4.1 SECURITY POLICY AND GOVERNANCE FRAMEWORK
The Security Policy and Governance Framework at Red30 Tech AEC encompasses the overarching structure, policies, procedures, and mechanisms put in place to ensure the organization's cybersecurity posture aligns with its strategic objectives, regulatory requirements, and best practices. This framework integrates elements of Governance, Risk, and Compliance (GRC) to provide a holistic approach to managing cybersecurity risks.
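The FIPS 199 categorization of section 3 and the baseline selection and tailoring of section 4 can be carried out mechanically once the per-objective impact levels are agreed. The script below is an added example, not code from the report or from Red30 Tech AEC. It assumes separate confidentiality, integrity and availability levels for a subset of the Table 1 systems (the report only states an overall category, so these are constructed), and uses a small control catalogue whose identifiers and names follow NIST SP 800-53 but whose baseline assignments, tailoring list and priority set are simplified for illustration and must be checked against the current revision before use.

```python
"""FIPS 199 high-water mark categorization and NIST SP 800-53 baseline
selection with tailoring (added example). Inventory levels, the mini
control catalogue and the tailoring list are constructed assumptions."""
from collections import Counter

LEVELS = {"low": 1, "moderate": 2, "high": 3}

# Constructed sample inventory loosely based on Table 1. The separate
# (confidentiality, integrity, availability) levels are assumptions for
# this example; the report states only an overall category per system.
SYSTEMS = {
    "Active Directory Servers": ("high", "high", "high"),
    "Engineering Design Servers": ("high", "high", "moderate"),
    "Project Management Servers": ("moderate", "moderate", "moderate"),
    "Email Servers": ("moderate", "moderate", "high"),
    "Web Servers": ("low", "moderate", "low"),
    "VPN Servers": ("moderate", "moderate", "moderate"),
    "Employee Workstations": ("moderate", "low", "low"),
    "Network Devices": ("low", "moderate", "high"),
}

# Constructed mini catalogue: control -> lowest baseline that includes it.
# Identifiers and names follow NIST SP 800-53; the baseline each control
# sits in is simplified here and must be taken from the current revision.
BASELINE_CATALOGUE = {
    "AC-2 Account Management": "low",
    "AC-17 Remote Access": "low",
    "AU-2 Event Logging": "low",
    "CM-6 Configuration Settings": "low",
    "IA-2 Identification and Authentication": "low",
    "SI-2 Flaw Remediation": "low",
    "AC-2(3) Disable Accounts": "moderate",
    "AU-6 Audit Record Review, Analysis, and Reporting": "moderate",
    "SC-28 Protection of Information at Rest": "moderate",
    "SI-4 System Monitoring": "moderate",
    "AC-2(4) Automated Audit Actions": "high",
    "SI-7 Software, Firmware, and Information Integrity": "high",
}

# Tailoring from section 4: extra enhancements applied only to high-impact
# systems (labels use the report's wording, not control identifiers).
HIGH_IMPACT_ENHANCEMENTS = (
    "Enhanced authentication (biometrics)",
    "Stronger integrity checking and more frequent audits",
    "Expanded logging and monitoring",
)

# Near-term priorities from section 4: access control (AC family),
# vulnerability management (SI-2) and data protection (SC-28).
PRIORITY_PREFIXES = ("AC-", "SI-2", "SC-28")


def high_water_mark(confidentiality, integrity, availability):
    """FIPS 199 rule: a system's overall impact level is the highest level
    assigned to any of its three security objectives."""
    return max((confidentiality, integrity, availability), key=LEVELS.__getitem__)


def categorize(systems):
    """Map each system name to its overall FIPS 199 impact level."""
    return {name: high_water_mark(*cia) for name, cia in systems.items()}


def summarize(systems):
    """Count systems per impact level, as the report does in section 3."""
    return Counter(categorize(systems).values())


def baseline_controls(level):
    """Baselines are cumulative: moderate includes everything in low, and
    high includes everything in moderate."""
    return sorted(control for control, needed in BASELINE_CATALOGUE.items()
                  if LEVELS[needed] <= LEVELS[level])


def select_controls(level):
    """Baseline selection plus the two tailoring steps from section 4:
    enhancements for high-impact systems and near-term priority flags."""
    baseline = baseline_controls(level)
    tailored = list(HIGH_IMPACT_ENHANCEMENTS) if level == "high" else []
    priority = [c for c in baseline if c.startswith(PRIORITY_PREFIXES)]
    return {"baseline": baseline, "tailored": tailored, "priority": priority}


if __name__ == "__main__":
    for name, level in categorize(SYSTEMS).items():
        chosen = select_controls(level)
        print(f"{name}: {level} ({len(chosen['baseline'])} baseline controls, "
              f"{len(chosen['tailored'])} tailored, {len(chosen['priority'])} priority)")
    print("summary:", dict(summarize(SYSTEMS)))
```

The high-water mark is what turns a low-confidentiality, high-availability system such as the network devices into a high-impact system, which is why an availability-only concern still pulls in the full high baseline. Tailoring is modelled as additions on top of the baseline, never removals, which keeps the selection auditable against the catalogue.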
Governance
Governance refers to the framework of policies, processes, and decision-making structures that guide and oversee the organization's cybersecurity efforts. It involves defining roles, responsibilities, and accountability mechanisms to ensure effective cybersecurity governance.
• Roles and Responsibilities: Clearly define the roles and responsibilities of key personnel involved in cybersecurity governance, including executives, IT leadership, and other stakeholders.
• Board Oversight: Establish mechanisms for board-level oversight of cybersecurity, including regular updates on cybersecurity performance, risk exposure, and compliance.
• Cybersecurity Committee: Form a dedicated cybersecurity committee composed of senior leadership and subject matter experts to provide strategic guidance and oversight.
• Policy Development and Review: Implement a formal process for developing, reviewing, and updating cybersecurity policies in alignment with industry standards and regulatory requirements.
• Performance Metrics: Define key performance indicators (KPIs) and metrics to measure the effectiveness of cybersecurity governance and identify areas for improvement.
Risk Management
Risk management involves identifying, assessing, prioritizing, and mitigating cybersecurity risks to the organization's assets, operations, and reputation. It encompasses processes and methodologies for managing risks effectively.
[Figure: GRC model diagram. Labels: good governance practices, audit results, industry practices; internal and external risks, threats, vulnerabilities; laws, regulations, statutes, standards, audit results, industry practice; governance processes; risk management processes; compliance processes; business operations: goals, objectives, policies, procedures, staffing, technology.]
• Risk Identification: Conduct comprehensive risk assessments to identify and prioritize cybersecurity risks, considering internal and external threats, vulnerabilities, and potential impacts.
• Risk Analysis: Analyze identified risks to understand their likelihood and potential impact on the organization, taking into account business objectives, regulatory requirements, and stakeholder expectations.
• Risk Mitigation: Develop and implement risk mitigation strategies and controls to reduce the likelihood and impact of identified risks to an acceptable level, considering cost-benefit analysis and resource constraints.
• Risk Monitoring and Reporting: Establish mechanisms for ongoing monitoring and reporting of cybersecurity risks, including regular risk assessments, vulnerability scans, and incident reporting.
• Incident Response Planning: Develop and maintain an incident response plan to ensure timely and effective response to cybersecurity incidents, minimizing disruption to operations and mitigating potential damages.

Compliance

Compliance involves ensuring adherence to relevant laws, regulations, standards, and internal policies governing cybersecurity and data protection. It encompasses processes for assessing compliance, remediation of non-compliance issues, and reporting to regulatory authorities.
• Regulatory Compliance: Identify applicable regulatory requirements and industry standards relevant to cybersecurity, such as GDPR, HIPAA, and NIST SP 800-53, ensuring alignment with organizational goals and objectives.
• Policy Enforcement: Implement mechanisms for enforcing compliance with cybersecurity policies, procedures, and controls, including regular audits, reviews, and assessments.
• Training and Awareness: Provide ongoing training and awareness programs to educate employees about cybersecurity best practices, regulatory requirements, and their roles in compliance.
• Third-Party Risk Management: Establish processes for assessing and managing cybersecurity risks associated with third-party vendors, contractors, and business partners, ensuring they meet the organization's security standards and requirements.
• Documentation and Reporting: Maintain thorough documentation of compliance efforts, including policies, procedures, assessments, and remediation activities, and report compliance status to relevant stakeholders and regulatory authorities as required.

Overall, the Security Policy and Governance Framework at Red30 Tech AEC integrates governance, risk management, and compliance principles to establish a robust and effective approach to cybersecurity governance. By defining clear roles and responsibilities, implementing risk-based strategies, and ensuring compliance with relevant regulations and standards, the organization can enhance its cybersecurity posture and mitigate potential risks effectively.
4.2 INCIDENT RESPONSE PLAN (IRP)

Description
The following flowchart outlines the steps involved in Red30 Tech AEC's incident response plan, from initial detection to resolution.

Incident Detection
An incident is detected through various means, such as automated monitoring systems, employee reports, or third-party alerts.

Initial Assessment
• The IT team conducts an initial assessment of the incident to determine its severity, impact, and scope.
• If necessary, the Incident Response Team (IRT) is activated.

Containment
• Immediate actions are taken to contain the incident and prevent further damage or unauthorized access.
• This may involve isolating affected systems, disabling compromised accounts, or blocking malicious network traffic.

Eradication
• The IT team works to eradicate the root cause of the incident and remove any malicious components from the network or systems.
• This may involve deploying patches, restoring from backups, or conducting malware removal procedures.

Recovery
• Systems and data affected by the incident are restored to their pre-incident state.
• This may involve restoring from backups, rebuilding compromised systems, or reconfiguring network settings.

Post-Incident Review
• A thorough post-incident review is conducted to analyze the incident response process and identify areas for improvement.
• Lessons learned are documented, and recommendations are made to enhance future incident response efforts.

Communication and Reporting
• Throughout the incident response process, communication with stakeholders is maintained to provide updates on the incident's status and resolution.
• Incident reports are generated and shared with relevant parties, including executive leadership, IT staff, and external stakeholders as necessary.
Documentation and Follow-Up
• All actions taken during the incident response process are documented for compliance, audit, and future reference purposes.
• Follow-up activities, such as security posture assessments and additional security measures, are implemented to prevent similar incidents in the future.

4.3 FLOWCHART FOR IRP

The flowchart above provides a high-level overview of the incident response process and can be customized further based on the specific incident response procedures and protocols established by Red30 Tech. It also outlines the basic steps of incident response tailored to Red30 Tech's environment:

Cybersecurity Incident Detected/Reported
The incident is identified through various means, such as automated alerts, employee reports, or system monitoring.
Assess Incident Severity
The severity of the incident is evaluated to determine its potential impact on the organization's operations, data, and systems. This step is crucial for prioritizing the response efforts appropriately. By evaluating the severity of the incident, Red30 Tech can allocate resources effectively and ensure that the most critical issues are addressed promptly. High-impact incidents may require immediate action to prevent significant disruption to operations, while low-impact incidents can be addressed with less urgency.

Incident Response Actions Based on Severity
Different response actions are initiated based on the severity of the incident. High-impact incidents require immediate and comprehensive response measures, while low-impact incidents may involve more moderate actions.

Incident Resolved
Once the incident is resolved, follow-up actions are essential to ensure that the organization learns from the incident and strengthens its defenses against future threats. This may involve conducting post-incident reviews to identify areas for improvement, updating security policies and procedures based on lessons learned, and providing additional training to employees to enhance awareness of cybersecurity risks. By taking proactive measures after an incident, Red30 Tech can better protect against similar incidents in the future and minimize the impact of potential breaches or attacks.

4.4 SET OF CONTROLS

This section documents the set of controls selected from the NIST SP 800-53 catalogue for implementation across Red30 Tech AEC systems and includes the tailoring rationale.

1. AC Account Management
   Description: Manage user accounts via workflows.
   Selection/Enhancement: Selected.
   Rationale: Standardize account creation, modification, disabling.
   Status: Implemented.
   Priority: Medium.
   Owner: IT team.
   Resources: AD tools, staff time.

2. AC Automated System Notification
   Description: Notify when accounts are created/changed.
   Selection/Enhancement: Enhanced.
   Rationale: Auditing and visibility of changes.
   Status: In progress.
   Priority: Medium.
   Owner: IT team.
   Resources: SIEM, staff time.
3. Remote AC
   Description: Manage remote access methods.
   Selection/Enhancement: Selected.
   Rationale: Secure VPN, MFA for remote users.
   Status: Pending.
   Priority: High.
   Owner: IT team.
   Resources: VPN, MFA tools.

4. AU Audit Review, Analysis and Reporting
   Description: Review and act on audit logs.
   Selection/Enhancement: Selected.
   Rationale: Monitoring for suspicious activities.
   Status: Implemented.
   Priority: High.
   Owner: Security team.
   Resources: SIEM, staff time.

5. CM Least Functionality
   Description: Configure systems for essential capabilities only.
   Selection/Enhancement: Selected.
   Rationale: Reduce attack surface.
   Status: In progress.
   Priority: Medium.
   Owner: IT team.
   Resources: SME knowledge.

6. CP Information System Backup
   Description: Perform regular system backups.
   Selection/Enhancement: Selected.
   Rationale: Prevent permanent data loss.
   Status: Implemented.
   Priority: High.
   Owner: IT team.
   Resources: Backup tools, storage.
7. IA Policy
   Description: Establish organizational I&A policies.
   Selection/Enhancement: Selected.
   Rationale: Set security standards for access control.
   Status: Pending.
   Priority: Medium.
   Owner: Security team.
   Resources: Staff time.

8. Identification and Authentication
   Description: Manage identification and authentication of users.
   Selection/Enhancement: Selected.
   Rationale: Enforce individual unique IDs.
   Status: Implemented.
   Priority: High.
   Owner: IT team.
   Resources: Active Directory, staff time.

9. IA for Non-Organizational Users
   Description: Uniquely identify non-org users.
   Selection/Enhancement: Selected.
   Rationale: Control third-party/public access.
   Status: In progress.
   Priority: Medium.
   Owner: IT team.
   Resources: MFA tools, staff time.

10. SC Boundary Protection
   Description: Manage system boundary protections.
   Selection/Enhancement: Selected.
   Rationale: Secure network perimeter.
   Status: Pending.
   Priority: High.
   Owner: Network team.
   Resources: Firewalls, routers, staff time.
11. SI Malicious Code Protection
   Description: Implement anti-virus and anti-malware capabilities.
   Selection/Enhancement: Selected.
   Rationale: Block viruses, worms, trojans.
   Status: Implemented.
   Priority: High.
   Owner: Endpoint team.
   Resources: Anti-virus tools.

12. Information System Monitoring
   Description: Monitor events and activities on systems.
   Selection/Enhancement: Selected.
   Rationale: Detection of attacks and indicators.
   Status: In progress.
   Priority: Medium.
   Owner: Security team.
   Resources: IDS/IPS, SIEM, staff time.
5. SECURITY CONTROL IMPLEMENTATION

Once the set of 180 security controls is selected from the NIST SP 800-53 catalogue for Red30 Tech AEC's systems, a project plan is developed to implement the controls over a one-year timeframe.

Table 2
Roles | Responsibilities
CISO | Oversees entire project, provides strategic direction.
Security Analysts | Perform control implementation, configuration, testing.
System Admins | Provide system access, coordinate change management.
PM and Engineers | Implement controls embedded in software systems.
Department Heads | Enforce access restrictions, data protection.

5.1 TIMELINE AND MILESTONES

Month 1
• Finalize implementation plans and begin buildout of higher priority controls.
• Deploy 50 core controls for high-impact systems.
• Conduct training on new access management policies.

Month 3
• Complete rollout of enhanced access control mechanisms.
• Complete organization-wide security awareness training program.
• Update information security policies.

Month 6
• Deploy data protection controls including encryption and key management.
• Establish secure configuration baselines for servers and workstations.
• Deploy an additional 70 controls for moderate-impact systems.

Month 9
• Finalize control implementation for all moderate-impact systems.
• Remaining control deployment and testing finalized.
• Ongoing training and awareness programs in place.

Month 12
• Complete deployment of the remaining controls for high-impact systems.
• Continuous monitoring program initiated.
5.2 BUDGET

Software/Hardware

Next-Gen Antivirus: Select CrowdStrike, Cybereason, or SentinelOne to enhance malware prevention beyond traditional signature-based tools to counter advanced threats.
Budget: Around 4 Million MUR

Encryption Tools: Deploy native encryption modules on databases via Oracle TDE and Microsoft TDE to protect sensitive data at rest. Compliance requirement.
Budget: Around 2 Million MUR

SIEM Solutions: Procure Splunk, MS, and Rapid7 to collect and analyze logs for threat monitoring. There is currently no centralized view of security data.
Budget: Around 20 Million MUR

Multi-Factor Authentication: Upgrade VPN and network perimeter from single-factor authentication to RSA SecurID / Duo Security tokens for enhanced identity assurance.
Budget: Around 2.4 Million MUR

Endpoint Detection & Response: Invest in an advanced EPP like Carbon Black Cloud to improve monitoring and response capabilities for devices and endpoint security.
Budget: Around 3.6 Million MUR

Next-Gen Firewalls: Replace existing firewalls with Palo Alto firewalls supporting intrusion detection/prevention. Critical network upgrade.
Budget: Around 8 Million MUR

External consulting: Specialized security expertise for the design and delivery of security awareness training content.
Budget: 4 Million MUR

Internal personnel costs: 4 additional security engineers for 12 months at 800,000 MUR annual salary.
Gaps and Constraints
• Legacy systems lacking APIs for integration with modern tools.
• Proprietary platforms complicating centralized logging.
• Bring-Your-Own-Device policies complicating endpoint control.
• Lack of funded projects to replace outdated infrastructure.
• Reliance on manual processes and lack of automation.

To address these, compensating controls would be utilized where possible, higher-risk gaps would be directly remediated through point solutions, and roadmaps would be crafted for large modernization efforts.

Note that the original US dollar budget figures were converted to Mauritian rupees using an exchange rate of approximately 1 USD = 40 MUR. The budget given is an estimate.
6. RISK ASSESSMENT

With the foundational controls selected, a comprehensive risk assessment is conducted on each system to identify threats, vulnerabilities, likelihoods, and impacts. This follows the NIST SP 800-30 methodology, which guides the conduct of risk assessments in the context of information security. The methodology outlined in SP 800-30 helps organizations identify, assess, and prioritize risks to their information systems. It gives a structured and systematic approach to help organizations manage and mitigate risks effectively. It is part of the broader framework of NIST Special Publications that guide organizations in developing and implementing information security programs.

6.1 THREAT SOURCES

A threat source refers to any person, group, or force that has the potential to cause harm to an information system or organization through destruction, disclosure, modification of data, or denial of service. They are motivated and capable adversaries that seek to exploit vulnerabilities in systems, processes or controls for financial, ideological or other gains. Threat sources analysed included hackers, malicious insiders, untrained employees, and third-party partners.

Threat Source | Characteristics
External Hackers | High motivation and sophistication.
Malicious Insiders | Access to sensitive data.
Untrained Employees | Lack of security knowledge.
Third-Party Vendors | Connections to systems.
Environmental Disasters | Power outages, fires, floods.
6.2 RISKS ASSESSED

Existing controls and safeguards are evaluated to determine vulnerability likelihood and potential impacts. Risk matrices showing likelihood scores from 1 to 5 and impact scores from 1 to 100 are developed for each system. An overall risk score is calculated based on the matrix to categorize risks as very high, high, moderate, or low priorities.

A quantitative risk matrix is developed for each categorized system. The 5x5 matrix assesses likelihood on a scale of 1 to 5 and impact on a scale of 1 to 100. Let's assume that:

Likelihood Rating Criteria
1 - Very Low - Exploitation highly unlikely
2 - Low - Some potential but unlikely
3 - Moderate - Possible incentive and capability
4 - High - Exploitation likely
5 - Very High - Exploitation almost certain

Impact Rating Criteria
A 100-point scale is used with the following thresholds:
1-25 - Low impact
26-50 - Moderate impact
51-75 - Significant impact
76-100 - Severe impact

Risk scenarios assessed:
• Malware attacks on endpoints.
• Unauthorized access to sensitive data.
• Disruption of business-critical applications.
• Loss or corruption of engineering design files.
• Email and network attacks on IT infrastructure.
Overall Risk Ratings

The likelihood and impact scores are multiplied to derive an overall risk score from 1 to 500. The scores are mapped as:
1-50 - Low risk
51-150 - Moderate risk
151-350 - High risk
351-500 - Very high risk

Table 3
Threat/Vulnerability | Likelihood | Impact | Risk Score | Controls/Mitigations
Malware infection of workstations. | 4 | 50 | 200 | Anti-malware controls, patch management, user training.
Phishing attacks compromise user credentials. | 3 | 75 | 225 | Email filtering, MFA, awareness training.
Insider theft of sensitive data. | 2 | 100 | 200 | Data loss prevention controls, access controls.
Unpatched exploitable vulnerabilities. | 3 | 50 | 150 | Vulnerability scanning, centralized patch management.
DNS poisoning redirecting traffic. | 2 | 25 | 50 | DNS security controls.
Unauthorized access to confidential data. | 4 | 75 | 300 | Access management controls, and activity monitoring.
DoS attack disrupting operations. | 3 | 100 | 300 | Network protection controls, and traffic monitoring.
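The scoring scheme of sections 6.2 and Table 3, worked through in code as an added example that is not part of the report: it encodes the likelihood criteria, the impact bands and the risk bands, re-types the Table 3 rows as constructed register entries, and derives the prioritised register and a count per rating; `risk_matrix()` additionally tabulates the rating for every likelihood level against each impact band's upper bound, which is the colour-coded matrix described later under Risk Matrices. All function, class and variable names are my own.

```python
"""Risk scoring for Red30 Tech AEC's risk register: added worked example.
Likelihood 1-5 x impact 1-100 = risk score 1-500, banded as in the report.
Table 3 rows are re-typed below as constructed sample data."""
from dataclasses import dataclass

LIKELIHOOD_CRITERIA = {
    1: "Very Low - Exploitation highly unlikely",
    2: "Low - Some potential but unlikely",
    3: "Moderate - Possible incentive and capability",
    4: "High - Exploitation likely",
    5: "Very High - Exploitation almost certain",
}
# Bands as (inclusive upper bound, label): 25 -> Low, 26 -> Moderate, and so on.
IMPACT_BANDS = [(25, "Low"), (50, "Moderate"), (75, "Significant"), (100, "Severe")]
RISK_BANDS = [(50, "Low"), (150, "Moderate"), (350, "High"), (500, "Very high")]

def _band(value: int, bands: list[tuple[int, str]]) -> str:
    """Return the label of the first band whose upper bound covers value."""
    for upper, label in bands:
        if value <= upper:
            return label
    raise ValueError(f"{value} exceeds the top of the scale ({bands[-1][0]})")

def impact_rating(impact: int) -> str:
    """Map a 1-100 impact score to the report's four impact bands."""
    if not 1 <= impact <= 100:
        raise ValueError(f"impact must be 1-100, got {impact}")
    return _band(impact, IMPACT_BANDS)

def risk_score(likelihood: int, impact: int) -> int:
    """Multiply likelihood (1-5) by impact (1-100); rejects out-of-scale input."""
    if likelihood not in LIKELIHOOD_CRITERIA:
        raise ValueError(f"likelihood must be 1-5, got {likelihood}")
    impact_rating(impact)  # reuses the 1-100 range check
    return likelihood * impact

def risk_rating(score: int) -> str:
    """Map a 1-500 risk score to Low / Moderate / High / Very high."""
    if not 1 <= score <= 500:
        raise ValueError(f"risk score must be 1-500, got {score}")
    return _band(score, RISK_BANDS)

@dataclass(frozen=True)
class RiskEntry:
    """One row of the risk register: threat, scores and planned mitigations."""
    threat: str
    likelihood: int
    impact: int
    mitigations: str

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def rating(self) -> str:
        return risk_rating(self.score)

# Constructed from Table 3 of the report.
REGISTER = [
    RiskEntry("Malware infection of workstations", 4, 50,
              "Anti-malware controls, patch management, user training"),
    RiskEntry("Phishing attacks compromise user credentials", 3, 75,
              "Email filtering, MFA, awareness training"),
    RiskEntry("Insider theft of sensitive data", 2, 100,
              "Data loss prevention controls, access controls"),
    RiskEntry("Unpatched exploitable vulnerabilities", 3, 50,
              "Vulnerability scanning, centralized patch management"),
    RiskEntry("DNS poisoning redirecting traffic", 2, 25, "DNS security controls"),
    RiskEntry("Unauthorized access to confidential data", 4, 75,
              "Access management controls, activity monitoring"),
    RiskEntry("DoS attack disrupting operations", 3, 100,
              "Network protection controls, traffic monitoring"),
]

def prioritise(register: list[RiskEntry]) -> list[RiskEntry]:
    """Highest score first; sorted() is stable, so ties keep register order."""
    return sorted(register, key=lambda e: e.score, reverse=True)

def summarise(register: list[RiskEntry]) -> dict[str, int]:
    """Count entries per risk rating, e.g. {'High': 5, 'Moderate': 1, 'Low': 1}."""
    counts: dict[str, int] = {}
    for entry in register:
        counts[entry.rating] = counts.get(entry.rating, 0) + 1
    return counts

def risk_matrix() -> dict[tuple[int, int], str]:
    """Rating for each likelihood level against each impact band's upper bound."""
    return {
        (lik, upper): risk_rating(risk_score(lik, upper))
        for lik in LIKELIHOOD_CRITERIA
        for upper, _label in IMPACT_BANDS
    }

if __name__ == "__main__":
    for e in prioritise(REGISTER):
        print(f"{e.score:>3} {e.rating:<9} L={e.likelihood} I={e.impact:<3} {e.threat}")
    print(summarise(REGISTER))
```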
6.3 RISK ASSESSMENT PROCESS

The risk assessments reveal several critical areas needing improvement in Red30 Tech AEC's security posture. Implementing the identified security controls and mitigating the high-priority risks will greatly strengthen protections for the company's sensitive data, systems, and business operations. Ongoing assessments will be required to continuously monitor information risk.

Identify Assets
• Inventory all information systems, data, hardware, software, facilities, people etc.

Identify Threats
• Analyze potential threat sources including hackers, insiders, 3rd parties, environmental factors. Consider threat agents' capabilities and motivations.

Identify Vulnerabilities
• Examine systems and processes for weaknesses that could be exploited. Review configuration issues, gaps in controls, human errors etc.

Analyze Impacts
• Estimate the adverse impacts from loss of confidentiality, integrity and/or availability for each asset. Consider impacts like operational disruption, financial costs, reputational harm.

Determine Likelihoods
• Evaluate the probability that a vulnerability could be exploited by a given threat source.

Calculate Risk Ratings
• Derive overall risk scores by combining likelihood and impact ratings based on a risk matrix. This helps prioritize the highest risks.

Identify Controls
• Document existing controls. Determine if additional controls are needed to mitigate unacceptable risks.
6.3 TECHNIQUES

Asset-Focused Risk Assessment
• Develop a comprehensive inventory of information systems, hardware, data stores, applications, networks, etc. This was completed in the system categorization section previously.
• Analyze the sensitivity levels, business criticality, and security objectives for each asset: confidentiality, integrity, and availability requirements.
• Identify potential threats that could impact those security objectives for each asset.
• Assess the vulnerabilities, predisposing conditions, or control gaps that could be exploited by the threats.
• Estimate overall asset exposure based on the likelihood of threats exploiting vulnerabilities and the impact if they occurred.

Example: Email servers have high availability requirements. Potential DDoS threats could exploit bandwidth limitations and disrupt operations.

Threat-Focused Risk Assessment
• Identify key threats like malicious external hackers, malicious insiders, errors by authorized users, etc.
• Inventory assets that may be targets for each threat, e.g. external hackers would target public-facing systems and VPN access.
• Analyze vulnerabilities per asset that could be leveraged by each threat type.
• Assess risk exposure of each asset-threat pairing based on ease of exploitation and impact.

Example: The external hackers' threat profile has high motivation and sophistication. Web apps are targets with known vulnerabilities. Significant risk of compromise.
Hybrid Approach
• Develop an asset inventory and classify sensitivity/criticality as in the asset-focused method.
• Profile key threat actors and scenarios as in the threat-focused method.
• Conduct vulnerability scans, reviews, and audits to reveal technical and process weaknesses.
• Cross-reference threats and assets to identify exposure, considering predisposing conditions.
• Calculate risk likelihood and impact scores based on vulnerabilities and threats respectively.

6.4 TOOLS

Vulnerability Scanners
• Run network vulnerability scanners like Nessus and OpenVAS against IP ranges and assets to uncover common misconfigurations like missing patches, weak passwords, insecure protocols, etc.
• Scan web applications with app scanners like Burp Suite and Acunetix to identify XSS, SQLi, and business logic flaws.
• Assess endpoint security hygiene via agent scanners like Nexpose and Core Impact for malware, missing disk encryption, and firewall policy gaps.

Risk Registers
• Document risk scenarios, likelihoods, impacts, ratings, and mitigation status in a centralized risk register. This was started in a previous section.
• Update the register throughout the assessment process as additional risks are uncovered.
• Track progress on risk mitigation efforts like installing controls. Mark risks accepted versus remediated.
Threat Modelling
• Create DFDs mapping data flows and touch points between users, systems, databases, networks, etc.
• Overlay known threat types like hackers, insiders, and third parties onto the DFD and analyze potential attacks.
• Decompose high-value assets into components to assess risks at a granular level based on threats.

Risk Matrices
• Develop a 5x5 qualitative matrix with likelihood levels from Very Low to Very High.
• Define an impact scale from 1-100 based on disruption to confidentiality, integrity, and availability.
• Map risks on the matrix and colour-code high, moderate, and low priority risks based on quadrants.

GRC Platform
• Implement RSA Archer, ServiceNow, or an equivalent platform to centralize risk data.
• Load risk registers, control assessments, and vulnerability scan results into the database for unified reporting.
7. AUTHORIZATION

The final step of the RMF implementation is the formal authorization process for Red30 Tech AEC's information systems to operate and process sensitive data. Authorization means granting permission for systems to operate and process data within the organization; the decision is based on the outputs of the previous RMF activities, including system categorizations, control selections, implementations, and risk assessments.

7.1 SYSTEM SECURITY PLAN EXAMPLE

System Name: Red30 Tech AEC IT Infrastructure
System Identifier: RT-AEC-ITS
System Categorization: Moderate (based on system inventory and categorization analysis)
System Owner: Chris Myers, CEO of Red30 Tech AEC
Authorizing Official: Oliver McNeil, CEO of Red30 Tech parent company
Operational Status: Operational
General Description: The Red30 Tech AEC IT infrastructure supports business systems for core architecture, engineering, and construction operations. It encompasses servers, workstations, networks, and cloud-based services.
System Environment: The IT infrastructure spans facilities in 5 cities, including Reston VA, Chicago, Austin, San Jose, and Seattle. It consists of Windows and macOS workstations, Windows servers, Cisco networking devices, and Microsoft and AutoDesk applications. Physical access controls are implemented at all sites.
System Interconnections: The AEC systems connect to parent Red30 Tech environments for services like authentication, DNS, and internet access. Cloud services like Office 365 are leveraged. Vendors access isolated development environments.
Data and Information: The system processes proprietary engineering diagrams, financial data, customer information, employee personal data, strategic plans, and email communications. Data sensitivity varies from high to low.
User Roles and Responsibilities: Users include all AEC employees and contractors. Roles include technical staff, engineers, project managers, and administrative staff. All personnel require security training.
System Architecture: The architecture consists of internal workstations and servers, DMZ infrastructure, and external cloud services. Network protections like firewalls, IPS/IDS, proxies, and encryption are implemented.
Security Controls: Controls selected for the AEC system based on the NIST SP 800-53 moderate baseline. Tailored for enhanced logging, encryption, access management.

This covers the key details from the report that can be adapted to populate the System Security Plan for the AEC IT infrastructure system. Details should be adjusted for other specific systems.

7.2 PRIVACY PLAN

Purpose and Applicability
The purpose of this Privacy Plan is to outline the policies and procedures related to privacy within the Red30 Tech AEC IT infrastructure. This plan is applicable to all systems, processes, and activities that involve the collection, use, and management of personal and sensitive information.

System Overview
The Red30 Tech AEC IT infrastructure supports core architecture, engineering, and construction operations. It includes servers, workstations, networks, and cloud-based services across multiple cities. The system processes various types of data, including proprietary engineering diagrams, financial data, customer information, employee personal data, strategic plans, and email communications.

Information Collection
Data collected by the system includes proprietary engineering diagrams, financial data, customer information, employee personal data, strategic plans, and email communications. The sensitivity of the data varies from high to low.

Data Use Limitations
The use of collected data is subject to limitations. The system ensures that data is used only for the intended purposes, and access is restricted based on user roles and responsibilities.
Data Retention and Disposition
The system follows specific data retention and disposition policies to ensure that data is retained only for the necessary duration and is disposed of securely when it is no longer required.

Accountability and Auditing
The system maintains accountability by defining user roles and responsibilities. Regular audits are conducted to monitor user activities, ensuring compliance with privacy policies. The authorization process is in place to hold individuals accountable for the systems they manage.

Privacy Risk Management
Privacy risk management involves identifying, analyzing, and mitigating potential threats and vulnerabilities that could compromise the security of personal and sensitive information. This process includes assessing threats, vulnerabilities, and potential impacts, as well as implementing strategies to minimize risks.

Privacy Control Tailoring
Privacy controls are tailored based on the NIST SP 800-53 moderate baseline. The controls are selected and enhanced for improved logging, encryption, and access management. The Privacy Plan ensures that controls are aligned with the specific needs of the AEC IT infrastructure system.

This Privacy Plan provides a comprehensive framework for managing privacy within the Red30 Tech AEC IT infrastructure. It aligns with industry best practices, regulatory requirements, and organizational policies, promoting a robust and accountable approach to privacy management.

7.3 ASSESSMENT REPORT

Executive Summary
The executive summary provides a concise overview of the assessment, highlighting key findings, recommendations, and the overall risk posture of Red30 Tech AEC's IT infrastructure. It serves as a quick reference for stakeholders who may not have the time to delve into the full report.

Scope
The scope section defines the boundaries and objectives of the assessment. It outlines the systems, processes, and areas of the IT infrastructure that are evaluated. In the case of Red30 Tech AEC, the scope covers critical information systems, networks, and associated security controls.

Methodology
This section outlines the approach and methods used during the assessment. It includes details on the tools, techniques, and procedures employed to evaluate the security controls, vulnerabilities, and overall risk posture. The methodology ensures transparency and replicability of the assessment process.
Findings and Recommendations

Control Deficiencies
Identify and detail deficiencies in the implemented security controls. This includes weaknesses in access controls, encryption, monitoring systems, and any other areas where the infrastructure falls short of established standards.

Vulnerabilities
Provide a comprehensive list of identified vulnerabilities in the IT infrastructure. These could include software vulnerabilities, misconfigurations, or other weaknesses that could be exploited by potential attackers.

Risks Requiring Mitigation
Assess and categorize risks based on their severity and potential impact. Provide recommendations for mitigating these risks, including the implementation of specific security controls, patches, or procedural changes.

Conclusions
The conclusion section summarizes the overall findings, emphasizing the most critical aspects of the assessment. It reiterates the key risks, vulnerabilities, and control deficiencies. It may also highlight the urgency of certain recommendations and the potential consequences if they are not addressed promptly.

This assessment report serves as a critical document for Red30 Tech AEC, offering insights into the current state of their IT infrastructure security. It provides a roadmap for remediation and improvement, ensuring that the organization can strengthen its security posture and effectively manage identified risks.

7.4 AUTHORIZATION MEMO

System Identifiers
This section includes specific information to uniquely identify the system for which the authorization is being considered. It may contain details such as system name, version, unique identifiers, and relevant metadata.

Example
System Name: Red30 Tech AEC Security Management System
Version: 2.1
Unique Identifier: RTAEC-SMS-2023
Metadata:
- Organization: Red30 Tech AEC
- Project Lead: [Name]
- Deployment Date: [Date]
- Criticality: High
- Location: [City, Country]
Background
The background section provides context for the authorization request. It outlines the purpose, significance, and role of the system within the organization. This could include a brief history of the system, its development, and its intended use.

Example
The Red30 Tech AEC Security Management System plays a crucial role in Red30 Tech AEC's operations, serving as a comprehensive framework for managing information security. It was developed to establish a robust and systematic approach to addressing cybersecurity risks within the organization. The system's secure operation is integral to Red30 Tech AEC's overall mission of delivering cutting-edge technology solutions to clients across sectors while ensuring the confidentiality, integrity, and availability of sensitive information.

Summary of Findings
Summarize the key findings from the security assessment, risk analysis, and any other relevant evaluations. This section provides a snapshot of the current state of the system's security posture, highlighting critical areas that need attention or commendation.

Example
The security assessment of the Red30 Tech AEC Security Management System revealed both positive and negative aspects. Key findings highlight areas of strength and areas that require attention to enhance the overall security posture. Some of the critical findings include:
• Positive Aspects: Implementation of robust access controls and encryption measures. Effective security awareness training programs for employees.
• Negative Aspects: Identified vulnerabilities in certain workstations with pending control enhancements. Significant security deficiencies in a high-risk employee workstation.

Recommendation

Authorization to Operate
Clearly state the recommendation for granting authorization to operate. This recommendation is based on the positive findings from security assessments, compliance with policies, and an overall acceptable risk posture.

Example
Based on the positive security assessments and compliance with industry standards, it is strongly recommended to grant full authorization to operate the Red30 Tech AEC Security Management System. The system has demonstrated robust security controls, effective risk management, and adherence to relevant regulations.
  • 38. 38 Denial If applicable, provide a recommendation for denial of authorization. Clearly outline the reasons for denial, such as severe security vulnerabilities, non-compliance with regulations, or other factors that pose unacceptable risks. Example Unfortunately, due to identified vulnerabilities in a high-risk employee workstation and pending control enhancements in certain workstations, it is recommended to deny authorization for the Red30 Tech AEC Security Management System until these issues are adequately addressed. This decision aims to ensure that all security concerns are resolved before granting operational approval. Interim Authorization In cases where the system has identified issues but can operate temporarily with certain conditions, recommend granting an interim authorization. Specify the conditions, controls, and time frame for which the interim authorization is applicable. Example Considering the critical role of the system in supporting [organization's] operations and the ongoing efforts to address identified issues, an interim authorization is recommended for the Red30 Tech AEC Security Management System. This authorization comes with the condition that the specified control enhancements are implemented within the next [specified time frame]. This temporary authorization allows essential operations to continue while ensuring a focused and timely resolution to the identified security issues. This Authorization Memo serves as a formal document that communicates the authorization decision for the specified system based on the findings of the security assessments and risk analysis.
8. AUTHORIZATION PACKAGES

An authorization package is compiled for each of the 18 identified Red30 Tech AEC systems. The key components included:
• System security plan detailing the system type, scope, data classification levels, and operating environment.
• Privacy plan outlining how personal information is protected.
• Inventory of selected security controls identified in the Security Control Selection process.
• Implementation status of controls along with plans to remediate control deficiencies.
• Results and recommendations from the Risk Assessment activity.
• Plan of action and milestones (POAM) to track remediation of weaknesses.
• Continuous monitoring strategy outlining frequency of future assessments.

8.1 COMPILATION OF AUTHORIZATION PACKAGES

Authorization packages are foundational documents that provide a comprehensive overview of the security posture of each system within an organization. These packages serve as a reference point for evaluating the adequacy of security measures, identifying potential risks, and making informed authorization decisions. The components that an authorization package entails are described below.

Security Plans
Security plans outline the strategies, policies, and procedures implemented to safeguard the confidentiality, integrity, and availability of system resources. These plans typically include:
• Access Control Mechanisms: Description of authentication methods, authorization protocols, and access controls employed to regulate user access to system resources.
• Data Protection Measures: Explanation of encryption techniques, data masking, and other measures used to protect sensitive information from unauthorized disclosure or modification.
• Incident Response Procedures: Protocol for responding to security incidents, including incident detection, notification procedures, containment measures, and post-incident analysis.
• Security Awareness Training: Overview of training programs designed to educate employees about security best practices, data handling procedures, and their roles in maintaining a secure environment.
Risk Assessment Results
Risk assessment is a systematic process of identifying, analyzing, and evaluating potential threats and vulnerabilities that could compromise the security of a system. The risk assessment results included in the authorization package typically encompass:
• Threat Identification: Identification of potential threats, including malicious actors, natural disasters, system failures, and human errors, that could adversely affect the confidentiality, integrity, or availability of system resources.
• Vulnerability Assessment: Evaluation of system vulnerabilities, including software flaws, misconfigurations, weak authentication mechanisms, and inadequate access controls that could be exploited by threat actors to gain unauthorized access or disrupt system operations.
• Risk Analysis: Assessment of the likelihood and potential impact of identified threats exploiting system vulnerabilities, leading to the determination of the overall risk level associated with the system.
• Risk Mitigation Strategies: Recommendations for mitigating identified risks, including the implementation of security controls, remediation of vulnerabilities, and contingency planning to minimize the impact of security incidents.

Implementation Status
The implementation status section of the authorization package provides an overview of the current state of security controls and measures within the system. It includes:
• Status of Security Controls: Assessment of the implementation status of security controls outlined in the security plan, including access control mechanisms, encryption protocols, intrusion detection systems, and monitoring tools.
• Patch Management: Status of software patching and update procedures to address known vulnerabilities promptly.
• Compliance Status: Evaluation of the system's compliance with relevant regulatory requirements, industry standards, and organizational policies governing information security.
• Ongoing Security Activities: Overview of ongoing security activities, such as security assessments, penetration testing, security audits, and security awareness training programs.
8.2 SYSTEM USED

The authorization packages contained detailed information about each system's security posture, controls, risks, and monitoring needs. This provides the authorizing officials with the necessary data to make informed authorization decisions. Having separate authorization packages for each of the 18 systems allows for tailored assessments of the risks and controls specific to each system, rather than a one-size-fits-all approach. The inclusion of items like the system security plan, privacy plan, control inventory, risk assessment results, and continuous monitoring strategy in the packages provides comprehensive evidence for authorization decisions as per NIST guidelines.

The packages are submitted to the designated Red30 Tech AEC senior leadership team serving as the authorizing officials for their review and decision-making. The senior leadership team serving as authorizing officials indicates executive ownership and accountability in the authorization process. Having authorizing officials scrutinize and authorize each system enforces security discipline across the organization's IT portfolio. Their evaluation of the authorization packages, especially the risk assessments and control statuses, enables risk-based decisions on system authorizations.

Of the 18 systems, 15 are granted an Authority to Operate (ATO) approval by the authorizing officials. These systems are determined to have adequate security controls in place and an acceptable risk posture. For 2 systems, an Interim Authorization to Operate is issued due to pending enhancements that require additional time for implementation. Compensating controls are established to temporarily mitigate any residual risks. One system is denied an ATO due to significant deficiencies identified in its security controls and an extremely high-risk posture. Operation of this system is halted until the necessary controls can be implemented to reduce risks to an acceptable level.
This breakdown demonstrates that authorization decisions aligned closely with the initial system categorization and risk ratings. Critical high-impact systems are validated as having appropriate controls and acceptable risks. Standard moderate systems are also approved. Only the most high-risk system is denied authorization, enforcing security standards.

Systems Receiving ATO
• Active Directory Server
• Engineering Design Server
• Project Management Server
• Database Server
• Cloud File Sharing
• Email Server
• Web Server
• VPN Server
• 6 Employee Workstations
• Network Devices

Systems Receiving Interim ATO
• 2 Employee Workstations with pending control enhancements

Systems Denied ATO
• 1 High-Risk Employee Workstation with significant security deficiencies

8.3 DEVELOPMENT OF POAMs

A Plan of Action and Milestones (POAM) is a structured document that outlines specific actions, milestones, and timelines for addressing identified deficiencies, vulnerabilities, and risks within a system. POAMs are instrumental in tracking remediation progress and ensuring timely implementation of risk mitigation measures. How are POAMs developed and utilised?

Deficiency Identification
POAMs begin with a thorough assessment of deficiencies, vulnerabilities, and weaknesses identified during risk assessments, security audits, or compliance evaluations. Deficiencies may include:
• Unpatched Software: Identification of software vulnerabilities for which patches or updates have not yet been applied.
• Configuration Weaknesses: Discovery of misconfigured system settings, default passwords, open ports, or unnecessary services that pose security risks.
• Access Control Issues: Identification of unauthorized access privileges, inadequate authentication mechanisms, or excessive user permissions that could lead to unauthorized access to sensitive data.
• Lack of Security Controls: Identification of missing or ineffective security controls, such as firewalls, intrusion detection systems, encryption protocols, or antivirus software.

Remediation Steps
Once deficiencies are identified, POAMs delineate specific remediation steps and corrective actions required to mitigate risks and strengthen the security posture of the system. Remediation steps may include:
• Patch Deployment: Scheduled deployment of security patches and updates to address known vulnerabilities and software flaws.
• Configuration Changes: Implementation of recommended configuration changes or security enhancements to eliminate identified weaknesses and harden the system against potential attacks.
• Access Control Review: Review and adjustment of user access privileges, roles, and permissions to ensure the principle of least privilege is enforced and unauthorized access is mitigated.
• Security Control Implementation: Deployment of additional security controls, such as intrusion detection systems, data encryption, multi-factor authentication, or security monitoring solutions, to bolster the system's defenses against cyber threats.
• Employee Training: Provision of security awareness training and education programs to enhance employees' understanding of security risks, best practices, and their roles in safeguarding sensitive information.

Milestones
POAMs establish clear milestones and timelines for implementing remediation activities, monitoring progress, and tracking completion. Milestones provide a roadmap for stakeholders to gauge the effectiveness of remediation efforts and ensure accountability. Milestones may include:
• Patch Deployment Deadlines: Specific dates by which security patches and updates must be deployed to address critical vulnerabilities and mitigate associated risks.
• Configuration Change Implementation Dates: Scheduled timelines for implementing recommended configuration changes or security enhancements to address identified weaknesses.
• Training Session Schedules: Timetables for conducting security awareness training sessions and educational workshops to educate employees about security risks and best practices.
• Compliance Deadlines: Target dates for achieving compliance with relevant regulatory requirements, industry standards, and organizational policies governing information security.

8.4 MAKING AUTHORIZATION RECOMMENDATIONS

Authorization recommendations are informed decisions based on the evaluation of security plans, risk assessment results, implementation status, and POAMs. These recommendations are aimed at ensuring that the residual risk associated with the system remains acceptable and aligns with organizational risk tolerance thresholds. How are authorization recommendations made?

Acceptable Residual Risk
Authorization recommendations take into account the acceptable residual risk level determined by the organization's risk management framework, policies, and risk appetite. Residual risk refers to the level of risk that remains after implementing security controls and mitigation measures. Authorization decisions are based on whether the residual risk falls within acceptable parameters and is consistent with organizational objectives.

Compliance Considerations
Authorization recommendations also consider the system's compliance with relevant regulatory requirements, industry standards, and organizational policies governing information security. Compliance assessments ensure that the system adheres to legal and regulatory mandates, such as GDPR, HIPAA, PCI DSS, or NIST guidelines, to protect sensitive data and mitigate legal and financial risks.

Security Posture Evaluation
Authorization recommendations involve a holistic evaluation of the system's security posture, including the effectiveness of implemented security controls, the progress of remediation efforts outlined in POAMs, and the overall readiness to withstand cyber threats and security incidents. Security posture assessments provide insights into the system's resilience, vulnerabilities, and areas for improvement.
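The following is an added illustration, not part of the Red30 Tech AEC report or its authorization packages: a small Python POAM tracker covering the 8.3 process (deficiency identification, remediation steps, milestones). Each item records a deficiency category, the corrective action, and dated milestones; the tracker then reports which items are open, overdue or complete as of a given date, which is the status an authorizing official would want before an interim authorization lapses. The workstation names, weaknesses and dates are constructed samples.

```python
"""POAM tracker for deficiencies, remediation steps and milestone deadlines.

Added illustration; not part of the Red30 Tech AEC report. All system names,
weaknesses and dates are constructed samples.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Deficiency categories listed in section 8.3 (Deficiency Identification)
CATEGORIES = {"unpatched_software", "configuration_weakness",
              "access_control_issue", "missing_security_control"}


@dataclass
class Milestone:
    description: str
    due: date                              # deadline committed in the POAM
    completed_on: Optional[date] = None    # None while still outstanding

    def status(self, as_of: date) -> str:
        """Return 'complete', 'overdue' or 'open' as seen on the given date."""
        if self.completed_on is not None and self.completed_on <= as_of:
            return "complete"
        return "overdue" if as_of > self.due else "open"


@dataclass
class PoamItem:
    poam_id: str
    system: str
    category: str
    weakness: str
    remediation: str                       # corrective action (8.3 Remediation Steps)
    milestones: List[Milestone] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown deficiency category: {self.category}")

    def status(self, as_of: date) -> str:
        """Overdue if any milestone slipped; complete only when every milestone is done."""
        states = [m.status(as_of) for m in self.milestones]
        if any(s == "overdue" for s in states):
            return "overdue"
        if states and all(s == "complete" for s in states):
            return "complete"
        return "open"


def summarize(items: List[PoamItem], as_of: str) -> Dict[str, int]:
    """Count items by status; as_of is an ISO date string such as '2024-02-20'."""
    day = date.fromisoformat(as_of)
    counts = {"open": 0, "overdue": 0, "complete": 0}
    for item in items:
        counts[item.status(day)] += 1
    return counts


def overdue_items(items: List[PoamItem], as_of: str) -> List[str]:
    """IDs of items with a slipped milestone, for escalation to the authorizing official."""
    day = date.fromisoformat(as_of)
    return sorted(item.poam_id for item in items if item.status(day) == "overdue")


def build_sample_poam() -> List[PoamItem]:
    """Constructed sample POAM covering the four deficiency categories in 8.3."""
    return [
        PoamItem("POAM-001", "Employee Workstation 07 (sample)", "unpatched_software",
                 "Missing OS security updates",
                 "Deploy pending patches through the patch management process",
                 [Milestone("Apply critical patches", date(2024, 1, 31), date(2024, 1, 20)),
                  Milestone("Verify with vulnerability rescan", date(2024, 2, 15), date(2024, 2, 10))]),
        PoamItem("POAM-002", "Employee Workstation 08 (sample)", "configuration_weakness",
                 "Default passwords and unnecessary services enabled",
                 "Apply hardened baseline configuration",
                 [Milestone("Change default passwords", date(2024, 1, 15), date(2024, 1, 12)),
                  Milestone("Disable unnecessary services", date(2024, 2, 28))]),
        PoamItem("POAM-003", "Employee Workstation 09 (sample)", "access_control_issue",
                 "Users hold local administrator rights",
                 "Revoke excess privileges and enforce least privilege",
                 [Milestone("Review and revoke admin rights", date(2024, 1, 31))]),
        PoamItem("POAM-004", "Employee Workstation 09 (sample)", "missing_security_control",
                 "No endpoint protection installed",
                 "Deploy antivirus/EDR agent",
                 [Milestone("Install and enrol endpoint agent", date(2024, 3, 31))]),
    ]


if __name__ == "__main__":
    poam = build_sample_poam()
    print(summarize(poam, "2024-02-20"))      # {'open': 2, 'overdue': 1, 'complete': 1}
    print(overdue_items(poam, "2024-02-20"))  # ['POAM-003']
```

The status rules are deliberately strict: one slipped milestone marks the whole item overdue, and an item is complete only when every milestone has a completion date, so partially finished remediation never disappears from the report.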
Risk Treatment Options
Authorization recommendations may include risk treatment options to address identified risks and vulnerabilities effectively. Risk treatment options may include:
• Risk Mitigation: Implementation of security controls, safeguards, and countermeasures to reduce the likelihood and impact of identified risks to an acceptable level.
• Risk Avoidance: Elimination or avoidance of high-risk activities, systems, or processes that pose significant security threats and cannot be adequately mitigated.
• Risk Transfer: Transfer of residual risks to third-party service providers, insurers, or contractual partners through risk-sharing agreements, insurance policies, or outsourcing arrangements.
• Risk Acceptance: Acceptance of residual risks when the cost of mitigation outweighs the potential impact or when residual risks fall within acceptable risk tolerance thresholds established by the organization.

8.5 PROCESS FOR PERIODIC RE-ASSESSMENT

Periodic reassessment is essential to ensure that authorization decisions remain relevant, effective, and aligned with evolving threats, vulnerabilities, and organizational requirements. The process for periodic re-assessment involves:

Review of Authorization Decisions
Periodic reviews are conducted to evaluate the effectiveness and appropriateness of existing authorization decisions in light of changes in the threat landscape, technology environment, or organizational priorities. Reviews may include:
• Evaluation of Security Controls: Assessment of the effectiveness of implemented security controls, monitoring mechanisms, and incident response procedures to determine their ability to mitigate emerging threats and vulnerabilities.
• Incident Analysis: Analysis of security incidents, breaches, and near-misses to identify patterns, trends, and systemic weaknesses that may necessitate changes to authorization decisions or risk treatment strategies.
• Compliance Audits: Conducting periodic compliance audits and assessments to verify adherence to regulatory requirements, industry standards, and organizational policies governing information security.
Identification of New Risks
Periodic reassessment involves identifying and analyzing new risks, threats, and vulnerabilities that may have emerged since the last authorization decision was made. New risks may arise due to changes in technology, business processes, regulatory requirements, or threat actor tactics. Identification of new risks requires:
• Threat Intelligence Analysis: Monitoring and analysis of threat intelligence feeds, security advisories, vulnerability disclosures, and cyber-attack reports to stay abreast of emerging threats and trends.
• Risk Assessment Updates: Updating risk assessments to incorporate newly identified risks, assess their potential impact, and prioritize mitigation efforts based on their severity and likelihood of exploitation.
• Gap Analysis: Conducting gap analysis to identify deficiencies or weaknesses in existing security controls, processes, or procedures that may expose the organization to new risks or vulnerabilities.

Updating Authorization Decisions
Based on the results of the periodic reassessment process, authorization decisions may be updated, modified, or revoked to reflect changes in the threat landscape, risk profile, or organizational priorities. Updating authorization decisions involves:
• Re-evaluation of Residual Risk: Re-assessing the residual risk associated with the system in light of newly identified risks, vulnerabilities, or changes in risk tolerance thresholds.
• Adjustment of Risk Treatment Strategies: Modifying risk treatment strategies, controls, or safeguards to address newly identified risks or vulnerabilities effectively.
• Revision of POAMs: Updating POAMs to incorporate new remediation activities, milestones, and timelines based on the latest risk assessment findings and security requirements.
• Documentation Updates: Updating authorization packages, security plans, and compliance documentation to reflect changes in authorization decisions, risk treatment strategies, and security posture.
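As an added illustration of the decision logic in 8.2 (ATO, Interim ATO, denial), 8.4 (acceptable residual risk) and 8.5 (re-evaluation of residual risk), the Python below scores each open finding as likelihood × impact scaled by how much of it the control mitigates, takes the worst finding as the system's residual risk, and compares it against a tolerance set by the system's impact level. A system above tolerance earns an Interim ATO only when every excess finding has a compensating control and a remediation milestone; otherwise it is denied. This is not the report's method or a NIST-prescribed formula: the 1-25 scale, the tolerance thresholds and the sample systems are constructed assumptions.

```python
"""Residual-risk based authorization recommendation (ATO / Interim ATO / Deny).

Added illustration; not part of the Red30 Tech AEC report. The scoring scale,
tolerance thresholds and sample systems are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Residual risk an authorizing official is assumed to tolerate, by impact level
# (1-25 scale: likelihood 1-5 x impact 1-5). Constructed, not from the report.
RISK_TOLERANCE = {"low": 12.0, "moderate": 8.0, "high": 4.0}


@dataclass
class Finding:
    finding_id: str
    likelihood: int                  # 1 (rare) .. 5 (almost certain)
    impact: int                      # 1 (negligible) .. 5 (severe)
    control_effectiveness: float     # 0.0 (no control) .. 1.0 (fully mitigates)
    compensating_control: bool = False          # temporary mitigation in place
    remediation_deadline: Optional[str] = None  # POAM milestone date, if planned

    def residual(self) -> float:
        """Risk left after the control: inherent risk scaled by the uncovered share."""
        return self.likelihood * self.impact * (1.0 - self.control_effectiveness)


@dataclass
class SystemRecord:
    name: str
    impact_level: str                # low / moderate / high (from categorization)
    findings: List[Finding] = field(default_factory=list)


@dataclass
class Recommendation:
    system: str
    decision: str                    # "ATO", "Interim ATO" or "Deny"
    residual_risk: float
    conditions: List[str] = field(default_factory=list)


def residual_risk(system: SystemRecord) -> float:
    """A system's residual risk is driven by its worst open finding."""
    return max((f.residual() for f in system.findings), default=0.0)


def recommend(system: SystemRecord) -> Recommendation:
    tolerance = RISK_TOLERANCE[system.impact_level]
    risk = residual_risk(system)
    if risk <= tolerance:
        return Recommendation(system.name, "ATO", risk)
    # Findings above tolerance qualify for interim authorization only when a
    # compensating control is in place and a remediation milestone exists.
    excess = [f for f in system.findings if f.residual() > tolerance]
    if all(f.compensating_control and f.remediation_deadline for f in excess):
        conditions = [f"remediate {f.finding_id} by {f.remediation_deadline}" for f in excess]
        return Recommendation(system.name, "Interim ATO", risk, conditions)
    return Recommendation(system.name, "Deny", risk,
                          [f"halt operation until {f.finding_id} is remediated" for f in excess])


def decision_summary(systems: List[SystemRecord]) -> Dict[str, int]:
    counts = {"ATO": 0, "Interim ATO": 0, "Deny": 0}
    for s in systems:
        counts[recommend(s).decision] += 1
    return counts


def reassess(system: SystemRecord, finding_id: str, new_effectiveness: float) -> Recommendation:
    """Periodic re-assessment (8.5): record a control's measured effectiveness and re-decide."""
    for f in system.findings:
        if f.finding_id == finding_id:
            f.control_effectiveness = new_effectiveness
    return recommend(system)


def build_sample_systems() -> List[SystemRecord]:
    """Constructed sample mirroring the outcome categories in 8.2."""
    return [
        SystemRecord("Active Directory Server (sample)", "high",
                     [Finding("F-01", 2, 5, 0.8)]),                        # residual 2.0
        SystemRecord("Web Server (sample)", "moderate",
                     [Finding("F-02", 3, 3, 0.5)]),                        # residual 4.5
        SystemRecord("Employee Workstation 07 (sample)", "moderate",
                     [Finding("F-03", 4, 3, 0.2, compensating_control=True,
                              remediation_deadline="2024-03-31")]),        # residual 9.6
        SystemRecord("Employee Workstation 09 (sample)", "moderate",
                     [Finding("F-04", 5, 4, 0.0, remediation_deadline="2024-03-31")]),  # 20.0
    ]


if __name__ == "__main__":
    systems = build_sample_systems()
    for s in systems:
        print(recommend(s))
    print(decision_summary(systems))   # {'ATO': 2, 'Interim ATO': 1, 'Deny': 1}
```

Using the worst finding rather than an average keeps one critical weakness from being hidden by many well-controlled ones, which is what an authorizing official looks for when a single high-risk workstation is denied while the rest of the portfolio passes.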
8.6 ACCESS CONTROL

Access control refers to the selective restriction of access to a place or other resource. It regulates who is allowed to access something, what they are allowed to do, and when they are allowed to do it. It grants access through identification, authentication, authorization, and accountability mechanisms. It is a fundamental security technique for protecting physical and digital assets from unauthorized access while enabling access for legitimate users. The proper implementation of access control mitigates security risks and enables governance. Some key types and examples of access control include:

Physical Access Control
Controlling physical access to buildings, rooms, facilities etc. Examples include locks, security guards, badges, biometric scans.

Logical Access Control
Controlling access to digital systems, resources and information. Examples include usernames, passwords, multi-factor authentication, access control lists.

Administrative Access Control
Controlling access to features, functions and settings of systems and devices. Examples include user privileges, file permissions, root/admin rights.

Network Access Control
Controlling access to networks and network resources. Examples include firewall rules, VPNs, network segmentation.

Operating System Access Control
Controlling access to OS resources like files/folders. Examples include permissions, encryption, group policies.

Application Access Control
Controlling access to application features and data. Examples include role-based access control, function-level access control.

Content Access Control
Controlling access to and use of copyrighted or sensitive content. Examples include DRM, watermarking, digital certificates.

Time-Based Access Control
Controlling access based on time schedules or validity periods. Examples include time-bound tokens, availability windows.

Access controls can help mitigate several of the key risks faced by Red30 Tech AEC's systems and data:
• Unauthorized access to confidential data: Strong access controls like role-based access, multi-factor authentication, and privileged access management would limit access to only authorized personnel.
• Malware infections: Restricting workstations from installing unauthorized software using application whitelisting policies helps prevent malware.
• Insider theft: Separation of duties, least privilege access, and monitoring of user activities enable early detection of unauthorized actions.
• Phishing credential compromise: Requiring additional identity verification like MFA for external logins protects against phishing.
• Unpatched vulnerabilities: Access controls preventing regular users from installing updates enforce change management processes.
• DNS poisoning: Restricting DNS server and firewall access prevents unauthorized changes to DNS records.
• DoS disruptions: Limiting external traffic to only designated IP ranges before it reaches internal servers helps filter volume-based DoS attacks.

Specific access control techniques that could be used to mitigate these key risks include:
• Implement role-based access control (RBAC) or attribute-based access control (ABAC) to restrict access to only required data/systems.
• Deploy multi-factor authentication (MFA) for VPN, email, workstations, and admin logins to raise identity assurance.
• Configure firewalls and security groups to allow traffic only from designated IP ranges, ports, or protocols.
• Implement database access controls and encryption to limit and protect sensitive data.
• Utilize application whitelisting and software restriction policies on workstations.
• Monitor user activities for unauthorized access attempts and policy violations.
• Follow least privilege and separation of duties principles to limit unilateral control.

Overall, advanced access controls tuned to Red30 Tech AEC's risks would significantly improve the organization's security posture across multiple threat vectors.
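The following is an added illustration, not code from the Red30 Tech AEC report: a Python policy decision point that combines several of the techniques listed above in one `authorize` function. It enforces RBAC permissions, a separation-of-duties rule, MFA for external or administrative access, and a time-based change window for admin actions, and records every denial so that repeated denials per user can feed the monitoring described in section 9. The roles, resources, change-window hours and users are constructed assumptions.

```python
"""Access control decision point: RBAC, separation of duties, MFA and time windows.

Added illustration; not part of the Red30 Tech AEC report. Roles, resources,
users and policy values below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Role -> set of (resource, action) permissions (RBAC with least privilege)
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "engineer":        {("engineering_design", "read"), ("engineering_design", "write"),
                        ("project_mgmt", "read")},
    "project_manager": {("project_mgmt", "read"), ("project_mgmt", "write")},
    "dba":             {("database", "admin"), ("database", "read")},
    "dns_admin":       {("dns", "admin")},
}
# Role pairs no single user may hold together (separation of duties), constructed
SEPARATION_OF_DUTIES: List[Set[str]] = [{"dba", "dns_admin"}]
# Administrative changes allowed only inside a change window (time-based control)
ADMIN_HOURS = range(7, 19)


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset           # roles assigned to the user
    resource: str
    action: str                # read / write / admin
    mfa_verified: bool         # second factor completed for this session
    external: bool             # request arrives from outside the network (VPN, webmail)
    hour: int                  # local hour of the request, 0-23


DENIED_EVENTS: List[Tuple[str, str]] = []   # (user, reason), fed to monitoring


def violates_sod(roles: Set[str]) -> bool:
    """True if the user holds a forbidden role combination."""
    return any(pair <= roles for pair in SEPARATION_OF_DUTIES)


def authorize(req: AccessRequest) -> Tuple[bool, str]:
    """Return (allowed, reason). Every deny path is recorded for monitoring."""
    def deny(reason: str) -> Tuple[bool, str]:
        DENIED_EVENTS.append((req.user, reason))
        return False, reason

    if violates_sod(set(req.roles)):
        return deny("separation of duties violation")
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in req.roles))
    if (req.resource, req.action) not in granted:
        return deny(f"no role grants {req.action} on {req.resource}")
    if (req.external or req.action == "admin") and not req.mfa_verified:
        return deny("MFA required for external or administrative access")
    if req.action == "admin" and req.hour not in ADMIN_HOURS:
        return deny("administrative actions restricted to the change window")
    return True, "granted"


def denied_count_for(user: str) -> int:
    """Repeated denials per user are an unauthorized-access / insider-threat indicator."""
    return sum(1 for u, _ in DENIED_EVENTS if u == user)


if __name__ == "__main__":
    print(authorize(AccessRequest("alice", frozenset({"engineer"}),
                                  "engineering_design", "write", False, False, 10)))
    print(authorize(AccessRequest("alice", frozenset({"engineer"}),
                                  "engineering_design", "read", False, True, 10)))
    print(denied_count_for("alice"))
```

The checks run in the order a reviewer would want them audited: a structural policy violation (separation of duties) is rejected before any permission is even consulted, and identity assurance (MFA) and timing are applied only to requests that a role actually permits, so the denial reason tells the monitoring team which control fired.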
8.7 IMPROVEMENTS OF THE AUTHORIZATION PROCESS

Some ways in which the authorization process could be improved for Red30 Tech AEC:
• Implement continuous monitoring of security controls after authorization to maintain an updated understanding of risks.
• Utilize automation to streamline compiling authorization packages from various sources like vulnerability scans, risk registers, control dashboards etc.
• Establish formal criteria for evaluating risks and control gaps during authorization decisions to reduce subjectivity.
• Implement formal processes for issuing interim authorizations and denials, including compulsory compensating controls and remediation timelines.
• Require periodic reauthorization of systems, not just annual reviews, to validate controls and risks.
• Maintain a knowledge base of previous authorization packages, decisions, and supporting data as reference material.
• Allow authorizing officials to specify expiration periods for ATOs to prompt re-evaluation after set periods rather than leaving them open-ended.
• Maintain authorization documents in a centralized repository for easy access by stakeholders rather than maintaining separate packages.
• Provide training and guidance to authorizing officials on making data-driven authorization decisions based on the provided evidence.
• Involve legal/compliance teams in the authorization process to ensure regulatory requirements are consistently evaluated.
• Conduct post-assessment workshops to identify process improvement opportunities in developing authorization packages.
• Implement formal change management procedures for systems after authorization to ensure controls remain effective when changes are implemented.

Therefore, enhancing automation, centralization, formality, and continuous monitoring of the authorization process will help improve oversight, efficiency, consistency and the overall maturity of the program at Red30 Tech AEC.

Moving forward, the authorizations are subject to continuous monitoring to validate that security controls remain effective and risks are adequately managed. Annual security reviews and ongoing assessments should be conducted to support this continued authorization process. Authorization documentation should be updated accordingly.
9. CONTINUOUS MONITORING

Continuous monitoring at Red30 Tech AEC will provide ongoing assurance that security controls remain effective and risks are adequately managed after systems are authorized. It will help identify changes to systems, environments, threats, and regulatory mandates necessitating updates to security controls, risk assessments, and ultimately authorization decisions. This enables Red30 Tech AEC to maintain clear visibility into information risks on a continuous basis.

A comprehensive continuous monitoring strategy is developed for Red30 Tech AEC based on guidelines in NIST SP 800-137. It consists of the following components:

Configuration management and control
Regularly inventory and track changes to hardware and software assets and configurations. Identify unauthorized changes.

Vulnerability management
Schedule network, system, application, and database vulnerability scans. Prioritize and track remediation of identified vulnerabilities based on severity.

Security control assessments
Annually assess security controls for each system using standards like NIST SP 800-53A to validate control effectiveness.

Security impact analysis
Analyze the security impact of proposed changes like new systems, upgrades, workflows.

Log analysis and correlation
Centralize logging from multiple sources. Establish log retention policies. Perform log analysis to identify anomalies.

Compliance management
Validate adherence to security policies and procedures. Perform gap analyses.

Security reporting
Develop key metrics tied to security controls like patch percentages, vulnerability trends, intrusion detection events etc. Report to key stakeholders.

Both automated and manual processes have been defined to execute monitoring activities at the appropriate frequencies for each system based on impact levels.
9.1 OBJECTIVES
• Maintain an up-to-date understanding of security control effectiveness and risk posture.
• Identify control failures, incidents, and vulnerabilities needing mitigation.
• Verify compliance with policies, standards, and regulations.
• Inform ongoing authorization decisions and system updates.
• Promote near real-time risk management rather than periodic assessments.

9.2 MONITORING STRATEGY
• Leverage automated tools for centralized data collection, analysis and reporting.
• Align monitoring frequencies to system criticality and risks.
• Monitor high-value systems more frequently than low-impact ones.
• Focus on significant control failures warranting priority mitigation.

9.3 KEY METRICS AND REPORTING
• Vulnerability scan results showing severity levels and compliance gaps.
• Patch installation status across hosts to track outdated software.
• Antivirus and malware detection events signalling endpoints at risk.
• Unauthorized access attempts and insider threat indicators.
• Performance and availability metrics for critical systems and services.
• Audit log analysis results revealing suspicious activities or access anomalies.

Automated dashboards should provide visibility into key metrics for different audiences: system owners, security teams, and leadership. Email/SMS alerts will notify on significant events or threshold breaches.

9.4 ASSESSMENTS
• Monthly vulnerability scanning across servers, workstations, networks.
• Annual penetration testing to validate exploitability of findings.
• Quarterly compliance audits verifying adherence to policies and regulations.
• Post-incident assessments following major breaches or outages.

9.5 DOCUMENTATION
• Maintain a centralized repository of monitoring results and assessments.
• Update authorization packages and security plans periodically.
• Track changes to environments, controls, and risks to support reauthorization.

Implementing robust continuous monitoring improves visibility into threats and vulnerabilities, verifies security control effectiveness, and facilitates ongoing authorization. This proactive approach is essential for Red30 Tech AEC to remain secure and resilient against evolving cyber risks.
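The following is an added illustration, not part of the Red30 Tech AEC monitoring strategy: Python that computes three of the 9.3 metrics from constructed inputs. It counts vulnerability findings by severity, computes per-host patch compliance and flags hosts below an alert threshold, and scans an authentication log for bursts of failed logins from one user and source inside a sliding time window, the kind of unauthorized-access indicator the email/SMS alert channel would carry. The scan results, patch figures, log lines, hostnames and thresholds are all constructed samples.

```python
"""Continuous monitoring metrics: severity counts, patch compliance, failed-login bursts.

Added illustration; not part of the Red30 Tech AEC report. The scan results,
patch status and authentication log below are constructed samples.
"""
import csv
import io
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

SCAN_RESULTS = """host,finding,severity
ad-server,outdated TLS configuration,medium
ws07,missing OS security update,high
ws07,users hold local admin rights,medium
ws09,no endpoint protection,critical
ws09,missing OS security update,high
web-server,verbose error pages,low
"""

PATCH_STATUS = """host,installed,required
ad-server,48,48
ws07,40,46
ws09,31,46
web-server,50,51
"""

AUTH_LOG = """2024-03-01T09:12:03 host=vpn user=alice result=FAIL src=203.0.113.5
2024-03-01T09:12:41 host=vpn user=alice result=FAIL src=203.0.113.5
2024-03-01T09:13:10 host=vpn user=alice result=FAIL src=203.0.113.5
2024-03-01T09:13:55 host=vpn user=alice result=FAIL src=203.0.113.5
2024-03-01T09:14:22 host=vpn user=alice result=FAIL src=203.0.113.5
2024-03-01T09:15:07 host=vpn user=alice result=SUCCESS src=203.0.113.5
2024-03-01T10:02:15 host=email user=bob result=FAIL src=10.0.5.23
2024-03-01T10:40:09 host=email user=bob result=SUCCESS src=10.0.5.23
"""

LOG_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) result=(\S+) src=(\S+)$")


def severity_counts(scan_csv: str) -> Dict[str, int]:
    """Vulnerability findings by severity (scan results showing severity levels)."""
    rows = csv.DictReader(io.StringIO(scan_csv))
    return dict(Counter(row["severity"] for row in rows))


def patch_compliance(patch_csv: str) -> Dict[str, float]:
    """Percentage of required patches installed per host, rounded to one decimal."""
    rows = csv.DictReader(io.StringIO(patch_csv))
    return {row["host"]: round(100.0 * int(row["installed"]) / int(row["required"]), 1)
            for row in rows}


def patch_alerts(patch_csv: str, threshold: float = 90.0) -> List[str]:
    """Hosts below the patch compliance threshold, for the email/SMS alert channel."""
    return sorted(h for h, pct in patch_compliance(patch_csv).items() if pct < threshold)


def failed_login_bursts(log_text: str, threshold: int = 5,
                        window_minutes: int = 10) -> List[Tuple[str, str, int]]:
    """(user, src, count) for each user/source with >= threshold failures inside the window."""
    fails = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue          # skip lines that do not fit the expected format
        ts, _host, user, result, src = m.groups()
        if result == "FAIL":
            fails[(user, src)].append(datetime.fromisoformat(ts))
    window = timedelta(minutes=window_minutes)
    bursts = []
    for (user, src), times in fails.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):      # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts.append((user, src, peak))
    return sorted(bursts)


def build_report() -> Dict[str, object]:
    """Dashboard snapshot combining the three metrics for the 9.3 reporting audiences."""
    return {
        "severity": severity_counts(SCAN_RESULTS),
        "patch_compliance": patch_compliance(PATCH_STATUS),
        "patch_alerts": patch_alerts(PATCH_STATUS),
        "login_bursts": failed_login_bursts(AUTH_LOG),
    }


if __name__ == "__main__":
    for key, value in build_report().items():
        print(f"{key}: {value}")
```

The burst detector keys on user and source together and uses a sliding window rather than a fixed per-hour bucket, so a run of failures that straddles a clock boundary is still counted as one burst; a success immediately after such a burst is worth a manual review even though this snippet does not flag it.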
10. CONCLUSION

The implementation of NIST's Risk Management Framework enabled Red30 Tech AEC to establish a robust cybersecurity program aligned with industry best practices. The categorization of 18 critical information systems provides the foundation for tailored security control selection from the NIST 800-53 catalogues. Controls are chosen based on impact levels and supplemented by additional enhancements to address known risks.

The comprehensive risk assessment illuminates high-priority vulnerabilities like insufficient access control, unpatched software, and inadequate data protection. This drove the prioritization of control implementations to mitigate the most severe risks first. Working through the formal authorization process enforced accountability, with 15 systems granted ATOs after review of security plans and risk evaluations by senior leadership. Two systems receive interim authorizations pending control upgrades, while one high-risk system is denied an ATO until deficiencies are remediated.

Continuous monitoring through automated tools should provide ongoing assurance that risks remain at acceptable levels after authorization. Any control degradation or new vulnerability identified during assessments should inform updates to security plans and authorization decisions.

Overall, the project has significantly strengthened Red30 Tech AEC's risk management capabilities, security posture, and resilience against threats. Applying the NIST RMF methodology instituted a model for managing information risks based on impact, assessments, protections, and ongoing monitoring. The program provides the foundation for Red30 Tech AEC to maintain strong security hygiene, make risk-based decisions, adapt to new threats, and uphold its reputation as a trusted provider of technology solutions to clients across sectors. This assessment and planning engagement established a foundation to evolve the security program in alignment with leading practices.

Several crucial next steps for Red30 Tech AEC are identified through the RMF process, including:
• Finalizing implementation of priority security controls, especially for high-risk systems. Ensuring all systems have adequate protections will reduce the likelihood of successful attacks.
• Remediating vulnerabilities and risks highlighted in the assessments. Proactively mitigating or safeguarding against known weaknesses is essential.
• Strengthening policies and training around data protection and access controls. Many issues stem from human errors and lack of security awareness.
• Enhancing monitoring and response capabilities. Quickly detecting and responding to incidents can limit damages.
• Maintaining and refreshing system authorizations annually. This sustains visibility into changes that may alter risk profiles.
• Continuing periodic risk assessments. New threats and vulnerabilities arise and should be evaluated.

Adopting the RMF promotes a more proactive stance to security by requiring constant assessment and authorization of systems based on the effectiveness of controls. Sustaining focus on the core tenets of identifying assets, selecting controls, assessing risk, and monitoring effectiveness will lead to continual security maturation. While meeting compliance demands is a key driver, the ultimate benefits are reducing business disruption, safeguarding Red30 Tech AEC's reputation, and protecting sensitive client data. With executive buy-in, adequate resourcing, and ongoing commitment, the RMF implementation will position Red30 Tech AEC as an industry leader in cyber risk management. This project established a foundation, but information security must remain a priority integral to daily operations.
11. REFERENCES

Joint Task Force (2018). Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (NIST SP 800-37 Rev. 2). [online] csrc.nist.gov. Available at: https://csrc.nist.gov/pubs/sp/800/37/r2/final.
Joint Task Force Transformation Initiative (2012). Guide for Conducting Risk Assessments (NIST SP 800-30 Rev. 1). [online] csrc.nist.gov. Available at: https://csrc.nist.gov/pubs/sp/800/30/r1/final.
NIST (2020). Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53 Rev. 5). [online] csrc.nist.gov. Available at: https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final.
Joint Task Force Transformation Initiative (2014). Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans (NIST SP 800-53A Rev. 4). [online] csrc.nist.gov. Available at: https://csrc.nist.gov/pubs/sp/800/53/a/r4/upd1/final.
Stine, K., Kissel, R., Barker, W., Fahlsing, J. and Gulick, J. (2008). Guide for Mapping Types of Information and Information Systems to Security Categories (NIST SP 800-60 Vol. 1 Rev. 1). [online] csrc.nist.gov. Available at: https://csrc.nist.gov/pubs/sp/800/60/v1/r1/final.
Dempsey, K., Chawla, N., Johnson, L., Johnston, R., Jones, A., Orebaugh, A., Scholl, M. and Stine, K. (2011). Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations (NIST SP 800-137). [online] csrc.nist.gov. Available at: https://csrc.nist.gov/pubs/sp/800/137/final.
International Organization for Standardization (2019). ISO/IEC 27000:2018. [online] ISO. Available at: https://www.iso.org/standard/73906.html.
Center for Internet Security (2023). CIS Critical Security Controls. [online] CIS. Available at: https://www.cisecurity.org/controls.
ISACA (2019). COBIT: Control Objectives for Information Technologies. [online] isaca.org. Available at: https://www.isaca.org/resources/cobit.
Office for Civil Rights (OCR) (2022). The Security Rule. [online] HHS.gov. Available at: https://www.hhs.gov/hipaa/for-professionals/security/index.html.
Wilson, M. and Hash, J. (2003). Building an Information Technology Security Awareness and Training Program (NIST SP 800-50). [online] csrc.nist.gov. Available at: https://csrc.nist.gov/pubs/sp/800/50/final.
