Csol 530 Biohuman-All Aspects of Risk Management Framework-Aris Nicholas-8-15-2022
Aris Nicholas
Department of Professional and Continuing Education, University of San Diego
CSOL 530: Cyber Security Risk Management
BioHuman-All Aspects of Risk Management Framework for Payroll Systems
Final Project
Prof. Nikolas Behar
August 15th, 2022
Table of Contents
Introduction
Risk Assessments
Continuous Monitoring
References
Introduction:
As we discussed the various phases of the Risk Management Framework (RMF) referenced
from NIST Special Publication (SP) 800-37, you as the stakeholders should now be aware that to
be effective in avoiding risk you must utilize these phases and implement security controls within
the payroll systems at BioHuman. In addition, the goals and objectives at BioHuman are to ensure
that information systems under BioHuman have the authority to operate securely. The steps in the
information and information systems; control selection, tailoring, and implementation; assessment
of control effectiveness; information system and common control authorization; the continuous
monitoring of controls; and maintaining awareness of the security and privacy posture of
information systems and the organization at BioHuman. The RMF process should help ensure that
As we’ve established the groundwork of the specified phases within the Risk Management
Framework, you as stakeholders in the business should also be aware that BioHuman’s information
and information systems are subject to serious threats that can have adverse impacts on its
organizational operations. With this, we are to discuss how you will utilize the RMF process to
effectively assess the risks in the systems, particularly the payroll systems, and how you will
authorize a system for operation and then continuously monitor the system once it is in full
operational mode. In addition, you will be able to ensure that the systems are effectively secured in
the environment despite changes to personnel, changes to hardware/software and/or changes
Framework (RMF), which is also to include the activities to prepare BioHuman to execute a
framework to manage appropriate risk levels. The RMF will provide you, our senior leaders and
executives, with the necessary information to make efficient, cost-effective risk management
decisions about the systems supporting the missions and business functions, and incorporates
security and privacy into the system development life cycle. The RMF emphasizes risk
systems throughout the systems development life cycle (SDLC) (NIST SP 800-37 Rev. 2, 2018). In
addition, the strategy is that the RMF emphasizes building security into the SDLC and building it
into the system itself. The RMF will be guided by a six-step information system life cycle.
The Risk Management Framework (RMF) provides an implementation guide through this (6) six-
In this RMF phase, the “Prepare” step tasks are to be completed before the Categorize step
and support all subsequent RMF steps and tasks. The intention of the Prepare step is to provide the
information and resources necessary to successfully manage information security and privacy risk
to the organization and its missions from the operation and use of systems. Preparation phase for
monitoring of security controls are vital in an effective RMF. The Prepare step should be
completed before the remaining steps or tasks are undertaken, since its tasks support subsequent
tasks. Organizations such as BioHuman implementing the Risk Management Framework for the
first time typically carry out the steps in sequential order, starting with the Prepare step (NIST SP
800-37 Rev. 2).
Security Categorization: Security Controls
As you recall, security categorization characterizes the system and the information processed, stored, and
transmitted by the system based on an analysis of the impact of loss. Security categorization is
also the “starting point,” the key first step in the Risk Management Framework, because of its
effect on all other steps in the framework, from selection of security controls to level of effort in
assessed potential impact to information confidentiality, integrity, and availability and in turn to
support your mission in a cost-effective manner. With this, an incorrect information system impact
analysis (i.e., incorrect FIPS 199 security categorization) can result in the organization either over-
protecting the information system that you have in place, thus wasting valuable security resources,
or under-protecting the information system and placing important operations and assets at risk
(Stine, Kissel, Barker, Fahlsing, and Gulick, 2008, August; NIST).
In addition, regarding security categorization, we’ve also discussed the importance of the
potential security impact level as listed in Table 1 below. The security impact level for a
system is determined by taking the maximum impact value of the system’s security category, that
is, the highest level (“high watermark”) of the three security objectives for each information type
operations that can occur when changes are made to personnel, changes to
level for each Confidentiality, Integrity, and Availability (CIA Triad) pillar and select that value. For
example, if BioHuman’s payroll system or any other system had been part of a
catastrophic disaster (natural disaster, fire, earthquake) and it was determined that there is no possible
recovery and no backup or business continuity plan in place, this would be a high categorization.
With this, if an information type at BioHuman had a CIA assessment of {Moderate, Moderate,
High}, the security categorization for that data type would be High. Therefore, you as stakeholders
will need to set the categorization and impact levels in the organization to determine which parts of
the information systems are survivable and which will require a recovery redundancy plan.
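The high-watermark rule described above, carried through for a whole system rather than a single information type, as an added example that is not part of the original paper. The payroll information types and their impact levels are constructed for illustration (the first mirrors the paper’s {Moderate, Moderate, High} case); the “Not Applicable” handling and the Low floor for systems follow FIPS 199.

```python
"""FIPS 199 high-water-mark categorization for a set of information types."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ordering used for the "high watermark": a higher index dominates.
LEVELS = ["Low", "Moderate", "High"]
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    name: str
    # None models FIPS 199 "Not Applicable", which is permitted only for the
    # confidentiality of an information type (e.g. information already public).
    confidentiality: Optional[str]
    integrity: str
    availability: str

    def impact(self, objective: str) -> Optional[str]:
        return getattr(self, objective)


def _validate(it: InformationType) -> None:
    for obj in OBJECTIVES:
        value = it.impact(obj)
        if value is None and obj != "confidentiality":
            raise ValueError(f"{it.name}: 'Not Applicable' is only allowed for confidentiality")
        if value is not None and value not in LEVELS:
            raise ValueError(f"{it.name}: unknown impact level {value!r} for {obj}")


def categorize_information_type(it: InformationType) -> str:
    """Impact level of one information type: the highest of its three objectives."""
    _validate(it)
    present = [it.impact(o) for o in OBJECTIVES if it.impact(o) is not None]
    return max(present, key=LEVELS.index)


def categorize_system(types: List[InformationType]) -> Dict[str, str]:
    """System security category: for each objective, the maximum over every
    information type the system processes, stores or transmits. FIPS 199 sets a
    floor of Low for a system, so 'Not Applicable' never reaches system level."""
    if not types:
        raise ValueError("a system must process at least one information type")
    for it in types:
        _validate(it)
    category = {}
    for obj in OBJECTIVES:
        values = [it.impact(obj) for it in types if it.impact(obj) is not None]
        category[obj] = max(values, key=LEVELS.index) if values else "Low"
    return category


def system_impact_level(types: List[InformationType]) -> str:
    """Overall impact level that drives baseline selection: the high watermark
    across the three objectives of the system security category."""
    return max(categorize_system(types).values(), key=LEVELS.index)


# Constructed payroll information types for BioHuman (illustrative values only;
# the first mirrors the paper's {Moderate, Moderate, High} example).
PAYROLL_TYPES = [
    InformationType("Employee PII (SSN, TIN, bank account)", "Moderate", "Moderate", "High"),
    InformationType("Payroll disbursement records", "Moderate", "High", "Moderate"),
    InformationType("Published pay-period calendar", None, "Low", "Low"),
]

if __name__ == "__main__":
    for it in PAYROLL_TYPES:
        print(f"{it.name}: {categorize_information_type(it)}")
    print("System security category:", categorize_system(PAYROLL_TYPES))
    print("Overall impact level:", system_impact_level(PAYROLL_TYPES))
```

Note that a single High on any objective of any one information type pulls the whole system to High, which is exactly why an over-stated provisional impact level wastes resources across every subsequent RMF step.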
risk arising from the use of information and systems in the execution of mission and business
functions, the challenge for organizations such as BioHuman is to determine the appropriate set of
security and privacy controls which, if implemented and determined to be effective, would most
cost-effectively mitigate risk while complying with the security and privacy requirements defined
by applicable federal laws, Executive Orders, directives, policies, standards, and regulations (e.g.,
FISMA, OMB Circular A-130 [OMB A130]). With this, the stakeholders at BioHuman should
also now be aware of the importance of the control selection phase within the RMF:
this phase selects an initial set of controls for the system and tailors the controls as needed to reduce risk
to an acceptable level based on an assessment of risk. As a reminder, security controls are the
protect the confidentiality, integrity, and availability of the system and its information. Privacy
controls are administrative, technical, and physical safeguards employed within an organization to
protect an individual, ensure compliance with applicable privacy requirements, and manage
Also, when choosing security controls, you have also become aware that the factors to
choose will be determined with reference to the confidentiality, integrity, and availability of the
systems in a high-level view and recommendation based on potential real-life scenarios. In this
case, real-life security threats can occur when changes are made within personnel, changes to
then reference Table D2 in Appendix D and RMF Step 2, Select Security Controls, to reference
BioHuman, we are to implement the controls and describe how the controls are employed within
the system and its environment of operation. In addition, having a trustworthy system such as
BioHuman’s payroll systems involves the implementation of security controls which work
together to produce security rather than acting as individual elements. The controls are implemented after
they are selected in the Risk Management Framework “Select” step, which initially occurs
during the development or acquisition phase of the system development life cycle. Some of the
selected controls may already be in place, such as common controls implemented by the
organization. After the controls are selected and tailored (as a product of the Select step of the
Risk Management Framework), the next step is to implement the controls in accordance with the
system security and privacy plans. It is important that the controls are implemented correctly and
operate as expected to protect the system. The Implement step focuses on the implementation of
Also, as we discussed common controls, to implement this RMF you must be aware of the
control structures. Security and privacy controls have a well-defined organization and structure.
In the security and privacy control selection and specification process, controls are organized into 20
As we previously discussed, each family contains controls that are related to the specific
topic of the family. For example, when implementing security in the payroll systems, “Access Control”
is significant, as it is important to “lock up” employee files and payroll records at all times when
they are not in use to prevent unauthorized access. The reason for this is that attackers frequently
discover and exploit legitimate but inactive user accounts to impersonate legitimate users.
● Task 3.1: Implement the security controls specified in the security plan.
● Supporting Roles: Information Owner/Steward; Information System Security Officer; Information System
Security Engineer.
should be initiated. The System Security Plan (SSP) is a foundational document for organizations that
adhere to the Risk Management Framework defined by the National Institute of Standards and Technology
(NIST) and the Cybersecurity Framework (CSF). In addition, we discussed the importance of having
primary roles and responsibilities when creating a security plan; the primary roles should be the Information
System Owner or Common Control Provider, as examples. Additional examples of the supporting
roles will be the Information Owner/Steward, Information System Security Officer, Information
Also, to have an effective security control system plan, BioHuman will have to be aware of the
various controls which are important in the implementation process, especially when referencing
the CIA Triad: confidentiality, integrity, and availability. There are technical controls which use
Duties, where two (or more) people are required to perform critical functions in payroll systems, as
Also, in the system security plan (SSP), after a positive identification of scan findings or approval
POA&M, reported to the security team at BioHuman, and remediated/mitigated within the following
remediation timelines as an example: 1. Mission Critical within 15 days; 2. High within 30 days;
Here are a few security controls to consider implementing, especially when changes to personnel
● Use preventive measures such as redundancy and failover. In addition, ensure systems and
applications are up to date.
● Use network or server monitoring systems.
● Ensure a data recovery and business continuity (BC) plan is in place in case of data
loss. Also have a data loss prevention (DLP) plan in place.
Assessment of Security Controls:
As we’ve discussed previously the importance of the Assessment phase of the RMF for
the stakeholders of BioHuman, here we are to assess the controls to determine if the controls are
implemented correctly, operating as intended, and producing the desired outcomes with respect to
satisfying the security and privacy requirements. In addition, in this phase, assessment of the
security controls is the most critical step of a risk management program, particularly as we
concentrate on the company’s payroll systems. Testing the payroll system thoroughly and then
performing ruthless configuration management to maintain the security are essential. If the payroll
system is tested properly, it will be fundamentally secure. If the enterprise maintains a secure
system configuration, the system basically stays at the same level of security. Often, companies
and organizations such as BioHuman do not adequately test their systems, and the mechanisms to
verify accurate auditing of security assessments and other controls are lacking. There is no
substitute for assessing security controls and are effective in the risk management in any
Risk Assessments
organizational risk management process as described in NIST Special Publication 800-39. If you
recall, the purpose of risk assessments is to inform decision makers and support risk responses by
identifying: (i) relevant threats to organizations or threats directed through organizations against
other organizations; (ii) vulnerabilities both internal and external to organizations; (iii) impact (i.e.,
harm) to organizations that may occur given the potential for threats exploiting vulnerabilities; and
remediation actions that are conducted to correct compliant and non-compliant security controls
in the security families/categories that we had previously mentioned. Also, we had discussed
specific actions taken based on the findings and recommendations and the tasks laid out in the Plan
of Action & Milestones (POA&M) document specifically for BioHuman. See the POA&M below.
Items in POA&M
A recap from our assessment: the task in the POA&M is to prepare the plan of action and
milestones based on the findings and recommendations of the security assessment report, excluding
any remediation actions taken. The plan of action and milestones, prepared for the authorizing
official by the information system owner or the common control provider, is one of three key
documents in the security authorization package and describes the specific tasks that are planned:
(i) to correct any weaknesses or deficiencies in the security controls noted during the assessment;
and (ii) to address the residual vulnerabilities in the information system. The plan of action and
milestones identifies: (i) the tasks to be accomplished with a recommendation for completion either
We had also previously discussed several security families and controls to choose when conducting
To prepare for a full-fledged risk assessment, we will need to: 1. Identify the purpose of the
assessment. 2. Identify the scope of the assessment. 3. Identify the assumptions and constraints to use. 4.
Identify sources of information (inputs). 5. Identify the risk model and analytic approach to use. Here
we will discuss a few of the security controls in this assessment, particularly in access controls
Before we authorize a system for operation and monitor the system, you will need to assess the
risk and ensure that the system will be secured when there are changes to personnel, changes to
payroll team is currently sharing an office with another organization or with contractors.
With this, there are several security control families to consider in the assessment. One that we
had discussed previously is the access control security family. This is very important, especially
To avoid payroll fraud or errors such as duplicate expense transactions, access control is important
both to perpetrate and to conceal errors or fraud in the normal course of their duties. In general,
transactions.
To establish a proper assessment in payroll systems, confidentiality is of utmost importance,
and there are several questions to consider, particularly in access control, such as: are
procedures established to physically secure and protect master file information? Changes
should be restricted to properly authorized additions, deletions and changes which are
authorized personnel allowed access to the payroll department and its records? Also, we
have assessed that BioHuman should limit access to the payroll office to authorized
environment.
Why is it significant? “Locking up employee files and payroll records at all times” when they are
not in use is critical to preventing unauthorized access. This can also minimize the risk when
impersonate legitimate users. Some attackers may be former employees as well.
procedures. Here we assessed that BioHuman will be required to update employee passwords on
a regular basis, for example every 60-90 days, or to implement at least 2FA authentication
Why significant? They are tools to determine common default passwords, or former employees
still have access to default passwords. Default passwords are also published on the Internet and
frequently in every company, BioHuman must reference the NIST Cybersecurity Framework
regarding the Payroll Profile. Here you can view the checklist of the control information, which allows
further transparency into what’s happening not just on BioHuman’s network but also across the whole
business. In the example listed below you reference the control information and view this as
Authorization:
Regarding the authorization phase of the RMF, the stakeholders of BioHuman are to
authorize the system or common controls based on a determination that the risk to organizational
operations and assets, individuals, and other organizations at BioHuman is acceptable. After the
RMF, testing the payroll system thoroughly and then performing configuration management to
maintain the security controls of the payroll systems are essential to business at BioHuman. As we
discussed, this authorization step within the RMF is also highly critical in determining whether
an authorizing official (AO) is to authorize the system, deny its operation, or remediate the
deficiencies of the payroll systems. In addition, the AO has the ability to authorize security
decisions through an Authorization to Operate (ATO), an Interim Authorization to Test (IATT),
Package that contains, at a minimum, a System Security Plan (SSP), a Security Assessment Report
(SAR) and a Plan of Action & Milestones (POA&M) regarding the security controls, in this case
In BioHuman's payroll systems, the stakeholders would follow the RMF, and in the security
authorization phase, if approved, this would allow BioHuman to implement proper protection of the payroll
systems, specifically from cyber threats and cyberattacks such as malware, phishing, etc. In
addition, you as the stakeholders should also be aware that if the AO feels the system risk is
unacceptable for any reason, a Denial of Authorization to Operate (DATO) is issued. A DATO decision is
issued if the proposed operational risk is determined to be unacceptable to the business. A DATO
will prevent a new system from going into operation. For an existing system, a DATO requires
operation to be halted. In the case of payroll systems, if any process of operational management,
such as vulnerabilities in Personally Identifiable Information (PII) data such as birth date, DoD ID
(SSN), work e-mail address, and Tax Identification Number (TIN), used to produce useful, timely, and
accurate management and financial data, is exposed, the Authorizing Official and those authorized
In the case that a system requires certain testing to be done in an operational environment, an
Interim Authorization to Test (IATT) can be sought. IATTs are typically given for a short period
of time to permit functional testing in a “live” environment. An IATT decision can be reached if
the system assessment requires live testing before an ATO (Berman, 2016).
In BioHuman's payroll systems, the IT team is to test the systems with protective measures. When the IT
team conducts a proactive approach to testing system software or systems, this may
include network hardening and system hardening, particularly in technical controls such as
firewalls, encryption at rest, RBAC, public key certificates or user ID/passwords, to ensure that
these payroll controls are properly operational to avoid any potential cyber threats.
Continuous Monitoring
To have an effective continuous monitoring program, we have discussed the several steps
and implementation; assessment of control effectiveness; information system and common control
authorization within the RMF process. In the continuous monitoring phase of the RMF, the
stakeholders of BioHuman and all the roles involved in the system security plan must
continuously monitor all the associated controls on an ongoing basis, to include assessing control
effectiveness, documenting changes to the system and environment of operation, conducting risk
assessments and impact analyses, and reporting the security and privacy posture of the system. A
over time in a highly dynamic operating environment where systems adapt to changing threats,
vulnerabilities, technologies, and mission and business processes. While the use of automated
support tools is not required, near real-time risk management can be achieved with automated
Continuous monitoring is the sixth step in the Risk Management Framework (RMF)
described in NIST SP 800-37, Rev 1, Applying the Risk Management Framework to Federal
Information Systems (February 2010). See Figure 1 below. The objective of a continuous
monitoring program is to determine if the complete set of planned, required, and deployed security
controls within an information system or inherited by the system continue to be effective over time
in light of the inevitable changes that occur. Continuous monitoring is an important activity in
assessing the security impacts on an information system resulting from planned and unplanned
changes to the hardware, software, firmware, or environment of operation (including threat space).
Authorizing Officials’ risk-based decisions (i.e., security authorization decisions) should consider
the security life cycle represented by the RMF. The Federal Information Security Management
Act (FISMA) of 2002, OMB policy, and the implementing standards and guidelines developed by
As many organizations such as BioHuman are aware, the world of IT always changes;
security is not a one-time effort. This field is evolving. The organization must keep up with new technologies
that can affect its payroll systems. For example, there is new malware, the threats change
to keep up with those changes and adjust to new compliance requirements, new laws, new protections, and new
encryption.
As we implement these security controls at BioHuman, to ensure that the security controls
within the payroll system are effective and secure in the environment, the security program and
system security plans at BioHuman must be able to adapt to change. As we are all aware,
IT technologies and rules are constantly evolving, especially when situations occur such as changes
BioHuman is staffed with both employees and contractors. Change management is a
systematic approach which deals with the transition or transformation of organizational
objectives, processes, core values or technologies. The project development process and all the
factors related to the project are not that stable and have to change every so often because of the
shifting requirements of the market. This is effective within the continuous monitoring phase and
References
Berman, Lon (2016, September). RMF.org. Risk Management Framework: Understanding the
https://rmf.org/wp-content/uploads/2017/10/RMF-Today-2016-09.pdf
CSRC, NIST. (2022, June). Computer Security Resource Center. Risk Management Framework
(RMF) - Categorize Step. Retrieved from
https://csrc.nist.gov/Projects/risk-management/about-rmf/categorize-step
Dubsky, Lance. (2016). ISACA.org. Assessing Security Controls: Keystone of the Risk Management
https://www.isaca.org/resources/isaca-journal/issues/2016/volume-6/assessing-security-controls-
keystone-of-the-risk-management-framework
FIPS Publication 200; NIST Special Publications 800-30, 800-53, 800-53A; CNSS Instruction 1253;
Web: SCAP.NIST.GOV.
Joint Task Force. (2018, December). NIST Special Publication 800-37 Revision 2. Risk Management
https://doi.org/10.6028/NIST.SP.800-37r2
NIST SP 800-60 r2.
https://csrc.nist.gov/publications/detail/sp/800-60/vol-2-rev-1/final
CSRC.NIST.GOV. (2021, January). NIST SP 800-171 Rev. 2. Protecting Controlled Unclassified Information
https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
Stine, K., Kissel, R., Barker, W., Fahlsing, J., and Gulick, J. (2008, August). NIST Special
Publication 800-60 Volume I Revision 1. Volume I: Guide for Mapping Types of Information and
Information Systems to Security Categories.
Ferraiolo, Hildegard; Chandramouli, Ramaswamy; Ghadiali, Nabil; Mohler, Jason; Shorter, Scott. (2015,
July). NIST Special Publication 800-79-2. Guidelines for the Authorization of Personal Identity Verification
Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). Retrieved from
http://dx.doi.org/10.6028/NIST.SP.800-79-2