Healthy Body Wellness Center: RMF To-Do List and Framework Comparison
Added on 2022/12/03
Practical Assignment
AI Summary
This assignment presents an analysis of an RMF (Risk Management Framework) To-Do List for the Healthy Body Wellness Center, encompassing tasks related to security categorization, control selection, implementation, assessment, and authorization. The assignment evaluates the completion status of each RMF task, providing recommendations for incomplete tasks based on industry standards like ISO 27002, COBIT, NIST, and ITIL. It also compares these frameworks, detailing their purpose, strengths, weaknesses, and application in the context of information security. The document includes a risk assessment, outlines necessary remediation actions, and discusses the importance of ongoing monitoring and security status reporting. Furthermore, it addresses the categorization of information systems, common control identification, security plan approvals, and the impact of changes to the information system environment. The student provides a comprehensive overview of the security controls within the Healthy Body Wellness Center and compares the security frameworks.

TASK 4
Name of the student
Name of the university
Table of Contents
A. RMF To-Do List
  Security Categorization
  Information System Description
  Information System Registration
  Common Control Identification
  Security Control Selection
  Monitoring Strategy
  Security Plan Approval
  Security Control Implementation
  Security Control Documentation
  Assessment Preparation
  Security Control Assessment
  Security Assessment Report
  Remediation Actions
  Plan of Action and Milestones
  Security Authorization Package
  Risk Determination
  Risk Acceptance
  Information System and Environment Changes
  Ongoing Security Control
  Ongoing Remediation Actions
  Key Updates
  Security Status Reporting
B. Comparison of the ISO 27002, COBIT, NIST, and ITIL frameworks, with the creation of a document in which the following is done:
  B1. FRAMEWORK USE
  B2. FRAMEWORK PURPOSE
    The main purpose of ISO 27002 is to provide an international standard that ISO-compliant organizations can refer to when creating any security control. Its purpose is also to supplement the framework standard that is generally used for creating a risk assessment.
  B3. FRAMEWORK STRENGTH
  B4. FRAMEWORK WEAKNESS
  ACCREDITATION
  B6. FRAMEWORK CHOICE
A. RMF To-Do List

Column headings: RMF Tasks; Status (done/not done); Discuss how you determined the status of each task (answer the following questions: if done, is it complete? What page number is it referenced in? If not done, what are the recommendations for completing the task with respect to ISO 27002, COBIT, NIST, or ITIL? Where should the results be saved?); External documents needed for task.

RMF Step 1: Categorize Information Systems

1.1 Security Categorization
Task: Using either FIPS 199 or CNSS 1253, categorize the information system. The completed categorization should be included in the security plan.
Status: Not done
Discussion: As highlighted in the risk assessment, there is no security plan done (p.18). Add the security categorization information to the security plan. The security categorization that was completed in the risk assessment can be included in the security plan. The full categorization can be found on pp. 14-16. The categorization done in the risk analysis is based on FIPS 199.
External documents: FIPS 199 for non-national security systems, CNSS 1253 for national security systems

1.2 Information System Description
Task: Is a description of the information system included in the security plan?
Status: Done
Discussion: Included in section 3, on page 14, in SYSTEM CHARACTERIZATION. This is the area that should be developed further to include a detailed description of the information system in the security plan.
External documents: NIST Special Publication 800-53 Revision 1
1.3 Information System Registration
Task: Identify offices that the information system should be registered with. These can be organizational or management offices.
Status: Not done
Discussion: In the risk assessment there is no discussion of registering the information system according to the NIST guidelines. The information for the registration of the information system is to be added to the security plan.
External documents: NIST Special Publication 800-37 Revision 1

RMF Step 2: Select Security Controls

2.1 Common Control Identification
Task: Describe common security controls in place in the organization. Are the controls included in the security plan?
Status: Not done
Discussion: As mentioned in NIST Special Publication 800-37 Revision 1, all common controls in use are identified. This information is included in the security plan.
External documents: NIST Special Publication 800-37 Revision 1

2.2 Security Control Selection
Task: Are selected security controls for the information system documented in the security plan?
Status: Not done
Discussion: NIST Special Publication 800-53 provides the selection guidance for security controls for systems that are not national security systems. The documentation also says to add more security controls, which must be added to the security plan.
External documents: NIST Special Publication 800-37 Revision 1
2.3 Monitoring Strategy
Task: What security control monitoring strategies should be used to protect the information system and its environment of operation?
Status: Not done
Discussion: During the security control selection process, the organization begins to plan for the continuous monitoring process. This strategy also includes the monitoring criteria, which cover the proper security controls, the frequency at which the specific security controls should be monitored, and the specific controls to be monitored.
External documents: NIST Special Publication 800-37 Revision 1

2.4 Security Plan Approval
Task: Has the security plan been reviewed and approved?
Status: Not done
Discussion: The security plan must be reviewed and approved by the Authorizing Official or by designated representatives, as mentioned in publication 800-53 Revision 1. After approval it will be added to the security plan.
External documents: NIST Special Publication 800-53 Revision 1

RMF Step 3: Implement Security Controls
3.1 Security Control Implementation
Task: Have the security controls specified in the security plan been implemented?
Status: Not done
Discussion: According to 800-37 Revision 1, the Information System Owner must implement the security controls specified in the security plan. After implementation, this must be documented in the security plan.
External documents: NIST Special Publication 800-37 Revision 1

3.2 Security Control Documentation
Task: Has the security control implementation been documented?
Status: Not done
Discussion: According to 800-37 Revision 1, the organization must document the security control implementation, as appropriate, in the security plan, providing a functional description of the control implementation that includes planned inputs, expected behavior and expected outputs. After completion it must be included in the security plan.
External documents: NIST Special Publication 800-37 Revision 1

RMF Step 4: Assess Security Controls
4.1 Assessment Preparation
Task: Has a plan to assess the security controls been developed?
Status: Not done
Discussion: As mentioned in 800-37 Revision 1, the security control assessor must develop, review and approve the plan for assessing the security controls.
External documents: NIST Special Publication 800-37 Revision 1

4.2 Security Control Assessment
Task: Have the security controls defined in the security assessment plan been assessed?
Status: Not done
Discussion: As mentioned in 800-37 Revision 1, the security control assessor must develop, review and approve any plan for assessing the security controls. After completion it must be included in the security plan.
External documents: NIST Special Publication 800-37 Revision 1

4.3 Security Assessment Report
Task: Has the security assessment report from the security control assessment been completed?
Status: Not done
Discussion: As mentioned in 800-37 Revision 1, the security control assessor must generate the security assessment report, which documents the issues, findings and recommendations from the security control assessment. After completion it is added to the security plan.
External documents: NIST Special Publication 800-37 Revision 1
4.4 Remediation Actions
Task: What remediation actions on security controls need to be taken based on the findings and recommendations of the security assessment report?
Status: Not done
Discussion: As mentioned in 800-37 Revision 1, the security control assessor must prepare the security assistance.
External documents: NIST Special Publication 800-37, as revised

RMF Step 5: Authorize Information System

5.1 Plan of Action and Milestones
Task: Is there a completed plan of action and milestones based on the findings and recommendations of the security assessment report, excluding any remediation actions taken?
Status: Not done
Discussion: According to NIST Special Publication 800-37, Revision 1, the Information System Owner and the common control provider prepare the plan of action and milestones based on the findings and recommendations of the security assessment report.
External documents: NIST Special Publication 800-37, Revision 1

5.2 Security Authorization Package
Task: Has the security package been authorized and submitted to the authorizing official?
Status: Not done
Discussion: According to publication 800-37 Revision 1, the Information System Owner or the common control provider assembles the package and submits it to the Authorizing Official for adjudication. After completion it must be kept under the security plan.
External documents: NIST Special Publication 800-37, Revision 1
5.3 Risk Determination
Task: What is the risk to organizational operations, organizational assets, individuals, and other organizations?
Status: Done
Discussion: The risk assessment is completed and the details are present in the document. A risk assessment matrix is present in that section.
External documents: NIST Special Publication 800-37 Revision 1

5.4 Risk Acceptance
Task: Is the risk to organizational operations, organizational assets, individuals, and other organizations acceptable with regard to avoidance, transference, and acceptance?
Status: Not done
Discussion: As mentioned in 800-37 Revision 1, the Authorizing Official must determine whether the risk to organizational operations, organizational assets, individuals, other organizations and the Nation is acceptable. After completion it is added to the security plan.
External documents: NIST Special Publication 800-37 Revision 1
RMF Step 6: Monitor Security Controls

6.1 Information System and Environment Changes
Task: What is the security impact of changes to the information system and its environment of operation?
Status: Not done
Discussion: As mentioned in 800-37 Revision 1, the Information System Owner or the common control provider must determine the security impact of changes to the information system and its environment of operation. After completion it must be added to the security plan.
External documents: Special Publication 800-37 Revision 1

6.2 Ongoing Security Control Assessments
Task: Which security controls from the subset of the technical, management, and operational security controls should be assessed?
Status: Not done
Discussion: As mentioned in 800-37 Revision 1, the security control assessor must assess the operational, technical and management controls that are employed by or inherited by the information system, with respect to the organization. After completion it will be included in the security plan.
External documents: NIST Special Publication 800-37 Revision 1
6.3 Ongoing Remediation Actions
Question: What remediation actions need to be taken based on results of monitoring activities?
Status: Not Done
Recommendation: As described in NIST SP 800-37 Revision 1, the information system owner or common control provider must conduct remediation actions based on the results of ongoing monitoring activities, the risk assessment, and any outstanding items.
Reference: NIST Special Publication 800-37 Revision 1

6.4 Key Updates
Question: Has the security plan, assessment report, and plan of action been updated based on the continuous monitoring process?
Status: Not Done
Recommendation: As described in NIST SP 800-37 Revision 1, the information system owner or common control provider must update the security plan, the security assessment report, and the plan of action and milestones based on the results of the continuous monitoring process. These updates are to be reflected in the security plan.
Reference: NIST Special Publication 800-37 Revision 1

6.5 Security Status Reporting
Question: Has a security status
Status: Not Done
Recommendation: According to NIST Special Publication 800-37 Revision 1, the information system owner or common control provider must report the security status of the information system to the authorizing official.
Reference: NIST Special Publication 800-37 Revision 1