Healthy Body Wellness Center: RMF To-Do List and Framework Comparison

Added on 2022/12/03
Practical Assignment
AI Summary
This assignment presents an analysis of an RMF (Risk Management Framework) To-Do List for the Healthy Body Wellness Center, encompassing tasks related to security categorization, control selection, implementation, assessment, and authorization. The assignment evaluates the completion status of each RMF task, providing recommendations for incomplete tasks based on industry standards like ISO 27002, COBIT, NIST, and ITIL. It also compares these frameworks, detailing their purpose, strengths, weaknesses, and application in the context of information security. The document includes a risk assessment, outlines necessary remediation actions, and discusses the importance of ongoing monitoring and security status reporting. Furthermore, it addresses the categorization of information systems, common control identification, security plan approvals, and the impact of changes to the information system environment. The student provides a comprehensive overview of the security controls within the Healthy Body Wellness Center and compares the security frameworks.
TASK 4

Name of the student

Name of the university
Table of Contents

A. RMF To-Do List
    Security Categorization
    Information System Description
    Information System Registration
    Common Control Identification
    Security Control Selection
    Monitoring Strategy
    Security Plan Approval
    Security Control Implementation
    Security Control Documentation
    Assessment Preparation
    Security Control Assessment
    Security Assessment Report
    Remediation Actions
    Plan of Action and Milestones
    Security Authorization Package
    Risk Determination
    Risk Acceptance
    Information System and Environment Changes
    Ongoing Security Control
    Ongoing Remediation Actions
    Key Updates
    Security Status Reporting
B. Comparison of ISO 27002, COBIT, NIST, and ITIL frameworks, with the creation of a document in which the following is done:
    B1. FRAMEWORK USE
    B2. FRAMEWORK PURPOSE
        The main purpose of ISO 27002 is to provide an international standard that ISO-compliant organizations can refer to when creating any security control. Its purpose is also to supplement the standard framework that is generally used for creating a risk assessment.
    B3. FRAMEWORK STRENGTH
    B4. FRAMEWORK WEAKNESS
    ACCREDITATION
    B6. FRAMEWORK CHOICE
A. RMF To-Do List
Each RMF task below is recorded with its status (done / not done), a discussion of how the status was determined (if done, whether it is complete and the page number where it is referenced; if not done, the recommendations for completing the task with respect to ISO 27002, COBIT, NIST, or ITIL, and where the results should be saved), and the external documents needed for the task.

RMF Step 1: Categorize Information Systems

1.1 Security Categorization
Task: Using either FIPS 199 or CNSS 1253, categorize the information system. The completed categorization should be included in the security plan.
Status: Not done
Discussion: As highlighted in the risk assessment, there is no security plan (p. 18). Add the security categorization information to the security plan. The security categorization that was completed in the risk assessment can be included in the security plan; the full categorization can be found on pp. 14-16. The categorization done in the risk analysis is based on FIPS 199.
External documents: FIPS 199 for non-national security systems; CNSS 1253 for national security systems

1.2 Information System Description
Task: Is a description of the information system included in the security plan?
Status: Done
Discussion: Included in section 3, on page 14, under SYSTEM CHARACTERIZATION. This is the area that is developed further when a detailed description of the information system is included in the security plan.
External documents: NIST Special Publication 800-53 Revision 1

1.3 Information System Registration
Task: Identify offices that the information system should be registered with. These can be organizational or management offices.
Status: Not done
Discussion: The risk assessment contains no discussion of registering the information system according to the NIST guidelines. The information system registration information is to be added to the security plan.
External documents: NIST Special Publication 800-37 Revision 1

RMF Step 2: Select Security Controls

2.1 Common Control Identification
Task: Describe common security controls in place in the organization. Are the controls included in the security plan?
Status: Not done
Discussion: As described in NIST Special Publication 800-37 Revision 1, all common controls in use are identified. This information is included in the security plan.
External documents: NIST Special Publication 800-37 Revision 1

2.2 Security Control Selection
Task: Are selected security controls for the information system documented in the security plan?
Status: Not done
Discussion: NIST Special Publication 800-53 provides the selection guidance for security controls for non-national security systems. The documentation also calls for additional security controls, which must be added to the security plan.
External documents: NIST Special Publication 800-37 Revision 1

2.3 Monitoring Strategy
Task: What security control monitoring strategies should be used to protect the information system and its environment of operation?
Status: Not done
Discussion: During the security control selection process the organization begins to plan for continuous monitoring. The strategy includes the monitoring criteria, the security controls to be monitored, and the frequency appropriate for monitoring each specific security control.
External documents: NIST Special Publication 800-37 Revision 1

2.4 Security Plan Approval
Task: Has the security plan been reviewed and approved?
Status: Not done
Discussion: The security plan must be reviewed and approved by the authorizing official or designated representatives, as described in Special Publication 800-53 Revision 1. After approval it will be added to the security plan.
External documents: NIST Special Publication 800-53 Revision 1

RMF Step 3: Implement Security Controls

3.1 Security Control Implementation
Task: Have the security controls specified in the security plan been implemented?
Status: Not done
Discussion: According to Special Publication 800-37 Revision 1, the information system owner must implement the security controls specified in the security plan. After implementation, this must be documented in the security plan.
External documents: NIST Special Publication 800-37 Revision 1

3.2 Security Control Documentation
Task: Has the security control implementation been documented?
Status: Not done
Discussion: According to Special Publication 800-37 Revision 1, the organization must document the security control implementation in the security plan, providing a functional description of the control implementation that includes planned inputs, expected behavior and expected outputs. After completion it must be included in the security plan.
External documents: NIST Special Publication 800-37 Revision 1

RMF Step 4: Assess Security Controls

4.1 Assessment Preparation
Task: Has a plan to assess the security controls been developed?
Status: Not done
Discussion: As stated in Special Publication 800-37 Revision 1, the security control assessor must develop, review and approve the plan for assessing the security controls.
External documents: NIST Special Publication 800-37 Revision 1

4.2 Security Control Assessment
Task: Have the security controls defined in the security assessment plan been assessed?
Status: Not done
Discussion: As stated in Special Publication 800-37 Revision 1, the security control assessor must develop, approve and review any plan for assessing the security controls. After completion it must be included in the security plan.
External documents: NIST Special Publication 800-37 Revision 1

4.3 Security Assessment Report
Task: Has the security assessment report from the security control assessment been completed?
Status: Not done
Discussion: As stated in Special Publication 800-37 Revision 1, the security control assessor must produce the security assessment report, which documents the issues, findings and recommendations from the security control assessment. After completion it is added to the security plan.
External documents: NIST Special Publication 800-37 Revision 1

4.4 Remediation Actions
Task: What remediation actions on security controls need to be taken based on the findings and recommendations of the security assessment report?
Status: Not done
Discussion: As stated in Special Publication 800-37 Revision 1, the security control assessor must prepare the security assessment.
External documents: NIST Special Publication 800-37 Revision 1

RMF Step 5: Authorize Information System

5.1 Plan of Action and Milestones
Task: Is there a completed plan of action and milestones based on the findings and recommendations of the security assessment report, excluding any remediation actions taken?
Status: Not done
Discussion: As documented in NIST Special Publication 800-37 Revision 1, the information system owner and the common control provider prepare the plan of action and milestones based on the findings and recommendations of the security assessment report.
External documents: NIST Special Publication 800-37 Revision 1

5.2 Security Authorization Package
Task: Has the security package been authorized and submitted to the authorizing official?
Status: Not done
Discussion: As described in Special Publication 800-37 Revision 1, the information system owner or the common control provider assembles the package and submits it to the authorizing official for adjudication. After completion it must be kept under the security plan.
External documents: NIST Special Publication 800-37 Revision 1

5.3 Risk Determination
Task: What is the risk to organizational operations, organizational assets, individuals, and other organizations?
Status: Done
Discussion: The risk assessment is completed and the details are present in the document; a risk assessment matrix is present in that section.
External documents: NIST Special Publication 800-37 Revision 1

5.4 Risk Acceptance
Task: Is the risk to organizational operations, organizational assets, individuals, and other organizations acceptable with regard to avoidance, transference, and acceptance?
Status: Not done
Discussion: As stated in Special Publication 800-37 Revision 1, the authorizing official must determine whether the risk to organizational operations, organizational assets, individuals, other organizations and the nation is acceptable. After completion it is added to the security plan.
External documents: NIST Special Publication 800-37 Revision 1

RMF Step 6: Monitor Security Controls

6.1 Information System and Environment Changes
Task: What is the security impact of changes to the information system and its environment of operation?
Status: Not done
Discussion: As stated in Special Publication 800-37 Revision 1, the information system owner or the common control provider must determine the security impact of changes to the information system and its environment of operation. After completion it must be added to the security plan.
External documents: NIST Special Publication 800-37 Revision 1

6.2 Ongoing Security Control Assessments
Task: Which security controls from the subset of the technical, management, and operational security controls should be assessed?
Status: Not done
Discussion: As stated in Special Publication 800-37 Revision 1, the security control assessor must assess the operational, technical and management controls that are employed by or inherited by the information system, with respect to the organization. After completion it will be included in the security plan.
External documents: NIST Special Publication 800-37 Revision 1

6.3 Ongoing Remediation Actions
Task: What remediation actions need to be taken based on results of monitoring activities?
Status: Not done
Discussion: As stated in Special Publication 800-37 Revision 1, the information system owner or the common control provider must conduct remediation actions based on the results of ongoing monitoring activities, the risk assessment and the outstanding items.
External documents: NIST Special Publication 800-37 Revision 1

6.4 Key Updates
Task: Has the security plan, assessment report, and plan of action been updated based on the continuous monitoring process?
Status: Not done
Discussion: As stated in Special Publication 800-37 Revision 1, the information system owner or the common control provider must update the security plan, the security assessment report and the plan of action and milestones based on the results of the monitoring process. These are to be added to the security plan.
External documents: NIST Special Publication 800-37 Revision 1

6.5 Security Status Reporting
Task: Has a security status
Status: Not done
Discussion: According to NIST Special Publication 800-37 Revision 1, the information system owner or the common control provider must report the security status of the information system to the authorizing official.
External documents: NIST Special Publication 800-37 Revision 1
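Row 1.1 of the to-do list asks for a FIPS 199 categorization to be carried into the security plan. The following is an added example, not part of the assignment or of the Healthy Body Wellness Center risk assessment, showing how that categorization is computed: each information type the system handles is rated LOW, MODERATE or HIGH for confidentiality, integrity and availability; the system-level value for each objective is the high-water mark across all types; and the overall impact level (which selects the SP 800-53 baseline) is the high-water mark across the three objectives. The information types, their ratings, the system name and the InformationType / categorize_system / undocumented_adjustments names are assumptions constructed for illustration. CNSS 1253, the alternative the row names for national security systems, has its own baseline selection rules and is not modelled here.

```python
"""FIPS 199 security categorization by high-water mark (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# FIPS 199 potential impact levels, ordered so the high-water mark is a max()
IMPACT_ORDER = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass
class InformationType:
    """One information type the system handles (hypothetical structure).

    provisional: impact level per objective as first assigned
    adjusted:    owner overrides per objective, each of which needs a rationale
    """
    name: str
    provisional: Dict[str, str]
    adjusted: Dict[str, str] = field(default_factory=dict)
    rationale: Dict[str, str] = field(default_factory=dict)

    def level(self, objective: str) -> str:
        # An adjusted level, when documented, replaces the provisional one
        lvl = self.adjusted.get(objective, self.provisional[objective])
        if lvl not in IMPACT_ORDER:
            raise ValueError(f"{self.name}: unknown impact level {lvl!r}")
        return lvl


def high_water_mark(levels: Iterable[str]) -> str:
    """Highest impact level in the collection."""
    return max(levels, key=lambda lvl: IMPACT_ORDER[lvl])


def categorize_system(info_types: List[InformationType]) -> Dict[str, str]:
    """System impact per objective = max over all information types (FIPS 199)."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    return {obj: high_water_mark(t.level(obj) for t in info_types) for obj in OBJECTIVES}


def overall_impact(categorization: Dict[str, str]) -> str:
    """Overall system impact = max across the three objectives (FIPS 200)."""
    return high_water_mark(categorization.values())


def fips199_notation(system_name: str, categorization: Dict[str, str]) -> str:
    """Render the categorization in the FIPS 199 'SC system = {...}' form."""
    pairs = ", ".join(f"({obj}, {categorization[obj]})" for obj in OBJECTIVES)
    return f"SC {system_name} = {{{pairs}}}"


def undocumented_adjustments(info_types: List[InformationType]) -> List[Tuple[str, str]]:
    """Adjustments with no recorded rationale; an approver should reject these."""
    return [(t.name, obj) for t in info_types for obj in t.adjusted if not t.rationale.get(obj)]


# Constructed sample data, not taken from the assignment's risk assessment
SAMPLE_TYPES = [
    InformationType("Patient health records",
                    {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"}),
    InformationType("Appointment scheduling",
                    {"confidentiality": "LOW", "integrity": "LOW", "availability": "LOW"}),
    InformationType("Public wellness newsletter",
                    {"confidentiality": "LOW", "integrity": "LOW", "availability": "LOW"},
                    adjusted={"integrity": "MODERATE"},
                    rationale={"integrity": "tampered health advice could lead patients to harm"}),
]
SYSTEM_NAME = "Healthy Body Wellness Center information system"  # hypothetical label

if __name__ == "__main__":
    cat = categorize_system(SAMPLE_TYPES)
    print(fips199_notation(SYSTEM_NAME, cat))
    print("overall impact (baseline selector):", overall_impact(cat))
    print("adjustments lacking rationale:", undocumented_adjustments(SAMPLE_TYPES))
```

The notation string and the overall level are what would be pasted into the security plan for task 1.1; the undocumented_adjustments check is the review step that belongs with security plan approval (task 2.4), since an impact level lowered without a written justification should not pass the authorizing official.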