PM-9

[gregelin]

BLUF

Team needs to produce a memo or other document that is the organization's official statement describing how the organization systematically manages cyber risk.

Effort

Initially developing the document is a one time activity performed by executives. The document is disseminated to everyone, especially managers and cyber. The document needs to be updated on defined schedule.

Good

The clearer the prioritization of risk, the easier the rest of org will make good trade-offs and direct resources to priorities.

Bad

A bad document is general and pushes prioritization downstream leading to security viewing all risks as equal.

Story

Story for development team to know location of document and read it

Examples

DoD is compliant because of memo DoDI 8510.01 stating how DoD uses NIST RMF as strategy. You need a memo declaring what you will use as a strategy. artifact is the memo.

CDM

• essential to be at URL
• essential to be located < 1 min
• better if can be read in 10 min
• better to be in opencontrol format
• better if independent memo or clearly labeled section and linkable of memo
• best if scheduled review

Make document public. Separate proprietary info to separate doc and make available enterprise wide.

Roles

• Executive - Update and communicate strategy
• Middle Managers - Communicate, implement, instrument adherence, mentor, and communicate problems
• Front Line - use/apply strategy, improve strategy, measure adherence
• Auditors - verify strategy; verify implementation
• System - inherit strategy, embody strategy, share relevant data

Reference

RISK MANAGEMENT STRATEGY

The organization: a. Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems; b. Implements the risk management strategy consistently across the organization; and c. Reviews and updates the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes.

[gregelin]

Links

• http://800-53.govready.com/control?id=PM-9
• Assessment (old) /codedata/code/compliancelib-python/compliancelib/data/800-53A-R1_Assessment-Cases_All-18-Families_ipd/
• Assessment (new) http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf
• https://github.com/GovReady/compliancelib-python

  >>> import compliancelib
  >>> c = compliancelib.NIST800_53("PM-9")
  >>> print(c.title, c.description, c.supplemental_guidance)

• https://github.com/GovReady/security-stories-nist800-53/issues/19
• DoD CCI - https://docs.google.com/spreadsheets/d/1W17eqNYLdoDMiUbMMBlvo8SGGMWo_Bp3YyVZAmpzgpc/edit?ts=58ba7958#gid=1657269414
• OWASP - n/a
• https://www.sans.org/critical-security-controls/
• https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
• 800-53 document
• https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=PM-9
• u_cci_list/U_CCI_List.xml

[gregelin]

Story drafts

• As the CEO, I want to provide organization staff with unambiguous prioritization of cyber risks to our mission and our strategy for systematically managing those risks. (1x)
• As a developer, I want to read and understand the organization strategy for cyber risk management and map activities to strategy. (1x)

Quarterly

• As the CEO, I want to review the risk management strategy whenever I am evaluating risk in the organization. (Continuously)
• As a developer, I want to be alerted to changes in risk management strategy as they happen and review the risk management strategy periodically. (Continuously)

[gregelin]

Compelling evidence

• official organization-wide risk management strategy (stand-alone document or section in document describing organization's information security program)
• A comprehensive strategy for managing risk includes (for example) risk identification, assessment, response, and monitoring methodologies. (800-53A-R1_Assessment-Case_PM-09_ipd.docx)
• evidence document is maintained and distributed (800-53A-R1_Assessment-Case_PM-09_ipd.docx)
• interview appropriate staff in organization to validate strategy is being applied (800-53A-R1_Assessment-Case_PM-09_ipd.docx)

NOTE: For all documents:

• Do organizations staff use the document?
• Is the document updated regularly?
• Evidence activities are applied

Why:

Without clear prioritization from executives of the most import digital assets to protect and how much to invest protecting them, cyber security staff will not have enough information to make risk-based decisions.

Alternative: Without concise [formal?] executive guidance regarding what risks are tolerable and what risks are not, staff will be unable to prioritize and unable to balance security and innovation.

How:

• Is your organization part of a larger organization that already has a formal strategy to managing risk.
• Spend 30 minutes brainstorming worst case scenarios and most important digital assets (a formal risk analysis will come later)
• Summarize risk tolerance and budget for address assets
• Write an official memo describing organization approach to asecurity

Acceptance Criteria

• Document exists at a persistent URL within organization
• Record of last update
• Staff can access URL
• Evidence of who looks at it
• IDEA: put in tesseract or other vault and confirm people are viewing
• IDEA: document should be inside of GovReady (think BPIF)

[gregelin]

Continuous Monitoring Details

Enabling continuous monitoring requires:

• Document exists at a persistent URL within organization
• Automated process can access URL
• Hash of document established so subsequent views of document can determine if document has changed
• Logging if document not available
• Notifying appropriate parties if document not available
• Mechanism to request changes to document

Data for monitoring

• name - orgs have different naming conventions for documents, often a short name and a full name
• document location (e.g., url)
• who to notify if issue
• where to log check
• who "owns" changing document; who "owns" basic managing of document

Options

• wget or curl
• Python, something like

  fname="url or path to file"
  import os.path
  os.path.isfile(fname) 

  or

  # http://stackoverflow.com/questions/5074803/ddg#5075477
  import urlparse
  url = 'http://foo.appspot.com/abc?def=ghi'
  parsed = urlparse.urlparse(url)
  print urlparse.parse_qs(parsed.query)['def']

• Beautiful soup
• Store document in DocumentCloud in first place
• Model after Python PEP - https://www.python.org/dev/peps/

[gregelin]

I spent some time examining the Python PEP model then created a "Practices" repository for GovReady PBC inspired by PEP.

I discover that PEP model addresses important concerns:

• A place to publish official documents with web-compatible resource locators
• A place to author and editing new documents and update existing documents
• Processes for managing the documents
• A public index of documents
• Processes for discussing documents
• Simple categorization documents by type and status
• Communicating documents
• Quality control of documents
• Participation and management of the community around the documents
• Audited transactions (e.g., document modification, publishing, ownership change)

It appears to me a surprisingly robust model that can organizes an extensible repository of official decisions and practices, including meta processes (processes about the process). PEP is not machine readable, but the documents are friendly to web-based management, indexing, and discussion.

[gregelin]

Moving forward with "Practice" document management model based on PEP and RFC model.

Current version: https://github.com/GovReady/govready-pbc-practices/blob/master/practices/2-draft-accepted/p-0020.md