

Risk Management Framework / CIA

Paul Nelson




The Risk Management Framework (RMF) is a set of criteria that dictate how United States government IT systems must be architected, secured, and monitored. Originally developed by the Department of Defense (DoD), the RMF was adopted by the rest of the US federal information systems in 2010 (Petters, 2018). The Risk Management Framework provides a process that integrates security and risk management activities into the system development life cycle. The risk-based approach to security control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. The selection and specification of security controls for a system is accomplished as part of an organization-wide information security program that involves the management of organizational risk, that is, the risk to the organization or to individuals associated with the operation of a system.

The management of organizational risk is a key element in the organization's information security program and provides an effective framework for selecting the appropriate security controls for a system: the security controls necessary to protect individuals and the operations and assets of the organization. There are several companies that will help you with protecting your data. Instead of using the terms used by the CIA triad, they use words like Identify, which seems a lot like Confidentiality: identify your sensitive and at-risk data and systems (including users, permissions, folders, etc.); Protect, which seems a lot like Integrity: protect that data, manage access, and minimize the risk surface; while Monitor seems a whole lot like Availability: detect what's happening on that data and who's accessing it, and identify when there is suspicious behavior or unusual file activity.

Sensitive business data is more vulnerable today than ever before. Corporate trade secrets, national security information, personal medical records, Social Security and credit card numbers are all stored, used, and transmitted online and through connected devices (Janacek, 2015). The threat is real: laptops are being stolen or lost, giving access to important data. That is a true statement if policies are not put into place to safeguard these valuable assets. There are many ways to protect your data. Encrypting your hard drive is a sure way to protect your data. Password-protect your laptop against incidental tampering. After reading the above article, I never thought about placing files in different locations. That can be a learning tool. This will make things harder for the would-be hacker gaining access to your files, for example the My Documents folder.

Endpoint protection is a good tool to protect sensitive files. This tool prevents files from being accessed without proper controls and can be controlled remotely. Do not forget your USB flash drives; most people forget to encrypt these as well. Flash drives can be lost easily or even left in other computers as well as printers. Say you work on sensitive documents that you transferred to your flash drive, and you take the flash drive to a friend's house, or even better, the library, to do some touch-up. You forget the flash drive in a library computer. Maybe an hour later you remember and go back to the library, but the flash drive is nowhere to be found. You have just committed a data breach.

Threat to Data-at-Rest | CIA element | Suggestion on Countering the Threat
The threat that attackers are able to compromise a cloud service and gain access to their data that is processed by and/or stored in the Cloud. | Confidentiality | Data Encryption
The "insider threat" where a malicious or rogue administrator steals a physical disk drive or server that contains data the customer has in the cloud service. | Availability | Data Encryption
The threat that a government uses a subpoena or warrant to get access to the customer's data in the cloud without their | Availability | Data Encryption
(Rains, 2015)


Petters, J. (2018). What is the Risk Management Framework (RMF)? Retrieved from

Rains, T. (December 1, 2015). Cloud security controls series: Encrypting Data at Rest. Retrieved