Risk Frameworks

admin, 2023-12-12 10:23:38


A risk framework is a guideline or recipe for how risk is to be assessed, resolved, and monitored. NIST established the Risk Management Framework (RMF) and the Cybersecurity Framework (CSF). Both are U.S. government guides for establishing and maintaining security, but the CSF is designed for critical infrastructure and commercial organizations, whereas the RMF establishes mandatory requirements for federal agencies. The RMF was first published in 2010 (SP 800-37 Rev. 1), and the CSF was first published in 2014 (version 1.0).

The CSF is built around a framework core that consists of five functions: Identify, Protect, Detect, Respond, and Recover. (CSF 2.0, released by NIST in February 2024, adds a sixth function, Govern.) The CSF is not a checklist or a procedure; it prescribes operational activities that are performed on an ongoing basis to support and improve security over time. The CSF is better thought of as an improvement system than as a specific risk management process or security infrastructure of its own.

The RMF, defined by NIST in SP 800-37 Rev. 2 (https://csrc.nist.gov/pubs/sp/800/37/r2/final), establishes mandatory security requirements for federal agencies. This is the primary risk framework referenced by the CISSP exam. Rev. 2 defines seven cyclical steps; Rev. 1 had six, and Rev. 2 added the Prepare step at the front of the cycle (see Figure 2.5):

  •  Prepare to execute the RMF from an organization-level and system-level perspective by establishing a context and priorities for managing security and privacy risk.

  •  Categorize the system and the information processed, stored, and transmitted by the system based on an analysis of the impact of loss.

  •  Select an initial set of controls for the system and tailor the controls as needed to reduce risk to an acceptable level based on an assessment of risk.

  •  Implement the controls and describe how the controls are employed within the system and its environment of operation.

  •  Assess the controls to determine whether they are implemented correctly, operating as intended, and producing the desired outcomes with respect to satisfying the security and privacy requirements.

  •  Authorize the system or common controls based on a determination that the risk to organizational operations and assets, individuals, other organizations, and the nation is acceptable.

  •  Monitor the system and the associated controls on an ongoing basis, including assessing control effectiveness, documenting changes to the system and environment of operation, conducting risk assessments and impact analyses, and reporting the security and privacy posture of the system.


FIGURE 2.5 The elements of the risk management framework (RMF)

(from NIST SP 800-37 Rev. 2, Figure 2)


These seven steps are performed in order and repeated throughout the life of the organization and of each system it operates. The RMF is intended as a risk management process for identifying and responding to threats. Using the RMF results in the establishment of a security infrastructure and a process for ongoing improvement of the secured environment.

There is significantly more detail about the RMF in the official NIST publication; we encourage you to review that publication in its entirety for a complete perspective on the RMF. Much of the information in the prior risk management sections of this chapter was derived from the RMF.

Another important guide to risk management is ISO 31000, “Risk management — Guidelines.” It is a high-level overview of the idea of risk management that many will benefit from reading. You can find it online at www.iso.org/obp/ui/#iso:std:iso:31000:ed-2:v1:en. This ISO guideline is intended to be useful to any type of organization, whether government or private sector. A companion technical report, ISO/TR 31004 “Risk management — Guidance for the implementation of ISO 31000” (www.iso.org/standard/56610.html), may also be of interest, along with ISO/IEC 27005, “Information security, cybersecurity and privacy protection — Guidance on managing information security risks” (https://www.iso.org/standard/80585.html), which applies the general ISO 31000 approach specifically to information security risk.

The NIST RMF is the primary focus of the CISSP exam, but you may want to review other risk management frameworks for use in the real world. Consider the following for future research:

  •  The Committee of Sponsoring Organizations (COSO) of the Treadway Commission’s Enterprise Risk Management — Integrated Framework

  •  ISACA’s Risk IT Framework

  •  Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

  •  Factor Analysis of Information Risk (FAIR)

  •  Threat Agent Risk Assessment (TARA)


For further research, a useful article comparing IT risk assessment frameworks from real-world experience is available at www.csoonline.com/article/2125140/it-risk-assessment-frameworks-real-world-experience.html. There are a number of well-recognized frameworks; the important thing is to understand them and to select the one that fits your organization’s requirements and style.

Originally published on the WeChat public account 网络安全等保测评: Risk Frameworks

Please retain the original link when reproducing (CN-SEC Chinese site; thanks to the original author): https://cn-sec.com/archives/2288437.html
