Corporate Headquarters:
1010 Wayne Avenue, Suite 1150, Silver Spring, Maryland 20910. Telephone 301.565.2988, Facsimile 301.565.2995, www.e-mcinc.com
Satellite Office:
13800 Coppermine Road, Suite 221, Herndon, Virginia 20171
SBA certified 8(a), woman-owned, minority-owned small business
e-Gov Risk Portfolio Manager™
Online Tutorial
eGov Risk Portfolio Manager Functions
This tutorial will provide an overview of the following eGov Risk Portfolio Manager (eGov RPM) functions:
Configuration Tasks
Risk Portfolios
Risk Identification
Risk Response
Security Management Tab
Reports Module
eGov RPM Configuration Tasks
eGov RPM Configuration Definitions include:
Locations: Physical sites where people or assets reside
Sources: Reference publications used for risk identification
Assessors: Functions or job positions which identify risks (which may include non-eGov RPM users, e.g. IG Auditors)
Categories: Names for groupings of similar types of risks
Roles: Functional titles assigned to eGov RPM end-users, and risk editing privilege settings for each role
Users: Login IDs, passwords, and portfolio access settings
Locations
Portfolios are associated with a physical location, which typically is identified as an office building, data center, or other site where IT assets reside.
Administration tab, Locations submenu
Sources
Sources of risk reduction or risk control objectives are typically written references.
Example Sources:
Bureau Policy
Department Policy
OMB Memoranda
GAO Report
IG Report
NIST Guidance
Assessors
Assessors are typically functional roles performed by people, though a software tool could also be considered a type of “assessor.” Assessors are the individuals (or software tools) that identify risks.
eGov RPM’s definition of an assessor associates the function of the assessor with a Source document such as a standard or an audit report.
Example Assessors:
Assessor | Applicable Standard or Source
ISSO | NIST SP 800-37
Security Tester | NIST SP 800-53A
Project Manager | PMI® PMBOK®
GAO Auditor | GAO FISCAM
Capital Investment Owner | OMB Circular A-11
Categories
Risk Categories tracked by eGov RPM are chosen by the customer organization, so you can decide which types of risk issues are most important to you to track.
Note that you, the customer, decide how granular you want your categories to be. For example, the “NIST 800-53” category shown here could be divided into 3 classes of risks (M-O-T), or 17 families of risks.
Example Categories:
NIST SP 800-53 Control
Privacy
Staffing
Budget
Physical Security
Schedule
Roles – The Concept
The term Roles in eGov RPM pertains to the definition of the access privileges of eGov RPM users.
You decide which types of users should have read, write, create, or delete privileges to risk data and related data structures (e.g., security plans, POA&Ms) in eGov RPM.
Example Roles:
System Owner
ISSO
Software Tester
Auditor
Business User
State Agency User
Roles – Setting Permissions
Role permissions are defined for portfolios, projects, risk entries, administration functions, and reports.
Users – Applying the Roles Concept
Administration tab, Users submenu
Note the custom defined role “Business Analyst.”
Review: eGov RPM Configuration Tasks
You have completed a review of the six eGov RPM configuration tasks: Locations, Sources, Assessors, Categories, Roles, and Users.
You are now ready to create portfolios and define your risk control structure!
The Risk Module: Portfolios
Portfolios – General Concepts
Portfolios are simply hierarchical representations of assets or mission activities that may have risks that you wish to monitor.
Portfolio folders can represent:
– Organization chart entities
– Names of IT contracts
– Names of networks
– Names of IT budget investments
– Names of project phases
– Names of C&A accreditation boundaries
Creating a Portfolio
Creating a Portfolio in eGov RPM is simple:
1) Click on the Risks tab, and then select the Risk Repository submenu.
2) Click the new folder icon located in the lower left corner of the page.
3) Enter the name and location of the portfolio you are creating and click Save.
Portfolios – Certification & Accreditation Example 1
NIST SP 800-37 defines the term “accreditation boundary” as a collection of IT assets under a common direct management control.
The Department of Defense (DoD) has used the term “enclave” in a manner similar to NIST’s definition of accreditation boundary.
eGov RPM can model complex enclaves or accreditation boundaries through the portfolio representation.
Portfolios – Certification & Accreditation Example 2
In the portfolio at left, we are representing major C&A deliverable activities as portfolios.
The idea: Each of the five process activities listed at left will identify risks relevant to the Enclave.
The collection of risks from the Enclave’s 5 deliverable areas comprises a good set of risks for the Enclave’s risk assessment.
How Many Levels of Portfolios?
Recommendation: The “depth” or number of portfolio levels defined in your portfolio hierarchy should be based on the number of different risk owners involved in mitigating identified risks.
Multiple risk owners → Multiple portfolios recommended
Few risk owners → Fewer portfolios recommended
The Risk Module: Risk Identification
Theory 101: What is a Risk?
A risk, in the most abstract sense, is the probability that a business objective will not be met.
IT security risks (usually) pertain to the probability of Confidentiality, Integrity, or Availability objectives not being met.
Examples using NIST SP 800-53 families:
Confidentiality Objectives: Access Control (AC); Identification and Authentication (IA); System and Communications Protection (SC)
Integrity Objectives: Awareness and Training (AT); Audit and Accountability (AU); Certification, Accreditation and Security Assessments (CA); Configuration Management (CM); Media Protection (MP); Physical and Environmental Protection (PE); Planning (PL); Risk Assessment (RA); System and Information Integrity (SI)
Availability Objectives: Contingency Planning (CP); Incident Response (IR); Maintenance (MA); Risk Assessment (RA); System and Services Acquisition (SA); System and Communications Protection (SC); System and Information Integrity (SI)
Example Risk Record
Note the use of categories, sources, and assessors
Resources: Probability and Impact Information
Resources tab, Risk Quantification submenu
The Risk Module: Risk Response
Risk Response Alternatives
Response alternatives for identified risks include:
Mitigate (i.e., resolve) the risks locally
Transfer the risks to another organization for mitigation (i.e., this is a variation of Mitigating the risks)
Create Plan of Action and Milestones (POA&M) entries for risks requiring unplanned or additional resources to mitigate
Identify the risks as risk acceptance candidates for an authorizing official, e.g., Designated Approving (or Approval) Authority (DAA), for approval as “accepted risks”
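As an added example (not e-Management's or eGov RPM's own code), the following Python models the portfolio hierarchy from the Risk Portfolios section together with the response alternatives above: an enclave's risk set is the union of its deliverable-area sub-portfolios, each risk carries the category, source and assessor fields from the configuration tasks, and a hierarchy with more levels than distinct risk owners is flagged per the depth recommendation. Portfolio names, risk titles and owners are constructed for the example.

```python
# Added example (not e-Management's code); enclave risk set = union of child portfolios.
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class Risk:
    title: str
    category: str   # e.g. "NIST SP 800-53 Control", "Privacy"
    source: str     # e.g. "NIST Guidance", "Department Policy"
    assessor: str   # e.g. "ISSO", "Security Tester"
    response: str   # Mitigate, Transfer, POA&M or Accept

@dataclass
class Portfolio:
    name: str
    risk_owner: str
    risks: list = field(default_factory=list)
    children: list = field(default_factory=list)

    def all_risks(self):
        """Enclave view: this portfolio's risks plus every descendant's."""
        found = list(self.risks)
        for child in self.children:
            found.extend(child.all_risks())
        return found
    def depth(self):
        return 1 + max((c.depth() for c in self.children), default=0)
    def risk_owners(self):
        return {self.risk_owner}.union(*(c.risk_owners() for c in self.children))

def deeper_than_owners(portfolio):
    """Simplified reading of the depth recommendation: more levels than owners."""
    return portfolio.depth() > len(portfolio.risk_owners())

def summarize(portfolio):
    """Dashboard-style counts over the whole enclave."""
    risks = portfolio.all_risks()
    return {"total": len(risks),
            "by_category": dict(Counter(r.category for r in risks)),
            "by_response": dict(Counter(r.response for r in risks))}

def build_sample_enclave():
    """Constructed sample: one enclave with three C&A deliverable areas."""
    ssp = Portfolio("System Security Plan", "ISSO", [Risk("AC-2 account reviews overdue",
          "NIST SP 800-53 Control", "NIST Guidance", "ISSO", "Mitigate")])
    ste = Portfolio("ST&E", "Security Tester", [Risk("CP-4 contingency test not run",
          "NIST SP 800-53 Control", "NIST Guidance", "Security Tester", "POA&M")])
    pia = Portfolio("Privacy Impact Assessment", "Privacy Officer", [Risk(
          "PII kept past retention schedule", "Privacy", "Department Policy", "ISSO", "Accept")])
    return Portfolio("Payroll Enclave", "System Owner", children=[ssp, ste, pia])
```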
Risk Mitigation Example
The Mitigation Plan is the second tab of risk entries
POA&M Example
The POA&M entry is the third tab of risk entries
The Security Management Tab
Security Categorization Analysis
eGov RPM automates NIST SP 800-60 security categorization:
eGov RPM Security Test and Evaluation (ST&E)
The SP 800-53A module of eGov RPM automates ST&E reporting:
SSP Creation Tasks
The steps involved in creating an SSP in eGov RPM are as follows:
1. Navigate to the Security Management tab, Security Plan submenu.
2. Select a portfolio you are associating with the SSP.
3. Define the FIPS 199 Impact Rating of the portfolio, and click the Update button in the lower left part of the SSP page.
4. Enter the SSP’s System Identification information (as required by NIST SP 800-18 Revision 1).
5. Identify the applicable software, hardware, and architecture products that provide functionality required by NIST SP 800-53 controls.
6. Enter text for the Management, Operational, and Technical control sections.
SSP System Identification Section
FIPS 199 rating
Asset (the C&A package’s portfolio) identification
Security Management tab, Security Plan submenu
Identifying Products that Implement SSP Controls
Management Controls, Control Menu, Product List
Identifying Products (continued)
Steps:
1. Click New
2. Enter vendor info
3. Click Save
4. Select applicable controls
5. Click Save
Adding Attachments (Evidence) to SSP Controls
Steps:
1. In SSP module, click on Control Menu
2. Select Upload Document
The Reports Module
Reports Tab Functionality
The Reports Tab contains two submenus:
Report Generation, which contains eleven types of reports having varying degrees of detail
The Executive Dashboard, which contains several graphical depictions of risk data meant for summarizing risk status for management
Two Executive Dashboard Reports
Risk Probability Matrix:
Pie Chart Distribution:
The Risk Summary Executive Dashboard Report
e-Management Contact Information
If you need additional information on eGov Risk Portfolio Manager, please contact e-Management at 301.565.2988 or e-mail [email protected].