NIST Risk Management
Instructions
Scenario
Our organization, Nadir Tools Inc., makes power tools. Although security is usually vigilant, the Sales team managed to bypass the normal purchasing process to buy a large screen for a special presentation to potential customers. As a result, neither IT nor Security personnel were aware that a Wi-Fi enabled screen had been in the Sales Demo area for the past week until a member of the networking team detected unusual network traffic coming from the screen.
You have been tasked with applying the NIST Risk Management Framework to the whole situation. The CISO wants to figure out how to mitigate the current situation and also how the entire situation could have been avoided in the first place.
Do the following:
- Considering the mitigation process in the above scenario, pick the most relevant task from each of Tables E-1 to E-7 on pages 145-138 of the NIST SP 800-37 document, and explain why the task you picked is the most relevant one in that table. You can make reasonable assumptions about the organizational structure of Nadir Tools Inc. and about its current security arrangements, as long as you spell out your assumptions.
- Explain which two tasks from these tables will be the most important as you come up with a plan for avoiding a repeat of the scenario in the future. What did you take into account when selecting these two tasks?
TIP: The various steps of the NIST RMF are summarized in Tables E-1 to E-7 on pages 145-138 of the NIST SP 800-37 document. Each table contains links that take you back to the earlier parts of the document where the specific tasks are spelled out.
For example, on page 131 we see Table E-3, and when we click on the “Task S-1” link, we are taken to page 50 where this task is described in more detail. Clicking on the “Task S-2” link in Table E-3 on page 131 takes us to the description starting on page 51 and so on.