In this section of the course, we're going to go into more depth in our coverage of the seven steps of the Risk Management Framework. As we move through this section, Jason and I will be dividing each step into two distinct types of lessons, with my lessons being focused more on the textbook description of how RMF is performed during each step, including the associated tasks, and Jason's lessons being focused more on the real-world application of each step, including the pitfalls and the landmines and all the common trouble areas experienced by practitioners in the field who are using RMF, like you will be. So as we move through this section, you'll notice we'll go step by step through the RMF process, starting with the standard definitions and then exploring the real-world implications of using RMF.

First, we'll explore step one, which is called Prepare. During the Prepare step, you and your organization will perform essential activities to get the organization and your system ready to manage security, privacy, and supply chain risks.

Second, we'll explore step two, Categorize. During the Categorize step, guess what? You'll categorize the system and the information that it processes, stores, and transmits based on an impact analysis.

Then, we'll explore step three, which is called Select. During the Select step, you'll select the set of NIST Special Publication 800-53 controls that you'll need to protect the system, based on your risk assessments.

Then, we'll explore step number four, which is called Implement. During the Implement step, you'll actually put the controls that you selected in step three into the system, and you'll document how those controls are deployed.

And then, we'll go into step number five, which is called Assess. During the Assess step, you'll assess the controls that you deployed in step four, and you're going to determine if the controls are in place, operating as intended, and producing the desired results.

Now, in step six, which is called Authorize, we're going to take a deep-dive look at what you need to do to set a senior official up to be able to make a risk-based decision to either authorize the system to operate on your organization's network, or to determine what kind of rework will be necessary so that they can give you that approval.

And finally, we'll take a look at step number seven, which is called Monitor. During the Monitor step, you'll continuously monitor your control implementations and the risks to your systems.

So if you're ready, let's jump into our in-depth coverage of the seven steps of the Risk Management Framework in this section of the course.