
e-Gov Risk Portfolio Manager TM Online Tutorial






Presentation Transcript


  1. e-Gov Risk Portfolio ManagerTM Online Tutorial

  2. eGov Risk Portfolio Manager Functions This tutorial will provide an overview of the following eGov Risk Portfolio Manager (eGov RPM) functions: • Configuration Tasks • Risk Portfolios • Risk Identification • Risk Response • Security Management Tab • Reports Module 2

  3. eGov RPM Configuration Tasks
     eGov RPM Configuration Definitions include:
     • Locations: Physical sites where people or assets reside
     • Sources: Reference publications used for risk identification
     • Assessors: Functions or job positions which identify risks (which may include non-eGov RPM users, e.g. IG Auditors)
     • Categories: Names for groupings of similar types of risks
     • Roles: Functional titles assigned to eGov RPM end-users, and risk editing privilege settings for each role
     • Users: Login IDs, passwords, and portfolio access settings

  4. Locations (Administration tab, Locations submenu)
     Portfolios are associated with a physical location, which typically is identified as an office building, data center, or other site where IT assets reside.

  5. Sources
     Sources of risk reduction or risk control objectives are typically written references. Example Sources:

  6. Assessors
     Assessors are typically functional roles performed by people, though a software tool could also be considered a type of “assessor.” Assessors are the individuals (or software tools) that identify risks. eGov RPM’s definition of an assessor associates the function of the assessor with a Source document such as a standard or an audit report. Example Assessors:

  7. Categories
     Risk Categories tracked by eGov RPM are chosen by the customer organization, so you can decide which types of risk issues are most important to you to track. Note that you, the customer, decide how granular you want your categories to be. For example, the “NIST 800-53” category shown here could be divided into 3 classes of risks (M-O-T), or 17 families of risks. Example Sources:

  8. Roles – The Concept
     The term Roles in eGov RPM pertains to the definition of the access privileges of eGov RPM users. You decide which types of users should have read, write, create, or delete privileges to risk data and related data structures (e.g., security plans, POA&Ms) in eGov RPM. Example Roles:

  9. Roles – Setting Permissions
     Role permissions are defined for portfolios, projects, risk entries, administration functions, and reports.
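The Roles concept on the two slides above (read/write/create/delete privileges per role, defined for portfolios, projects, risk entries, administration functions and reports, combined with each user's portfolio access settings) can be modelled as a deny-by-default authorization check. The following is an added example written for this tutorial, not eGov RPM's own code; the role names, the permission grid and the `User`/`Role` structures are assumptions for illustration.

```python
"""Deny-by-default role and portfolio access check, modelled on the eGov RPM
Roles concept. Added example, not eGov RPM code: role names, the privilege
grid and the object types below are constructed for illustration."""
from dataclasses import dataclass

PRIVILEGES = ("read", "write", "create", "delete")
OBJECT_TYPES = ("portfolio", "project", "risk", "administration", "report")
# Object types whose access is additionally limited by the user's portfolio settings.
PORTFOLIO_SCOPED = frozenset({"portfolio", "project", "risk"})


@dataclass(frozen=True)
class Role:
    name: str
    grants: dict  # object type -> frozenset of privileges held on that type


# Constructed example roles (the tutorial mentions a custom "Business Analyst" role).
ROLES = {
    "Administrator": Role("Administrator", {t: frozenset(PRIVILEGES) for t in OBJECT_TYPES}),
    "Risk Manager": Role("Risk Manager", {
        "portfolio": frozenset(PRIVILEGES), "project": frozenset(PRIVILEGES),
        "risk": frozenset(PRIVILEGES), "report": frozenset({"read"}),
    }),
    "Business Analyst": Role("Business Analyst", {
        "portfolio": frozenset({"read"}), "project": frozenset({"read"}),
        "risk": frozenset({"read", "write", "create"}), "report": frozenset({"read"}),
    }),
    "IG Auditor": Role("IG Auditor", {
        "portfolio": frozenset({"read"}), "risk": frozenset({"read"}), "report": frozenset({"read"}),
    }),
}


@dataclass(frozen=True)
class User:
    login: str
    role: str
    portfolios: frozenset  # portfolio ids the user has been granted access to


def is_allowed(user, action, object_type, portfolio_id=None):
    """Return True only when the user's role grants the action on the object type
    and, for portfolio-scoped objects, the user also has access to that portfolio."""
    if action not in PRIVILEGES or object_type not in OBJECT_TYPES:
        return False  # unknown verbs/objects are never implicitly granted
    role = ROLES.get(user.role)
    if role is None:
        return False  # unassigned or misspelled role: no privileges at all
    if action not in role.grants.get(object_type, frozenset()):
        return False
    if object_type in PORTFOLIO_SCOPED:
        return portfolio_id is not None and portfolio_id in user.portfolios
    return True


def effective_privileges(user, object_type, portfolio_id=None):
    """The set of verbs the user can actually perform on one object; useful for
    periodic least-privilege reviews of the role table."""
    return {a for a in PRIVILEGES if is_allowed(user, a, object_type, portfolio_id)}


if __name__ == "__main__":
    analyst = User("jdoe", "Business Analyst", frozenset({"P-100"}))
    print(sorted(effective_privileges(analyst, "risk", "P-100")))   # ['create', 'read', 'write']
    print(is_allowed(analyst, "write", "risk", "P-200"))             # False: no access to P-200
```

The check is layered: the role decides what verbs exist for the user, the portfolio access settings decide where they apply, and anything not explicitly granted is refused. Reviewing `effective_privileges` per role against the screenshots on the Roles page is a quick way to confirm a custom role such as "Business Analyst" has not silently been given delete rights.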

  10. Users – Applying the Roles Concept (Administration tab, Users submenu)
      Note the custom defined role “Business Analyst.”

  11. Review: eGov RPM Configuration Tasks
      You have completed a review of the six eGov RPM configuration tasks:
      • Locations
      • Sources
      • Assessors
      • Categories
      • Roles
      • Users
      You are now ready to create portfolios and define your risk control structure!

  12. The Risk Module: Portfolios

  13. Portfolios – General Concepts
      • Portfolios are simply hierarchical representations of assets or mission activities that may have risks that you wish to monitor.
      • Portfolio folders can represent:
        • Organization chart entities
        • Names of IT contracts
        • Names of networks
        • Names of IT budget investments
        • Names of project phases
        • Names of C&A accreditation boundaries

  14. Creating a Portfolio
      Creating a Portfolio in eGov RPM is simple:
      1) Click on the Risks tab, and then select the Risk Repository submenu.
      2) Click the new folder icon located in the lower left corner of the page.
      3) Enter the name and location of the portfolio you are creating and click Save.

  15. Portfolios – Certification & Accreditation Example 1
      • NIST SP 800-37 defines the term “accreditation boundary” as a collection of IT assets under a common direct management control
      • The Department of Defense (DoD) has used the term “enclave” in a manner similar to NIST’s definition of accreditation boundary
      • eGov RPM can model complex enclaves or accreditation boundaries through the portfolio representation

  16. Portfolios – Certification & Accreditation Example 2
      • In the portfolio at left, we are representing major C&A deliverable activities as portfolios
      • The idea: Each of the five process activities listed at left will identify risks relevant to the Enclave
      • The collection of risks from the Enclave’s 5 deliverable areas comprises a good set of risks for the Enclave’s risk assessment

  17. How Many Levels of Portfolios?
      Recommendation: The “depth” or number of portfolio levels defined in your portfolio hierarchy should be based on the number of different risk owners involved in mitigating identified risks.
      Multiple risk owners → Multiple portfolios recommended
      Few risk owners → Fewer portfolios recommended

  18. The Risk Module: Risk Identification

  19. Theory 101: What is a Risk?
      • A risk, in the most abstract sense, is the probability that a business objective will not be met
      • IT security risks (usually) pertain to the probability of Confidentiality, Integrity, or Availability objectives not being met
      Examples using NIST SP 800-53 families:

  20. Example Risk Record
      Note the use of categories, sources, and assessors.

  21. Resources: Probability and Impact Information (Resources tab, Risk Quantification submenu)

  22. The Risk Module: Risk Response

  23. Risk Response Alternatives
      Response alternatives for identified risks include:
      • Mitigate (i.e., resolve) the risks locally
      • Transfer the risks to another organization for mitigation (i.e., this is a variation of Mitigating the risks)
      • Create Plans of Actions and Milestones (POA&M) entries for risks requiring unplanned or additional resources to mitigate
      • Identify the risks as risk acceptance candidates for an authorizing official, e.g., Designated Approving (or Approval) Authority (DAA), for approval as “accepted risks”

  24. Risk Mitigation Example
      The Mitigation Plan is the second tab of risk entries.

  25. POA&M Example
      The POA&M entry is the third tab of risk entries.

  26. The Security Management Tab

  27. Security Categorization Analysis
      eGov RPM automates NIST SP 800-60 security categorization:

  28. eGov RPM Security Test and Evaluation (ST&E)
      The SP 800-53A module of eGov RPM automates ST&E reporting:

  29. SSP Creation Tasks
      The steps involved in creating an SSP in eGov RPM are as follows:
      • Navigate to the Security Management tab, Security Plan submenu
      • Select a portfolio you are associating with the SSP
      • Define the FIPS 199 Impact Rating of the portfolio, and click the Update button in the lower left part of the SSP page
      • Enter the SSP’s System Identification information (as required by NIST SP 800-18 Revision 1)
      • Identify the applicable software, hardware, and architecture products that provide functionality required by NIST SP 800-53 controls
      • Enter text for the Management, Operational, and Technical control sections

  30. SSP System Identification Section (Security Management tab, Security Plan submenu)
      Asset (the C&A package’s portfolio) identification; FIPS 199 rating

  31. Identifying Products that Implement SSP Controls
      Management Controls, Control Menu, Product List

  32. Identifying Products (continued)
      Steps:
      • Click New
      • Enter vendor info
      • Click Save
      • Select applicable controls
      • Click Save

  33. Adding Attachments (Evidence) to SSP Controls
      Steps:
      • In SSP module, click on Control Menu
      • Select Upload Document

  34. The Reports Module

  35. Reports Tab Functionality
      The Reports Tab contains two submenus:
      • Report Generation, which contains eleven types of reports having varying degrees of detail
      • The Executive Dashboard, which contains several graphical depictions of risk data meant for summarizing risk status for management

  36. Two Executive Dashboard Reports
      Risk Probability Matrix:
      Pie Chart Distribution:
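The risk record (slide 20), the portfolio roll-up of an enclave's risks (slides 13 and 16) and the two dashboard views on this slide all operate on the same data: risk entries filed under a portfolio folder, each with a category, source, assessor, probability and impact rating, and a response decision. The following added example, written for this tutorial and not eGov RPM's own code, shows that roll-up in working form; the portfolio tree, the five risk records and the Low/Moderate/High rating scale are constructed for illustration.

```python
"""Risk register roll-up: portfolio hierarchy, probability/impact matrix and
category distribution in the shape of the Executive Dashboard views.
Added example, not eGov RPM code; the portfolio tree, risk records and the
three-level rating scale are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass

LEVELS = ("Low", "Moderate", "High")  # assumed ordinal scale for probability and impact


@dataclass(frozen=True)
class Risk:
    rid: str
    portfolio: str    # portfolio folder the risk entry is filed under
    category: str     # e.g. a NIST SP 800-53 family
    source: str       # reference publication the control objective comes from
    assessor: str     # function or tool that identified the risk
    probability: str
    impact: str
    response: str     # Mitigate / Transfer / POA&M / Accept


# Constructed portfolio tree (child -> parent); an enclave holding a network and a contract with a phase.
PORTFOLIO_PARENT = {
    "Enclave A": None,
    "Network Ops": "Enclave A",
    "Contract X": "Enclave A",
    "Phase 2": "Contract X",
}

# Constructed risk records.
RISKS = [
    Risk("R-1", "Network Ops", "AC", "NIST SP 800-53", "ISSO", "High", "High", "Mitigate"),
    Risk("R-2", "Network Ops", "CM", "NIST SP 800-53", "Vulnerability scanner", "Moderate", "High", "POA&M"),
    Risk("R-3", "Phase 2", "CP", "NIST SP 800-34", "IG Auditor", "Low", "Moderate", "Accept"),
    Risk("R-4", "Contract X", "AC", "NIST SP 800-53", "ISSO", "Moderate", "Moderate", "Transfer"),
    Risk("R-5", "Enclave A", "PL", "NIST SP 800-18", "ISSO", "Low", "Low", "Accept"),
]


def ancestors(portfolio):
    """Yield the folder itself and every folder above it up to the root."""
    while portfolio is not None:
        yield portfolio
        portfolio = PORTFOLIO_PARENT.get(portfolio)


def risks_in(portfolio, risks=RISKS):
    """Risks filed in the folder or any sub-folder: the enclave-level roll-up."""
    return [r for r in risks if portfolio in ancestors(r.portfolio)]


def probability_matrix(risks):
    """Counts per (probability, impact) cell; rows are probability, columns impact."""
    grid = {p: {i: 0 for i in LEVELS} for p in LEVELS}
    for r in risks:
        if r.probability not in LEVELS or r.impact not in LEVELS:
            raise ValueError(f"{r.rid}: rating outside scale {LEVELS}")
        grid[r.probability][r.impact] += 1
    return grid


def category_distribution(risks):
    """Share of risks per category (the pie chart), as fractions summing to 1."""
    counts = Counter(r.category for r in risks)
    total = sum(counts.values())
    return {c: n / total for c, n in counts.items()} if total else {}


def risk_score(r):
    """Ordinal probability x impact score (1..9 on the assumed scale), for ranking."""
    return (LEVELS.index(r.probability) + 1) * (LEVELS.index(r.impact) + 1)


def acceptance_candidates(risks):
    """Risk ids flagged for the authorizing official's risk-acceptance decision."""
    return [r.rid for r in risks if r.response == "Accept"]


if __name__ == "__main__":
    enclave = risks_in("Enclave A")
    for p in reversed(LEVELS):  # print the matrix with High probability on top
        print(p.ljust(9), [probability_matrix(enclave)[p][i] for i in LEVELS])
    print(category_distribution(enclave))
    print(sorted(enclave, key=risk_score, reverse=True)[0].rid)  # R-1
```

Filing each risk under the lowest folder that matches its owner, and reporting at the enclave level by walking the folder ancestry, is what makes the "few owners, few portfolios" guidance from slide 17 work in practice: the dashboard views are computed from the roll-up, so the hierarchy only needs to be as deep as the ownership boundaries.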

  37. The Risk Summary Executive Dashboard Report

  38. e-Management Contact Information
      If you need additional information on eGov Risk Portfolio Manager, please contact e-Management at 301.565.2988 or e-mail info@e-mcinc.com.
