Some more NIST Thoughts (mainly revolving around the Risk Management Framework)

Earlier this week I posted about NIST SP 800-181, the Draft NICE Cybersecurity Workforce Framework. I had a few criticisms, but one thing I didn't really discuss was that NIST specifically mentions that they intend (or intended, whatever the proper tense should be) for this publication to be used by organizations to help develop certification exams that employers can directly tie to a job role.

Not a bad idea, in my opinion at least, if the Roles, Tasks, Knowledge, Skills, and Abilities can all be kept up to date and relevant.  I have my doubts about that.

Be that as it may, discussing that with a couple of co-workers led back to a discussion we have had a couple of times: the under-utilization of the NIST Risk Management Framework in the educational process.

NIST has a pretty extensive set of publications dealing with just about every facet of information security. The parts I am particularly interested in are Risk Management, Business Continuity, and Disaster Recovery. Not only do they have publications available on various topics in those fields, but they have built out an entire framework, aptly named the Risk Management Framework.

The issue I have seen is that there isn't any real formalized instruction on the process. I have taken a number of classes on Risk Management, Business Continuity, and Disaster Preparedness, and while individual features of the Risk Management Framework are presented, the framework itself isn't presented as a coherent whole.

Maybe this is just my experience, but talking with co-workers I don't really think so.

So, you're asking, what's my point? Well, it's actually a proposal. We have two, I think, fairly well thought out frameworks: the CSF and the RMF. They have also been mapped to each other, although I think that could be done better, and hopefully will be in upcoming revisions. What we need now is people skilled in implementing them. I think that, just like the NSA has their educational Centers of Excellence, NIST / DHS should implement similar designations for programs that really dig in on the Cybersecurity and Risk Management Frameworks. They should also help with developing curriculum materials and make them available. It would also be nice if there was a vendor-neutral risk management certification program, sort of like the Project+.

(I know it took me a long time to get here for little payoff, but I am trying to keep it simple and at least partially coherent; basically I am just spitballing an idea.)

