Risk Management Framework for Information Systems and Organizations: NIST SP 800-37 Revision 2

NIST SP 800-37 Revision 2 - Released 20 December 2018

This publication provides guidelines for applying the Risk Management Framework (RMF) to information systems and organizations. The RMF includes a disciplined, structured, and flexible process for organizational asset valuation; security and privacy control selection, implementation, and assessment; system and control authorizations; and continuous monitoring. It also includes enterprise-level activities to help better prepare organizations to execute the RMF at the system level. The RMF promotes the concept of near real-time risk management and ongoing system authorization through the implementation of continuous monitoring processes; provides senior leaders and executives with the necessary information to make cost-effective, risk management decisions about the systems supporting their missions and business functions; and integrates security and privacy controls into the system development life cycle.

Why buy a book you can download for free?

First you have to find a good, clean (legible) copy and make sure it's the latest version (not always easy). Some documents found on the web are missing pages, or the image quality is so poor that they are difficult to read. We look over each document carefully and replace poor-quality images by going back to the original source document. We proof each document to make sure it's all there, including all changes. If you find a good copy, you could print it on a network printer you share with 100 other people (typically it's either out of paper or toner). If it's just a 10-page document, no problem, but if it's 250 pages, you will need to punch three holes in all those pages and put them in a 3-ring binder. That takes at least an hour.

It's much more cost-effective to just order the latest version from Amazon.com.

This book is published by 4th Watch Books and includes copyright material. We publish compact, tightly-bound, full-size books (8 ½ by 11 inches) with glossy covers. 4th Watch Books is a Service-Disabled Veteran-Owned Small Business (SDVOSB). If you like the service we provide, please leave a positive review on Amazon.com.
Other titles we

NIST SP 800-12 An Introduction to Information Security

NIST SP 800-18 Developing Security Plans for Federal Information Systems

NIST SP 800-31 Intrusion Detection Systems

NIST SP 800-34 Contingency Planning Guide for Federal Information Systems

NIST SP 800-35 Guide to Information Technology Security Services

NIST SP 800-39 Managing Information Security Risk

NIST SP 800-40 Guide to Enterprise Patch Management Technologies

NIST SP 800-41 Guidelines on Firewalls and Firewall Policy

NIST SP 800-44 Guidelines on Securing Public Web Servers

NIST SP 800-47 Security Guide for Interconnecting Information Technology Systems

NIST SP 800-48 Guide to Securing Legacy IEEE 802.11 Wireless Networks

NIST SP 800-53A Assessing Security and Privacy Controls

185 pages, Paperback

Published September 28, 2017


Community Reviews

5 stars: 1 (25%)
4 stars: 0 (0%)
3 stars: 2 (50%)
2 stars: 0 (0%)
1 star: 1 (25%)
Displaying 1 of 1 review

Elwin Kline, August 29, 2020
Professional development read for work.

Hard for me to rate this... it's like asking someone to rate a refrigerator owners guide. "Oh, the chapter on the manufacturer warranty was really well written." "Oh and the diagram of the condenser coils? Superb!" I guess for a technical publication, I didn't hate it and the appendixes are pretty good, so how about a 3/5.

All in all though, I can say that I am walking away with more knowledge about RMF and the time spent on this upon rising and right before going to sleep was beneficial as I start to pursue work related professional development content on my free/own time.

A big takeaway for me and this publication is that the way RMF is written, in such a broad/one size fits all format... that even if you memorized this cover to cover, it wouldn't matter that much in the precise/specific environment you are actually working on, hands on keyboard.

Organizations will assume different levels of risk, have different controls in place, have their own unique approach to POA&Ms, have their own timelines, have their own everything. It honestly reminds me of Agile, another wonderfully broad methodology that can be tap-danced to fit automobile factories, software development, or pretty much whatever the mind's limitations of creativity may be. Hats off to the creators of RMF and Agile, making products that are so broad that they can be spun to fit any organization, getting so widely adopted (by the DoD, for example), and certainly being incredibly financially rewarding.

This is good supplemental material to support your RMF journey to obtain more RMF knowledge, and if you can find your Role (System Owner, for example) and align it with a particular Task (Assess, Authorize, Implement, Monitor, Plan, etc.), then it could help you with your decision-making process. BUT, at the end of the day, your unique organization is really going to define what work has to get done, based off of leadership guidance, historical efforts, so on and so forth.

In summary, we can talk in circles all day about what x, y, or z could or could not do, and then maybe if we implement a, b, c... etc., etc.... but when it comes down to exactly what is due, when, who is the decision maker, what happens next, what the roadblocks are and how/if we can overcome them, so on and so forth... it is the unique organization/environment you are working in that really matters.