e-Gov Risk Portfolio Manager™ Online Tutorial

Corporate Headquarters: 1010 Wayne Avenue, Suite 1150, Silver Spring, Maryland 20910; 301.565.2988 Telephone; 301.565.2995 Facsimile; www.e-mcinc.com

Satellite Office: 13800 Coppermine Road, Suite 221, Herndon, Virginia 20171

SBA certified 8(a) woman-owned, minority-owned small business

Page 1

Page 2

eGov Risk Portfolio Manager Functions

This tutorial will provide an overview of the following eGov Risk Portfolio Manager (eGov RPM) functions:

Configuration Tasks
Risk Portfolios
Risk Identification
Risk Response
Security Management Tab
Reports Module

Page 3

eGov RPM Configuration Tasks

eGov RPM Configuration Definitions include:

Locations: Physical sites where people or assets reside
Sources: Reference publications used for risk identification
Assessors: Functions or job positions which identify risks (which may include non-eGov RPM users, e.g. IG Auditors)
Categories: Names for groupings of similar types of risks
Roles: Functional titles assigned to eGov RPM end-users, and risk editing privilege settings for each role
Users: Login IDs, passwords, and portfolio access settings

Page 4

Locations

Portfolios are associated with a physical location, which typically is identified as an office building, data center, or other site where IT assets reside.

Administration tab, Locations submenu

Page 5

Sources

Sources are the written references (policies, audit reports, standards) from which risk reduction or risk control objectives are drawn.

Example Sources:

Bureau Policy

Department Policy

OMB Memoranda

GAO Report

IG Report

NIST Guidance

Page 6

Assessors

Assessors are typically functional roles performed by people, though a software tool could also be considered a type of “assessor.” Assessors are the individuals (or software tools) that identify risks.

eGov RPM’s definition of an assessor associates the function of the assessor with a Source document such as a standard or an audit report.

Example Assessors:

Assessor                    Applicable Standard or Source
ISSO                        NIST SP 800-37
Security Tester             NIST SP 800-53A
Project Manager             PMI® PMBOK®
GAO Auditor                 GAO FISCAM
Capital Investment Owner    OMB Circular A-11

Page 7

Categories

Risk Categories tracked by eGov RPM are chosen by the customer organization, so you can decide which types of risk issues are most important for you to track.

Note that you, the customer, decide how granular you want your categories to be. For example, the “NIST 800-53” category shown here could be divided into 3 classes of risks (the Management, Operational, and Technical classes, M-O-T) or into the 17 control families.

Example Categories:

NIST SP 800-53 Control

Privacy

Staffing

Budget

Physical Security

Schedule

Page 8

Roles – The Concept

The term Roles in eGov RPM pertains to the definition of the access privileges of eGov RPM users. You decide which types of users should have read, write, create, or delete privileges to risk data and related data structures (e.g., security plans, POA&Ms) in eGov RPM.

Example Roles:

System Owner
ISSO
Software Tester
Auditor
Business User
State Agency User

Page 9

Roles – Setting Permissions

Role permissions are defined for portfolios, projects, risk entries, administration functions, and reports.

Page 10

Users – Applying the Roles Concept

Administration tab, Users submenu

Note the custom-defined role “Business Analyst.”
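The roles and users concept on pages 8 through 10 (rights of read, write, create and delete on portfolios, projects, risk entries, administration functions and reports; per-user portfolio access settings) can be checked in a few lines. The following Python is an added example, not eGov RPM code, and its role definitions, user records and portfolio paths are constructed. It assumes two things the tutorial does not state: a role's permissions are a mapping from object type to a set of rights, with anything not granted denied, and a user's portfolio access setting covers the folders nested under a listed portfolio.

```python
"""Role-based access check modelled on the tutorial's roles and users concept.

Added example, not eGov RPM code.  Assumptions (not from the tutorial):
a role maps object types to rights and anything not granted is denied;
a user's portfolio access covers the sub-folders of each listed portfolio.
"""
from dataclasses import dataclass

# The four rights the tutorial names for a role.
RIGHTS = frozenset({"read", "write", "create", "delete"})
# The object types the tutorial says role permissions are defined for.
OBJECT_TYPES = frozenset({"portfolio", "project", "risk", "administration", "report"})
# Object types that live inside a portfolio and therefore need a scope check.
PORTFOLIO_SCOPED = frozenset({"portfolio", "project", "risk"})


@dataclass
class Role:
    name: str
    grants: dict  # object type -> frozenset of rights; an absent type means no rights


@dataclass
class User:
    login: str
    role: Role
    portfolios: frozenset  # portfolio paths such as "/Bureau A/Enclave 1"


def _in_scope(user_paths, target):
    """True when target is one of the user's portfolios or nested under one.
    Paths are compared segment by segment, so "/Bureau A" does not cover "/Bureau AB"."""
    target_parts = [p for p in target.split("/") if p]
    for path in user_paths:
        parts = [p for p in path.split("/") if p]
        if target_parts[: len(parts)] == parts:
            return True
    return False


def is_allowed(user, action, object_type, portfolio_path=None):
    """Deny-by-default check: unknown verbs, unknown object types, rights the
    role never received, and portfolios outside the user's scope all fail."""
    if action not in RIGHTS or object_type not in OBJECT_TYPES:
        return False
    if action not in user.role.grants.get(object_type, frozenset()):
        return False
    if object_type in PORTFOLIO_SCOPED:
        if portfolio_path is None:
            return False  # scoped objects must name their portfolio
        return _in_scope(user.portfolios, portfolio_path)
    return True


# Constructed roles using the tutorial's example role names.
ISSO = Role("ISSO", {
    "portfolio": frozenset({"read"}),
    "risk": frozenset({"read", "write", "create"}),  # no delete: risk history is evidence
    "report": frozenset({"read"}),
})
AUDITOR = Role("Auditor", {
    "portfolio": frozenset({"read"}),
    "risk": frozenset({"read"}),
    "report": frozenset({"read"}),
})
BUSINESS_ANALYST = Role("Business Analyst", {  # the custom role from the Users slide
    "risk": frozenset({"read", "write"}),
})

# Constructed users with portfolio access settings.
alice = User("alice", ISSO, frozenset({"/Bureau A/Enclave 1"}))
bob = User("bob", AUDITOR, frozenset({"/Bureau A"}))
carol = User("carol", BUSINESS_ANALYST, frozenset({"/Bureau B"}))


def demo():
    """Decisions for a handful of representative requests."""
    return {
        "isso_writes_own_risk": is_allowed(alice, "write", "risk", "/Bureau A/Enclave 1/C&A"),
        "isso_deletes_risk": is_allowed(alice, "delete", "risk", "/Bureau A/Enclave 1"),
        "isso_other_bureau": is_allowed(alice, "read", "risk", "/Bureau B"),
        "auditor_reads_child": is_allowed(bob, "read", "risk", "/Bureau A/Enclave 1"),
        "auditor_writes": is_allowed(bob, "write", "risk", "/Bureau A/Enclave 1"),
        "analyst_admin": is_allowed(carol, "read", "administration"),
        "scoped_without_path": is_allowed(alice, "read", "risk"),
    }


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request}: {'allow' if decision else 'deny'}")
```

The point worth carrying over to the real product is the deny-by-default shape: a role that was never granted delete on risk entries cannot delete them, and a user whose portfolio access does not cover a folder cannot read risks in it, no matter what their role allows elsewhere.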

Page 11

Review: eGov RPM Configuration Tasks

You have completed a review of the six eGov RPM configuration tasks: Locations, Sources, Assessors, Categories, Roles, and Users.

You are now ready to create portfolios and define your risk control structure!

Page 12

The Risk Module: Portfolios

Page 13

Portfolios – General Concepts

Portfolios are simply hierarchical representations of assets or mission activities that may have risks that you wish to monitor.

Portfolio folders can represent:
– Organization chart entities
– Names of IT contracts
– Names of networks
– Names of IT budget investments
– Names of project phases
– Names of C&A accreditation boundaries

Page 14

Creating a Portfolio

Creating a Portfolio in eGov RPM is simple:

1) Click on the Risks tab, and then select the Risk Repository submenu.

2) Click the new folder icon located in the lower left corner of the page.

3) Enter the name and location of the portfolio you are creating and click Save.

Page 15

Portfolios – Certification & Accreditation Example 1

NIST SP 800-37 defines the term “accreditation boundary” as a collection of IT assets under a common direct management control.

The Department of Defense (DoD) has used the term “enclave” in a manner similar to NIST’s definition of accreditation boundary.

eGov RPM can model complex enclaves or accreditation boundaries through the portfolio representation.

Page 16

Portfolios – Certification & Accreditation Example 2

In the portfolio shown on this slide, major C&A deliverable activities are represented as portfolios.

The idea: each of the five process activities listed will identify risks relevant to the Enclave.

The collection of risks from the Enclave’s five deliverable areas comprises a good set of risks for the Enclave’s risk assessment.

Page 17

How Many Levels of Portfolios?

Recommendation: The “depth” or number of portfolio levels defined in your portfolio hierarchy should be based on the number of different risk owners involved in mitigating identified risks.

Multiple risk owners: multiple portfolios recommended.
Few risk owners: fewer portfolios recommended.

Page 18

The Risk Module: Risk Identification

Page 19

Theory 101: What is a Risk?

A risk, in the most abstract sense, is the probability that a business objective will not be met. In practice a risk is rated by both the probability of that outcome and its impact, and eGov RPM records both values for each risk entry (see the Risk Quantification submenu later in this tutorial).

IT security risks (usually) pertain to the probability of Confidentiality, Integrity, or Availability objectives not being met.

Examples using NIST SP 800-53 families:

Confidentiality Objectives
• Access Control (AC)
• Identification and Authentication (IA)
• System and Communications Protection (SC)

Integrity Objectives
• Awareness and Training (AT)
• Audit and Accountability (AU)
• Certification, Accreditation and Security Assessments (CA)
• Configuration Management (CM)
• Media Protection (MP)
• Physical and Environmental Protection (PE)
• Planning (PL)
• Risk Assessment (RA)
• System and Information Integrity (SI)

Availability Objectives
• Contingency Planning (CP)
• Incident Response (IR)
• Maintenance (MA)
• Risk Assessment (RA)
• System and Services Acquisition (SA)
• System and Communications Protection (SC)
• System and Information Integrity (SI)

Page 20

Example Risk Record

Note the use of categories, sources, and assessors

Page 21

Resources: Probability and Impact Information

Resources tab, Risk Quantification submenu

Page 22

The Risk Module: Risk Response

Page 23

Risk Response Alternatives

Response alternatives for identified risks include:

Mitigate (i.e., resolve) the risks locally

Transfer the risks to another organization for mitigation (i.e., this is a variation of Mitigating the risks)

Create Plans of Actions and Milestones (POA&M) entries for risks requiring unplanned or additional resources to mitigate

Identify the risks as risk acceptance candidates for an authorizing official, e.g., Designated Approving (or Approval) Authority (DAA), for approval as “accepted risks”

Page 24

Risk Mitigation Example

The Mitigation Plan is the second tab of risk entries

Page 25

POA&M Example

The POA&M entry is the third tab of risk entries

Page 26

The Security Management Tab

Page 27

Security Categorization Analysis

eGov RPM automates NIST SP 800-60 security categorization:
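What the categorization automation has to compute is fixed by FIPS 199 and SP 800-60: each information type on the system carries a provisional impact level for confidentiality, integrity and availability; the system's level for each objective is the high-water mark across its information types; and the overall categorization is the high-water mark across the three objectives, which is the FIPS 199 rating entered into the SSP on page 29. The following Python is an added worked example of that calculation, not eGov RPM code. The information types and their provisional levels are constructed for illustration (the real provisional levels are looked up in SP 800-60 Volume II), and the rule that an adjustment to a provisional level must carry a rationale reflects SP 800-60's guidance that adjustments be documented.

```python
"""FIPS 199 / SP 800-60 security categorization by high-water mark.

Added example, not eGov RPM code.  Sample information types are constructed.
"""
from dataclasses import dataclass

IMPACT_RANK = {"low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _check_level(level, where):
    if level not in IMPACT_RANK:
        raise ValueError(f"{where}: unknown impact level {level!r}")
    return level


def high_water_mark(levels):
    """Highest impact level in an iterable of 'low' / 'moderate' / 'high'."""
    return max(levels, key=lambda lvl: IMPACT_RANK[lvl])


def categorize(info_types, adjustments=None):
    """Return ({objective: level}, overall_level) for a system.

    adjustments maps (info type name, objective) -> (new level, rationale).
    An adjustment without a rationale is rejected so the record stays auditable.
    """
    if not info_types:
        raise ValueError("a system needs at least one information type")
    adjustments = adjustments or {}
    for (type_name, objective), (new_level, rationale) in adjustments.items():
        if objective not in OBJECTIVES:
            raise ValueError(f"adjustment for unknown objective {objective!r}")
        if not rationale or not rationale.strip():
            raise ValueError(f"adjustment of {type_name}/{objective} needs a rationale")
        _check_level(new_level, f"adjustment {type_name}/{objective}")

    per_objective = {}
    for objective in OBJECTIVES:
        levels = []
        for itype in info_types:
            level = _check_level(getattr(itype, objective), f"{itype.name}/{objective}")
            adjusted = adjustments.get((itype.name, objective))
            if adjusted is not None:
                level = adjusted[0]  # documented adjustment overrides the provisional level
            levels.append(level)
        per_objective[objective] = high_water_mark(levels)
    overall = high_water_mark(per_objective.values())
    return per_objective, overall


def format_sc(per_objective):
    """Render the FIPS 199 notation used in an SSP's System Identification section."""
    return "SC = {" + ", ".join(
        f"({obj}, {per_objective[obj].upper()})" for obj in OBJECTIVES
    ) + "}"


# Constructed information types with illustrative provisional levels.
SAMPLE_SYSTEM = [
    InfoType("Help desk services", "low", "low", "low"),
    InfoType("Personnel records", "moderate", "moderate", "low"),
    InfoType("Budget formulation", "low", "moderate", "low"),
]


def demo():
    per_objective, overall = categorize(SAMPLE_SYSTEM)
    return per_objective, overall, format_sc(per_objective)


if __name__ == "__main__":
    per_obj, overall, text = demo()
    print(text)
    print("Overall system categorization:", overall.upper())
```

Because the overall level is a high-water mark, one information type rated High on a single objective raises the whole system to High, which is why the adjustment path (with its rationale) matters: lowering a provisional level is a decision the authorizing official will want to see justified.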

Page 28

eGov RPM Security Test and Evaluation (ST&E)

The SP 800-53A module of eGov RPM automates ST&E reporting:

Page 29

SSP Creation Tasks

The steps involved in creating an SSP in eGov RPM are as follows:

1. Navigate to the Security Management tab, Security Plan submenu
2. Select a portfolio you are associating with the SSP
3. Define the FIPS 199 Impact Rating of the portfolio, and click the Update button in the lower left part of the SSP page
4. Enter the SSP’s System Identification information (as required by NIST SP 800-18 Revision 1)
5. Identify the applicable software, hardware, and architecture products that provide functionality required by NIST SP 800-53 controls
6. Enter text for the Management, Operational, and Technical control sections

Page 30

SSP System Identification Section

FIPS 199 rating

Asset (the C&A package’s portfolio) identification

Security Management tab, Security Plan submenu

Page 31

Identifying Products that Implement SSP Controls

Management Controls, Control Menu, Product List

Page 32

Identifying Products (continued)

Steps:

1. Click New

2. Enter vendor info

3. Click Save

4. Select applicable controls

5. Click Save

Page 33

Adding Attachments (Evidence) to SSP Controls

Steps:

1. In SSP module, click on Control Menu

2. Select Upload Document

Page 34

The Reports Module

Page 35

Reports Tab Functionality

The Reports Tab contains two submenus:

Report Generation, which contains eleven types of reports having varying degrees of detail

The Executive Dashboard, which contains several graphical depictions of risk data meant for summarizing risk status for management

Page 36

Two Executive Dashboard Reports

Risk Probability Matrix:

Pie Chart Distribution:
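The two dashboard views above are roll-ups of the probability and impact values captured per risk entry (page 21) and of the risk categories, which on page 19 are tied to the security objectives through the NIST SP 800-53 families. The following Python is an added example of those roll-ups, not eGov RPM code. It uses the family-to-objective mapping exactly as the "Theory 101" slide lists it (RA, SC and SI appear under two objectives there); the 1 to 5 ordinal scale, the probability × impact scoring rule and the band thresholds are assumptions, and the risk entries are constructed.

```python
"""Risk quantification and Executive Dashboard roll-ups.

Added example, not eGov RPM code.  The family-to-objective mapping is the one
on the "Theory 101" slide; the scale, scoring rule and bands are assumptions.
"""
from collections import Counter
from dataclasses import dataclass

# Which security objective(s) a SP 800-53 family supports, per the tutorial.
FAMILY_OBJECTIVES = {
    "AC": ("confidentiality",), "IA": ("confidentiality",),
    "SC": ("confidentiality", "availability"),
    "AT": ("integrity",), "AU": ("integrity",), "CA": ("integrity",),
    "CM": ("integrity",), "MP": ("integrity",), "PE": ("integrity",),
    "PL": ("integrity",), "RA": ("integrity", "availability"),
    "SI": ("integrity", "availability"),
    "CP": ("availability",), "IR": ("availability",), "MA": ("availability",),
    "SA": ("availability",),
}
SCALE = range(1, 6)  # assumed ordinal scale for probability and impact, 1 = lowest


@dataclass(frozen=True)
class Risk:
    rid: str
    title: str
    family: str       # SP 800-53 family used as the risk's category
    probability: int
    impact: int

    def __post_init__(self):
        # Reject entries the dashboard could not place rather than plotting them wrongly.
        if self.family not in FAMILY_OBJECTIVES:
            raise ValueError(f"{self.rid}: unknown control family {self.family!r}")
        for name, value in (("probability", self.probability), ("impact", self.impact)):
            if value not in SCALE:
                raise ValueError(f"{self.rid}: {name} {value} is outside the 1..5 scale")


def exposure(risk):
    """Ordinal exposure score: probability x impact (assumed scoring rule)."""
    return risk.probability * risk.impact


def band(risk):
    """Assumed bands for the exposure score; set them to your organization's matrix."""
    score = exposure(risk)
    if score >= 15:
        return "high"
    if score >= 8:
        return "moderate"
    return "low"


def probability_matrix(risks):
    """Counts per (probability, impact) cell: the data behind the Risk Probability Matrix."""
    return Counter((r.probability, r.impact) for r in risks)


def objective_distribution(risks):
    """Counts per security objective: the data behind the pie chart.
    A risk whose family serves two objectives is counted once under each."""
    counts = Counter()
    for r in risks:
        for objective in FAMILY_OBJECTIVES[r.family]:
            counts[objective] += 1
    return counts


def render_matrix(risks):
    """Text rendering: probability rises up the rows, impact runs across the columns."""
    cells = probability_matrix(risks)
    lines = ["P\\I " + " ".join(f"{i:>3}" for i in SCALE)]
    for p in reversed(SCALE):
        lines.append(f"{p:>3} " + " ".join(f"{cells.get((p, i), 0):>3}" for i in SCALE))
    return "\n".join(lines)


# Constructed risk entries.
REGISTER = [
    Risk("R-1", "Shared admin passwords on DB servers", "IA", 4, 4),
    Risk("R-2", "No tested contingency plan for Enclave 1", "CP", 3, 5),
    Risk("R-3", "Audit logs not reviewed weekly", "AU", 5, 2),
    Risk("R-4", "Unpatched web front end", "SI", 4, 4),
    Risk("R-5", "Visitor badges not collected", "PE", 2, 2),
]


def summarize(risks=REGISTER):
    """Per-band counts plus the two dashboard roll-ups."""
    return {
        "bands": Counter(band(r) for r in risks),
        "matrix": probability_matrix(risks),
        "objectives": objective_distribution(risks),
    }


if __name__ == "__main__":
    s = summarize()
    print(render_matrix(REGISTER))
    print("bands:", dict(s["bands"]))
    print("objectives:", dict(s["objectives"]))
```

Two things to notice when reading the real dashboard the same way: a family such as SI contributes to two slices of the pie, so the slices need not sum to the number of risks, and an ordinal product such as 3 × 5 = 15 landing in the same band as 4 × 4 = 16 is a property of the assumed scoring rule, not a statement that the two risks are equally urgent.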

Page 37

The Risk Summary Executive Dashboard Report

Page 38

e-Management Contact Information

If you need additional information on eGov Risk Portfolio Manager, please contact e-Management at 301.565.2988 or e-mail [email protected].