Understanding the Risk Management Framework & (ISC)2 CAP Module 5: Planning

Slide 1: Title slide
© 2016 Maze & Associates, Revision 10 (April 2016). Images from Microsoft Clipart unless otherwise noted; other sources: NIST and Donald E. Hester. Picture: Muir Beach, north of San Francisco, CA; photo by Donald E. Hester, all rights reserved.
Slide 2: Why do RMF programs fail?
Picture: Bunker Hill, Boston, MA; photo by Donald E. Hester, all rights reserved.
Why are RMF programs not as effective or efficient as they could be? Why do they fail?
Slide 3: Program Risks
- Programs run risks as well.
- Programs don't always fail outright.
- Sometimes the program is not as effective as it could be.
- Sometimes the program is not as efficient as it could be.
Slide 4: Problems in Program Scope
- Accurate inventory.
- Without an accurate inventory you don't know what components are inside your system boundary or what data is on them, so you cannot scope the assessment or the risk decision correctly.
- Make sure you have a 100% accurate inventory.
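The inventory check behind this slide is a reconciliation: compare what the system owner says is in the boundary with what is actually answering on the network. The script below is an added example, not part of the slides or of any NIST or (ISC)2 material; the inventory CSV, the discovered-host list and the column names (`owner`, `data_types`) are all constructed for illustration.

```python
"""Reconcile an authoritative system inventory against what a discovery scan
actually found. Added example; all data below is constructed."""
import csv
import io

# Constructed: the inventory the system owner maintains for the authorization boundary.
INVENTORY_CSV = """asset_id,hostname,ip,owner,data_types
A-001,web01,10.0.1.10,app-team,PII
A-002,db01,10.0.1.20,dba-team,PII;FINANCIAL
A-003,legacy-ftp,10.0.1.30,unknown,
A-004,jump01,10.0.1.40,infra-team,NONE
"""

# Constructed: hosts a discovery scan actually got answers from (ip, hostname, open ports).
DISCOVERED = [
    ("10.0.1.10", "web01",  [443]),
    ("10.0.1.20", "db01",   [5432]),
    ("10.0.1.40", "jump01", [22]),
    ("10.0.1.55", "",       [3389]),      # live host nobody documented
    ("10.0.1.56", "devbox", [22, 8080]),  # same
]


def load_inventory(text):
    """Index inventory rows by IP; a duplicate IP is itself an inventory defect."""
    rows = {}
    for r in csv.DictReader(io.StringIO(text)):
        if r["ip"] in rows:
            raise ValueError(f"duplicate inventory entry for {r['ip']}")
        rows[r["ip"]] = r
    return rows


def reconcile(inventory, discovered):
    """Return the three ways an inventory can be wrong, plus a coverage ratio."""
    seen = {ip: (host, ports) for ip, host, ports in discovered}
    inv_ips, found_ips = set(inventory), set(seen)
    unknown = sorted(found_ips - inv_ips)   # on the wire but not in scope: undocumented attack surface
    stale = sorted(inv_ips - found_ips)     # in scope on paper but not on the wire: possibly decommissioned
    # Entries that exist but cannot support a risk decision: no accountable owner,
    # or no statement of what data lives there (an explicit "NONE" is acceptable).
    incomplete = sorted(
        ip for ip, r in inventory.items()
        if r["owner"].strip().lower() in ("", "unknown") or not r["data_types"].strip()
    )
    matched = inv_ips & found_ips
    return {
        "unknown": unknown,
        "stale": stale,
        "incomplete": incomplete,
        "coverage": round(len(matched) / len(found_ips), 2) if found_ips else 1.0,
    }


def inventory_is_accurate(report):
    """The slide's bar: 100% accurate means nothing unknown, stale or incomplete."""
    return not (report["unknown"] or report["stale"] or report["incomplete"])


if __name__ == "__main__":
    rep = reconcile(load_inventory(INVENTORY_CSV), DISCOVERED)
    for key in ("unknown", "stale", "incomplete"):
        print(f"{key:10s} {rep[key]}")
    print("coverage", rep["coverage"], "accurate:", inventory_is_accurate(rep))
```

Each bucket maps to a different program failure: unknown hosts are scope you are not assessing at all, stale entries are effort spent on paper systems, and incomplete entries mean the owner or data classification needed for the risk decision was never captured. Run it on every scan cycle rather than once at authorization, since the slides that follow stress that systems change constantly.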
Slide 5: Assessment Focus Problems
- Focusing only on control assessment.
- Failed controls must be remediated, not merely documented.
- Management fails to allocate adequate resources for remediation.
- Systems change constantly, so a one-time assessment goes stale.
- You need an ongoing system of assessment and remediation.
- You need adequate resources to sustain it.
Slide 6: Short-term Thinking
- Failing to think of the long term because the focus is on short-term projects.
- Dealing with problems in fire-fighting mode.
Slide 7: Long-term Thinking
- The opposite failure: the organization focuses on long-term projects and neglects the short term.
- Focusing so much on strategy that they never get around to implementation.
Slide 8: Poor Planning
- Programs don't implement themselves.
- Failure to set realistic requirements.
- Failure to assign responsibility.
- Failure to integrate RMF into existing processes ("bake it in").
- Failure to train people.
- Misconceptions about the program.
- Failure to recognize limitations.
Slide 9: Lack of Responsibility
- Responsibility needs to be assigned.
- If no one is made responsible for the RMF program, no one can be held accountable.
Slide 10: Too Much Paperwork
- An RMF program is in danger of becoming a paper exercise.
- If it becomes a paper exercise, decisions will be driven by documentation rather than by risk.
Slide 11: Lack of Enforcement
- Accountability.
- Inconsistent enforcement can lead to failure.
- Everyone must be on board with the program.
Slide 12: Lack of Foresight
- Failing to see the benefit of the Risk Management Framework.
- Perform a cost-benefit analysis to demonstrate the benefit.
Slide 13: Poor Timing
- The organization is not ready for implementation.
- The organization may have more pressing needs.
Slide 14: Lack of Support
- Need for resources.
- Need for management support.
- The program needs support at the highest and the lowest levels.
- Management may not understand the value.
Slide 15: Summary
The RMF program may miss the target if:
- it is not properly supported by management;
- the organization is not ready for the program;
- the RMF program is looked at as a paper exercise;
- the organization does not assign responsibility;
- the organization does not enforce the RMF program;
- the organization does not properly plan for the RMF program;
- the program does not get the resources it needs.
Slide 16: Class Discussion: Why do RMF programs fail?
- You have been tasked with ensuring the RMF program does not fail. What would you do to ensure success?
- Business unit owners, information owners, system owners or approving authorities are not engaged in the RMF process. How would you ensure success of the RMF program?
- We have all been part of a program or initiative that failed. What are some reasons programs or initiatives fail?
Slide 17: Section divider
Picture: Newport Beach, CA; photo by Donald E. Hester, all rights reserved.
Slide 18: Quote
"If you fail to plan, you plan to fail!"
Slide 19: Financial Planning (Budget)
- Security should be in the budget.
- It needs to be integrated into the existing Capital Planning and Investment Control (CPIC) process.
- With limited funds it will be necessary to prioritize needs.
Slide 20: Integrating Security into the CPIC Process
NIST SP 800-65, "Integrating IT Security into the Capital Planning and Investment Control Process," provides a seven-step process (illustrated on the original slide) for prioritizing security activities and corrective actions:
1. Identify the Baseline
2. Identify Prioritization Requirements
3. Conduct Enterprise-Level Prioritization
4. Conduct System-Level Prioritization
5. Develop Supporting Materials
6. Implement Investment Review Board (IRB) and Portfolio Management
7. Submit Exhibit 300s, Exhibit 53, and Conduct Program Management
CPIC = Capital Planning and Investment Control
Slide 21: Security During the CPIC Process
Figure from NIST SP 800-65 Rev 1 Draft (not reproduced in the notes).

Slide 22: Roles and Responsibilities (CPIC)
Figure from NIST SP 800-65 Rev 1 Draft (not reproduced in the notes).

Slide 23: (no notes)

Slide 24: Ongoing Budget Considerations
Figure from NIST SP 800-65 Rev 1 Draft (not reproduced in the notes).
Slide 25: Exhibit 300 & Exhibit 53
- To submit a funding request for a "major" IT investment, agencies must use the Exhibit 300, also called the OMB Capital Asset Plan; it documents the business case for making the major IT investment.
- If the investment is considered "non-major," it is reported in the Exhibit 53 only.
- The Exhibit 53 is designed to coordinate OMB's collection of agency IT investment information for its reports to Congress.
Slide 26: Other Planning Factors
Key factors: the program must be properly coordinated, effectively organized and closely managed.
Project management usually takes about 10% of the required effort of the program.
Project manager skills:
- Knowledgeable: understands the RMF process.
- Personable: a people person.
- Present: always on the ball.
- Involved: the one person who should know everyone's status.
Read: Official (ISC)2 Guide to the CAP CBK, Second Edition, Chapter 1, pp. 79-90.
Slide 27: Dealing with People
- The project manager needs to be a people person.
- Manage expectations.
- Manage objectives.
- Identify the individuals involved in the project.
- Develop a contact list.
Slide 28: Team Member Selection
Selection should be based on knowledge, skills and abilities, such as:
- Critical thinking
- Impartial and fair
- People skills
- Analytical
- Familiar with RMF or C&A
Slide 29: Scope Definition
- How many systems are in the project?
- How complex are the systems?
- Are there any deadlines?
- Where are the systems located?
- How many people are involved?
- What resources are available?
- What will happen if the scope creeps?
- What are the costs?
Slide 30: Assumptions
- You never have all the information you need to make decisions.
- You have to learn how to make decisions anyway, and document the assumptions you made.
- Learn how to deal with fear, uncertainty and doubt.
Slide 31: Project Risks
Identify risks to the project: what could prevent this project from being completed?
- Lack of cooperation
- Lack of management support
- Lack of manpower
- Lack of funds
- Lack of time
- Lack of needed skills
- Delays
- Etc.
Slide 32: Project Agreements
- Document the project plan.
- This serves to inform people of their roles.
- It also serves to identify what resources will be needed.
- It sets expectations on timing.
Slide 33: Project Team Guidelines
- It may be necessary to implement procedures and policy on how to approach the project.
- For example, procedures to follow in the event of a scope change.
- Guidelines also help to ensure consistency.
Slide 34: Administrative Requirements
Don't forget to take into consideration the cost of administrative support:
- File storage
- Copy paper
- Binders
- Media
- Software tools
- Hardware tools
- Reference materials
- Etc.
Slide 35: Reporting
Reporting status to management helps to gain support for the program.
- Status reporting
- Monitoring progress
- Informing management
- Reports should be succinct, clear and concise.
- Consider a dashboard approach.
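Slide 5 says failed controls must be remediated through an ongoing cycle, and this slide says management should see that cycle as a succinct dashboard. In the RMF the artifact that ties the two together is the Plan of Action and Milestones (POA&M). The script below is an added example, not from the slides or from NIST; the POA&M rows, the status vocabulary, the `AS_OF` date and the 30-day escalation rule are all constructed assumptions for illustration.

```python
"""Turn a POA&M into the kind of status dashboard the slides recommend.
Added example with constructed data; the escalation rule is an assumption."""
from collections import Counter
from datetime import date

# Constructed POA&M rows: (weakness_id, control, severity, scheduled_completion, status).
POAM = [
    ("POAM-1", "AC-2", "High",     date(2016, 3, 1),  "Ongoing"),
    ("POAM-2", "SI-2", "High",     date(2016, 5, 15), "Ongoing"),
    ("POAM-3", "CM-8", "Moderate", date(2016, 2, 1),  "Completed"),
    ("POAM-4", "IR-4", "Low",      date(2016, 4, 1),  "Delayed"),
    ("POAM-5", "RA-5", "Moderate", date(2016, 6, 30), "Ongoing"),
]

# Constructed reporting date for the example run.
AS_OF = date(2016, 4, 15)

# Assumed escalation policy (not from the slides): a High weakness more than
# 30 days past its scheduled completion is escalated to the authorizing official.
ESCALATION_DAYS = 30


def summarize(poam, today):
    """Reduce the POA&M to the numbers management actually needs to act on."""
    open_items = [r for r in poam if r[4] != "Completed"]
    overdue = []
    for wid, control, severity, due, status in open_items:
        if due < today:
            overdue.append((wid, control, severity, (today - due).days))
    escalate = [wid for wid, _, sev, days in overdue
                if sev == "High" and days > ESCALATION_DAYS]
    return {
        "total": len(poam),
        "open": len(open_items),
        "completed": len(poam) - len(open_items),
        "by_severity": dict(Counter(r[2] for r in open_items)),
        "by_status": dict(Counter(r[4] for r in open_items)),
        "overdue": overdue,
        "escalate": escalate,
    }


def render_dashboard(summary, today):
    """A few lines, worst item first: succinct, clear and concise."""
    lines = [
        f"POA&M status as of {today.isoformat()}",
        f"  open {summary['open']} / total {summary['total']} (completed {summary['completed']})",
        "  open by severity: " + ", ".join(f"{k} {v}" for k, v in sorted(summary["by_severity"].items())),
        "  open by status:   " + ", ".join(f"{k} {v}" for k, v in sorted(summary["by_status"].items())),
    ]
    for wid, control, sev, days in sorted(summary["overdue"], key=lambda r: -r[3]):
        flag = "  ESCALATE" if wid in summary["escalate"] else ""
        lines.append(f"  OVERDUE {wid} {control} {sev}: {days} days late{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_dashboard(summarize(POAM, AS_OF), AS_OF))
```

The design choice is that the dashboard is computed from the same POA&M the remediation team works from, so the report to management cannot drift from reality the way a separately maintained status slide can; the slides' warning about the program becoming a paper exercise applies to reporting as much as to assessment.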
Slide 36: Other Tasks
- Don't forget training.
- Training is the most frequently forgotten aspect.
Slide 37: Project Kickoff
It is important to have a kick-off meeting. It helps get everyone on the team on the same page and shows management's support for the program. It should cover:
- Deliverables
- Timeline
- Resources
- Roles and responsibilities
- Procedures
- Scope
- Input from past projects
Slide 38: Wrap-up
It is helpful to have a close-out meeting. Cover:
- Deliverables
- Success or failure
- What went wrong
- What went right
- Lessons learned
- Recommendations
- Any handoffs necessary
- Quality assurance: what do we do next time?
Slide 39: Summary
- Project management is necessary for a successful RMF or C&A program.
- Planning is necessary for a successful RMF or C&A program.
- "If you fail to plan, you plan to fail!"
Slide 40: Class Discussion: Project Planning
- You are a project manager for an RMF program. One team member continuously misses deadlines, causing delays in the program implementation. How would you solve this problem?
- You have had projects complete successfully in the past without a project manager. How would you decide when you need one?
- Explain project risk. What are some common risks associated with projects?