Senior managers are responsible for managing risk for an organization, and the RMF is only one portion of the risk management portfolio they must ensure their organization is prepared to handle. Fortunately, the National Institute of Standards and Technology provides a framework for organizations to manage information system risk. When senior officials fail to address the risks that arise from operating information systems, they are failing in their ethical and professional duty to prevent harm to their organizations. Cyber security professionals may find themselves in a situation where they are not empowered to identify and communicate the information system risks that exist in their organization; however, it is our professional and ethical duty to report any risks we find that may cause harm to the organization. If senior management has been properly informed and is aware of the cyber security risks that exist from its operation of information systems, then it bears the responsibility if, or when, the organization experiences an impact from those risks.
The following is an example of applying the RMF to an organization; it was written as the final paper for the Cyber Security Risk Management course at the University of San Diego. It can serve as an example and guide for applying the Risk Management Framework (RMF) to an organization. In this case, the organization shares an office environment with other organizations and wants to manage effectively the risk posed to its information system in response to changes in personnel, software, hardware, firmware, and its environment.