How to apply risk management to IT resources
The SDLC (software development life cycle) has similarities to the RMF (Risk Management Framework). One topic that comes up when discussing the SDLC alongside the RMF is identifying the cyber risks associated with IT resources. Each identified risk must be recorded in a document that is also presented to the authorizing official.
A critical component of the SSP (System Security Plan) is the risk register. The risk register is where every identified risk is recorded; risks that require remediation are then placed into a project plan. As we assess the IT resources, we identify the risks associated with the environment. We then decide how to treat each risk: accept, avoid, mitigate, or transfer it. If we decide to mitigate or transfer a risk, a Plan of Action and Milestones (POA&M) must be created to record the progress of remediation.
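The treatment workflow described above, as an added example that is not part of the original text or any particular RMF tool: a small risk register in which each risk carries a treatment decision, a `build_poam` function that turns only the mitigate and transfer decisions into POA&M entries (highest-scored risk first), and milestone tracking that reports which entries are overdue. The risk IDs, scoring scale, field names, owners and sample risks are all constructed for illustration.

```python
"""Risk register -> POA&M generator (added example; all data constructed)."""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Dict, List, Optional


class Treatment(Enum):
    """The four risk treatment decisions discussed in the text."""
    ACCEPT = "accept"
    AVOID = "avoid"
    MITIGATE = "mitigate"
    TRANSFER = "transfer"


# Only these treatments involve tracked remediation work, so only they get a POA&M entry.
POAM_TREATMENTS = {Treatment.MITIGATE, Treatment.TRANSFER}


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: int        # constructed 1 (rare) .. 5 (almost certain) scale
    impact: int            # constructed 1 (negligible) .. 5 (severe) scale
    treatment: Treatment
    owner: str = "unassigned"

    @property
    def score(self) -> int:
        """Simple likelihood x impact score used to prioritise the project plan."""
        return self.likelihood * self.impact


@dataclass
class Milestone:
    description: str
    due: date
    completed: Optional[date] = None


@dataclass
class PoamEntry:
    risk_id: str
    description: str
    treatment: Treatment
    owner: str
    milestones: List[Milestone] = field(default_factory=list)

    def is_overdue(self, today: date) -> bool:
        """True if any milestone is past its due date and still not completed."""
        return any(m.completed is None and m.due < today for m in self.milestones)

    def percent_complete(self) -> float:
        if not self.milestones:
            return 0.0
        done = sum(1 for m in self.milestones if m.completed is not None)
        return 100.0 * done / len(self.milestones)


# Constructed sample register: one risk per treatment decision.
SAMPLE_REGISTER: List[Risk] = [
    Risk("R-001", "Unpatched web server in the DMZ", 4, 5, Treatment.MITIGATE, "ops"),
    Risk("R-002", "Only backup copy is stored on-site", 3, 4, Treatment.TRANSFER, "it"),
    Risk("R-003", "Legacy FTP service still enabled", 2, 3, Treatment.AVOID, "ops"),
    Risk("R-004", "Test VLAN lacks IDS coverage", 2, 1, Treatment.ACCEPT, "sec"),
]


def build_poam(register: List[Risk]) -> List[PoamEntry]:
    """Create a POA&M entry for each mitigate/transfer risk, highest score first.

    Accepted and avoided risks stay in the register (the SSP still records them)
    but produce no remediation tracking entry.
    """
    ranked = sorted(register, key=lambda r: r.score, reverse=True)
    return [
        PoamEntry(r.risk_id, r.description, r.treatment, r.owner)
        for r in ranked
        if r.treatment in POAM_TREATMENTS
    ]


def overdue_entries(poam: List[PoamEntry], today: date) -> List[str]:
    """Risk IDs whose remediation has slipped past a milestone due date."""
    return [e.risk_id for e in poam if e.is_overdue(today)]


def demo(today: date = date(2024, 7, 1)) -> Dict[str, object]:
    """Build the POA&M from the sample register, attach constructed milestones,
    and report progress as of `today`."""
    poam = build_poam(SAMPLE_REGISTER)
    by_id = {e.risk_id: e for e in poam}
    by_id["R-001"].milestones += [
        Milestone("Apply vendor patch to web tier", date(2024, 6, 15), completed=date(2024, 6, 10)),
        Milestone("Verify patch with authenticated scan", date(2024, 6, 20)),  # still open
    ]
    by_id["R-002"].milestones.append(
        Milestone("Contract off-site backup provider", date(2024, 8, 1))
    )
    return {
        "poam_ids": [e.risk_id for e in poam],
        "overdue": overdue_entries(poam, today),
        "percent_complete": {e.risk_id: e.percent_complete() for e in poam},
    }


if __name__ == "__main__":
    print(demo())
```

Keeping the treatment decision on the risk record itself, and deriving the POA&M from it rather than maintaining the two documents by hand, means an auditor can always trace a POA&M entry back to the register entry and the decision that created it, and an accepted or avoided risk cannot silently disappear from the SSP.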
The POA&M is a project plan used to track remediation efforts. The POA&M should include the following:
- Risk ID
- Description...