In part 1 of this series, we look at how the Categorize step of the Risk Management Framework is implemented using a data-driven approach. The main objective of the Categorize step is “to inform organizational risk management processes and tasks by determining the adverse impact to organizational operations and assets, individuals, other organizations, and the Nation with respect to the loss of confidentiality, integrity, and availability of organizational systems and the information processed, stored, and transmitted by those systems.”[RMF]
So, break that down for me.
In essence, the Categorize step identifies what needs to be protected and the level of protection that is required. Identifying what needs protection requires documenting the characteristics of the system from a security and privacy perspective. Furthermore, this step includes defining things such as the authorization boundary; environment of operation; physical or other processes controlled by system elements; system component inventory; life cycle of the information types managed by the system; and system users and roles, amongst many other things.
From a data-driven perspective this means defining the subjects that you need to collect data about and monitor in subsequent steps of the RMF, i.e. the risk management subjects. Accurately and comprehensively defining these data subjects (i.e. entities in data modeling terms) in the beginning is critical to ensuring that you have the right set of data to fuel the entire process. In Q-Compliance, we support this critical first step with a foundational data model that comprehensively represents all the risk management subjects, e.g. organizations, systems, assets, users, etc. along with dynamic and flexible mechanisms to define and update them as they evolve over time, as shown in Figure 1.

Well, what are my options?
Many traditional GRC tools allow you to define these subjects as they are core to the RMF process. However, with those tools, you define and document, and that’s it. They just stay as static documentation! In comparison, when you define your risk management subjects in Q-Compliance, you are not doing it just to create static documentation, you are setting up the key entities of a comprehensive risk and compliance data model which become the subjects of our analytics and scoring algorithms to help you streamline and automate subsequent steps of the RMF. For example, organizations aren’t just names that show up in some document, they become completely navigable hierarchies of any level of breadth and depth so that you can gain a broad view of your entire enterprise’s risk posture as well as pinpoint problematic departments.
Additionally, in Q-Compliance, systems, authorization boundaries, and asset inventories aren’t just lists of IP addresses that appear in static spreadsheets. They are dynamically defined and act as containers and filters of machine data that’s collected from your environment. Furthermore, data is presented on live dashboards, allowing continuous monitoring, all in near real-time. Even more-so, users aren’t just points-of-contact that show up in a System Security Plan. Instead, they are the subjects of rich analytics that monitor for access control, authentication, privileged access and potential insider threat activities.
Categorize with Q-Compliance:
The risks and threats that organizations are faced with today, are too numerous and dynamic. As such, taking a static documentation-based approach to implement this important foundational step of the RMF doesn’t cut it anymore. The benefits of using Q-Compliance to implement a data-driven approach to Step One – Categorize include:
- Comprehensive data model to define your risk management subjects and all of their important security and privacy characteristics. No longer are they just static words in a document.
- Dynamic mechanisms to update the characteristics of the risk management subjects as they evolve over time.
- Advanced analytics and scoring algorithms that turn your risk management subjects into “living entities”. These entities can be continuously monitored and assessed as they progress through the RMF lifecycle.
- Rich and intuitive dashboards to view and analyze your risk management subjects across the enterprise. The ability to drill down into individual sub-organizations, systems, users, assets and even individual events.