Essay Undergraduate 993 words

Authorization and Accreditation in Risk Management Frameworks

Abstract

This paper examines how organizations can plan, implement, and manage risk using the six-step Risk Management Framework (RMF) as required by the E-Government Act. It walks through each step in sequence: categorizing information systems, selecting appropriate baseline security controls, implementing those controls via checklists, assessing control effectiveness, authorizing system operations, and conducting continuous monitoring. Drawing on sources including Gantz and Philpott's work on FISMA and federal cybersecurity, the paper argues that a structured RMF approach provides the flexibility and consistency needed to reduce risk to acceptable levels while protecting organizational assets, operations, and personnel.

How to Write This Type of Paper (writing guide)

What makes this paper effective

  • The paper follows a clear sequential structure that mirrors the six steps of the Risk Management Framework, making the argument easy to follow and logically coherent.
  • It grounds abstract security concepts in practical organizational contexts, explaining not just what each step is but how a company would actually carry it out.
  • The use of multiple authoritative sources (Gantz & Philpott, Jain & Zhang, Bowden & Martin) lends credibility to the procedural claims made throughout.

Key academic technique demonstrated

The paper demonstrates effective process-based exposition — a technique in which a multi-step framework is unpacked step by step, with each paragraph anchored to a specific stage. This keeps the argument tightly organized and ensures no step is overlooked. The writer also integrates citations at the point of claim rather than clustering them at the end of paragraphs, which strengthens the perceived authority of each individual statement.

Structure breakdown

The paper opens with a brief introduction establishing the legal basis (E-Government Act) and purpose. The body then progresses through the six RMF steps — categorization, control selection, implementation, assessment, authorization, and monitoring — each treated as a distinct analytical unit. A short conclusion synthesizes the overall value of the framework. The structure is linear and procedural, appropriate for a policy-oriented security management topic at the undergraduate level.

Introduction

An organization's risk management framework offers a structured process to help the company identify, assess, and take steps to reduce risks to a reasonable level. The E-Government Act requires organizations to protect their information technology and information systems that support their assets and operations (Jain & Zhang, 2012). This paper examines how an organization will plan, implement, and manage its risk management steps under the Risk Management Framework, which comprises six key steps.

Risk Management Steps Overview

The Risk Management Framework (RMF) structures the process of securing information systems into six sequential steps. Each step builds on the previous one, guiding organizations from initial categorization through continuous monitoring.

Categorization and Security Control Selection

To implement the first step, the organization will need to categorize its information systems, as well as the information those systems store, process, and transmit. The categorization will be based on the potential impact on the company if events occur that put the information and the system at risk. The organization will assign an impact value — high, moderate, or low — to each of the security objectives of confidentiality, integrity, and availability (Bowden & Martin, 2011). This categorization will cover the information systems and information the company requires to achieve its mission, fulfil its legal responsibilities, maintain its daily functions, and protect its people and assets.

Security categorization standards for information systems and information will provide a common understanding and framework for documenting the possible impact on individuals or organizations in the event of a security breach. Categorizing its information systems and information will help the company identify the security category of each system. The categorization process will likewise promote consistent reporting and effective management of information systems (Jain & Zhang, 2012).

In implementing the second step, the organization will identify an appropriate set of security controls for its information system once it has determined the system's security categorization. The E-Government Act specifies that companies must meet minimum security requirements by choosing an appropriately tailored set of baseline security controls. This selection will be based on an assessment of risk and on local conditions such as the company's security requirements, cost-benefit analysis, threat information, and special circumstances. To exceed the minimum security requirements where its risk assessment warrants, the company will select additional appropriate security controls (Jain & Zhang, 2012). This will help the company protect its information systems in line with its business requirements and mission. The company will determine an initial set of security controls from the impact analysis conducted in the first step, and will then supplement and tailor the baseline selection based on its ongoing assessment of risk.
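As an added example (not part of the essay), the first two steps expressed in code: aggregating the highest impact per objective across information types and then taking the high-water mark follows FIPS 199 and SP 800-53 baseline selection, which the essay does not spell out, and the control identifiers in the baseline sets are constructed placeholders rather than the real published baselines.

```python
# Added example (not from the essay): RMF step 1 categorization and step 2
# baseline selection. Taking the highest impact of any information type per
# objective, then the high-water mark across objectives, follows FIPS 199 /
# SP 800-53 baseline selection; the control sets are constructed placeholders.
from dataclasses import dataclass
from typing import Dict, Iterable, List

IMPACT_RANK = {"low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

@dataclass
class InformationType:
    name: str
    impact: Dict[str, str]  # objective -> "low" | "moderate" | "high"

def categorize_system(info_types: List[InformationType]) -> Dict[str, str]:
    """Per objective, the system inherits the worst impact of any information it handles."""
    category = {}
    for objective in OBJECTIVES:
        levels = [it.impact[objective] for it in info_types]
        unknown = [lvl for lvl in levels if lvl not in IMPACT_RANK]
        if unknown:
            raise ValueError(f"unknown impact level(s) {unknown} for {objective}")
        category[objective] = max(levels, key=IMPACT_RANK.__getitem__)
    return category

def overall_impact(category: Dict[str, str]) -> str:
    """High-water mark: the most severe objective decides the baseline."""
    return max(category.values(), key=IMPACT_RANK.__getitem__)

# Constructed, illustrative control sets (placeholders, not the real SP 800-53B
# baselines); each higher baseline extends the one below it.
BASELINES = {"low": {"AC-2", "AU-2", "IA-2"}}
BASELINES["moderate"] = BASELINES["low"] | {"AC-2(1)", "AU-6", "SI-4"}
BASELINES["high"] = BASELINES["moderate"] | {"AC-2(4)", "AU-9(2)", "SI-4(4)"}

def select_controls(level: str, supplement: Iterable[str] = (),
                    scope_out: Iterable[str] = ()) -> List[str]:
    """Step 2 tailoring: start from the baseline for the impact level, then
    supplement or scope out controls according to the risk assessment."""
    controls = (set(BASELINES[level]) | set(supplement)) - set(scope_out)
    return sorted(controls)

# Constructed sample system: three information types with differing impacts.
SAMPLE_SYSTEM = [
    InformationType("payroll", {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"}),
    InformationType("public web", {"confidentiality": "low", "integrity": "moderate", "availability": "moderate"}),
    InformationType("incident data", {"confidentiality": "high", "integrity": "moderate", "availability": "low"}),
]
```

Running `categorize_system(SAMPLE_SYSTEM)` yields a high-confidentiality, moderate-integrity, moderate-availability system, so `overall_impact` returns "high" and the high baseline is the starting point for tailoring.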


Implementing and Assessing Security Controls

"Steps three and four: checklists and control assessment"

Authorization and Continuous Monitoring

"Steps five and six: authorizing operations and ongoing monitoring"

Conclusion

Bowden, A. R., & Martin, J. H. (2011). Triple bottom line risk management: Enhancing profit, environmental performance, and community benefits. John Wiley & Sons.

Jain, L. C., & Zhang, G. (2012). Handbook on decision making: Vol. 2: Risk management in decision making. Springer.

Cite This Paper
PaperDue. (2026). Authorization and Accreditation in Risk Management Frameworks. PaperDue. https://www.paperdue.com/study-guide/authorization-accreditation-risk-management-framework-125531
