Individually managing permissions and configurations becomes more difficult across a group of people, for several reasons:
- Each group consists of a variety of people, and the weakest computer or least-tech-savvy user is the highest risk for the organization.
- A group draws more attention than an individual, proportionally to its popularity, creating more desire for hackers to infiltrate it.
- Groups are often subject to more regional government laws than individuals.
- If the organization is spread across multiple regions, completely legal actions in one region could imprison someone for life in another.
The legality and safety of the organization can often sit on the nuanced difference in IP address or choice of protocol.
NIST created its Risk Management Framework (RMF) to put risk management systems in place and test to be sure they work:
- Prepare – everyone should be aware changes will be happening.
- Categorize – organize how the system processes, stores, and transmits information and conduct a risk assessment.
- Select – choose the controls that will protect the system based on the risk assessment.
- Implement – carry out the controls and document what happens.
- Assess – examine if the controls are in place, operating as intended, and creating desired results.
- Authorize – the group leader makes a risk-based decision to authorize the system to operate.
- Monitor – continuously monitor the implementation, as well as any further risks to the system.