The NIST Risk Management Framework (RMF) provides recommendations for systematically protecting information resources. FISMA requires RMF compliance for federal civilian systems. Applied judiciously, the RMF can be useful in the private sector as well.
It’s a common perception that FISMA is a joke (presumably everything associated with it as well, including the RMF), a pointless exercise that’s designed to kill trees and feed beltway bandits… but the RMF is ultimately about specifying security controls and ensuring that those controls function correctly. It seems difficult to argue against that, unless you are willing to postulate that security controls are entirely worthless. Of course the RMF isn’t a security panacea.
Security isn’t easy. The 24-task RMF process requires the collection and evaluation of a lot of information. Some organizations muddle through the process in a very ad hoc, CYA fashion. These organizations are likely to adhere to the letter of the law and not the spirit of the RMF, and even though they may spend a lot on compliance, the quality of their plans is poor and they don’t get as much out of the RMF as they ought to.
The RMF is complicated by the fact that it is designed for large organizations that have well defined procedures, roles, and responsibilities. One of its purposes is to make certain these roles work together effectively. If your IT staff consists of one person, the coordination problem largely disappears and you can trim the RMF back considerably. Of course you will be in deep trouble if that one savant is flattened by a truck while fetching her mail, or off on vacation when an incident occurs.
How confident are you that your security plans are really meaningful, and not a pro forma cut-and-paste? Can you, for example, verify that the boundaries of the systems described in different plans actually fit together without gaps? Can you tell exactly which systems require a given control, and the results of testing the efficacy of that control? Do you know exactly who is responsible for every aspect of keeping your applications available and your information secured, and who their backups are? Can you answer questions like these in a moment, or does someone need to root through emails or a sheaf of Word documents?