Thursday, September 20, 2012

The Bible of Risk Assessment

NIST Issues Risk Assessments Guidance

Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments, provides direction for conducting risk assessments and amplifies the guidance found in SP 800-39: Managing Information Security Risk. Though SP 800-30 was written for federal information systems and organizations, its lessons can be applied to other organizations in and out of government.

The new guidance document, issued Sept. 18, provides direction for carrying out each of the steps in the risk assessment process, such as preparing for the assessment, conducting the assessment, communicating the results of the assessment and maintaining the assessment. It also shows how risk assessments and other organizational risk management processes complement each other.

Continuous Monitoring

Special Publication 800-30 also provides guidance on identifying specific risk factors to monitor on an ongoing basis, so that organizations can determine whether risks have increased to unacceptable levels, such as exceeding the organizational risk tolerance. It also offers insight into the different courses of action that should be taken when they have.

Information technology risks include risk to the organization's operations, such as its mission and reputation; to its critical assets, including data and physical property; and to the individuals who are part of, or served by, the organization.

Can't Protect Everything

The new publication focuses exclusively on risk assessment, the second step in the information security risk management process. The guidance covers the four elements of a classic risk assessment: threats, vulnerabilities, impact to missions and business operations, and the likelihood that a threat will exploit vulnerabilities in information systems or their physical environment to cause harm or adverse consequences.

With the issuance of the revised SP 800-30, the original series of five key computer security documents (including SP 800-39) envisioned by the Joint Task Force to create a unified information security framework for the federal government is complete. The Joint Task Force is a partnership of NIST, the Department of Defense, the Office of the Director of National Intelligence and the Committee on National Security Systems.