Risk Assessment ‘Bible’ Available

Friday, September 21, 2012 @ 03:09 PM gHale


The “bible of risk assessment” is now out and ready to go.

At least that is what the National Institute of Standards and Technology (NIST) is calling the Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments, provides direction for conducting risk assessments and amplifies the guidance found in SP 800-39: Managing Information Security Risk.

RELATED STORIES
DHS Adopts Chem Site Screening Plan
Locking Out Electromagnetic Pulses
‘Narco Sub’ Defense in Depth
Summer Cyber Institute a Success

While SP 800-30 was originally for federal information systems and organizations, its lessons are applicable to other organizations in and out of government.

Ron Ross, NIST fellow and one of the authors of the new guidance, said risk assessments are essential tools for managers.

“With the increasing breadth and depth of cyber attacks on federal information systems and the U.S. critical infrastructure, risk assessments provide important information to guide and inform the selection of appropriate defensive measures so organizations can respond effectively to cyber-related risks,” Ross said.

The new guidance document, issued Sept. 18, provides direction for carrying out each of the steps in the risk assessment process, such as preparing for the assessment, conducting the assessment, communicating the results of the assessment and maintaining the assessment. It also shows how risk assessments and other organizational risk management processes complement each other.

The document also provides guidance to organizations on identifying specific risk factors to monitor systems continuously so they can determine whether risks have increased to unacceptable levels, such as exceeding organizational risk tolerance. And it offers insights on different courses of action.

Information technology risks include risk to the organization’s operations, such as mission and reputation, as well as its critical assets, including data and physical property as well as individuals who are part of or served by the organization.

In March 2011, NIST released SP 800-39, which describes the process for managing information security risk for federal agencies and contractors. That process includes framing risk, assessing risk, responding to risk and monitoring risk over time.

The new publication focuses exclusively on risk assessment, the second step in the information security risk management process. It covers the four elements of a classic risk assessment: Threats, vulnerabilities, impact to missions and business operations. It also addresses the likelihood of threat exploitation of vulnerabilities in information systems and their physical environment to cause harm or adverse consequences.

“As the size and complexity of our collective IT infrastructure grows, we cannot protect everything we own or manage to the highest degree,” Ross said. “Risk assessments show us where we are most at risk. It provides a way to decide where managers should focus their attention.”



Leave a Reply

You must be logged in to post a comment.