Week 8
October 25, 2015
NIST SP 800-30 Rev.1 “Guide for Conducting Risk Assessments”
As technological advancement and ubiquitous Internet access bring greater sophistication, complex and sophisticated threats are becoming imminent as well. Therefore, implementing risk assessments is an essential tool for any organization as part of a comprehensive risk management program.
Risk assessments can help organizations determine the most appropriate risk response to ongoing cyber attacks or to the threat of disasters (man-made or natural). They guide investment strategies and decisions toward the most effective cyber defenses to help protect organizational operations, assets, individuals, and other organizations. Risk assessments also help maintain ongoing situational awareness of the security state of organizational information systems and the environments in which those systems operate.
This updated National Institute of Standards and Technology Special Publication (NIST SP) 800-30 focuses exclusively on risk assessments, one of four steps in the risk management process. The risk assessment guideline has been significantly expanded to include more in-depth information on a wide variety of risk factors essential to determining Information Security (InfoSec) risk, including threat sources and events, vulnerabilities and predisposing conditions, impact, and the likelihood of the threat. The three-step process described in this special publication covers key activities to prepare for risk assessments, activities to conduct risk assessments successfully, and approaches to maintain the currency of assessment results.
Along with the comprehensive process for assessing an organization’s InfoSec risk, SP 800-30 provides specific guidance describing how to apply the process at the three tiers of the risk management hierarchy: the organization level, the business process level, and the information system level. It also provides a framework for individuals or groups to conduct risk assessments within organizations, together with a set of exemplary templates, tables, and assessment scales that give maximum flexibility in designing risk assessments based on the organization’s established purpose, scope, assumptions, and constraints.
References:
NIST SP 800-30 Rev.1, “Guide for Conducting Risk Assessments”, published on NIST.gov in September 2012. Retrieved from: http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf