NIST 800-30
Risk Management Guide for Information Technology Systems
Recommendations of the National Institute of Standards and Technology
Gary Stoneburner, Alice Goguen, & Alexia Feringa
Reference: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
Risk Management (RM)
• RM – the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.
• Goal – to protect the organization and its ability to perform its mission, not just its IT assets.
• Thus, RM is an essential management function of the organization.
Objectives of RM
To enable accomplishment of the mission by:
• Better securing IT systems
• Enabling management to make well-informed decisions
• Assisting management in authorizing (or accrediting) the IT systems on the basis of the supporting documentation
Purpose of 800-30
• Special Publication, July 2002
• This guide provides a foundation for the development of an effective RM program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems.
Components in 800-30
This RM guide describes the RM methodology, how it fits into each phase of the SDLC, and how the RM process is tied to the process of system authorization (or accreditation). It involves 3 processes:
• Risk Assessment (what is my risk?)
• Risk Mitigation (what am I going to do about it?)
• Evaluation & Assessment (how did I do?)
Risk Assessment
• Step 1: System Characterization
• Step 2: Threat Identification
• Step 3: Vulnerability Identification
• Step 4: Control Analysis
• Step 5: Likelihood Determination
• Step 6: Impact Analysis
• Step 7: Risk Determination
• Step 8: Control Recommendations
• Step 9: Results Documentation
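Steps 5 to 7 above combine a likelihood rating and an impact rating into a risk level for each threat/vulnerability pair. The following is an added example, not part of the slides or of NIST's publication: it implements the guide's risk-level matrix (likelihood 1.0/0.5/0.1 times impact 100/50/10, with Low 1-10, Medium >10-50, High >50-100) and ranks constructed sample pairs whose ratings are assumed.

```python
from dataclasses import dataclass

# Numeric scale used by the guide's risk-level matrix: likelihood is a
# probability weight, impact a magnitude weight; risk = likelihood x impact.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass
class ThreatVulnPair:
    """One threat/vulnerability pair with its Step 5 and Step 6 ratings."""
    threat: str
    vulnerability: str
    likelihood: str  # Step 5 rating: High / Medium / Low
    impact: str      # Step 6 rating: High / Medium / Low


def risk_score(likelihood: str, impact: str) -> float:
    """Multiply the two ratings on the guide's numeric scale."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 2)


def risk_level(score: float) -> str:
    """Map a score onto the risk scale: Low 1-10, Medium >10-50, High >50-100."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def determine_risk(pairs: list[ThreatVulnPair]) -> list[dict]:
    """Step 7: score every pair and rank them so Step 8 can prioritise controls."""
    rows = []
    for p in pairs:
        score = risk_score(p.likelihood, p.impact)
        rows.append({"threat": p.threat, "vulnerability": p.vulnerability,
                     "score": score, "level": risk_level(score)})
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


# Constructed sample: the pairs are illustrative and the ratings are assumed.
SAMPLE_PAIRS = [
    ThreatVulnPair("Terminated employee", "Account not removed on departure", "Medium", "High"),
    ThreatVulnPair("Unauthorized user", "Firewall allows inbound telnet", "High", "High"),
    ThreatVulnPair("Fire", "Water sprinklers used in the data center", "Low", "Low"),
]

if __name__ == "__main__":
    for row in determine_risk(SAMPLE_PAIRS):
        print(f'{row["level"]:6} {row["score"]:>5}  {row["threat"]}: {row["vulnerability"]}')
```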
Risk Mitigation
• Senior management and functional & business managers use a least-cost approach and implement the most appropriate controls to decrease mission risk to an acceptable level, with minimal adverse impact on the organization's resources and mission.
• Risk Mitigation options are:
• Risk Assumption
• Risk Avoidance
• Risk Limitation
• Risk Transference
• Risk Planning
• Research and Acknowledgment
Evaluation & Assessment
• The RM process is ongoing and evolving.
• Emphasizes good practice, the need for ongoing risk evaluation & assessment, and the factors that make an RM program successful.
• Scheduled, periodic re-assessment and mitigation of mission risks
• Flexible enough to allow changes when warranted
• Repeated every 3 years for federal agencies, per OMB A-130