The National Institute of Standards and Technology has issued what could be characterized as the bible of risk assessment.
Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments, provides direction for conducting risk assessments and amplifies the guidance found in SP 800-39: Managing Information Security Risk. Though SP 800-30 was written for federal information systems and organizations, its lessons can be applied to other organizations in and out of government.
Ron Ross, NIST fellow and one of the authors of the new guidance, says risk assessments are essential tools for managers. "With the increasing breadth and depth of cyberattacks on federal information systems and the U.S. critical infrastructure, risk assessments provide important information to guide and inform the selection of appropriate defensive measures so organizations can respond effectively to cyber-related risks," he says.
The new guidance document, issued Sept. 18, provides direction for carrying out each of the steps in the risk assessment process, such as preparing for the assessment, conducting the assessment, communicating the results of the assessment and maintaining the assessment. It also shows how risk assessments and other organizational risk management processes complement each other.
Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor systems continuously so that they can determine whether risks have increased to unacceptable levels, such as exceeding organizational risk tolerance. And it offers insights on different courses of action that should be taken.
Information technology risks include risk to the organization's operations, such as mission and reputation, as well as its critical assets, including data and physical property as well as individuals who are part of or served by the organization.
In March 2011, NIST released SP 800-39, which describes the process for managing information security risk for federal agencies and contractors. That process includes framing risk, assessing risk, responding to risk and monitoring risk over time.
Can't Protect Everything
The new publication focuses exclusively on risk assessment, the second step in the information security risk management process. The guidance covers the four elements of a classic risk assessment: threats, vulnerabilities, impact to missions and business operations. It also addresses the likelihood of threat exploitation of vulnerabilities in information systems and their physical environment to cause harm or adverse consequences.
"As the size and complexity of our collective IT infrastructure grows, we cannot protect everything we own or manage to the highest degree," Ross says. "Risk assessments show us where we are most at risk. It provides a way to decide where managers should focus their attention."
With the issuance of the revised SP 800-30, the original series of five key computer security documents (including SP 800-39) envisioned by the Joint Task Force to create a unified information security framework for the federal government is completed. The Joint Task Force is a partnership of NIST, the Department of Defense, the Office of the Director of National Intelligence and the Committee on National Security Systems.