NIST 800-30 Risk Management Guide for Information Technology Systems (presentation transcript)

Reference: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
Recommendations of the National Institute of Standards and Technology
Gary Stoneburner, Alice Goguen, & Alexia Feringa
Risk Management (RM)
- RM: the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.
- Goal: to protect the organization and its ability to perform its mission, not just its IT assets.
- Thus, RM is an essential management function of the organization.
Objectives of RM
To enable accomplishment of the mission by:
  - better securing IT systems;
  - management making well-informed decisions;
  - assisting management in authorizing (or accrediting) the IT systems on the basis of the supporting documentation.
Purpose of 800-30
- Special Publication 800-30, July 2002.
- This guide provides a foundation for the development of an effective RM program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified in IT systems.
Components in 800-30
This RM guide describes the RM methodology, how it fits into each phase of the SDLC, and how the RM process is tied to the process of system authorization (or accreditation). It involves 3 processes:
  - Risk Assessment (what is my risk?)
  - Risk Mitigation (what am I going to do about it?)
  - Evaluation & Assessment (how did I do?)
Risk Assessment
- Step 1: System Characterization
- Step 2: Threat Identification
- Step 3: Vulnerability Identification
- Step 4: Control Analysis
- Step 5: Likelihood Determination
- Step 6: Impact Analysis
- Step 7: Risk Determination
- Step 8: Control Recommendations
- Step 9: Results Documentation
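As an added worked example (not part of the slides), here is how Steps 5 to 7 combine: the likelihood and impact ratings are multiplied, mapped onto a risk level, and ranked as input to Steps 8 and 9. The numeric scale (likelihood 1.0/0.5/0.1, impact 100/50/10, levels High >50, Medium >10, Low 1 to 10) is the one SP 800-30 gives in its risk-level matrix; the slides do not list it, and the threat/vulnerability pairs are constructed.

```python
# Added example: Steps 5-7 of the SP 800-30 risk assessment (likelihood
# determination, impact analysis, risk determination) on constructed data.
# Numeric scale: the guide's own risk-level matrix; the slides do not list it.
from dataclasses import dataclass

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}  # Step 5 rating
IMPACT = {"High": 100, "Medium": 50, "Low": 10}        # Step 6 rating

@dataclass
class ThreatVulnPair:
    """One threat-source / vulnerability pairing (output of Steps 2 and 3)."""
    threat: str
    vulnerability: str
    likelihood: str  # "High" | "Medium" | "Low"
    impact: str      # "High" | "Medium" | "Low"

def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: risk = likelihood rating x impact magnitude."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 2)

def risk_level(score: float) -> str:
    """Guide's scale: High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"

def prioritize(pairs: list) -> list:
    """Rank pairs highest score first: the input to Step 8 (control
    recommendations) and Step 9 (results documentation)."""
    ranked = []
    for p in pairs:
        score = risk_score(p.likelihood, p.impact)
        ranked.append((f"{p.threat} / {p.vulnerability}", score, risk_level(score)))
    return sorted(ranked, key=lambda r: r[1], reverse=True)

# Constructed sample pairs for illustration only.
SAMPLE = [
    ThreatVulnPair("Unauthorized user", "Terminated staff accounts still active", "High", "High"),
    ThreatVulnPair("Insider", "Audit logs never reviewed", "Medium", "Medium"),
    ThreatVulnPair("Flood", "Server room below flood line", "Low", "High"),
]

if __name__ == "__main__":
    for name, score, level in prioritize(SAMPLE):
        print(f"{level:6} {score:6.1f}  {name}")
```

Note the Low-likelihood / High-impact pair scores exactly 10 and therefore lands in the Low band, which is why the guide's impact analysis matters as much as the likelihood rating.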
Risk Mitigation
- Senior management and functional and business managers use the least-cost approach: implement the most appropriate controls to decrease mission risk to an acceptable level, with minimal adverse impact on the organization's resources and mission.
- Risk Mitigation options are:
  - Risk Assumption
  - Risk Avoidance
  - Risk Limitation
  - Risk Transference
  - Risk Planning
  - Research and Acknowledgement
Evaluation & Assessment
- The RM process is ongoing and evolving.
- Emphasizes good practice, the need for ongoing risk evaluation and assessment, and the factors of a successful RM program.
- Scheduled, periodic re-assessing and mitigating of mission risks.
- Flexible, to allow changes when warranted.
- Repeated every 3 years for federal agencies, per OMB A-130.