Thursday, October 27, 2011

NIST: New Guidlines for Conducting Risk Assessments

Risk assessment is the topic of the newest special publication from the National Institute of Standards and Technology (NIST).

Guide for Conducting Risk Assessments (NIST Special Publication 800-30, Revision 1), an extensive update to its original 2002 publication, is the authoritative source of comprehensive risk assessment guidance for federal information systems, and is open for public comments through November 4.

Overall guidance on risk management for information systems is now covered in Managing Information Security Risk: Organization, Mission, and Information System View (NIST SP 800-39), issued last March.

The updated SP 800-30 now focuses exclusively on risk assessments, one of the four steps in information risk management.

Information risk assessments help organizations:
  • Determine the most appropriate risk responses to ongoing cyber attacks or threats stemming from man-made or natural disasters;
  • Guide investment strategies and decisions for the most effective cyber defenses to help protect organizational operations (including missions, functions, image and reputation), organizational assets, individuals, other organizations and the US nation; and
  • Maintain ongoing situational awareness of the security state of an organization's information systems and the environments in which those systems operate.
The guidance in the revised publication has been significantly expanded to include more information on a variety of risk factors essential to determining information security risk, such as threat sources and events, vulnerabilities and predisposing conditions, impact, and likelihood of threat occurrence.

The publication describes a three-step process to help organizations prepare for risk assessments, successfully conduct risk assessments and keep assessment results up to date.

Guide for Conducting Risk Assessments also describes how to apply the risk assessment process at the three tiers of the risk management hierarchy outlined in Special Publication 800-39.

Sample templates, tables and assessment scales for common risk factors are provided for users to adapt to their own organizational risk assessments based on the purpose, scope, assumptions, and constraints of the assessments.

Guide for Conducting Risk Assessments (Special Publication 800-30, Revision 1) may be downloaded from here. Please send comments to by Nov. 4.

1 comment:

  1. Risk management attempts to plan for and handle events that are uncertain in that they may or may actually occur. These are surprises. Some surprises are pleasant. We may plan an event for the public and it is so successful that twice as many people attend as we expected. A good turn-out is positive. However, if we have not planned for this possibility, we will not have resources available to meet the needs of these additional people in a timely manner and the positive can quickly turn into a negative.