The US National Institute of Standards and Technology (NIST) has published the final version of a special publication that can help organisations to more effectively integrate information security risk planning into their mission-critical functions and overall goals.
‘Managing Information Security Risk: Organization, Mission, and Information System View’ (NIST Special Publication 800-39) provides the groundwork for a three-tiered, risk-management approach that "fundamentally changes how we manage information security risk," according to Ron Ross, NIST Fellow and one of the principal authors of the publication.
For decades, organisations have managed risk at the information system level that resulted in a very narrow perspective that constrained risk-based decisions by senior management, Ross explains.
SP 800-39 calls for a holistic approach in which senior leaders determine what needs to be protected based on the organization's core missions and business functions.
For example, managers of a power plant tied to the distribution grid need to ensure that its computer security keeps hackers from interfering with the plant's power generation or getting into the power grid to wreak greater havoc.
The publication is the fourth in the series of risk management and information security guidelines being developed by the Joint Task Force Transformation Initiative, a joint partnership among the Department of Defense, Intelligence Community, NIST and the Committee on National Security Systems.
SP 800-39 can be downloaded from here (PDF) or by clicking on the picture.
No comments:
Post a Comment