
NIST 800-30

NIST 800-30. Risk Management Guide for Information Technology Systems. Recommendations of the National Institute of Standards and Technology. Gary Stoneburner, Alice Goguen, & Alexia Feringa. Reference: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf. Risk Management (RM).



Presentation Transcript


  1. NIST 800-30 Risk Management Guide for Information Technology Systems Recommendations of the National Institute of Standards and Technology Gary Stoneburner, Alice Goguen, & Alexia Feringa Reference: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

  2. Risk Management (RM) • RM – the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. • Goal – to protect the organization and its ability to perform its mission, not just its IT assets. • Thus, RM is an essential management function of the organization, not a purely technical one.

  3. Objectives of RM To enable accomplishment of the mission by: • Better securing the IT systems that store, process, or transmit organizational information • Enabling management to make well-informed risk management decisions that justify IT security expenditure • Assisting management in authorizing (or accrediting) the IT systems on the basis of the supporting documentation produced by the risk assessment.

  4. Purpose of 800-30 • Special Publication 800-30, July 2002 • This guide provides a foundation for the development of an effective RM program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems.

  5. Components in 800-30 This RM guide describes the RM methodology, how it fits into each phase of the SDLC, and how the RM process is tied to the process of system authorization (or accreditation). It comprises three processes: • Risk Assessment (what is my risk?) • Risk Mitigation (what am I going to do about it?) • Evaluation & Assessment (how did I do?)

  6. Risk Assessment • Step 1: System Characterization • Step 2: Threat Identification • Step 3: Vulnerability Identification • Step 4: Control Analysis • Step 5: Likelihood Determination • Step 6: Impact Analysis • Step 7: Risk Determination • Step 8: Control Recommendations • Step 9: Results Documentation
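The nine steps above are easier to see as data flowing through a small risk register. The following added example (not part of the slides or of NIST's own material) walks constructed threat/vulnerability pairs through Steps 2 to 9. The likelihood and impact scales and the risk-level matrix are the ones in Table 3-6 of SP 800-30 (2002): likelihood High = 1.0, Medium = 0.5, Low = 0.1; impact High = 100, Medium = 50, Low = 10; risk High above 50, Medium above 10 up to 50, Low from 1 to 10. The system, observations, controls and the rule that an effective existing control lowers likelihood one level are assumptions made for illustration, not text from 800-30.

```python
"""Minimal SP 800-30 style risk assessment (added example, constructed data).

Scales and matrix: SP 800-30 (July 2002), Table 3-6. Everything else
(system, threats, vulnerabilities, controls, the likelihood step-down
rule) is an illustrative assumption, not guidance from the publication.
"""
from __future__ import annotations
from dataclasses import dataclass

# Step 5 (likelihood) and Step 6 (impact) scales, Step 7 matrix: Table 3-6.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}
LEVELS = ["Low", "Medium", "High"]


@dataclass
class Observation:
    """One threat/vulnerability pair (Steps 2-3) with Step 4 control findings."""
    threat_source: str
    vulnerability: str
    existing_controls: list[str]
    controls_effective: bool   # Step 4: do the current controls actually work?
    base_likelihood: str       # Step 5 rating before crediting existing controls
    impact: str                # Step 6: magnitude of loss of C/I/A
    recommended_control: str   # Step 8


def effective_likelihood(obs: Observation) -> str:
    """ASSUMPTION (not 800-30 text): an effective existing control
    lowers the likelihood rating by one level; an ineffective or
    absent control leaves it unchanged."""
    if obs.controls_effective and obs.existing_controls:
        return LEVELS[max(LEVELS.index(obs.base_likelihood) - 1, 0)]
    return obs.base_likelihood


def risk_level(likelihood: str, impact: str) -> tuple[float, str]:
    """Step 7: risk = likelihood x impact, mapped to the Table 3-6 scale."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score > 50:
        return score, "High"
    if score > 10:
        return score, "Medium"
    return score, "Low"


def assess(system: dict, observations: list[Observation]) -> list[dict]:
    """Steps 5-9: rate each observation and return the Step 9 summary
    table (highest risk first), the shape of the 800-30 report table."""
    rows = []
    for n, obs in enumerate(observations, 1):
        lik = effective_likelihood(obs)
        score, level = risk_level(lik, obs.impact)
        rows.append({
            "item": n,
            "system": system["name"],
            "threat": obs.threat_source,
            "vulnerability": obs.vulnerability,
            "likelihood": lik,
            "impact": obs.impact,
            "score": score,
            "risk": level,
            "recommendation": obs.recommended_control,
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


def example_assessment() -> list[dict]:
    """Constructed sample input (Step 1 characterization + four observations)."""
    system = {"name": "Public web portal", "boundary": "DMZ web tier + app DB",
              "data_sensitivity": "Moderate"}
    observations = [
        Observation("External attacker", "Web server version has a known remote code execution flaw",
                    ["Perimeter firewall"], False, "High", "High",
                    "Apply vendor patch; add web application firewall"),
        Observation("Email-borne malware", "Workstations lack endpoint protection",
                    ["User awareness training"], True, "High", "Medium",
                    "Deploy endpoint protection and mail attachment filtering"),
        Observation("Flood", "Data center in floodplain, no offsite backups",
                    [], False, "Low", "High",
                    "Establish offsite backups and a contingency plan"),
        Observation("Terminated employee", "User accounts not removed on termination",
                    ["Quarterly access review"], True, "Medium", "Medium",
                    "Automate deprovisioning from the HR termination feed"),
    ]
    return assess(system, observations)


if __name__ == "__main__":
    for r in example_assessment():
        print(f"{r['item']}. [{r['risk']:6}] {r['threat']} / {r['vulnerability']}"
              f" -> {r['recommendation']}")
```

The ordering of the output is the point of Step 9: the register tells management which observations drive mission risk (here the unpatched server) and which can be accepted or scheduled, which is the input the risk mitigation process consumes.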

  7. Risk Mitigation • Senior management and functional and business managers use a least-cost approach: implement the most appropriate controls to decrease mission risk to an acceptable level, with minimal adverse impact on the organization's resources and mission. • Risk Mitigation options are: • Risk Assumption • Risk Avoidance • Risk Limitation • Risk Transference • Risk Planning • Research and Acknowledgment

  8. Evaluation & Assessment • The RM process is ongoing and evolving. • Emphasizes good practice, the need for ongoing risk evaluation and assessment, and the factors that make an RM program successful. • Scheduled, periodic re-assessment and mitigation of mission risks • Flexible enough to allow changes when warranted (new systems, new threats, changed personnel or policy) • Repeated at least every 3 years for federal agencies, per OMB Circular A-130

  9. THE END
