New NIST publication provides guidance for computer security risk assessments

Sep 19, 2012

The National Institute of Standards and Technology has released a final version of its risk assessment guidelines that can provide senior leaders and executives with the information they need to understand and make decisions about their organization's current information security risks and information technology infrastructures.

" are an important tool for managers," explains Ron Ross, NIST fellow and one of the authors of Guide for Conducting Risk Assessments. "With the increasing breadth and depth of on and the U.S. , risk assessments provide important information to guide and inform the selection of appropriate defensive measures so organizations can respond effectively to cyber-related risks."

Information technology risks include risk to the organization's operations (including, for example, missions and reputation), its critical assets such as data and physical property, and individuals who are part of or served by the organization. In some cases, these risks extend to the nation as a whole. Risk assessments are part of an organization's total risk management process.

In March 2011, NIST released Managing Information Security Risk: Organization, Missions and Information System View (NIST Special Publication 800-39), which describes the process for managing information for federal agencies and contractors. That process includes framing risk, assessing risk, responding to risk and monitoring risk over time.

The new publication, Guide for Conducting Risk Assessments, focuses exclusively on risk assessment—the second step in the information security risk management process. The guidance covers the four elements of a classic risk assessment: threats, vulnerabilities, impact to missions and business operations, and the likelihood of threat exploitation of vulnerabilities in information systems and their to cause harm or adverse consequences.

"As the size and complexity of our collective IT infrastructure grows, we cannot protect everything we own or manage to the highest degree," says Ross. "Risk assessments show us where we are most at risk. It provides a way to decide where managers should focus their attention."

The risk assessment guidance is designed to meet the needs of a variety of organizations, large and small, including financial institutions, health care providers, software developers, manufacturing companies, military planners and operators, and law enforcement groups.

The Guide for Conducting Risk Assessments (SP 800-30, Revision 1) completes the original series of five key computer security documents envisioned by the Joint Task Force—a partnership of NIST, the Department of Defense, the Office of the Director of National Intelligence and the Committee on National Security Systems—to create a unified framework for the federal government. SP 800-39 is also in this series.

The guide is available at www.nist.gov/manuscript-publication-search.cfm?pub_id=912091 .

Explore further: UN study: Cellphones can improve literacy

add to favorites email to friend print save as pdf

Related Stories

Recommended for you

UN study: Cellphones can improve literacy

Apr 23, 2014

A study by the U.N. education agency says cellphones are getting more and more people to read in countries where books are rare and illiteracy is high.

Gates-funded student data group to shut down

Apr 21, 2014

The head of a student data processing organization says it will shut down in the coming months following criticism that led to the recent loss of its last active client—New York state.

Four questions about missing Malaysian plane answered

Apr 19, 2014

Travelers at Asian airports have asked questions about the March 8 disappearance of Malaysia Airlines Flight 370 while en route from Kuala Lumpur to Beijing. Here are some of them, followed by answers.

User comments : 0

More news stories

Google+ boss leaving the company

The executive credited with bringing the Google+ social network to life is leaving the Internet colossus after playing a key role there for nearly eight years.

Facebook woos journalists with 'FB Newswire'

Facebook launched Thursday FB Newswire, billed as an online trove of real-time information for journalists and newsrooms to mine while reporting on events or crafting stories.

Genetic legacy of rare dwarf trees is widespread

Researchers from Queen Mary University of London have found genetic evidence that one of Britain's native tree species, the dwarf birch found in the Scottish Highlands, was once common in England.