the Grade
NIST SP 800-30R1
Module 3
The Process
4 Step Process
Step 1: Prepare for Assessment
Step 2: Conduct Assessment
Step 3: Communicate Results
Step 4: Maintain Assessment
Each step is divided into a set of tasks
Consistent with the assessment process in 800-39
Step 1: Prepare for Assessment
Task 1-1: Identify the purpose of the assessment
Can be at Tiers 1, 2 or 3
Initial Assessment
Establishing baseline assessment of risk
Identifying threats and vulnerabilities to be tracked over time as part of risk monitoring
Providing a comparative analysis of alternative risk responses
Answering a specific question (e.g. What is the risk of delivering packages with drones?)
Reassessment
Ongoing determination of the effectiveness of security controls
Changes to information systems or operational environment
Results from compliance verification activities
Initiated by organization due to events that have occurred
Step 1: Prepare for Assessment
Task 1-2: Identify the scope of the assessment
Organizational Applicability: Which parts of the organization are affect by the RA?
Effectiveness Time Frame: How long are the results of the RA useful to inform risk-based decisions?
Architecture/Technology Considerations: What systems and how do they fit in the overall architecture?
Step 1: Prepare for Assessment
Task 1-3: Assumptions and constraints
Assumptions
Threat sources
Threat events
Vulnerabilities and Pre-existing conditions
Likelihood
Impacts
Risk Tolerance and Uncertainty
Analytical Approach
Constraints
Resources available for assessment
Skills and expertise required
Operational considerations related to mission/business activies
Step 1: Prepare for Assessment
Task 1-4: Identify the sources of threat, vulnerability and impact information
Internal
External (US-CERT, Information Sharing and Analysis Centers, etc)
Task 1-5: Identify Risk Model and Analytic Approach
Risk Model: Most companies/industries will identify that for you
Analytic Approach
Assessment: Qualitative, Quantitative, Semi-Quantitative
Analysis: Threat-oriented, asset-impact oriented, vulnerability oriented
Step 2: Conduct the Assessment
Task 2-1: Identify and Characterize Threat Sources
Capability
Intent
Targeting Characteristics
See NIST SP 800-30R1, Appendix D for exemplary tables
Step 2: Conduct the Assessment
Task 2-2: Identify potential threat events, relevance of events, and threat sources that could initiate the events
Many-to-many relationship
Multiple sources can carry out an event
A single source can carry out multiple events.
See NIST SP 800-30R1, Appendix E for exemplary tables for use in identify threat events
Step 2: Conduct the Assessment
Task 2-3: Identify vulnerabilities and predisposing conditions
Many-to-many relationship in vulnerabilities
Multiple threat events can target a single vulnerability
Multiple vulnerabilities can be exploited by a single threat event
Predisposing conditions can include mission/business processes, information systems, and environments of operation
Ex: Nurse collecting data in a patient’s room could result in information disclosure to unauthorized individuals and can increase the opportunity for computer theft
Step 2: Conduct the Assessment
Task 2-4: Determine Likelihood
1. That threat events will be initiated
2. How much damage will they cause once initiated?
3. Combination of likelihood of initiation and likelihood they will cause damage
Overall likelihood approaches”
Use the maximum of the two values
Use the minimum of the two values
Use only threat event initiation values
Use only threat impact values
Take a weighted average of the two values
See NIST SP 800-30R1, Appendix G
Step 2: Conduct the Assessment
Task 2-5: Determine impact
Characteristics of the threat source
Vulnerabilities/Predisposing conditions
Susceptibility of the controls planned or implemented to impede such events
Usually want these in a dollar amount
See NIST SP 800-30R1, Appendix H
Step 2: Conduct the Assessment
Task 2-6: Determine Risk
Multiply Probability times Impact
Prioritize based on the highest level of risk
Use this information to determine what controls are needed
See NIST SP 800-30R1, Appendix I
Step 3: Communicating and Sharing Risk Assessment Information
Task 3-1: Communicate risk assessment results
Inform decision makers what you learned
Helps them prioritize risks and the controls need to mitigate risk
Helps them budget for controls
Most organizations will want you to brief the results and many organizations will want recurring risk assessment briefings
See NIST SP 800-30R1, Appendix K
Step 3: Communicating and Sharing Risk Assessment Information
Task 3-2: Share Risk-related Information
Share risk information with other stakeholders in the organization…especially if it affects them
Various laws require RM results are shared with the Executive Branch office that oversees the law (e.g. Department of Health and Human Serves oversees HIPAA)
Share with other in the supply chain
A risk assessment is a snapshot in time. Controls need to be continually monitored
Step 4: Maintaining the Risk Assessment
Task 4-1: Conduct on-going monitoring of the risk factors that contribute to changes in risk
Monitor risk factors (threat sources, threat events, vulnerabilities, predisposing conditions, etc.) that can provide critical information on changing conditions
Also monitor the implementation, effectiveness/efficiency of controls and their ability to mitigate risk
Usually reported to senior leadership on a recurring basis
See NIST SP 800-137 for guidance on the ongoing monitoring of organizational information systems and environments of operation
Step 4: Maintaining the Risk Assessment
Step 4-2: Update risk assessment
If there are significant changes to organizational policy, direction or guidance, revisit the purpose, scope, assumptions and constraints
Also review any new threat events, vulnerabilities, predisposing conditions, undesirable consequences, and affected assets
The point is to keep an eye on things and do updated in between formal risk assessments
Onward
Risk assessment is a continuous process
It give you the risk posture of the organization
It also helps you prioritize risk and make decisions regarding what to do about risk (accept, avoid, transfer, mitigate)
Most organization will take steps to mitigate risk by implement controls.
NIST 800-53R4, “Security and Privacy Controls for Federal Information Systems and Organizations” is where we are heading next
Note: They are NOT just for Federal information systems