the Grade

profileAbduallah
NISTSP800-30R1-1.pptx

NIST SP 800-30R1

Module 3

The Process

4 Step Process

Step 1: Prepare for Assessment

Step 2: Conduct Assessment

Step 3: Communicate Results

Step 4: Maintain Assessment

Each step is divided into a set of tasks

Consistent with the assessment process in 800-39

Step 1: Prepare for Assessment

Task 1-1: Identify the purpose of the assessment

Can be at Tiers 1, 2 or 3

Initial Assessment

Establishing baseline assessment of risk

Identifying threats and vulnerabilities to be tracked over time as part of risk monitoring

Providing a comparative analysis of alternative risk responses

Answering a specific question (e.g. What is the risk of delivering packages with drones?)

Reassessment

Ongoing determination of the effectiveness of security controls

Changes to information systems or operational environment

Results from compliance verification activities

Initiated by organization due to events that have occurred

Step 1: Prepare for Assessment

Task 1-2: Identify the scope of the assessment

Organizational Applicability: Which parts of the organization are affect by the RA?

Effectiveness Time Frame: How long are the results of the RA useful to inform risk-based decisions?

Architecture/Technology Considerations: What systems and how do they fit in the overall architecture?

Step 1: Prepare for Assessment

Task 1-3: Assumptions and constraints

Assumptions

Threat sources

Threat events

Vulnerabilities and Pre-existing conditions

Likelihood

Impacts

Risk Tolerance and Uncertainty

Analytical Approach

Constraints

Resources available for assessment

Skills and expertise required

Operational considerations related to mission/business activies

Step 1: Prepare for Assessment

Task 1-4: Identify the sources of threat, vulnerability and impact information

Internal

External (US-CERT, Information Sharing and Analysis Centers, etc)

Task 1-5: Identify Risk Model and Analytic Approach

Risk Model: Most companies/industries will identify that for you

Analytic Approach

Assessment: Qualitative, Quantitative, Semi-Quantitative

Analysis: Threat-oriented, asset-impact oriented, vulnerability oriented

Step 2: Conduct the Assessment

Task 2-1: Identify and Characterize Threat Sources

Capability

Intent

Targeting Characteristics

See NIST SP 800-30R1, Appendix D for exemplary tables

Step 2: Conduct the Assessment

Task 2-2: Identify potential threat events, relevance of events, and threat sources that could initiate the events

Many-to-many relationship

Multiple sources can carry out an event

A single source can carry out multiple events.

See NIST SP 800-30R1, Appendix E for exemplary tables for use in identify threat events

Step 2: Conduct the Assessment

Task 2-3: Identify vulnerabilities and predisposing conditions

Many-to-many relationship in vulnerabilities

Multiple threat events can target a single vulnerability

Multiple vulnerabilities can be exploited by a single threat event

Predisposing conditions can include mission/business processes, information systems, and environments of operation

Ex: Nurse collecting data in a patient’s room could result in information disclosure to unauthorized individuals and can increase the opportunity for computer theft

Step 2: Conduct the Assessment

Task 2-4: Determine Likelihood

1. That threat events will be initiated

2. How much damage will they cause once initiated?

3. Combination of likelihood of initiation and likelihood they will cause damage

Overall likelihood approaches”

Use the maximum of the two values

Use the minimum of the two values

Use only threat event initiation values

Use only threat impact values

Take a weighted average of the two values

See NIST SP 800-30R1, Appendix G

Step 2: Conduct the Assessment

Task 2-5: Determine impact

Characteristics of the threat source

Vulnerabilities/Predisposing conditions

Susceptibility of the controls planned or implemented to impede such events

Usually want these in a dollar amount

See NIST SP 800-30R1, Appendix H

Step 2: Conduct the Assessment

Task 2-6: Determine Risk

Multiply Probability times Impact

Prioritize based on the highest level of risk

Use this information to determine what controls are needed

See NIST SP 800-30R1, Appendix I

Step 3: Communicating and Sharing Risk Assessment Information

Task 3-1: Communicate risk assessment results

Inform decision makers what you learned

Helps them prioritize risks and the controls need to mitigate risk

Helps them budget for controls

Most organizations will want you to brief the results and many organizations will want recurring risk assessment briefings

See NIST SP 800-30R1, Appendix K

Step 3: Communicating and Sharing Risk Assessment Information

Task 3-2: Share Risk-related Information

Share risk information with other stakeholders in the organization…especially if it affects them

Various laws require RM results are shared with the Executive Branch office that oversees the law (e.g. Department of Health and Human Serves oversees HIPAA)

Share with other in the supply chain

A risk assessment is a snapshot in time. Controls need to be continually monitored

Step 4: Maintaining the Risk Assessment

Task 4-1: Conduct on-going monitoring of the risk factors that contribute to changes in risk

Monitor risk factors (threat sources, threat events, vulnerabilities, predisposing conditions, etc.) that can provide critical information on changing conditions

Also monitor the implementation, effectiveness/efficiency of controls and their ability to mitigate risk

Usually reported to senior leadership on a recurring basis

See NIST SP 800-137 for guidance on the ongoing monitoring of organizational information systems and environments of operation

Step 4: Maintaining the Risk Assessment

Step 4-2: Update risk assessment

If there are significant changes to organizational policy, direction or guidance, revisit the purpose, scope, assumptions and constraints

Also review any new threat events, vulnerabilities, predisposing conditions, undesirable consequences, and affected assets

The point is to keep an eye on things and do updated in between formal risk assessments

Onward

Risk assessment is a continuous process

It give you the risk posture of the organization

It also helps you prioritize risk and make decisions regarding what to do about risk (accept, avoid, transfer, mitigate)

Most organization will take steps to mitigate risk by implement controls.

NIST 800-53R4, “Security and Privacy Controls for Federal Information Systems and Organizations” is where we are heading next

Note: They are NOT just for Federal information systems