
NIST Releases Guide for Conducting Risk Assessments

The National Institute of Standards and Technology (NIST) has released the Guide for Conducting Risk Assessments (NIST Special Publication 800-30, Revision 1).

As threats to cyber systems grow more complex, risk assessments help organizations determine appropriate responses to mitigate risk, guide investment strategies, and maintain ongoing situational awareness of the state of their systems.

Overall guidance for risk assessment for information security can be found in Managing Information Security Risk: Organization, Mission, and Information System View (NIST SP 800-39).


Comments

  1. The NIST guidelines for risk management are based on the ISO 31000 risk management standards, which borrowed heavily from the AS/NZS 4360 risk management standards that preceded them by a decade.  All of these standards follow a common approach for assessing inherent (uncontrolled) risk.  The most common risk assessment model is to use a 5 x 5 risk matrix, with one axis for the different levels of Likelihood and the other axis for different levels of Consequences (called Impact by the NIST guidelines).  Where the columns and rows intersect in the risk matrix (see Table G-5) determines the inherent risk score, which falls into one of several severity bands (very high, high, moderate, low, very low in the example).  Therefore an Impact of Very High and a Likelihood of Moderate in this model would result in an inherent risk score falling into the High severity band.  These are subjective descriptions, but if you also assign numeric scores to the columns and rows of the risk matrix and calculate the result using multiplication, then an inherent risk score of 15 would be the result of C5 x L3, and a score of 15 would fall within the numeric score range defined for the high severity band. This is great for calculating the inherent risk score, and where we have a single control the residual risk score could be similarly calculated by identifying how the control impacts either the Likelihood or the Impact. Say the control moves the likelihood from Moderate down to Low; the residual risk score would now be 10 (C5 x L2), which falls within the Moderate score band.
    Unfortunately, while all of the standards discuss the concept of residual risk, none of them clearly explain how you actually arrive at a residual risk score when more than one control is implemented.
    An advantage of calculating the inherent and residual risk scores numerically is that you can easily calculate a numeric value for each control by subtracting the inherent risk score from the residual risk score for each control in isolation, and then subtract the sum of multiple controls from the numeric score of the inherent risk. This approach also means that the residual risk score (where multiple controls are applied) can actually exceed the lowest numeric value possible within the risk matrix; in other words, you can have a negative value for the residual risk. This could mean that you have raised more controls than are absolutely necessary, but that is OK provided it is deliberate and you can justify the cost and effort of some over-controlling.  Another advantage of numerically scoring each control is to highlight any controls that don't have any effect on either the likelihood or the impact. This simply means that they are not really controls at all.

  2. Ian:

    I can't quite follow your logic.  What are the scales for the various ranges?  Also, using what you have said and creating the matrix, I found some inconsistencies (if I am understanding what you are saying correctly).  See below.  Can you help me understand?  Thanks.

    (rows: Threat Likelihood; columns: Impact)

    Threat Likelihood \ Impact   Very Low (1)   Low (2)        Moderate (3)   High (4)        Very High (5)
    Very High (5)                Low (5)        Moderate (10)  High (15)      Very High (20)  Very High (25)
    High (4)                     Low (4)        Moderate (8)   High (12)      High (16)       Very High (20)
    Moderate (3)                 Very Low (3)   Low (6)        Moderate (9)   Moderate (12)   High (15)
    Low (2)                      Very Low (2)   Low (4)        Low (6)        Low (8)         Moderate (10)
    Very Low (1)                 Very Low (1)   Very Low (2)   Very Low (3)   Low (4)         Low (5)

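The following Python is an added worked example, not code from the original post, from either commenter, or from NIST SP 800-30 Rev. 1. It puts the numeric scoring scheme from the first comment (1-5 scale values multiplied, product mapped to a severity band, each control valued in isolation and the values summed) next to the qualitative 5 x 5 table exactly as the second comment lays it out, and adds the check a practitioner would want: whether any numeric banding of the product can reproduce that table at all. The band cut-points, the 1-5 scale values and the four sample controls are constructed assumptions; a control's value is computed here as inherent minus residual, so that it is positive and the sum of several values can be subtracted from the inherent score in the way the first comment goes on to describe.

```python
"""5 x 5 likelihood x impact risk-matrix scoring, following the scheme discussed
in the comments above. Added example, not code from NIST SP 800-30 Rev. 1;
the band cut-points and the sample controls are constructed assumptions."""

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]
SCORE = {name: i + 1 for i, name in enumerate(LEVELS)}  # Very Low = 1 ... Very High = 5

# Qualitative risk levels exactly as posted in the second comment's table:
# keys are threat likelihood, list positions are impact from Very Low to Very High.
QUALITATIVE = {
    "Very High": ["Low", "Moderate", "High", "Very High", "Very High"],
    "High":      ["Low", "Moderate", "High", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}

# Severity bands for the numeric product (1..25). Assumed cut-points, chosen so
# that 15 lands in High and 10 in Moderate, the two worked numbers in the first comment.
BANDS = [(1, 3, "Very Low"), (4, 6, "Low"), (7, 12, "Moderate"),
         (13, 19, "High"), (20, 25, "Very High")]


def numeric_score(likelihood, impact):
    """Inherent risk score as the product of the two 1..5 scale values."""
    return SCORE[likelihood] * SCORE[impact]


def band(score):
    """Map a numeric score to its band. A score below the matrix minimum means
    the summed control values exceeded the inherent score (over-controlled)."""
    for low, high, name in BANDS:
        if low <= score <= high:
            return name
    return "Over-controlled" if score < 1 else "Out of range"


def qualitative(likelihood, impact):
    """Risk level read straight from the posted qualitative table."""
    return QUALITATIVE[likelihood][SCORE[impact] - 1]


def ambiguous_scores():
    """Products that the qualitative table labels with more than one level.
    Any entry here means no banding of the product alone can reproduce the table."""
    seen = {}
    for lik in LEVELS:
        for imp in LEVELS:
            seen.setdefault(numeric_score(lik, imp), set()).add(qualitative(lik, imp))
    return {s: labels for s, labels in seen.items() if len(labels) > 1}


def control_value(likelihood, impact, control):
    """Value of one control in isolation: inherent score minus the score after the
    control lowers one axis by `levels` (floored at Very Low). `control` is a dict
    {"name", "axis": "likelihood" | "impact" | "none", "levels": int}."""
    lik, imp = SCORE[likelihood], SCORE[impact]
    if control["axis"] == "likelihood":
        lik = max(1, lik - control["levels"])
    elif control["axis"] == "impact":
        imp = max(1, imp - control["levels"])
    return numeric_score(likelihood, impact) - lik * imp


def residual_score(likelihood, impact, controls):
    """Residual score with several controls: inherent minus the sum of each
    control's isolated value. Returns (residual, names of zero-value controls)."""
    inherent = numeric_score(likelihood, impact)
    values = {c["name"]: control_value(likelihood, impact, c) for c in controls}
    ineffective = [name for name, v in values.items() if v == 0]
    return inherent - sum(values.values()), ineffective


# Constructed sample (hypothetical controls): Very High impact, Moderate likelihood.
SAMPLE_CONTROLS = [
    {"name": "MFA on admin accounts", "axis": "likelihood", "levels": 1},
    {"name": "Offline backups", "axis": "impact", "levels": 2},
    {"name": "Awareness poster", "axis": "none", "levels": 0},
    {"name": "Network segmentation", "axis": "likelihood", "levels": 2},
]

if __name__ == "__main__":
    lik, imp = "Moderate", "Very High"
    inherent = numeric_score(lik, imp)
    print("inherent:", inherent, band(inherent), "/ table says:", qualitative(lik, imp))
    print("products with two labels in the table:", ambiguous_scores())
    for c in SAMPLE_CONTROLS:
        print(f"{c['name']}: value {control_value(lik, imp, c)}")
    resid, dead = residual_score(lik, imp, SAMPLE_CONTROLS)
    print("residual with all controls:", resid, band(resid), "/ no effect:", dead)
```

Running it shows why the second comment's matrix cannot be made consistent by picking better cut-points: the products 8 and 12 each carry two different labels in the posted table (High x Low is Moderate while Low x High is Low; High x Moderate is High while Moderate x High is Moderate), so the qualitative levels are not a function of the product at all. The residual run reproduces the first comment's arithmetic: the first two sample controls take 15 down to 4 (Low), stacking all four drives the score to -6, which is the negative residual the comment describes, and the control that moves neither axis is reported with a value of 0.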

