NIST 800-30 revision, Sep 2012
    Presentation Transcript

    • Information Systems Risk Assessment Framework (ISRAF): an addendum to NIST SP 800-39 (information security risk management) and a revision of NIST SP 800-30. Prepared by S. Periyakaruppan (PK).
    • Need for an addendum/revision?
    • Should it be transformed? Why?
    • Does it need a model/framework?
    • Assessing risk: what and why?
    • Assessing risk: when?
    • Risk framing: model?
    • The Model/Framework: Frame (context) across Tier 1 (organization), Tier 2 (mission/business process) and Tier 3 (information system). The framework addresses the comprehensive risk management function in a hierarchical approach and leverages a context-centric approach.
    • The Focus: Assess, Respond, Monitor. Risk assessment is a key element of risk management. The risk assessment process is modular:
      - Preparation checklist.
      - Activity checklist.
      - Protocol to maintain appropriate results of risk assessments.
      - Method of communicating risk results across the organization.
    • Strategy/Approach
    • Risk – Key concepts
    • Risk – Key Factors
    • Assessing Risk – High Level Process (Step 1, Step 2, Step 3, Step 4)
    • Prepare for Assessment
    • Conducting Assessment
      - Step 1: Identify threat sources and events (intent, target, capability; capability of adversaries; range of effects).
      - Step 2: Identify vulnerabilities and predisposing conditions (effect of existing controls; intentional/accidental flaw or weakness in a system/process).
      - Step 3: Determine likelihood of occurrence (depends on the degree of Step 1 and the effect of Step 2).
      - Step 4: Determine magnitude of impact (result of the BIA; depends on effective BCP/DR, MTTR/MTBF, RTO/RPO).
      - Step 5: Determine risk.
    • Methods of Risk Analysis
      - Threat-oriented: identify threat sources and events; develop the threat model and scenario; identify vulnerabilities in the context of threats.
      - Vulnerability-oriented: identify predisposing conditions; identify exploitable vulnerabilities; identify threats related to the known/open vulnerabilities.
      - Asset/Impact-oriented: identify mission/business-critical assets; analyze the consequences of the adversarial threat event; identify vulnerabilities of critical assets to the threat events/scenarios with severe adverse impact.
    • Methods of Risk Assessment
      - Qualitative: objective-oriented assessment; uses non-numerical values to define risk factors; likelihood and impact given a definite value based on individual expertise.
      - Quantitative: subjective-oriented approach; uses numerical values to define risk factors; likelihood and impact given a definite number based on the history of events.
      - Semi-quantitative: contextual analysis and result-oriented approach; uses bin values (numerical ranges) with a unique meaning and context; likelihood and impact derived from a range of numerical values with a degree of unique context.
    • Sample Assessment Scale: Qualitative, Quantitative, Semi-Quantitative. Caution: the assessment scales and their descriptive meanings vary from organization to organization, and within an organization, at the organization's discretion according to its culture, policies and guidelines.
    • Communicate Results
      - Determine the appropriate method of communication: format defined by the organization; executive briefings; presenting illustrative risk figures; risk assessment dashboards; outline the organization's prioritized risk.
      - Communicate to the designated organizational stakeholders: identify the appropriate authority; ensure the right information reaches the right person at the right time; present contextual information in accordance with the risk strategy.
      - Furnish evidence complying with organizational policies and guidelines: capture the appropriate analysis data supporting the result; include applicable supporting documents to convey the degree of the results; identify and document the sources of internal and external information.
    • Maintain Risk Posture
      - Identify key risk factors: monitor the key risk factors; document the variations; redefine the key risk factors when needed.
      - Define the frequency of revisit: track the risk response as required; initiate the assessment when needed; communicate the results to organizational entities.
      - Reconfirm the scope and assumptions: get concurrence on scope and assumptions from the appropriate authorities; document the plan of action with respect to the risk response.
    • Applications of Risk Assessment
      - Contributes to information risk strategy decisions.
      - Contributes to EA design decisions.
      - Supports IS policy/program/guidance decisions.
      - Supports common control/security standards decisions.
      - Helps select the risk response: avoid/accept/mitigate/transfer.
      - Supports investment decisions: ROSI (Return on Security Investment), VaR (Value at Risk), ALE (Annual Loss Expectancy).
      - Supports EA (Enterprise Architecture) integration into SA.
      - Assists in business/function information continuity decisions.
      - Assists in business process resiliency requirements.
      - Contributes to IS systems design decisions.
      - Supports vendor/product decisions.
      - Supports ongoing system operations authorizations.
    • Risk Assessment in the RMF life cycle (steps 1 through 6)
    • Organizational cultural effects on Risk assessment
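The "Sample Assessment Scale" and "Applications of Risk Assessment" slides above describe semi-quantitative binning of likelihood and impact, the likelihood-by-impact risk level, and ALE/ROSI figures for investment decisions, but show no worked numbers. The following Python is an added example written for this page; it is not code from the presentation or from NIST. The bin boundaries and the risk matrix are transcribed from memory of the SP 800-30 Rev. 1 appendix tables and are an assumption to check against the published document; the threat events, scores and dollar figures are constructed sample input.

```python
"""Semi-quantitative risk scoring plus ALE/ROSI for investment decisions.

Added example for this page, not the presentation's own material. Bin
boundaries and the likelihood x impact matrix are recalled from the
NIST SP 800-30 Rev. 1 appendix tables (assumption: verify against the
published tables; organizations are expected to tailor them anyway).
"""
from dataclasses import dataclass

# Semi-quantitative bins: (low, high, qualitative level, representative value).
# Integer scores 0..100 are fully covered by these five ranges.
BINS = [
    (96, 100, "Very High", 10),
    (80, 95, "High", 8),
    (21, 79, "Moderate", 5),
    (5, 20, "Low", 2),
    (0, 4, "Very Low", 0),
]

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Level of risk: row = likelihood level, column index = impact level (LEVELS order).
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


def to_level(score: int) -> str:
    """Map a 0..100 semi-quantitative score onto its qualitative bin."""
    if not isinstance(score, int) or not 0 <= score <= 100:
        raise ValueError(f"score must be an integer in 0..100, got {score!r}")
    for low, high, level, _ in BINS:
        if low <= score <= high:
            return level
    raise AssertionError("bins do not cover 0..100")  # unreachable by construction


def risk_level(likelihood_score: int, impact_score: int) -> str:
    """Combine likelihood of occurrence and magnitude of impact into a risk level."""
    row = RISK_MATRIX[to_level(likelihood_score)]
    return row[LEVELS.index(to_level(impact_score))]


@dataclass(frozen=True)
class ThreatEvent:
    name: str
    source: str          # adversarial / non-adversarial, as on the Step 1 slide
    likelihood: int      # Step 3 output, semi-quantitative 0..100
    impact: int          # Step 4 output, semi-quantitative 0..100


def rank(events):
    """Return (event, risk level) pairs, highest risk first; stable for ties."""
    scored = [(e, risk_level(e.likelihood, e.impact)) for e in events]
    return sorted(scored, key=lambda pair: -LEVELS.index(pair[1]))


def ale(sle: float, aro: float) -> float:
    """Annual Loss Expectancy = Single Loss Expectancy x Annual Rate of Occurrence."""
    return sle * aro


def rosi(ale_before: float, ale_after: float, control_cost: float) -> float:
    """Return on Security Investment as a ratio of net benefit to control cost."""
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (ale_before - ale_after - control_cost) / control_cost


# Constructed sample input (hypothetical events and scores, not from the page).
SAMPLE_EVENTS = [
    ThreatEvent("Phishing leads to credential theft", "adversarial", 85, 70),
    ThreatEvent("Insider bulk data exfiltration", "adversarial", 15, 97),
    ThreatEvent("Flood disables primary data center", "non-adversarial", 3, 90),
    ThreatEvent("Unpatched web app exploited", "adversarial", 97, 85),
]

if __name__ == "__main__":
    for event, level in rank(SAMPLE_EVENTS):
        print(f"{level:9s}  {event.name}")
    # Constructed figures: a $250k loss event at 0.4/yr, reduced to 0.1/yr by a $30k control.
    before, after = ale(250_000, 0.4), ale(250_000, 0.1)
    print(f"ALE before {before:,.0f}, after {after:,.0f}, ROSI {rosi(before, after, 30_000):.2f}")
```

The binning step is where organizational tailoring happens: moving the Moderate/High boundary, or changing the representative values, changes which events the matrix promotes, so the tailored scale should be recorded alongside the results as the "Communicate Results" slide requires.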