Risk Assessment Process NIST 800-30

  • 39,162 views
Uploaded on

Risk Assessment Process NIST 800-30

Risk Assessment Process NIST 800-30

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
  • Excelente material, gracias Frank
    Are you sure you want to
    Your message goes here
  • A risk assessment is an important step in protecting your workers and your business, as well as complying with the law.

    Risk Assessment Process
    Are you sure you want to
    Your message goes here
  • Impressive presentation of 'Risk Assessment Process NIST 800-30'. You've shown your credibility on presentation with this slideshow. This one deserves thumbs up. I'm John, owner of www.freeringtones.ws/ . Hope to see more quality slides from you.

    Best wishes.
    Are you sure you want to
    Your message goes here
  • thanq its really good and useful to me in thinking about innovation comes along with think of that.... really good work.... tanq for this.....
    Anisa
    http://financejedi.com http://healthjedi.com
    Are you sure you want to
    Your message goes here
  • I would like to add some words on risk assessment from my side. The objective of Risk Assessment is to identify current risks and threats to the business and implement measures to eliminate or reduce those potential risks. The Risk Assessment is only part one of an overall Business Assessment. A Business Assessment is separated into two constituents, Risk Assessment and Business Impact Analysis (BIA). The Risk Assessment is intended to measure present vulnerabilities to the business’s environment, while the Business Impact Analysis evaluates probable loss that could result during a disaster. To maximize the Risk Assessment, a Business Impact Analysis should also be completed. More information on risk assessment can also be found on http://training-hipaa.net/compliance/Security_Risk_Assessment.htm
    Are you sure you want to
    Your message goes here
No Downloads

Views

Total Views
39,162
On Slideshare
0
From Embeds
0
Number of Embeds
9

Actions

Shares
Downloads
3,672
Comments
5
Likes
22

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Risk Assessment Process Based on recommendations of the National Institute of Standards and Technology in “Risk Management Guide for Information Technology Systems” (special publication 800-30)
  • 2. Goal of Risk Management Process
    • Protect the organization’s ability to perform its mission (not just its IT assets)
    • An essential management function (not just an IT technical function)
  • 3. NIST Guide Purpose
    • Provide a foundation for risk management program development
    • Provide information on cost-effective security controls
  • 4. Guide Structure
    • Risk Management Overview
    • Risk Assessment Methodology
    • Risk Mitigation Process
    • Ongoing Risk Evaluation
  • 5. Risk Assessment – a definition
    • “The process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and additional safeguards that would mitigate this impact.”
  • 6. Risk Assessment
    • 1 st process in risk management methodology
    • Used to determine potential threats and associated risk
    • Output of this process helps to identify appropriate controls to reduce or eliminate risk
  • 7. Definitions
    • Vulnerability – weakness that can be accidentally triggered or intentionally exploited
    • Threat-Source – “Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.”
    • Threat – “The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.”
  • 8. Definitions
    • Risk - “…a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.”
    • Risk management – process of identifying, assessing and reducing risk
  • 9. Risk Assessment Methodology
    • Step 1: System Characterization
      • Input: system-related info including
        • Hardware
        • Software
        • System interfaces
        • Data and information
        • People
        • System mission
      • Output:
      • A good picture of system boundary, functions,
      • criticality and sensitivity
  • 10. Risk Assessment Methodology
    • Step 2: Threat Identification
      • Input:
        • Security violation reports
        • Incident reports
        • Data from intelligence agencies and mass media
      • Output:
        • Threat statement listing potential threat-sources
        • (natural, human, environmental) applicable to
        • the system being evaluated
  • 11. Risk Assessment Methodology
    • Step 3: Vulnerability Identification
      • Input:
        • System security tests (e.g. penetration tests)
        • Audit results
        • Vulnerability lists/advisories
        • Security requirements checklist (contains basic security standards)
      • Output:
        • List of system vulnerabilities (flaws or
        • weaknesses) that could be exploited –
        • Vulnerability/Threat pairs
  • 12. Vulnerability/Threat Pair Examples Dialing into the company’s network and accessing proprietary info Terminated employees Terminated employee ID’s are not removed from the system Obtaining unauthorized access to sensitive files based on known vulnerabilities Unauthorized users (e.g. terminated employees, hackers) Vendor has identified security flaws in system and patches have not been applied Water sprinklers being turned on Fire; negligent persons Water sprinklers used for fire suppression and no protective coverings in place Threat Action Threat-Source Vulnerability
  • 13. Risk Assessment Methodology
    • Step 4: Control Analysis
      • Input: c urrent controls, planned controls
        • Control Methods – may be technical or non-technical
        • Control Categories – preventative or detective (e.g. audit trails)
      • Output:
        • List of current and planned controls
  • 14. Risk Assessment Methodology
    • Step 5: Likelihood Determination
      • Input:
        • Threat-source motivation & capability
        • Nature of the vulnerability
        • Existence & effectiveness of current controls
      • Output:
        • Likelihood rating of High, Medium or Low
  • 15. Risk Assessment Methodology
    • Step 6: Impact Analysis
      • Input:
        • System mission
        • System and data criticality
        • System and data sensitivity
      • Analysis:
      • Adverse impact described in terms of loss or degradation of integrity, confidentiality, availability
      • Output:
        • Impact Rating of High, Medium or Low
  • 16. Risk Assessment Methodology
    • Step 7: Risk Determination
      • Input:
        • Likelihood of threat
        • Magnitude of risk
        • Adequacy of planned or current controls
      • Output:
        • Risk Level Matrix ( Risk Level = Threat Likelihood x Threat Impact)
        • Risk Scale and Necessary Actions
  • 17. Risk-Level Matrix Low 100 X 0.1 = 10 Low 50 X 0.1 = 5 Low 10 X 0.1 = 1 Low (0.1) Medium 100 X 0.5 = 50 Medium 50 X 0.5 = 25 Low 10 X 0.5 = 5 Medium (0.5) High 100 X 1.0 = 100 Medium 50 X 1.0 = 50 Low 10 X 1.0 = 10 High (1.0) High (100) Medium (50) Low (10) Impact Threat Likelihood
  • 18. Risk Scale & Necessary Actions
    • Determine whether corrective actions
    • are still required or decide to accept
    • the risk
    Low
    • Corrective actions are needed
    • Plan must be developed within a
    • reasonable period of time
    Medium
    • Strong need for corrective measures
    • Corrective action plan must be put in
    • place as soon as possible
    High Risk Description and Necessary Actions Risk Level
  • 19. Risk Assessment Methodology
    • Step 8: Control Recommendations
      • Factors to consider
        • Effectiveness of recommended option
        • Legislation and regulation
        • Organizational policy
        • Operational impact
        • Safety and reliability
      • Output:
        • Recommended controls and alternative
        • solutions to mitigate risk
  • 20. Risk Assessment Methodology
    • Step 9: Results Documentation
      • Output:
        • Risk Assessment Report
        • Presented to senior management and mission owners
        • Describes threats & vulnerabilities, measures risk and provides recommendations on controls to implement
        • Purpose: Assist decision-makers in making decisions on policy, procedural, budget and system operational and management changes