NIST SPECIAL PUBLICATION 800-30
INTRODUCTION
• NIST SP 800-30 provides guidance for conducting risk assessments of
information systems and organizations.
• NIST SP 800-30 is designed so that it can translate complex cyber threats
into language that is easy for the board to understand.
• Any organization, private or public, is heavily dependent on information
systems to successfully carry out its day-to-day operations. Information
systems may include a plethora of entities, from office networks to personnel
systems to very specialized systems.
• To mitigate risks, one needs to create recommendations and implementation
plans. This helps reduce the likelihood of a threat and hence mitigates the
impact of a cyber event.
RISK MANAGEMENT PROCESS
I. First, frame risk, or establish a risk context, to produce a risk
management strategy that addresses how organizations intend to assess
risk, respond to risk, and monitor risk.
II. The second component of risk management addresses how
organizations assess risk within the context of the organizational risk
frame. The purpose of the risk assessment component is to identify:
  • Threats
  • Vulnerabilities
  • Impact
  • Likelihood
III. The third component of risk management addresses how organizations
respond to risk once that risk is determined based on the results of a risk
assessment.
IV. The fourth component of risk management addresses how organizations
monitor risk over time.
RISK ASSESSMENT
• NIST SP 800-30 is used to perform a risk assessment within the parameters
of the NIST framework to identify, estimate and prioritize risk to the
operations of organizations. The purpose of risk assessment is to inform
decision-makers and support their risk responses by establishing:
  • Both internal and external vulnerabilities
  • Relevant threats to the organization
  • Impact on the organization
  • Likelihood of harm occurring
• Risk assessments are not simply one-time activities that provide
permanent and definitive information for decision makers to guide and
inform responses to information security risks. Rather, organizations
employ risk assessments on an ongoing basis throughout the system
development life cycle and across all of the tiers in the risk management
hierarchy, with the frequency of the risk assessments and the resources
applied during the assessments commensurate with the expressly defined
purpose and scope of the assessments.
• In particular, SP 800-30 guides the execution of the following steps of the
risk assessment process:
  • Preparing for the risk assessment
  • Conducting the assessment
  • Communicating the results of the assessment
  • Maintaining the assessment
KEY RISK CONCEPTS
• Threat - A threat is any circumstance or event with the potential to
adversely impact organizational operations and assets, individuals, other
organizations, or the Nation through an information system via unauthorized
access, destruction, disclosure, or modification of information, and/or denial
of service.
• Vulnerability - A vulnerability is a weakness in an information system,
system security procedures, internal controls, or implementation that could
be exploited by a threat source.
• Likelihood - The likelihood of occurrence is a weighted risk factor based
on an analysis of the probability that a given threat is capable of exploiting a
given vulnerability (or set of vulnerabilities).
• Impact - The level of impact from a threat event is the magnitude of harm
that can be expected to result from the consequences of unauthorized
disclosure of information, unauthorized modification of information,
unauthorized destruction of information, or loss of information or
information system availability.
• Risk - Risk is a function of the likelihood of a threat event's occurrence
and the potential adverse impact should the event occur.
• Aggregation - Organizations may use risk aggregation to roll up several
discrete or lower-level risks into a more general or higher-level risk.
Organizations may also use risk aggregation to efficiently manage the scope
and scale of risk assessments involving multiple information systems and
multiple mission/business processes.
• Uncertainty - Uncertainty is inherent in the evaluation of risk.
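The definitions above say risk is a function of likelihood and impact, and that discrete risks can be aggregated into a higher-level one. The following Python risk register is an added example, not part of the slide deck: its five-level combination matrix is modeled on the likelihood/impact table in SP 800-30 Rev. 1 Appendix I, and the register entries and the "worst component drives the roll-up" aggregation rule are this example's own assumptions.

```python
"""Qualitative risk scoring and aggregation in the style of NIST SP 800-30.

Added example. Risk = f(likelihood, impact) via a five-level matrix modeled
on the combination table in SP 800-30 Rev. 1 Appendix I. The register
entries and the roll-up rule are constructed assumptions, not deck content.
"""
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Row = likelihood, column index = impact (in LEVELS order), cell = risk level.
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


@dataclass(frozen=True)
class RiskItem:
    """One discrete risk: a threat source exploiting a vulnerability."""
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    system: str          # the higher-level unit the risk rolls up into


def risk_level(likelihood: str, impact: str) -> str:
    """Combine qualitative likelihood and impact into a risk level."""
    if likelihood not in RISK_MATRIX or impact not in LEVELS:
        raise ValueError(f"unknown level: {likelihood!r}/{impact!r}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


def aggregate(levels):
    """Roll several discrete risk levels up into one higher-level risk.
    Assumption: the aggregate is driven by the worst component."""
    if not levels:
        raise ValueError("nothing to aggregate")
    return max(levels, key=LEVELS.index)


def assess(register):
    """Score every item, then return (per-system roll-up, items by priority)."""
    by_system, scored = {}, []
    for item in register:
        level = risk_level(item.likelihood, item.impact)
        scored.append((item, level))
        by_system.setdefault(item.system, []).append(level)
    rollup = {s: aggregate(ls) for s, ls in by_system.items()}
    scored.sort(key=lambda pair: LEVELS.index(pair[1]), reverse=True)
    return rollup, scored


# Constructed sample register (illustrative entries, not real findings).
SAMPLE_REGISTER = [
    RiskItem("Phishing", "No awareness training", "High", "Moderate", "Office network"),
    RiskItem("Credential stuffing", "No MFA on webmail", "High", "High", "Office network"),
    RiskItem("Insider misuse", "Excess privileges in HR app", "Low", "High", "Personnel system"),
    RiskItem("Power loss", "Single UPS", "Very Low", "Moderate", "Personnel system"),
]

if __name__ == "__main__":
    rollup, scored = assess(SAMPLE_REGISTER)
    for system, level in rollup.items():
        print(f"{system}: {level}")
    for item, level in scored:
        print(f"  [{level}] {item.threat} via {item.vulnerability}")
```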
CONDUCTING RISK ASSESSMENTS WITHIN ORGANIZATIONS
The process of assessing information security risk includes:
I. a high-level overview of the risk assessment process;
II. the activities necessary to prepare for risk assessments;
III. the activities necessary to conduct effective risk assessments;
IV. the activities necessary to communicate the assessment results and share
risk-related information; and
V. the activities necessary to maintain the results of risk assessments on an
ongoing basis.
The risk assessment process is composed of four steps:
I. prepare for the assessment;
II. conduct the assessment;
III. communicate assessment results; and
IV. maintain the assessment.
Previous assessments play a key role in understanding the vulnerabilities
and assist with the current requirements. This whole exercise helps with
understanding the weaknesses of the information system, which one can use
as a starting point to improve upon.