Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Risk Assessment Process NIST 800-30

59,475 views

Published on

Risk Assessment Process NIST 800-30

Published in: Economy & Finance, Technology
  • Excelente material, gracias Frank
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • A risk assessment is an important step in protecting your workers and your business, as well as complying with the law.

    Risk Assessment Process
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Impressive presentation of 'Risk Assessment Process NIST 800-30'. You've shown your credibility on presentation with this slideshow. This one deserves thumbs up. I'm John, owner of www.freeringtones.ws/ . Hope to see more quality slides from you.

    Best wishes.
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • thanq its really good and useful to me in thinking about innovation comes along with think of that.... really good work.... tanq for this.....
    Anisa
    http://financejedi.com http://healthjedi.com
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • I would like to add some words on risk assessment from my side. The objective of Risk Assessment is to identify current risks and threats to the business and implement measures to eliminate or reduce those potential risks. The Risk Assessment is only part one of an overall Business Assessment. A Business Assessment is separated into two constituents, Risk Assessment and Business Impact Analysis (BIA). The Risk Assessment is intended to measure present vulnerabilities to the business’s environment, while the Business Impact Analysis evaluates probable loss that could result during a disaster. To maximize the Risk Assessment, a Business Impact Analysis should also be completed. More information on risk assessment can also be found on http://training-hipaa.net/compliance/Security_Risk_Assessment.htm
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

Risk Assessment Process NIST 800-30

  1. 1. Risk Assessment Process Based on recommendations of the National Institute of Standards and Technology in “Risk Management Guide for Information Technology Systems” (special publication 800-30)
  2. 2. Goal of Risk Management Process <ul><li>Protect the organization’s ability to perform its mission (not just its IT assets) </li></ul><ul><li>An essential management function (not just an IT technical function) </li></ul>
  3. 3. NIST Guide Purpose <ul><li>Provide a foundation for risk management program development </li></ul><ul><li>Provide information on cost-effective security controls </li></ul>
  4. 4. Guide Structure <ul><li>Risk Management Overview </li></ul><ul><li>Risk Assessment Methodology </li></ul><ul><li>Risk Mitigation Process </li></ul><ul><li>Ongoing Risk Evaluation </li></ul>
  5. 5. Risk Assessment – a definition <ul><li>“The process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and additional safeguards that would mitigate this impact.” </li></ul>
  6. 6. Risk Assessment <ul><li>1 st process in risk management methodology </li></ul><ul><li>Used to determine potential threats and associated risk </li></ul><ul><li>Output of this process helps to identify appropriate controls to reduce or eliminate risk </li></ul>
  7. 7. Definitions <ul><li>Vulnerability – weakness that can be accidentally triggered or intentionally exploited </li></ul><ul><li>Threat-Source – “Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.” </li></ul><ul><li>Threat – “The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.” </li></ul>
  8. 8. Definitions <ul><li>Risk - “…a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.” </li></ul><ul><li>Risk management – process of identifying, assessing and reducing risk </li></ul>
  9. 9. Risk Assessment Methodology <ul><li>Step 1: System Characterization </li></ul><ul><ul><li>Input: system-related info including </li></ul></ul><ul><ul><ul><li>Hardware </li></ul></ul></ul><ul><ul><ul><li>Software </li></ul></ul></ul><ul><ul><ul><li>System interfaces </li></ul></ul></ul><ul><ul><ul><li>Data and information </li></ul></ul></ul><ul><ul><ul><li>People </li></ul></ul></ul><ul><ul><ul><li>System mission </li></ul></ul></ul><ul><ul><li>Output: </li></ul></ul><ul><ul><li>A good picture of system boundary, functions, </li></ul></ul><ul><ul><li>criticality and sensitivity </li></ul></ul>
  10. 10. Risk Assessment Methodology <ul><li>Step 2: Threat Identification </li></ul><ul><ul><li>Input: </li></ul></ul><ul><ul><ul><li>Security violation reports </li></ul></ul></ul><ul><ul><ul><li>Incident reports </li></ul></ul></ul><ul><ul><ul><li>Data from intelligence agencies and mass media </li></ul></ul></ul><ul><ul><li>Output: </li></ul></ul><ul><ul><ul><li>Threat statement listing potential threat-sources </li></ul></ul></ul><ul><ul><ul><li>(natural, human, environmental) applicable to </li></ul></ul></ul><ul><ul><ul><li>the system being evaluated </li></ul></ul></ul>
  11. 11. Risk Assessment Methodology <ul><li>Step 3: Vulnerability Identification </li></ul><ul><ul><li>Input: </li></ul></ul><ul><ul><ul><li>System security tests (e.g. penetration tests) </li></ul></ul></ul><ul><ul><ul><li>Audit results </li></ul></ul></ul><ul><ul><ul><li>Vulnerability lists/advisories </li></ul></ul></ul><ul><ul><ul><li>Security requirements checklist (contains basic security standards) </li></ul></ul></ul><ul><ul><li>Output: </li></ul></ul><ul><ul><ul><li>List of system vulnerabilities (flaws or </li></ul></ul></ul><ul><ul><ul><li>weaknesses) that could be exploited – </li></ul></ul></ul><ul><ul><ul><li>Vulnerability/Threat pairs </li></ul></ul></ul>
  12. 12. Vulnerability/Threat Pair Examples Dialing into the company’s network and accessing proprietary info Terminated employees Terminated employee ID’s are not removed from the system Obtaining unauthorized access to sensitive files based on known vulnerabilities Unauthorized users (e.g. terminated employees, hackers) Vendor has identified security flaws in system and patches have not been applied Water sprinklers being turned on Fire; negligent persons Water sprinklers used for fire suppression and no protective coverings in place Threat Action Threat-Source Vulnerability
  13. 13. Risk Assessment Methodology <ul><li>Step 4: Control Analysis </li></ul><ul><ul><li>Input: c urrent controls, planned controls </li></ul></ul><ul><ul><ul><li>Control Methods – may be technical or non-technical </li></ul></ul></ul><ul><ul><ul><li>Control Categories – preventative or detective (e.g. audit trails) </li></ul></ul></ul><ul><ul><li>Output: </li></ul></ul><ul><ul><ul><li>List of current and planned controls </li></ul></ul></ul>
  14. 14. Risk Assessment Methodology <ul><li>Step 5: Likelihood Determination </li></ul><ul><ul><li>Input: </li></ul></ul><ul><ul><ul><li>Threat-source motivation & capability </li></ul></ul></ul><ul><ul><ul><li>Nature of the vulnerability </li></ul></ul></ul><ul><ul><ul><li>Existence & effectiveness of current controls </li></ul></ul></ul><ul><ul><li>Output: </li></ul></ul><ul><ul><ul><li>Likelihood rating of High, Medium or Low </li></ul></ul></ul>
  15. 15. Risk Assessment Methodology <ul><li>Step 6: Impact Analysis </li></ul><ul><ul><li>Input: </li></ul></ul><ul><ul><ul><li>System mission </li></ul></ul></ul><ul><ul><ul><li>System and data criticality </li></ul></ul></ul><ul><ul><ul><li>System and data sensitivity </li></ul></ul></ul><ul><ul><li>Analysis: </li></ul></ul><ul><ul><li>Adverse impact described in terms of loss or degradation of integrity, confidentiality, availability </li></ul></ul><ul><ul><li>Output: </li></ul></ul><ul><ul><ul><li>Impact Rating of High, Medium or Low </li></ul></ul></ul>
  16. 16. Risk Assessment Methodology <ul><li>Step 7: Risk Determination </li></ul><ul><ul><li>Input: </li></ul></ul><ul><ul><ul><li>Likelihood of threat </li></ul></ul></ul><ul><ul><ul><li>Magnitude of risk </li></ul></ul></ul><ul><ul><ul><li>Adequacy of planned or current controls </li></ul></ul></ul><ul><ul><li>Output: </li></ul></ul><ul><ul><ul><li>Risk Level Matrix ( Risk Level = Threat Likelihood x Threat Impact) </li></ul></ul></ul><ul><ul><ul><li>Risk Scale and Necessary Actions </li></ul></ul></ul>
  17. 17. Risk-Level Matrix Low 100 X 0.1 = 10 Low 50 X 0.1 = 5 Low 10 X 0.1 = 1 Low (0.1) Medium 100 X 0.5 = 50 Medium 50 X 0.5 = 25 Low 10 X 0.5 = 5 Medium (0.5) High 100 X 1.0 = 100 Medium 50 X 1.0 = 50 Low 10 X 1.0 = 10 High (1.0) High (100) Medium (50) Low (10) Impact Threat Likelihood
  18. 18. Risk Scale & Necessary Actions <ul><li>Determine whether corrective actions </li></ul><ul><li>are still required or decide to accept </li></ul><ul><li>the risk </li></ul>Low <ul><li>Corrective actions are needed </li></ul><ul><li>Plan must be developed within a </li></ul><ul><li>reasonable period of time </li></ul>Medium <ul><li>Strong need for corrective measures </li></ul><ul><li>Corrective action plan must be put in </li></ul><ul><li>place as soon as possible </li></ul>High Risk Description and Necessary Actions Risk Level
  19. 19. Risk Assessment Methodology <ul><li>Step 8: Control Recommendations </li></ul><ul><ul><li>Factors to consider </li></ul></ul><ul><ul><ul><li>Effectiveness of recommended option </li></ul></ul></ul><ul><ul><ul><li>Legislation and regulation </li></ul></ul></ul><ul><ul><ul><li>Organizational policy </li></ul></ul></ul><ul><ul><ul><li>Operational impact </li></ul></ul></ul><ul><ul><ul><li>Safety and reliability </li></ul></ul></ul><ul><ul><li>Output: </li></ul></ul><ul><ul><ul><li>Recommended controls and alternative </li></ul></ul></ul><ul><ul><ul><li>solutions to mitigate risk </li></ul></ul></ul>
  20. 20. Risk Assessment Methodology <ul><li>Step 9: Results Documentation </li></ul><ul><ul><li>Output: </li></ul></ul><ul><ul><ul><li>Risk Assessment Report </li></ul></ul></ul><ul><ul><ul><li>Presented to senior management and mission owners </li></ul></ul></ul><ul><ul><ul><li>Describes threats & vulnerabilities, measures risk and provides recommendations on controls to implement </li></ul></ul></ul><ul><ul><ul><li>Purpose: Assist decision-makers in making decisions on policy, procedural, budget and system operational and management changes </li></ul></ul></ul>

×