Risk Assessment Guide addresses federal information systems.
Press Release Summary:
Sep 30, 2011 - As an update to the original 2002 publication, Guide for Conducting Risk Assessments (NIST Special Publication 800-30, Revision 1) provides an authoritative source of comprehensive risk assessment guidance for federal information systems. Overall guidance on risk management for information systems is covered in Managing Information Security Risk: Organization, Mission, and Information System View (NIST SP 800-39), issued last March. The updated SP 800-30 focuses exclusively on risk assessments.
Original Press Release
Comprehensive Risk Assessment Guidance for Federal Information Systems Published
Press release date: Sep 20, 2011
"Risk assessments can help federal agencies effectively evaluate the current threat, organizational and information system vulnerabilities, potential adverse impacts to core missions and business operations, using the results to determine appropriate risk responses," said NIST Fellow Ron Ross.
Overall guidance on risk management for information systems is now covered in Managing Information Security Risk: Organization, Mission, and Information System View (NIST SP 800-39), issued last March.* The updated SP 800-30 now focuses exclusively on risk assessments, one of the four steps in risk management, says Ross.
As threats to computer systems grow more complex and sophisticated, risk assessments are an important tool for organizations to rely on as part of a comprehensive risk management program, Ross explains. Risk assessments help organizations:
The guidance in the revised publication has been significantly expanded to include more information on a variety of risk factors essential to determining information security risk, such as threat sources and events, vulnerabilities and predisposing conditions, impact, and likelihood of threat occurrence. The publication describes a three-step process to help organizations prepare for risk assessments, successfully conduct risk assessments and keep assessment results up to date.
Guide for Conducting Risk Assessments also describes how to apply the risk assessment process at the three tiers of the risk management hierarchy outlined in Special Publication 800-39. Sample templates, tables and assessment scales for common risk factors are provided for users to adapt to their own organizational risk assessments based on the purpose, scope, assumptions, and constraints of the assessments.
Guide for Conducting Risk Assessments is the fifth guideline developed for the unified information security framework under the direction of the Joint Task Force, a joint partnership among the Department of Defense, the intelligence community, NIST and the Committee on National Security Systems. The task force will continue to collaborate on protecting federal information systems and the nation's critical information infrastructure.
Guide for Conducting Risk Assessments (Special Publication 800-30, Revision 1) may be downloaded from: csrc.nist.gov/publications/drafts/800-30-rev1/SP800-30-Rev1-ipd.pdf. Please send comments to firstname.lastname@example.org by Nov. 4.
* Managing Information Security Risk: Organization, Mission, and Information System View (NIST SP 800-39) is available online at http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf.
The National Institute of Standards and Technology (NIST) is an agency of the U.S. Department of Commerce.