The National Institute of Standards and Technology (NIST) announces the initial public draft of Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments. Special Publication 800-30, Revision 1, is the fifth in the series of risk management and information security guidelines being developed by the Joint Task Force, a joint partnership among the Department of Defense, the Intelligence Community, NIST, and the Committee on National Security Systems. The partnership, under the leadership of the Secretary of Defense, the Director of National Intelligence, and the Secretary of Commerce, continues to collaborate on the development of a unified information security framework for the federal government to address the challenges of protecting federal information and information systems as well as the Nation’s critical information infrastructure.
In today’s world of complex and sophisticated threats, risk assessments are an essential tool for organizations to employ as part of a comprehensive risk management program. Risk assessments can help organizations:
- Determine the most appropriate risk responses to ongoing cyber attacks or threats from man-made or natural disasters;
- Guide investment strategies and decisions for the most effective cyber defenses to help protect organizational operations (including missions, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and
- Maintain ongoing situational awareness with regard to the security state of organizational information systems and the environments in which the systems operate.
This publication changes the focus of Special Publication 800-30, which was originally published as a risk management guideline. NIST Special Publication 800-39 has replaced Special Publication 800-30 as the authoritative source of comprehensive risk management guidance, so the update to Special Publication 800-30 focuses exclusively on risk assessment, one of the four steps in the risk management process described in Special Publication 800-39 (frame, assess, respond, monitor). The risk assessment guidance in Special Publication 800-30 has been significantly expanded to include more in-depth information on the risk factors essential to determining information security risk (e.g., threat sources and events, vulnerabilities and predisposing conditions, impact, and likelihood of threat occurrence). A three-step process is described, covering key activities to prepare for risk assessments, activities to conduct risk assessments, and approaches to maintain the currency of assessment results over time.
In addition to providing a comprehensive process for assessing information security risk, the publication also describes how to apply the process at the three tiers in the risk management hierarchy—the organization level, mission/business process level, and information system level. To facilitate ease of use for individuals or groups conducting risk assessments within organizations, a set of exemplary templates, tables, and assessment scales for common risk factors is also provided. The templates, tables, and assessment scales give maximum flexibility in designing risk assessments based on the express purpose, scope, assumptions, and constraints established by organizations.
The public comment period for NIST Special Publication 800-30, Revision 1, is September 19 through November 4, 2011. Please send comments to firstname.lastname@example.org