NIST 800-30 Intro to Conducting Risk Assessments - Part 1
-
Upload
denise-tawwab -
Category
Technology
-
view
580 -
download
3
Transcript of NIST 800-30 Intro to Conducting Risk Assessments - Part 1
![Page 1: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/1.jpg)
INTRO TO CONDUCTIONG RISK ASSESSMENTSNIST SPECIAL PUBLICATION 800-30 (REVISION 1)
Denise Tawwab, CISSP
March 2, 2016
![Page 2: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/2.jpg)
ABOUT YOUR PRESENTER – DENISE TAWWAB
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 2
CCSK - Certificate of Cloud Security Knowledge
Denise Tawwab, CISSP, CCSK
![Page 3: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/3.jpg)
WHAT IS NIST SPECIAL PUBLICATION 800-30
Applicability
Purpose
Related Publications
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 3Denise Tawwab, CISSP, CCSK
![Page 4: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/4.jpg)
EVOLUTION OF RISK AND INFORMATION SECURITY
THEN NOW
Confidentiality Confidentiality, Integrity, Availability
Static, Snapshot Focus Dynamic, continuous monitoring, situationally awareness focus
Protect Information Protect AND Share information
Risk Avoidance Risk Management
Government-Centric Solutions Commercial, off-the-shelf solutions
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 4Denise Tawwab, CISSP, CCSK
![Page 5: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/5.jpg)
WHAT WE WILL COVER
The Risk Management Process (2.1)
The Role of Risk Assessments in the Risk Management Process (2.2)
Basic Concepts Used in Conducting Risk Assessments (2.3)
Communications and Information Sharing (2.4)
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 5Denise Tawwab, CISSP, CCSK
![Page 6: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/6.jpg)
THE RISK MANAGEMENT PROCESS (2.1)
Risk assessment is a key piece of an organization-wide risk management process
This Risk Management Process is Defined in NIST SP 800-39, Managing Information
Security Risk: Organization, Mission, and Information System View
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 6Denise Tawwab, CISSP, CCSK
![Page 7: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/7.jpg)
THE 4 COMPONENTS OF THE RISK MANAGEMENT PROCESS
Framing Risk
Assessing Risk
Responding to Risk
Monitoring
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 7
Information and
Communication Flows
Information and
Communication Flows
Denise Tawwab, CISSP, CCSK
![Page 8: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/8.jpg)
THE RISK MANAGEMENT PROCESS – FRAMING RISK
The purpose of the Risk Framing component is to describe the environment (context) in which risk-based
decisions will be made.
The output of risk framing is a risk management strategy that addresses how the organization intends to assess,
respond to, and monitor risk.
The risk management strategy establishes a foundation for managing risk and sets the boundaries for risk-based
decisions within organizations.
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 8Denise Tawwab, CISSP, CCSK
![Page 9: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/9.jpg)
THE RISK MANAGEMENT PROCESS – ASSESSING RISK
The purpose of the Risk Assessment component is to identify:
threats to organizations (operations, assets, or individuals) or threats directed through organizations against
other organizations or the Nation,
internal and external vulnerabilities,
the adverse impacts (harm) that may occur,
the likelihood that harm will occur.
The end result of a risk assessment is a determination of risk.
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 9Denise Tawwab, CISSP, CCSK
![Page 10: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/10.jpg)
THE RISK MANAGEMENT PROCESS – RESPONDING TO RISK
The purpose of the Risk Response component is to address how the organization will consistently respond to the
risk determined in the risk assessment in accordance with the organizational risk frame by:
Developing alternative courses of action for responding to risk
Evaluating the alternative courses of action
Determining appropriate courses of action consistent with risk tolerance
Implementing risk responses based on selected courses of action
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 10Denise Tawwab, CISSP, CCSK
![Page 11: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/11.jpg)
THE RISK MANAGEMENT PROCESS – MONITORING RISK
The purpose of the Risk Monitoring component is to address how the organization will monitor risk over time.
Risk monitoring
Determines the ongoing effectiveness of risk responses.
Identifies risk-impacting changes to information systems and/or the environments in which the systems operate.
Verifies that planned risk responses are implemented and producing the desired results, and that information
security requirements (derived from mission/business functions, legislation, directives, regulations, policies, standards, and
guidelines) are satisfied.
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 11Denise Tawwab, CISSP, CCSK
![Page 12: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/12.jpg)
THE RISK MANAGEMENT PROCESS (2.1)
Framing Risk
Assessing Risk Responding to Risk
Monitoring
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 12
Information and
Communication Flows
Information and
Communication Flows
Assess
Denise Tawwab, CISSP, CCSK
![Page 13: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/13.jpg)
SP 800-30 DEALS WITH THE RISK ASSESSMENT COMPONENT OF RMP
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 13
Information and
Communication Flows
Information and
Communication Flows
Assess
Denise Tawwab, CISSP, CCSK
![Page 14: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/14.jpg)
RISK ASSESSMENTS (2.2)
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 14Denise Tawwab, CISSP, CCSK
![Page 15: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/15.jpg)
RISK ASSESSMENTS
Purposes of Risk Assessments
Characteristics of Risk Assessments
Decisions/Actions Supported by Risk Assessments
Step-by-Step Process for Risk Assessments in NIST 800-30
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 15Denise Tawwab, CISSP, CCSK
![Page 16: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/16.jpg)
PURPOSES OF RISK ASSESSMENTS
Risk assessments address potential adverse impacts arising from the operation and
use of information systems and the information processed, stored, and transmitted by
those systems.
Organizations conduct risk assessments to determine risks that are common to the
organization’s core mission/business functions, processes, segments, common
infrastructure/support services, or information systems.
Risk assessments can support a wide variety of risk-based decisions and activities by
organizational officials across all 3 tiers in the RM hierarchy.
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 16Denise Tawwab, CISSP, CCSK
![Page 17: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/17.jpg)
CHARACTERISTICS OF RISK ASSESSMENTS
Risk assessments are NOT one-time activities.
Employed on an ongoing basis throughout the system development life cycle and across all tiers in the
risk management hierarchy.
The frequency of risk assessments depends on the purpose and scope of the assessments.
The resources applied during an assessment depend on the expressly defined purpose and scope of
the assessments.
The validity and usefulness of any risk assessment is bounded in time because missions/business
functions, business processes, information systems, threats, and environments of operation tend to
change over time)
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 17Denise Tawwab, CISSP, CCSK
![Page 18: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/18.jpg)
RISK-BASED DECISIONS/ACTIVITIES SUPPORTED BY ASSESSMENTS
Development of an information security architecture
Definition of interconnection requirements for information systems
Design of security solutions for information systems and environments of operation including selection of security controls, IT products, suppliers/supply chain, and contractors.
Authorization (or denial of authorization) to operation information systems or to use security controls inherited by those systems (i.e. common controls);
Modification of business functions and/or processes permanently or for a specific time frame (e.g. until a newly discovered threat or vulnerability is addressed, until a compensating control is replaced);
Implementation of security solutions (e.g. whether specific IT products or configurations for those products meet established requirements); and
Operation and maintenance of security solutions (e.g. continuous monitoring strategies and programs, ongoing authorizations).
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 18Denise Tawwab, CISSP, CCSK
![Page 19: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/19.jpg)
800-30 PROVIDES A STEP-BY-STEP PROCESS FOR RISK ASSESSMENTS
How to Prepare for Risk Assessments
How to Conduct Risk Assessments
How to Communicate the Risk Assessment Results
How to Maintain the Risk Assessments over Time
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 19Denise Tawwab, CISSP, CCSK
![Page 20: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/20.jpg)
RISK ASSESSMENTS – WHAT WE COVERED
Purposes of Risk Assessments
Characteristics of Risk Assessments
Decisions/Actions Supported by Risk Assessments
Step-by-Step Process for Risk Assessments in NIST 800-30
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 20Denise Tawwab, CISSP, CCSK
![Page 21: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/21.jpg)
KEY RISK CONCEPTS (2.3)AND RELATIONSHIPS AMONG RISK FRAMING AND RISK ASSESSMENT COMPONENTS
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 21Denise Tawwab, CISSP, CCSK
![Page 22: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/22.jpg)
KEY RISK CONCEPTS – WHAT WE WILL COVER
Key Concepts (Risk, InfoSec Risk, Risk Assessment, Risk Assessment Methodology)
Risk Models (2.3.1)
Assessment Approaches (2.3.2)
Analysis Approaches (2.3.3)
Effects of Organizational Culture on Risk Assessments (2.3.4)
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 22Denise Tawwab, CISSP, CCSK
![Page 23: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/23.jpg)
KEY RISK CONCEPTS – WHAT IS RISK AND INFO SECURITY RISK?
Risk is a measure of the extent to which an entity is threatened by a potential circumstance or event, and is typically
a function of:
The adverse impacts that would arise if the circumstance or event occurs; and
The likelihood of occurrence.
Information security risks – those risks that arise from the loss of confidentiality, integrity, or availability of
information or information systems and reflect the potential adverse impacts to organizational operations (i.e.,
mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the nation.
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 23Denise Tawwab, CISSP, CCSK
![Page 24: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/24.jpg)
KEY RISK CONCEPTS – WHAT IS A RISK ASSESSMENT?
Risk Assessment – is the process of identifying, estimating, and prioritizing information security risks.
Assessing risk requires the careful analysis of threat and vulnerability information to determine the extent to which
circumstances or events could aversely impact an organization and the likelihood that such circumstances or events
will occur.
A risk assessment results in determination of risk.
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 24Denise Tawwab, CISSP, CCSK
![Page 25: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/25.jpg)
RELATIONSHIP AMONG FRAMING & ASSESSMENT COMPONENTS
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 25Denise Tawwab, CISSP, CCSK
![Page 26: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/26.jpg)
WHAT IS A RISK ASSESSMENT METHODOLOGY
Risk Assessment methodologies are defined by organizations and are a component of the risk management
strategy developed during the risk framing step of the risk management process.
A Risk Assessment Methodology typically includes:
Risk assessment process
Risk model
Assessment approach
Analysis approach
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 26Denise Tawwab, CISSP, CCSK
![Page 27: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/27.jpg)
COMPONENTS OF A RISK ASSESSMENT METHODOLOGY
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 27Denise Tawwab, CISSP, CCSK
![Page 28: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/28.jpg)
CAN USE ONE OR MORE RISK ASSESSMENT METHODOLOGIES
Organizations can use a single risk assessment methodology or can employ multiple assessment methodologies, with
the selection of a specific methodology depending on, for example:
The time frame for investment planning or for planning policy changes;
The complexity/maturity of organizational mission/business processes (by enterprise architecture segments);
The phase of the information systems in the SDLC; or
The criticality/sensitivity of the information and information systems supporting the core organizational
missions/business functions.
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 28Denise Tawwab, CISSP, CCSK
![Page 29: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/29.jpg)
REPRODUCIBILITY/REPEATABILITY OF ASSESSMENTS
By having an explicit risk methodology and requiring – as part of the assessment process – a rationale for
the assessed values of risk factors, organizations can increase the reproducibility and repeatability of risk
assessments.
Reproducibility refers to the ability of different experts to produce the same results from the same
data.
Repeatability refers to the ability to repeat the assessment in the future in a manner that is consistent
with and comparable to prior assessments – enabling the organization to identify trends.
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 29Denise Tawwab, CISSP, CCSK
![Page 30: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/30.jpg)
RISK MODELS (2.3.1)DEFINE THE RISK FACTORS TO BE ASSESSED AND THE RELATIONSHIPS AMONG THOSE FACTORS
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 30Denise Tawwab, CISSP, CCSK
![Page 31: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/31.jpg)
WHAT IS A RISK MODEL (2.3.1)
A Risk Model defines the risk factors to be assessed and the relationship among those factors.
Risk factors should be clearly defined and documented BEFORE conducting the risk assessment because the
assessment relies upon well-defined attributes of threats, vulnerabilities, impact, and other risk factors to
effectively determine risk.
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 31Denise Tawwab, CISSP, CCSK
![Page 32: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/32.jpg)
RISK FACTORS
Threats
Threat sources
Threat events
Vulnerabilities and predisposing conditions
Likelihood of occurrence
Impact
Risk
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 32Denise Tawwab, CISSP, CCSK
![Page 33: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/33.jpg)
DECOMPOSING RISK FACTORS INTO CHARACTERISTICS
Risk factors can be decomposed into more detailed characteristics (e.g., threats decomposed into threat sources
and threat events).
A risk factor can have a single assessable characteristic (e.g., impact severity) or multiple characteristics,
Some characteristics may be assessable and some may not be assessable. Characteristics which are not assessable
typically help determine what lower-level characteristics are relevant.
Example: a threat source has a (characteristic) threat type (using a taxonomy of threat types, which are nominal
rather than assessable). The threat type determines which of the more detailed characteristics are relevant (e.g., a
threat source of type adversarial has associated characteristics of capabilities, intent, and targeting, which are
directly assessable characteristics).
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 33Denise Tawwab, CISSP, CCSK
![Page 34: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/34.jpg)
THREAT , THREAT EVENTS, AND THREAT SCENARIO
A threat is any circumstance or event with the potential to adversely impact organizational operations and
assets, individuals, other organizations, or the Nation through an information system via unauthorized access,
destruction, disclosure or modification of information and/or denial of service.
Organizations can choose to specify threat events as
single events, actions, or circumstances; or
sets and/or sequences of related actions, activities, and/or circumstances.
Threat events are caused by threat sources, and (when caused by adversarial threat sources) are characterized
by tactics, techniques, and procedures (TTPs) employed by adversaries.
Threat events identified with great specificity allow you to model, develop, and analyze threat scenarios. A threat
Scenario is a set of discrete threat events, attributed to a specific threat source or multiple threat sources,
ordered in time, that result in adverse effects.
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 34Denise Tawwab, CISSP, CCSK
![Page 35: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/35.jpg)
THREAT SOURCE
A Threat Source is:
The intent and method targeted at the exploitation of a vulnerability; or
A situation and method that may accidentally exploit a vulnerability.
4 Types of Threat sources
Adversarial - Hostile cyber or physical attacks
(Individuals, groups, organizations, or states that seek to exploit the organization’s dependence on cyber resources)
Accidental - Human errors (commission or omission)
Structural - Failures of resources controlled by the organization (e.g., hardware, software, environmental controls);
Environmental - Natural and man-made disasters, accidents, and failures beyond the control of the organization.
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 35Denise Tawwab, CISSP, CCSK
![Page 36: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/36.jpg)
THREAT SHIFTING
Threat shifting is the response of adversaries to your safeguards and/or countermeasures (i.e., security controls) in which they
change their intent/targeting in order to avoid or defeat those safeguards/countermeasures. Default is to the path of least
resistance.
Threat shifting can occur in one or more domains, including:
The Time domain – delay in an attack or illegal entry to conduct additional surveillance
The Target domain – select a target that is not as well protected.
The Resource domain – add resources to the attack in order to reduce uncertainty or overcome safeguards and/or
countermeasures; or
The Attack planning/Attack method domain – change the attack weapon or attack path.
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 36Denise Tawwab, CISSP, CCSK
![Page 37: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/37.jpg)
RISK FACTORS
Threat sources
Threat events
Vulnerabilities and predisposing conditions
Likelihood of occurrence
Impact
Risk
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 37Denise Tawwab, CISSP, CCSK
![Page 38: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/38.jpg)
TABLE E-2: REPRESENTATIVE EXAMPLES – ADVERSARIAL THREAT EVENTS
Threat Events (characterized by TTPs) Description
Perform Reconnaissance and Gather Data
Perform perimeter network recon/scanning, Adversary Uses commercial or free software to scan organizational perimeter to obtain a
better understanding of the information technology infrastructure and improve the ability to
launch successful attacks.
Craft or Create Attack Tools
Create counterfeit/spoof website Adversary creates duplicates of legitimate websites, when users visit a counterfeit site, the site
can gather information or download malware.
Deliver/insert/install Malicious Capabilities
Deliver known malware to internal organizational information systems (e.g.,
virus via email)
Adversary uses common delivery mechanisms (e.g., email) to install/insert known malware (e.g.,
malware whose existence is known) into organizational information systems.
Exploit and Compromise
Exploit physical access of authorized staff to gain access to organizational
facilities.
Adversary follows (“tailgates”) authorized individuals into secure/controlled locations with the
goal of gaining access to facilities, circumventing physical security checks.
Conduct an Attack (i.e., direct/coordinate attack tools or activities).
Achieve Results (i.e., cause adverse impacts, obtain information)
Maintain a presence or set of capabilities.
Coordinate a campaign
38Denise Tawwab, CISSP, CCSKNIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS
![Page 39: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/39.jpg)
TABLE E-3: REPRESENTATIVE EXAMPLES – NON-ADVERSARIAL THREAT EVENTS
Threat Event Description
Spill Sensitive Information Authorized user erroneously contaminates a device, information system, or network by placing on it o sending to
it information of a classification/sensitivity which it has not been authorized to handle. The information is exposed
to access b unauthorized individuals, and as a result, the device, system, or network is unavailable while the spill is
investigated and mitigated.
Mishandling of critical and/or sensitive information by
authorized users
Authorized privileged user inadvertently exposes critical/sensitive information
Incorrect privilege settings Authorized privileged user or administrator erroneously assigns a user exceptional privileges or sets privilege
requirements on a resource too low.
Communications contention Degraded communications performance due to contention.
Unreadable display Display unreadable due to aging equipment.
Earthquake at primary facility. Earthquake of organization-defined magnitude at primary facility makes facility inoperable
Fire at primary facility Fire (not due to adversarial activity) at primary facility makes facility inoperable.
Fire at backup facility Fire (not due to adversarial activity) at backup facility makes facility inoperable or destroys backups of software,
configurations, data, and/or logs
Resource depletion Degraded processing performance due to resource depletion.
Introduction of vulnerabilities into software products. Due to inherent weaknesses in programming languages and software development environments, errors and
vulnerabilities are introduced into commonly used software products.
Disk error Corrupted storage due to a disk error.39Denise Tawwab, CISSP, CCSKNIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS
![Page 40: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/40.jpg)
RISK FACTORS
Threat sources
Threat events)
Vulnerabilities and predisposing conditions
Likelihood of occurrence
Impact
Risk
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 40Denise Tawwab, CISSP, CCSK
![Page 41: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/41.jpg)
RISK FACTOR –VULNERABILITY
A vulnerability is a weakness in an information system, system security procedures, internal controls, or
implementation that could be exploited by a threat source.
Vulnerabilities can be found not only in information systems but also in organizational governance structures,
external relationships, mission/business processes, and enterprise/information security architectures.
The severity of a vulnerability is an assessment of the relative importance of mitigating/remediating the
vulnerability. Severity can be determined by the extent of the potential adverse impact if such a vulnerability is
exploited by a threat source. The severity of vulnerabilities is context-dependent.
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 41Denise Tawwab, CISSP, CCSK
![Page 42: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/42.jpg)
RISK FACTOR - PREDISPOSING CONDITIONS
A predisposing condition is a condition that exists within an organization, a business process, enterprise
architecture, information system, or environment of operation which affects (i.e. increases or decreases) the
likelihood that threat events, once initiated, result in adverse impacts to organizational operations and assets,
individuals, other organizations, or the Nation.
Location of a facility in a flood zone or hurricane-prone region (increases)
A stand-alone information system with no external network connectivity (decreases)
Gaps in contingency plans
Use of outdated technologies
Weaknesses in information system backup and failover mechanisms
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 42Denise Tawwab, CISSP, CCSK
![Page 43: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/43.jpg)
TABLE F-4: TAXONOMY OF PREDISPOSING CONDITIONS
Type of Predisposing Condition Description
Information-Related
• Classified National Security Information
• Compartments
• Controlled Unclassified Information
• Personally Identifiable Information
• Special Access Programs
• Agreement-Determined (NOFORN, Proprietary)
Needs to handle information (as it is
created, transmitted, stored, processed,
and/or displayed) in a specific manner,
due to its sensitivity (or lack of
sensitivity), legal or regulatory
requirements, and/or contractual or
other organizational agreements.
Technical
• Architectural
• Compliance with technical standards
• Use of specific products or product lines
• Solutions for and/or approaches to user-based collaboration and information sharing.
• Allocation of specific security functionality to common controls
• Functional
• Network multiuser
• Simple-user
• Stand-alone / non-networked
• Restricted functionality (e.g., communications, sensors, embedded controllers)
Needs to use technology in specific
ways.
Operational / Environmental
• Mobility (Fixed-site (specify location); Semi-mobile (land-based, Airborne, Sea-based, Space-based);
Mobile (e.g., handheld device)
• Population with physical and/or logical access to components of the Information System, mission/business process, EA segment
• Size of population
• Clearance/vetting of population
Ability to rely upon physical, procedural,
and personnel controls provided by the
operational environment.
43Denise Tawwab, CISSP, CCSKNIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS
![Page 44: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/44.jpg)
RISK FACTORS
Threat sources
Threat events)
Vulnerabilities and predisposing conditions
Likelihood of occurrence
Impact
Risk
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 44Denise Tawwab, CISSP, CCSK
![Page 45: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/45.jpg)
RISK FACTOR - LIKELIHOOD OF OCCURRENCE
Likelihood of Occurrence is a weighted risk factor based on an analysis of the probability that a given threat is
capable of exploiting a given vulnerability (or set of vulnerabilities).
For adversarial threats, and assessment of likelihood of occurrence is based on:
Adversary intent
Adversary capability
Adversary Targeting
For non-adversarial threats an assessment of likelihood of occurrence is based on
Historical evidence
Empirical data
Other factors
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 45Denise Tawwab, CISSP, CCSK
![Page 46: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/46.jpg)
DETERMINING THE LIKELIHOOD OF OCCURRENCE
3-step process to determine the overall likelihood of occurrence:
1. Assess the likelihood that threat events will be initiated (adversarial) or will occur (non-adversarial).
2. Assess the likelihood that the threat event once initiated or occurring, will result in adverse impacts or harm
3. Assess the overall likelihood as a combination of likelihood of initiation/occurrence and likelihood of resulting in
harm.
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 46Denise Tawwab, CISSP, CCSK
![Page 47: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/47.jpg)
RISK FACTORS
Threat sources
Threat events)
Vulnerabilities and predisposing conditions
Likelihood of occurrence
Impact
Risk
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 47Denise Tawwab, CISSP, CCSK
![Page 48: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/48.jpg)
RISK FACTORS - IMPACT
Impact is the magnitude of harm that can be expected to result from the consequences of unauthorized
disclosure of information, unauthorized modification of information, unauthorized destruction of information, or
loss of information or information system availability.
Clearly define:
The process used to conduct impact determinations
Assumptions related to impact determinations (Risk tolerance assumptions may state that threat evets with an impact
below a specific value do not warrant further analysis.)
Sources and methods for obtaining impact information
Rationale for conclusions reached with regard to impact determinations.
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 48Denise Tawwab, CISSP, CCSK
![Page 49: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/49.jpg)
TYPES OF IMPACT
Harm to Operations
Harm to Assets
Harm to Individuals
Harm to Other Organizations
Harm to the Nation
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 49Denise Tawwab, CISSP, CCSK
![Page 50: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/50.jpg)
RISK FACTORS
Threat sources
Threat events)
Vulnerabilities and predisposing conditions
Likelihood of occurrence
Impact
Risk
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 50Denise Tawwab, CISSP, CCSK
![Page 51: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/51.jpg)
RISK FACTORS - RISK
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 51Denise Tawwab, CISSP, CCSK
![Page 52: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/52.jpg)
RISK ASSESSMENT APPROACHES (2.3.2)KEY CONCEPTS
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 52Denise Tawwab, CISSP, CCSK
![Page 53: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/53.jpg)
3 RISK ASSESSMENT APPROACHES (2.3.2)
Quantitative
Qualitative
Semi-Quantitative
Each approach has advantages and disadvantages. A preferred approach (or set of
approaches) can be selected based on organizational culture and attitudes toward the
concepts of uncertainty and risk communication.
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 53Denise Tawwab, CISSP, CCSK
![Page 54: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/54.jpg)
ASSESSMENT APPROACHES – QUANTITATIVE
Quantitative Assessments use a set of methods, principles or rules for assessing risk based on numbers –
where the meaning and proportionality of values are maintained inside and outside the context of the assessment.
Most effectively supports cost-benefit analyses of alternative risk responses or courses of action.
The meaning of the quantitative results may not always be clear and may require interpretation and explanation –
particularly to explain the assumptions and constraints on using the results. Organizations may typically ask if the
numbers or results obtained in the risk assessments are reliable or if the differences in the obtained values are meaningful
or insignificant.
The rigor of quantification is significantly lessened when subjective determinations are buried within the
quantitative assessments, or when significant uncertainty surrounds the determination of values.
The benefits of quantitative assessments (rigor, repeatability, and reproducibility of results) can be outweighed by
the costs (expert time/effort and the possible deployment and use of tools required to make such assessments)
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 54Denise Tawwab, CISSP, CCSK
![Page 55: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/55.jpg)
ASSESSMENT APPROACHES – QUALITATIVE
Qualitative Assessments use a set of methods, principles, or rules for assessing risk based on non-numerical
categories or levels (e.g. very low, low, moderate, high, very high).
Supports communicating risk results to decision makers
The range of values in qualitative assessments is comparatively small in most cases, making the relative
prioritization or comparison within the set of reported risks difficult.
Unless each value is clearly defined or is characterized by meaningful examples, different experts relying on their
individual different experiences could produce significantly different assessment results.
The repeatability and reproducibility of qualitative assessments are increased by the annotation of assessed values
(e.g. This value is high because of the following reasons) and by the use of tables or other well-defined functions to
combine qualitative values.
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 55Denise Tawwab, CISSP, CCSK
![Page 56: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/56.jpg)
ASSESSMENT APPROACHES – SEMI-QUANTITATIVE
Semi-Quantitative Assessments use a set of methods, principles, or rules for assessing risk that uses bins,
scales, or representative numbers whose values and meanings are not maintained in other contexts.
Provides the benefits of quantitative and qualitative assessments.
The role of expert judgement in assigning values is more evident than in a purely quantitative approach.
If the scales or sets of bins provide sufficient granularity, relative prioritization among results is better supported
than in a purely qualitative approach.
As in a quantitative approach, when subjective determinations are buried within assessments or when significant
uncertainty surrounds a determination of value, rigor is significantly lessened.
As with the non-numeric categories or levels used in a qualitative approach, each bin or range of values needs to
be clearly defined and/or characterized by meaningful examples.
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 56Denise Tawwab, CISSP, CCSK
![Page 57: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/57.jpg)
ASSESSMENT APPROACHES
Independent of the value scale selected, assessments make explicit the temporal
element of risk factors.
Organizations can associate a specific time period with assessments of likelihood of
occurrence and assessments of impact severity.
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 57Denise Tawwab, CISSP, CCSK
![Page 58: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/58.jpg)
RISK ANALYSIS APPROACHES (2.3.3)KEY CONCEPTS
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 58Denise Tawwab, CISSP, CCSK
![Page 59: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/59.jpg)
3 RISK ANALYSIS APPROACHES
Threat-oriented
Asset/impact-oriented
Vulnerability-oriented
Organizations have great flexibility in choosing a particular analysis approach. The specific approach taken is
driven by different organizational considerations (e.g., the quality and quantity of information available with
respect to threats, vulnerabilities, and impact/assets; the specific orientation carrying the highest priority for the
organizations; availability of analysis tools emphasizing certain orientations; or a combination of the above.
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 59Denise Tawwab, CISSP, CCSK
![Page 60: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/60.jpg)
RISK ANALYSIS APPROACHES
Analysis approaches differ with respect to the orientation or starting point of the risk assessment,
level of detail in the assessment, and how risks due to similar threat scenarios are treated.
Differences in the starting point of the risk assessment can bias the results, causing some risks not to
be identified.
Identification of risks from a second orientation (e.g., complementing a threat-oriented analysis
approach with an asset/impact-oriented analysis approach) can improve the rigor and effectiveness of
the analysis.
Each analysis approach takes into consideration the same risk factors, and thus entails the same set of
risk assessment activities, just in a different order.
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 60Denise Tawwab, CISSP, CCSK
![Page 61: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/61.jpg)
THREAT-ORIENTED ANALYSIS APPROACH
Starts with the identification of threat sources and threat events.
Focuses on developing threat scenarios.
Vulnerabilities are identified in the context of threats.
For adversarial threats, impacts are identified based on adversary intent.
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 61Denise Tawwab, CISSP, CCSK
![Page 62: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/62.jpg)
ASSET/IMPACT-ORIENTED ANALYSIS APPROACH
Starts with the identification of highly adverse impacts of concern and/or critical or high-value
assets (possibly using the results of a business impact analysis (BIA)).
Focuses on identifying threat events and threat sources that could lead to and/or that could seek
those impacts.
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 62Denise Tawwab, CISSP, CCSK
![Page 63: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/63.jpg)
VULNERABILITY-ORIENTED ANALYSIS APPROACH
Starts with a set of predisposing conditions or exploitable weaknesses/deficiencies in organizational
information systems or the environments in which the systems operate.
Identifies threat events that could exercise those vulnerabilities together with possible consequences
of vulnerabilities being exercised.
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 63Denise Tawwab, CISSP, CCSK
![Page 64: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/64.jpg)
MORE RIGOROUS ANALYSIS TECHNIQUES
In addition to the orientation of the analysis approach, organizations can apply more rigorous analysis techniques
such as graph-based, or attack trees to provide an effective way to account for the many-to-many relationships
between:
Threat sources and threat events (a single threat event can be caused by multiple threat sources and a single
threat source can cause multiple threat events)
Threat events and vulnerabilities (a single threat event can exploit multiple vulnerabilities and a single vulnerability
can be exploited by multiple threat events).
Threat events and impacts/assets (a single threat event can affect multiple assets or have multiple impacts, and a
single asset can be affected by multiple threat events).
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 64Denise Tawwab, CISSP, CCSK
![Page 65: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/65.jpg)
MORE RIGOROUS ANALYSIS TECHNIQUES
Rigorous analysis approaches also provide a way to account for whether (in the given
time frame) a specific adverse impact could occur (or a specific asset could be harmed)
at most once, or perhaps repeatedly, depending on the nature of the impacts and on
how organizations recover from such adverse impacts.
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 65Denise Tawwab, CISSP, CCSK
![Page 66: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/66.jpg)
EFFECTS OF ORGANIZATIONAL CULTURE ON RISKKEY CONCEPTS – 2.3.4
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 66Denise Tawwab, CISSP, CCSK
![Page 67: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/67.jpg)
EFFECTS OF ORGANIZATIONAL CULTURE ON RISK ASSESSMENTS
(2.3.4)
Cultural issues can predispose an organization to:
Employ risk models that assume a constant value for one or more possible risk factors, so that some factors that
are present in other organizations’ models are not represented.
Employ risk models that require detailed analyses using quantitative assessments (e.g. nuclear safety).
Prefer qualitative or semi-quantitative assessment approaches.
Organizations can use coarse or high-level risk models early in the SDLC to select security controls, and then
later use more detailed models to assess risk to given missions or business functions.
Organizational risk frames determine which risk models, assessment approaches, and analysis approaches to use
under varying circumstances.
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 67Denise Tawwab, CISSP, CCSK
![Page 68: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/68.jpg)
RISK COMMUNICATIONS & INFORMATION SHARING
Ongoing communications and information sharing among stakeholders ensure:
Inputs are as accurate as possible
Intermediate assessment results can be used, for example, to support risk assessments at other tiers; and
The results are meaningful and useful inputs to the risk response step in the risk management process.
Manner and form of communications is an expression of organizational culture as well as legal, regulatory, and contractual constraints and to be effective, should be consistent with other forms of risk communication within organizations.
Establish policies procedures and implementing mechanisms to ensure that the information produced during such assessments is effectively communicated and shared across all three risk management tiers.
To reinforce the importance of risk communication and information sharing use the input tables in the appendices of 800-30 as well as the recommended elements of a risk assessment report. Appendix K provides recommendations for risk communications/sharing among tiers.
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 68Denise Tawwab, CISSP, CCSK
![Page 69: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/69.jpg)
KEY RISK CONCEPTS – WHAT WE COVERED
Overview of Risk
Risk Models (2.3.1)
Assessment Approaches (2.3.2)
Analysis Approaches (2.3.3)
Effects of Organizational Culture on Risk Assessments (2.3.4)
Risk communications & information sharing (2.4.4)
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 69Denise Tawwab, CISSP, CCSK
![Page 70: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/70.jpg)
THE RISK ASSESSMENT PROCESS
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 70Denise Tawwab, CISSP, CCSK
![Page 71: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/71.jpg)
THE FUNDAMENTALS – WHAT WE COVERED
The Risk Management Process (2.1)
The Role of Risk Assessments in the Risk Management Process (2.2)
Basic Concepts Used in Conducting Risk Assessments (2.3)
Communications and Information Sharing (2.4)
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 71Denise Tawwab, CISSP, CCSK
![Page 72: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/72.jpg)
DENISE TAWWAB
NIST SP 800-30(REV 1): GUIDE FOR CONDUCTING RISK ASSESSMENTS 72
CCSK - Certificate of Cloud Security Knowledge
(919) 339-2253
Denise Tawwab, CISSP, CCSK
![Page 73: NIST 800-30 Intro to Conducting Risk Assessments - Part 1](https://reader031.fdocuments.in/reader031/viewer/2022020301/58a3268d1a28ab71398b59ff/html5/thumbnails/73.jpg)
INTRO TO CONDUCTIONG RISK ASSESSMENTSNIST SPECIAL PUBLICATION 800-30 (REVISION 1)