NIST Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments, offers an overview of the methods for performing risk assessments and mitigating risk, and a summary of how risk management applies to the System Development Life Cycle (SDLC). The publication is widely used for guidance in conducting risk assessments of federal organizations and information systems; however, its teachings can be applied to any scenario. In any given situation, there are three phases in the risk assessment process: preparing for the assessment, conducting the assessment, and maintaining the assessment. Furthermore, NIST Special Publication 800-30 describes how risk assessments interact with the other risk management processes.
Per the publication’s lessons, a proper risk assessment includes identifying the purpose of the assessment, its scope, and its assumptions and constraints; locating the sources of data to be used as inputs; and finally, identifying the risk model and the analytic approach to be taken. Many of the difficulties one faces during an assessment, whether the organization is large or a small and medium-sized business (SMB), come down to adapting the assessment to fit the organization’s specific needs; determining the scope of the assessment is vital to ensure the work performed fits the particular situation. Scope creep is common in risk assessments; to combat it, proper attention should be paid to the type, size, and nature of the business, to the time frame allotted for the risk assessment, and to the significance of the technology and architecture involved.
As many already know, the risk management process never ends; it should be reviewed on a regular basis and evolve with any changes to personnel, technology, policies, or business processes. Per the publication, the personnel involved in the risk assessment and management process play a vital role in its overall success; choosing these individuals and maintaining constant communication with them are equally important. Individuals such as operators, stakeholders, decision-makers, security officers, and information system owners all have a role to play in every stage of the risk assessment process. In an adequately designed and implemented risk management program, documentation and communication go hand in hand with ensuring the program’s future success.
Beyond the many concerns with risk assessments, such as budgeting, personnel, skill level, available technology, and defining the project’s scope, the risk management process is quite simple to understand using four clearly identified steps: framing risk (establishing the risk context), assessing risk, responding to risk, and finally, monitoring risk. Risk, defined as “a measure of the extent to which an entity is threatened by a potential circumstance or event” (NIST, 2012), should not be confused with threats, which are events with the potential to adversely impact an organization’s operations. Risk is the likelihood of a threat occurring, and assessing it allows an organization to prioritize its resources in attempting to mitigate the threat or remove it from the playing field. Vulnerabilities found in an organization dramatically increase risk by raising the chance that a known threat occurs; when it does, the impact on the business should ideally match an already-predicted set of expected results.
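The likelihood-and-impact model described above, turned into a small risk-register scorer, as an added example that is not from the publication or this essay: it combines two qualitative levels into a level of risk, ranks a register so resources go to the highest risks first, and re-scores an entry after a mitigating control, which is the assess, respond, monitor loop. The combination table follows my reading of SP 800-30 Rev. 1 Appendix I (Table I-2) and the register entries are constructed, so treat both as assumptions to check against the publication.

```python
"""Risk-level scoring in the style of NIST SP 800-30 Rev. 1 Appendix I (added example)."""
from dataclasses import dataclass, replace

# NIST's qualitative scale, ordered from lowest to highest.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Level of risk from likelihood (row) and impact (column). Cell values follow my
# reading of SP 800-30 Rev. 1 Table I-2 (assumption): verify against the publication.
RISK_TABLE = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


@dataclass(frozen=True)
class RiskEntry:
    """One register row: a threat event paired with the vulnerability it exploits."""
    threat_event: str
    vulnerability: str
    likelihood: str  # one of LEVELS
    impact: str      # one of LEVELS


def risk_level(likelihood: str, impact: str) -> str:
    """Combine likelihood and impact into a qualitative level of risk."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"levels must be one of {LEVELS}")
    return RISK_TABLE[likelihood][LEVELS.index(impact)]


def prioritize(register: list) -> list:
    """Assess every entry and order the register highest risk first (stable for ties)."""
    scored = [(entry, risk_level(entry.likelihood, entry.impact)) for entry in register]
    return sorted(scored, key=lambda pair: LEVELS.index(pair[1]), reverse=True)


def respond(entry: RiskEntry, likelihood_drop: int) -> RiskEntry:
    """Model a control that lowers likelihood by `likelihood_drop` levels (floor: Very Low);
    the returned entry is what the monitoring step re-assesses."""
    new_index = max(0, LEVELS.index(entry.likelihood) - likelihood_drop)
    return replace(entry, likelihood=LEVELS[new_index])


# Constructed sample register; the entries are illustrative, not from the publication.
SAMPLE_REGISTER = [
    RiskEntry("Phishing captures staff credentials", "Webmail lacks MFA", "High", "High"),
    RiskEntry("Laptop lost in transit", "Disk not encrypted", "Moderate", "Moderate"),
    RiskEntry("Data center flooding", "Site sits on a flood plain", "Very Low", "Very High"),
]
```

Running `prioritize(SAMPLE_REGISTER)` ranks the phishing entry (High) above the laptop (Moderate) and the flood (Low), and `respond(SAMPLE_REGISTER[0], 2)` shows the same entry dropping to Low once its likelihood is reduced by two levels.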
By drawing on NIST Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments, for its analysis approaches, risk models, and applications of risk assessments; by applying the Risk Management Framework (RMF); by ensuring communication and information sharing; by properly implementing each phase of the risk assessment process; and by monitoring the program continuously, we, as an organization, can significantly benefit from NIST’s lessons in adopting a similar program. A proper risk management program, suited to our company’s specific culture, nature, and operations, increases trust with our employees, customers, and stakeholders. There is no single method for assessing risk, preventing threats, and minimizing their impact on our business; however, armed with publications such as NIST Special Publication 800-30 Revision 1, we will be a step ahead of the competition in planning for the ever-rising dangers of the world of tomorrow.
Wheeler, E. (2011). Security risk management: Building an information security risk management program from the ground up. Waltham, MA: Syngress.
NIST. (2012, September 17). Guide for Conducting Risk Assessments. Retrieved September 10, 2020, from https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final.