Risk assessment according to NIST SP 800-30

The SP 800-30 Guide for Conducting a Risk Assessment is a guideline published by the National Institute of Standards and Technology (NIST). The goal of risk assessment according to NIST SP 800-30 is to help organizations provide senior leaders and executives with the information they need to implement risk management strategies tailored to their unique risk profile and to the cost-benefit tradeoff of mitigation strategies.

This document is aimed specifically at risk assessments of federal information systems and organizations. The security of these entities is of national interest, which means they have to operate at a very high bar. The same standards and best practices may also be helpful for other organizations that handle sensitive information or that have heightened security awareness and a low risk tolerance.

According to the document, risk assessment can and should be conducted at all levels of an organization. That includes:

  • Organizational level
  • Mission/business process level
  • Information system level

Investing the time and money to assess your organization’s readiness in the face of an increasingly complex and dangerous threat landscape is paramount.


LIFARS Gap Assessment Solution is designed to ascertain your current information security, risk and compliance status. We’ll help you reach security maturity through a strategy, structure, governance, and operations management plan.


Here follows a summary of how to conduct the risk assessment process:

Step 1: Preparing for an assessment

This step involves laying the groundwork for carrying out the risk assessment. It includes providing context and the boundaries within which it is conducted. This helps everyone operate on the same page regarding the what, why, and how of the process.

The following tasks should be conducted as part of preparing for a thorough risk assessment:

  • Identify the purpose of the assessment – what information do you want to get out of it? What decisions will it influence?
  • Identify the scope of the assessment – to what aspects of your technology/architecture will the assessment apply? What’s the time frame and budget?
  • Identify the assumptions and constraints associated with the assessment;
  • Identify the sources of information to be used as inputs to the assessment; and
  • Identify the risk model and analytic approaches (i.e., assessment and analysis approaches) to be employed during the assessment.

Step 2: Conduct assessment

Above all, the main takeaways of a risk assessment should be a prioritized list of information security risks that can be used to make decisions regarding risk response. Moreover, to ensure measurable success within operational restrictions, it should be carried out in accordance with boundaries set in the previous step.

Identify threat sources and events

Identify specific threat sources so that they can be defined in terms of capability, intent, type, and origin, and at which organizational level they will have the largest impact.

For example, threats may be adversarial (with the intent to do harm) from groups or individuals from within or outside your organization. On the other hand, they might be completely accidental.

SP 800-30 provides two tables with standardized threat source inputs and taxonomies as well as rating scales for threat modelling. These should be used for the standardized categorization of threat sources and events.

Threat sources can give rise to threat events, which are characterized by the tactics, techniques and procedures (TTPs) a cyber threat uses. Examples include network sniffing, phishing attacks, or malware injection. SP 800-30 also includes resources for identifying and classifying these events.

Identify vulnerabilities and predisposing conditions

This step involves identifying existing vulnerabilities in your infrastructure that might lead to exploitation or to a loss or compromise of information. It also involves determining whether and to what extent those vulnerabilities are exposed, and rating the impact their exploitation would have.

Determine likelihood of occurrence

Using inputs from the previous two steps, analyze how likely it is that your organization will suffer a particular security event. This includes considering your organizational susceptibility, taking into account the safeguards and countermeasures already planned or implemented to impede such events.

Determine magnitude of impact

Once again using inputs from the previous steps, determine what the end result and impact of individual security events would be. All factors that affect your business may be considered: actual data loss, financial damages resulting from a ransom or regulatory action, and loss of trust or business opportunities. Threats and events should be prioritized based on both likelihood and impact.

Determine risk

Risk is calculated by taking into account both the likelihood and the impact. A highly likely event with a low impact may be considered an equal risk to an unlikely event with a high impact. The outcome of this step therefore helps determine what an adequate, yet measured, response to your threat landscape would be.
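As an added example (not from the guide or the original article), the following Python carries the "conduct assessment" steps through to a prioritized list for a small constructed threat register: overall likelihood is combined from the likelihood of initiation and the likelihood of adverse impact, the level of risk from overall likelihood and impact magnitude, and the events are then ranked. The two lookup tables follow the shape of the guide's qualitative scales, but their cell values and the sample ratings are assumptions of this example.

```python
from dataclasses import dataclass
# Ordinal scale shared by likelihood and impact ratings, lowest to highest.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]
# Lookup tables in the shape of the guide's qualitative tables: the row is the
# first factor, the column the second, both indexed by LEVELS. Cell values are
# an assumption of this example; check them against your copy of SP 800-30.
OVERALL_LIKELIHOOD = {  # likelihood of initiation x likelihood of adverse impact
    "Very High": ["Low", "Moderate", "High", "Very High", "Very High"],
    "High":      ["Low", "Moderate", "Moderate", "High", "Very High"],
    "Moderate":  ["Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Moderate", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Low", "Low", "Low"],
}
LEVEL_OF_RISK = {  # overall likelihood x magnitude of impact
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}
def combine(table, row_level, col_level):
    """Combine two ordinal ratings through a lookup table."""
    return table[row_level][LEVELS.index(col_level)]

@dataclass
class ThreatEvent:
    name: str
    source: str          # adversarial, accidental, structural or environmental
    initiation: str      # likelihood the event is initiated or occurs
    adverse_impact: str  # likelihood it causes harm, given current safeguards
    impact: str          # magnitude of impact if it does
    def likelihood(self):
        return combine(OVERALL_LIKELIHOOD, self.initiation, self.adverse_impact)

    def risk(self):
        return combine(LEVEL_OF_RISK, self.likelihood(), self.impact)

def prioritize(events):
    """Return (name, overall likelihood, level of risk), highest risk first."""
    rows = [(e.name, e.likelihood(), e.risk()) for e in events]
    return sorted(rows, key=lambda r: (LEVELS.index(r[2]), LEVELS.index(r[1])), reverse=True)

# Constructed sample register; the ratings are illustrative only.
SAMPLE_EVENTS = [
    ThreatEvent("Phishing leads to credential theft", "adversarial", "Very High", "Moderate", "Moderate"),
    ThreatEvent("Ransomware encrypts file servers", "adversarial", "Moderate", "High", "Very High"),
    ThreatEvent("Admin misconfigures firewall rule", "accidental", "High", "Low", "Low"),
    ThreatEvent("Datacenter flood", "environmental", "Very Low", "Very High", "Very High"),
]
```

In the sample register the frequent, moderate-impact phishing event and the rare, very-high-impact flood both land at a Moderate level of risk, which is the equal-risk case the paragraph above describes.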

Step 3: Communicate results

As worded in SP 800-30: “The objective of this step is to ensure that decision-makers across the organization have the appropriate risk-related information needed to inform and guide risk decisions.”

This consists of two main tasks:

  • Communicate the risk assessment results; and
  • Share information developed in the execution of the risk assessment, to support other risk management activities

Standardized taxonomies, rating scales, and categorizations must be used so that the impact of decisions can be clearly related, even to those who are not security experts. Additionally, it will help with the next step, which is maintaining assessment practices and setting objective metrics for measuring the improvement of your risk response and mitigation.

Step 4: Maintain assessment

Above all, the goal should be for your current findings to inform immediate and future risk management decisions and to guide risk responses, for example decisions pertaining to the acquisition of security/technology infrastructure, authorizations, common information system controls, etc.

The end goal of risk assessment according to NIST SP 800-30 is a long-term assessment strategy that allows you to:

  • Monitor the risk factors identified in risk assessments on an ongoing basis and understand subsequent changes to those factors; and
  • Update the components of risk assessments to reflect the monitoring activities carried out by the organization.

SP 800-30 Guide for Conducting a Risk Assessment