The National Institute of Standards and Technology (NIST) is a physics laboratory and non-regulatory body, which is part of the US Department of Commerce. Its mission is to promote innovation and industrial competitiveness in the United States.
NIST’s activities consist of laboratory programs including nanoscience and technology, engineering, information technology, neutron research, materials measurement, and physical measurement. In addition, NIST provides standards that can help organizations better organize and secure business activities.
NIST Risk Assessment (Special Publication 800-30) is the identification of risk factors that could negatively affect an organization’s ability to conduct business. These assessments help identify business risks and provide actions, processes and controls to mitigate the impact of these risks on business operations. The purpose of NIST Special Publication 800-30 is to provide guidance for conducting risk assessments of federal information systems and organizations.
This is part of a series of articles about NIST Cybersecurity Framework.
If your organization follows NIST guidelines for cybersecurity, a NIST risk assessment will be an integral part of the organization’s cybersecurity program.
Private sector companies might not need to comply with all the controls of the NIST Cybersecurity Framework (CSF). However, the Federal Information Security Modernization Act (FISMA) requires all companies doing business with the Department of Defense (DoD) to comply at least with the NIST Risk Management Framework (RMF), including risk assessment.
According to NIST’s guidelines for conducting a risk assessment, the risk assessment process should consist of the following steps:
- Reviewing key internal activities at the organization, mission/business process, and information system levels, to better manage security and privacy risks.
- Determining the level of sensitivity of the organization’s data and systems, in terms of potential worst-case scenarios and the potential damage to the organization or to specific business functions.
- Using the previous steps as a baseline to identify security controls, and applying guidelines as needed based on the risk assessment.
- Implementing security controls in environments and systems using verifiable system security engineering practices.
- Determining the effectiveness of security controls – whether they are properly implemented in systems and environments, operate as intended, and meet the security requirements.
- Conducting a review of the security control assessment results by an Authorizing Official to determine if the risk level is acceptable.
- Regularly tracking changes to existing controls and security incidents, and reassessing the effectiveness of security controls.
The tiered approach is one of the most powerful NIST risk assessment concepts. It is easy to lose track of which tier a risk assessment is operating at. For instance, security specialists often conduct risk assessments at Tier 3 but cannot explain the assessment results to the senior management team.
This communication difficulty is due to the technical complexity of Tier 3 risk assessments – that level of detail is not suitable for senior management.
The NIST introduced the tiered approach to help solve this issue:
The main challenge with this tiered approach is to align the different tiers – you need to place risks in context. A Tier 3 risk must consider the context of Tier 2, while Tier 2 risks must consider the context of Tier 1.
For example, you might discover a high risk at Tier 3, such as an application likely to crash regularly. However, this application doesn’t pose a risk to the actual business process – it will not disrupt the business process if the application crashes. Thus, a risk that is critical at Tier 3 can be non-critical at other tiers or to the organization as a whole.
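The crashing-application example above can be made concrete with a small risk register that rates the same finding twice: once with its impact on the information system (Tier 3) and once with its impact on the business process it supports (Tier 2). The code below is an added illustration, not part of the original article or of any NIST publication; the qualitative Very Low to Very High scale follows SP 800-30, but the exact likelihood-by-impact combination matrix, the `Finding` fields and the sample findings are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Qualitative scale used throughout SP 800-30 Rev 1 for likelihood, impact and risk.
LEVELS = ("Very Low", "Low", "Moderate", "High", "Very High")

# Risk level from likelihood (row) and impact (column). Modeled on the shape of
# the likelihood-by-impact combination table in 800-30 Rev 1 Appendix I; treat
# the cell values as an assumption and check them against the publication.
RISK_MATRIX = {
    "Very High": ("Very Low", "Low", "Moderate", "High", "Very High"),
    "High":      ("Very Low", "Low", "Moderate", "High", "Very High"),
    "Moderate":  ("Very Low", "Low", "Moderate", "Moderate", "High"),
    "Low":       ("Very Low", "Low", "Low", "Low", "Moderate"),
    "Very Low":  ("Very Low", "Very Low", "Very Low", "Low", "Low"),
}


def risk_level(likelihood: str, impact: str) -> str:
    """Combine a qualitative likelihood and impact into a qualitative risk level."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"unknown level: {likelihood!r} / {impact!r}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


@dataclass(frozen=True)
class Finding:
    """A Tier 3 (information system) finding with its impact rated at two tiers.

    Hypothetical structure for this example; not a NIST-defined record.
    """
    system: str
    description: str
    likelihood: str       # how likely the event is; the same at every tier
    system_impact: str    # Tier 3: impact on the information system itself
    process_impact: str   # Tier 2: impact on the mission/business process it supports


def assess(finding: Finding) -> dict:
    """Rate the same finding at Tier 3 and again in its Tier 2 context."""
    return {
        "system": finding.system,
        "description": finding.description,
        "tier3_risk": risk_level(finding.likelihood, finding.system_impact),
        "tier2_risk": risk_level(finding.likelihood, finding.process_impact),
    }


def prioritize(findings) -> list:
    """Order findings for decision-makers by Tier 2 (business) risk, highest first;
    ties are broken by the Tier 3 rating."""
    rows = [assess(f) for f in findings]
    rows.sort(
        key=lambda r: (LEVELS.index(r["tier2_risk"]), LEVELS.index(r["tier3_risk"])),
        reverse=True,
    )
    return rows


# Constructed sample findings (not from the article) for a small risk register.
SAMPLE_FINDINGS = [
    Finding("intranet-wiki", "application crashes several times a week",
            likelihood="High", system_impact="High", process_impact="Very Low"),
    Finding("order-api", "single unpatched host serves all checkout traffic",
            likelihood="Moderate", system_impact="High", process_impact="Very High"),
    Finding("hr-reporting", "batch job occasionally produces stale reports",
            likelihood="Low", system_impact="Moderate", process_impact="Low"),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS):
        print(f"{row['system']:<14} Tier 3: {row['tier3_risk']:<9} Tier 2: {row['tier2_risk']}")
```

Run as a script, the register shows the wiki crash rated High at Tier 3 but Very Low at Tier 2, while the checkout host, a more modest finding at the system level, rises to the top once its business-process impact is taken into account. Sorting on the Tier 2 rating is what lets the same assessment be handed to management without the Tier 3 detail.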
Lay the groundwork for the risk assessment by providing the scope and context. This plan keeps everyone on the same page regarding the assessment process.
The preparation phase involves identifying the following:
Create a list to prioritize the takeaways from the risk assessment and inform decisions about security risks. This step should adhere to the plan set out in Step 1 and include these activities:
All decision-makers must have access to relevant information about security risks. This step involves communicating the risk assessment results and sharing this information to support risk management efforts. Use standardized taxonomies, categorizations, and rating scales to make decisions easy to understand and help the organization implement improvements.
The findings from the latest risk assessment should support future decisions and responses related to risk management. Your long-term risk assessment strategy should include continuously monitoring risk factors and updating risk assessments – these activities are important to understand future changes to risk factors.
Cynet has an outsourced incident response team that anyone can use, including small, medium and large organizations. The incident response team provides professional security staff who are equipped to carry out fast, effective incident response activities.
Cynet can deploy the Cynet security platform in just minutes across hundreds to thousands of endpoints. They can scan, identify, analyze and attend to threats before any harm is done. The Cynet incident response team can assist with:
Contact Cynet for immediate help
For emergency assistance from Cynet’s security experts, call them now at US 1-(347)-474-0048, International +44-203-290-9051, or contact us.