NIST 800‐30

1. What is the purpose of NIST Special Publication 800‐30?

The purpose of NIST 800‐30 is to provide a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems and the ultimate goal is to help organizations to better manage IT‐related mission risks.

2. What is the principal goal of an organization’s risk management process?

The principal goal of an organization’s risk management process is should be to protect the organization and its ability to perform their mission, not just its IT assets.

3. According to NIST, what three processes compose risk management?

•Risk Assessment

•Risk Mitigation

•Evaluation and Assessment

4. How does risk management relate to the System Development Life Cycle (SDLC)?

SDLC is an integral part of the functioning of IT systems and it has five phases, all of which partake in risk identification and mitigation. These phases are: initiation, development or acquisition, implementation, operation or maintenance, and disposal.

5. NIST 800‐30 defines seven Information Assurance “key roles”. Name and briefly describe each of them?

•Senior Management ‐ Ensures that necessary resources are effectively applied to ensure that the ultimate mission is accomplished.

•Chief Information Officer‐ Takes care of the IT planning, budgeting and performance including its IT system components.

•System and Information Owners ‐ They are responsible to see that proper controls are in place to ensure integrity, confidentiality and availability of data systems that they own.

•Business and Functional Managers ‐These people are responsible for business operations and IT procurement process must take an active role in the risk management process.

•ISSO ‐ Responsible for their organizations’ security programs, including risk management.

•IT security practitioners ‐ They should look after proper implementation of IT security systems.

•Security Awareness Trainers – Training must be given to the users in order to get awareness on security in an organization.

6. How does NIST 800‐30 define risk?

A function of the likelihood of a given threat‐source’s exercising a particular potential vulnerability, and the resulting impact of the adverse event on the organization.

7. How does NIST 800‐30 define a threat?

NIST defines Threat as the potential for a particular threat‐source to successfully exercise a particular vulnerability.

8. How is a threat source defined? Name three common threat sources.

A threat‐source is defined as any circumstance or event with the potential to cause harm to an IT system. The threat‐sources are: natural, human, and environmental threats

9. How does NIST 800‐30 define vulnerability?

Vulnerability is a flaw or weakness in system security procedures, design, implementation, or internal controls that could be accidentally triggered or intentionally exploited. They result in a security breach or violation of the system’s security policy.

10. According to NIST, whose responsibility is IT Security, (technical or management)

IT security is responsible for both technical and management personnel. Management sets the vision and responsibilities and ensures that the staff has proper technical training. The technical personnel test, implement and maintain security.

11. What is a security control?

Security controls are safeguards or countermeasures to avoid, counteract or minimize security risks.

12. Define: technical controls, management controls, and operational controls.

•Technical controls – safeguards that are incorporated into computer hardware, software, or firmware

•Management controls – focus on the stipulation of information protection policy, guidelines and standards, which are carried out through operational procedures to fulfill the organization’s goals and mission.

•Operational controls – used to correct operational deficiencies that could be exercised by potential threat‐sources.

13. How should the adverse impact of a security event be described?

The adverse impact of a security event can be described in terms of loss or degradation of any, or a combination of any, of the following three security goals: integrity, availability and confidentiality.

14. Describe the difference between quantitative and qualitative assessment?

The qualitative impact analysis prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities and it does not provide specific quantifiable measurements of the magnitude of the impacts, therefore making a cost‐benefit analysis of any recommended controls difficult.

The quantitative impact analysis provides a measurement of the impacts’ magnitude, which can be used in the cost‐benefit analysis of recommended controls and depending on the numerical ranges used to express the measurement, the meaning of the quantitative impact analysis may be unclear such as loss of public confidence, loss of credibility.

15. Name and describe six risk mitigation options.

•Risk Assumption ‐ To accept the potential risk and continue operating the IT system or to implement controls to lower the risk to an acceptable level

•Risk Avoidance ‐ To avoid the risk by eliminating the risk cause and/or consequence.

•Risk Limitation ‐ To limit the risk by implementing controls that minimize the adverse impact of a threat’s exercising vulnerability.

•Risk Planning ‐ To manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls

•Research and Acknowledgment ‐To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability

•Risk Transference ‐To transfer the risk by using other options to compensate for the loss, such as purchasing insurance

16. What is residual risk?

This is the risk remaining after the implementation of new or enhanced controls. Practically no IT system is risk free, and not all implemented controls can eliminate the risk they are intended to address or reduce the risk level to zero.

References:

NIST 800‐30 ‐ Risk Management in IT systems by Gary Stoneburner, Alice Goguen, and Alexis Feringa.