The principal goal of an organization's risk management process should be to protect the organization and its ability to perform its mission, not just its IT assets. Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the organization.
Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.
Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.
To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system. Impact refers to the magnitude of harm that could be caused by a threat’s exercise of a vulnerability. The level of impact is governed by the potential mission impacts and in turn produces a relative value for the IT assets and resources affected (e.g., the criticality and sensitivity of the IT system components and data). The risk assessment methodology encompasses nine primary steps:
1) SP 800-67 Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher
http://csrc.nist.gov/publications/nistpubs...67/SP800-67.pdf
2) SP 800-64 Security Considerations in the Information System Development Life Cycle
http://csrc.nist.gov/publications/nistpubs...ST-SP800-64.pdf
3) SP 800-63 Electronic Authentication Guideline: Recommendations of the National Institute of Standards and Technology
http://csrc.nist.gov/publications/nistpubs...00-63v6_3_3.pdf
4) SP 800-61 Computer Security Incident Handling Guide
http://csrc.nist.gov/publications/nistpubs...61/sp800-61.pdf
5) SP 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories
http://csrc.nist.gov/publications/nistpubs...-60V1-final.pdf
6) SP 800-59 Guideline for Identifying an Information System as a National Security System
http://csrc.nist.gov/publications/nistpubs...59/SP800-59.pdf
7) SP 800-55 Security Metrics Guide for Information Technology Systems
http://csrc.nist.gov/publications/nistpubs...55/sp800-55.pdf
8) SP 800-51 Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme
http://csrc.nist.gov/publications/nistpubs...51/sp800-51.pdf
9) SP 800-50 Building an Information Technology Security Awareness and Training Program
http://csrc.nist.gov/publications/nistpubs...ST-SP800-50.pdf
10) SP 800-49 Federal S/MIME V3 Client Profile
http://csrc.nist.gov/publications/nistpubs...49/sp800-49.pdf
11) SP 800-48 Wireless Network Security: 802.11, Bluetooth, and Handheld Devices
http://csrc.nist.gov/publications/nistpubs...T_SP_800-48.pdf
12) SP 800-47 Security Guide for Interconnecting Information Technology Systems
http://csrc.nist.gov/publications/nistpubs...47/sp800-47.pdf
13) SP 800-46 Security for Telecommuting and Broadband Communications
http://csrc.nist.gov/publications/nistpubs...46/sp800-46.pdf
14) SP 800-45 Guidelines on Electronic Mail Security
http://csrc.nist.gov/publications/nistpubs...45/sp800-45.pdf
15) SP 800-44 Guidelines on Securing Public Web Servers
http://csrc.nist.gov/publications/nistpubs...44/sp800-44.pdf
16) SP 800-43 Systems Administration Guidance for Windows 2000 Professional
http://csrc.nist.gov/itsec/guidance_W2Kpro.html
17) SP 800-42 Guideline on Network Security Testing
http://csrc.nist.gov/publications/nistpubs...ST-SP800-42.pdf
18) SP 800-41 Guidelines on Firewalls and Firewall Policy
http://csrc.nist.gov/publications/nistpubs...41/sp800-41.pdf
19) SP 800-40 Procedures for Handling Security Patches
http://csrc.nist.gov/publications/nistpubs...40/sp800-40.pdf
20) SP 800-38C Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality
http://csrc.nist.gov/publications/nistpubs...C/SP800-38C.pdf
21) SP 800-38A Recommendation for Block Cipher Modes of Operation - Methods and Techniques
http://csrc.nist.gov/publications/nistpubs...a/sp800-38a.pdf
22) SP 800-37 Guide for the Security Certification and Accreditation of Federal Information Systems
http://csrc.nist.gov/publications/nistpubs...00-37-final.pdf
23) SP 800-36 Guide to Selecting Information Security Products
http://csrc.nist.gov/publications/nistpubs...ST-SP800-36.pdf
24) SP 800-35 Guide to Information Technology Security Services
http://csrc.nist.gov/publications/nistpubs...ST-SP800-35.pdf
25) SP 800-34 Contingency Planning Guide for Information Technology Systems
http://csrc.nist.gov/publications/nistpubs...34/sp800-34.pdf
26) SP 800-33 Underlying Technical Models for Information Technology Security
http://csrc.nist.gov/publications/nistpubs...33/sp800-33.pdf
27) SP 800-32 Introduction to Public Key Technology and the Federal PKI Infrastructure
http://csrc.nist.gov/publications/nistpubs...32/sp800-32.pdf
28) SP 800-31 Intrusion Detection Systems (IDS)
http://csrc.nist.gov/publications/nistpubs...31/sp800-31.pdf
29) SP 800-30 Risk Management Guide for Information Technology Systems
http://csrc.nist.gov/publications/nistpubs...30/sp800-30.pdf
30) SP 800-29 A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2
http://csrc.nist.gov/publications/nistpubs...29/sp800-29.pdf
31) SP 800-28 Guidelines on Active Content and Mobile Code
http://csrc.nist.gov/publications/nistpubs...28/sp800-28.pdf
32) SP 800-27 Rev. A Engineering Principles for Information Technology Security (A Baseline for Achieving Security), Revision A
http://csrc.nist.gov/publications/nistpubs...800-27-RevA.pdf
33) SP 800-26 Security Self-Assessment Guide for Information Technology Systems
http://csrc.nist.gov/publications/nistpubs...26/sp800-26.pdf
34) SP 800-25 Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
http://csrc.nist.gov/publications/nistpubs...25/sp800-25.pdf
35) SP 800-24 PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
http://csrc.nist.gov/publications/nistpubs...sp800-24pbx.pdf
36) SP 800-23 Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
http://csrc.nist.gov/publications/nistpubs...23/sp800-23.pdf
37) SP 800-22 A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications
http://csrc.nist.gov/publications/nistpubs...0-22-051501.pdf
38) SP 800-21 Guideline for Implementing Cryptography in the Federal Government
http://csrc.nist.gov/publications/nistpubs/800-21/800-21.pdf
39) SP 800-19 Mobile Agent Security
http://csrc.nist.gov/publications/nistpubs...19/sp800-19.pdf
40) SP 800-17 Modes of Operation Validation System (MOVS): Requirements and Procedures
http://csrc.nist.gov/publications/nistpubs/800-17/800-17.pdf
41) SP 800-16 Information Technology Security Training Requirements: A Role- and Performance-Based Model (supersedes NIST Spec. Pub. 500-172)
http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf
42) SP 800-12 An Introduction to Computer Security: The NIST Handbook
http://csrc.nist.gov/publications/nistpubs...12/handbook.pdf