Michael Obiukwu says
NIST SP 800-100 Chapter 10 “Risk Management” provides a comprehensive standard for defining, implementing, and managing risk in an organization. It provides a structured approach to understanding, assessing, and addressing risk. Based on my analysis, this document offers a robust and systematic framework that is essential in our ever-evolving technological landscape.
According to NIST SP 800-100, risk management is a critical aspect of information security management. Notably, the risk management chapter provides an insightful overview of concepts such as risk identification, risk assessment, risk mitigation, risk monitoring, and risk communication. By implementing a risk management process based on this standard, organizations can minimize the potential impact of risk on information assets.
The NIST SP 800-100 Chapter 10 seeks to address crucial dimensions in the realm of risk management. Its multidimensional approach in the facet of risk management allows the integrated performance of diverse organizational functions and processes, contributing significantly to the attainment of organizational objectives. Yet, it also bears further exploration to investigate and address more specific issues related to each dimension.
In conclusion, the NIST SP 800-100 Chapter 10 successfully encapsulates the essential elements of a well-rounded risk management approach. Its importance cannot be overstated in the current corporate landscape, where risk pervades every data point and process. It is well-recognized for providing a systematic route to a disciplined and informed risk-based decision-making process.
Mariam Hazali says
Risk assessment is a crucial step in the risk management process. Organizations should conduct a comprehensive risk assessment to determine the likelihood of a risk occurring and the potential impact it might have. Organizations need to recognize that not all risks require immediate action, as the cost of mitigation and implementing security controls might outweigh the potential consequences of the risk being exploited. Organizations have the option to accept, mitigate, or transfer the risk to a third party.
The use of a risk rating approach helps organizations identify where to prioritize their focus. By assigning an overall score and risk level (low, medium, and high), the organization gains insight into which risks to address first and what type of security control it should invest in to effectively manage and mitigate identified risks.
Michael Obiukwu says
Hi Mariam,
Thank you for bringing this mix of perspectives up. Your second paragraph brings to bear the need to balance the cost implications of mitigating some risks against how negligible the impact of the risk is. On the contrary, I hold the belief that every risk, no matter how negligible the impact is, if not properly addressed immediately, could open the door to a bigger risk. This risk could be as small as having a secretary who is totally ignorant of what phishing is. What do you think?
Kenneth Saltisky says
Hi Michael,
While I do agree that all risks can introduce problems to any organization, there is a need for prioritization and managing what needs to be done. For example, Wiz.IO is a risk management solution I have used previously that automates some aspects of assessing how risky IT assets are, based on active vulnerabilities on systems or on system configurations. Wiz.IO utilizes five levels of risk for each item/issue found on a system: critical, high, medium, low, and informational. Through these levels, the more important issues come to the surface, and what needs to be mitigated/resolved comes up based on the level of criticality in the report. Organizations should take care of critical- and high-level issues before dealing with medium- and low-level issues, since a critical issue usually involves a simple-to-execute vulnerability or a long-standing issue on systems.
In the case of large organizations, it is not possible to immediately address all levels of issues at the same time, especially if dealing with an issue results in other issues or other conflicts in other parts of an organization.
Michael Obiukwu says
Hi Kenneth,
Thanks a lot, I appreciate this perspective you brought here. I appreciate the Wiz.IO you introduced. I would have to further my readings on it. It seems quite insightful, almost taking a cue from FIPS-199.
Mariam Hazali says
Hi Michael, I agree with your reasoning that some risks can lead to bigger problems. However, sometimes fixing a risk will cost you 5000 USD while the impact when the risk is exploited is 2000 USD; in this scenario it doesn’t make sense to fix the risk, therefore organizations can choose to either accept the risk or implement compensating controls.
Michael Obiukwu says
Hi Mariam,
Thanks for giving more clarity. It makes more sense now.
Kelly Conger says
Mariam,
I agree that conducting a thorough risk assessment is essential for understanding the landscape of potential threats your organization faces. This includes identifying the risks, analyzing their likelihood of occurrence, and evaluating their possible impact. However, not all risks are created equal. Some pose a more significant threat than others, limiting your resources. That’s why prioritizing risks is crucial. By understanding the likelihood and impact of each risk, you can focus your efforts on mitigating the most critical ones first.
Erskine Payton says
After reading chapter 10 of NIST 800-100 on Risk Management, I find it difficult to pick one key point when the entire chapter was so informative. The chapter starts with the importance of treating risk as more than a technical function, but also as “an essential management function of the organization” that is in lockstep with system development life cycle (SDLC) management. I like this because it strengthens the point that business operations and technical operations must work together to be successful.
Looking at the diagram of Risk Management in the System Security Life Cycle gave me a visual of the process and of the publications that provide guidance for each control. The Risk Assessment Process diagram was again nice, as you see the process and go into it. This is vital when trying to explain risk to those who truly do not understand it. Overall, the entire chapter was again informative, with straightforward explanations.
Michael Obiukwu says
Hi Erskine,
I am in agreement with you on this. Upon reading Chapter 10 of NIST 800-100 on Risk Management, I also found profound insight into how risk transcends being just a technical function, simultaneously operating as an integral management component. This synergy in business and technical operations, punctuated further by the System Security Life Cycle’s diagram, is crucial. Notably, the Risk Assessment Process diagram effectively unravels the complicated subject of risk for those with limited understanding, thereby making this chapter highly informative.
Andrew Young says
NIST 800-100 chapter 10 deals with the overall process of risk management. The chapter goes into very specific detail about how to evaluate, calculate, and place controls into an organization to mitigate risk. My key takeaway from this chapter was specifically how mathematical or numeric you can make something as abstract as risk. Typically, in our everyday lives, we conceptualize risks as things that can’t be prevented past a certain point and are relatively unpredictable. This NIST chapter, however, walks the reader through how this isn’t necessarily the case. NIST has created robust charts and formulas, not only to outline the risks that exist to an organization’s security, but also how responses to and evaluations of these should work. Being able to quantify the abstract and present it as a hard number or equation is extremely useful, especially when trying to explain to somebody outside of the IT world how these things operate. The diagrams provided in the article give the reader a wide overview of the ideas while also being condensed for convenience, and allow students like myself to see how these systems work in concept.
Kenneth Saltisky says
Hi Andrew,
You bring up an excellent point on numerically identifying risk, even if it doesn’t seem like something that can be done from the outside. By quantifying how risky assets are, you can convince the right people and implement the right controls to reduce how risky assets are, even if they don’t seem to have any problems for the business from the outside. Although the handbook mentions utilizing a high-medium-low matrix based on impact and threat likelihood, do you think there are other options for assessing risk level?
Andrew Young says
I would think there likely are. A lot of what I’ve noticed in the IT field so far is that there are a lot of tools for different jobs, and a lot of categories for different types of things. This chapter does a great job of giving us an overview, but I’m sure if we zoom in on very specific aspects or elements in various categories or asset areas we’d find risk calculations specifically tailored for them. It’s interesting to me to see how specific these categories or areas can get, and I’m excited to see how these concepts are expanded on going further down the line.
Jeffrey Sullivan says
Chapter 10 is packed with information on Risk Management. The risk analysis in 10.1.4, Step 4, is one that stood out for me at first, as I found it interesting that “It is not possible to estimate the level of risk posed by the successful exploitation of a given vulnerability without considering the EFFICACY of the security controls that have been or are to be implemented to mitigate or eliminate the potential for such exploitation”. It then goes on to explain how the four steps, which are control analysis, likelihood determination, impact analysis, and risk determination, are performed simultaneously or nearly simultaneously because they’re so tightly linked to each other. So, what I gleaned from that is that it is all about the controls and their efficacy, which seems obvious, but what comes to mind in this and the other sections is that the risks, I assume, change all the time. It may not be the same kind of risk or vulnerability, etc., that you found or fought the day prior. This then made me post my question in the weekly question section so I can get a more in-depth understanding of how the security controls are kept updated against the constant threats. It also makes me think about how AI will play a role on each side, from being the threat to mitigating the threat. I also think I found that the control analysis section, 10.1.4.1, may help me in identifying how the controls are kept updated via NIST SP 800-53A. I’m curious to see what the answer will be on keeping these controls updated.
What I also found interesting is the diagram on pg. 85; this finally shows me what the professor has kept speaking about. It gives me a visual for the information that is brought up in this class and in my prior class on protection of information assets.
Alex Ruiz says
Jeffrey, your insights on the efficacy of security controls are spot-on; the dynamic nature of risks in the cybersecurity landscape requires a proactive approach to control analysis and constant updates to stay ahead of evolving threats. Your question about how security controls are kept updated is crucial, especially considering the rapid changes in the threat landscape. Also, regarding your observation about the diagram on page 85, it’s great to see concepts materialize visually, aiding in a better grasp of complex information, at least for me. How do you envision AI influencing not only threats but also the strategies for mitigating them in the realm of cybersecurity?
Kenneth Saltisky says
Chapter 10 of NIST SP 800-100 outlines the Risk Management process in great detail, including a general format for assessing assets, mitigating risk, and the evaluation and assessment process to execute risk-based decisions. One key point that stood out to me was 10.1.1, which is the system characterization step for risk management. The most important step in conducting any form of risk management is to fully understand the asset(s) that need to be assessed. Understanding all system components, including hardware, software, interfaces, data, and people, is essential in understanding how important and how risky the asset is to an organization. There are also other assets that are not directly related, such as network topology and physical security, that are equally important when understanding how risky an asset is. Through understanding each asset that is part of a risk assessment, prioritization and threat identification can be properly conducted.
Hashem Alsharif says
My favorite section of this chapter was within 10.1.2, which would be threat identification. I found it interesting when it mentioned a threat statement. This is essentially a list of possible sources of threats. Before doing a threat statement, a threat evaluation must be done. It should be noted that this must be individually tailored for each business. I think this part is important because, in an effort to save time, a specialist could try to create a one-size-fits-all list, but every situation is different, and to truly have an accurate representation, each business must be looked at on its own. This section is also a callback to last term’s course, as it talks about natural disasters and how they too should be considered natural disasters. Another key thing I take away from this reading is having access to accurate information regarding facts. For example, if I were to truly identify whether or not a said natural disaster was going to happen, I would need to read government documents which show proof that this disaster would happen. I can’t use something like a Facebook article to justify recognizing a threat. This tells us that we also have to know what would be considered a reliable and a non-reliable source when we gather our information.
Good analysis, Hashem. While understanding the importance of threat identification and the need for a tailored approach for each business, it’s essential to recognize that there might be some challenges and limitations in relying solely on government documents for accurate information. Government sources are often considered authoritative, but they may not cover all aspects or provide real-time data.
In today’s rapidly evolving world, threats can emerge swiftly, and sometimes official documentation may not be immediately available. It’s crucial to complement government sources with other reliable and up-to-date information from various channels. The exclusive reliance on government documents might inadvertently create a blind spot, especially when dealing with emerging or unconventional threats.
One key point I took away is about the comprehensive approach to vulnerability identification outlined in NIST SP 800-100. The definition of vulnerability as a flaw or weakness in system security is clear, encompassing various aspects such as procedures, design, implementation, and internal controls. The reading emphasizes the importance of utilizing diverse techniques and sources, including reviews of risk assessments, audit reports, vulnerability databases, and security advisories. Notably, the incorporation of system security testing, such as automated vulnerability scanning tools, security test and evaluation, and penetration testing, complements the source reviews. Additionally, the suggestion to develop a security requirements checklist based on the SDLC phases ensures a thorough inspection of the system from conceptualization to implementation. This holistic approach, including a 360-degree inspection and compliance evaluation, contributes to a robust identification of potential vulnerabilities within a system.
Like you stated, it is a 360-degree inspection and compliance evaluation, which makes me think about how vulnerabilities will change and how these reports, tests, procedures, etc. will all have to pivot eventually, or may even change quickly based on how the vulnerabilities change, and how AI will more than likely drive this change.
My favorite section of this reading was 10.1.4.4 Risk Determination. I liked the formula they used to calculate an overall risk rating using threat likelihood as well as a range of impact categories. This also functions as an easy way to communicate with management. Although it is highly subjective, the range’s leeway allows for easier determination of risk levels, along with the degrees of risk that a system faces when a particular vulnerability is abused.
Hi Alex,
You are right, risk rating makes the whole decision-making process easier and helps corporations make informed decisions. Knowing the level of likelihood that something will be exploited and the impact it will have helps to know what to prioritize.
Hi Alex, I also enjoyed reading section 10.1.4.4. The formula they presented for calculating an overall risk rating by considering threat likelihood and a range of impact categories caught my attention. It’s great that this formula provides a simple way to communicate with management. While I understand that risk determination can be subjective, the flexibility in the range allows for easier assessment of risk levels and the severity of risks a system might face when a specific vulnerability is exploited. What are your thoughts on how this approach enhances risk communication within an organization?
Hello Alex, it’s very important to know about risk ratings; it’s going to be a big part of our work in the field. I also like the point you made about the ratings being an easy way to communicate with management. We can tell management or anyone outside IT our perspectives on things, but ultimately, if the other side doesn’t understand what we’re saying, then what we tell the person is completely useless. While I do think we should put more effort into being able to communicate with management, I also think management should put in effort to understand cybersecurity more. It’s impossible for management to be an expert in every department, but I do think it would prove beneficial for them to at least understand the basics.
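The risk determination formula Alex describes (10.1.4.4) and the cost-versus-impact decision Mariam raised earlier in the thread (fix for 5000 USD vs. 2000 USD loss), worked as an added Python example. This is not code from NIST SP 800-100 or from anyone in this discussion. It uses the risk-level matrix the handbook reproduces from NIST SP 800-30 (threat likelihood High 1.0 / Medium 0.5 / Low 0.1; impact High 100 / Medium 50 / Low 10; risk scale Low 1 to 10, Medium above 10 to 50, High above 50 to 100). The finding names, mitigation costs and loss figures are constructed sample data, and the "escalate" rule (a high risk whose fix costs more than one loss event is flagged for authorizing-official sign-off rather than silently accepted) is an assumption of this example, not a rule stated in the handbook.

```python
"""Risk determination and treatment decision using the risk-level matrix
that NIST SP 800-100 section 10.1.4.4 reproduces from NIST SP 800-30.

Added example for this discussion; not code from the NIST document.
Finding names, costs and losses are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass

# Matrix weights: likelihood High 1.0 / Medium 0.5 / Low 0.1 and impact
# High 100 / Medium 50 / Low 10. Likelihood is stored x10 so that the
# product stays exact in integer arithmetic; risk_score divides it back out.
LIKELIHOOD_X10 = {"low": 1, "medium": 5, "high": 10}
IMPACT = {"low": 10, "medium": 50, "high": 100}


def risk_score(likelihood: str, impact: str) -> float:
    """Overall risk score = likelihood weight x impact weight, range 1 to 100."""
    return LIKELIHOOD_X10[likelihood.lower()] * IMPACT[impact.lower()] / 10


def risk_level(score: float) -> str:
    """Risk scale from the matrix: Low 1-10, Medium >10-50, High >50-100."""
    if score > 50:
        return "high"
    if score > 10:
        return "medium"
    return "low"


@dataclass
class Finding:
    name: str
    likelihood: str           # "low" | "medium" | "high"
    impact: str               # "low" | "medium" | "high"
    mitigation_cost: float    # cost to implement the control (assumed, USD)
    loss_if_exploited: float  # estimated loss from one successful exploit (assumed, USD)

    @property
    def score(self) -> float:
        return risk_score(self.likelihood, self.impact)

    @property
    def level(self) -> str:
        return risk_level(self.score)


def recommend_treatment(f: Finding) -> str:
    """Cost-versus-impact decision as discussed in the thread.

    mitigate: the control costs no more than the loss it prevents.
    accept:   the control costs more than the loss and the risk is low or
              medium, so accept it or apply a compensating control.
    escalate: the control costs more than the loss but the risk is high;
              residual risk then needs explicit acceptance by the authorizing
              official (this escalation rule is an assumption of the example).
    """
    if f.mitigation_cost <= f.loss_if_exploited:
        return "mitigate"
    if f.level == "high":
        return "escalate"
    return "accept"


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Highest score first; among equal scores, the cheaper fix first."""
    return sorted(findings, key=lambda f: (-f.score, f.mitigation_cost))


def risk_report(findings: list[Finding]) -> list[tuple[str, float, str, str]]:
    """(name, score, level, treatment) rows in priority order, for management."""
    return [(f.name, f.score, f.level, recommend_treatment(f))
            for f in prioritize(findings)]


# Constructed sample register (not real findings).
SAMPLE_FINDINGS = [
    Finding("Unpatched RCE on internet-facing web server", "high", "high", 3_000, 250_000),
    Finding("Weak password policy on internal wiki", "medium", "medium", 1_500, 20_000),
    Finding("Missing login banner on SSH", "low", "low", 5_000, 2_000),
    Finding("Legacy TLS cipher suite on intranet app", "low", "high", 12_000, 8_000),
]


if __name__ == "__main__":
    for name, score, level, action in risk_report(SAMPLE_FINDINGS):
        print(f"{score:6.1f}  {level:<6}  {action:<8}  {name}")
```

Running the module prints the sample register in priority order: the high-likelihood, high-impact RCE scores 100 (high) and is mitigated first, the wiki password policy scores 25 (medium), and the two low-likelihood items score 10 and 1 (low); the SSH banner is the 5000-versus-2000 case from the thread and comes out as "accept". Swapping the matrix weights for a finer scale (more likelihood or impact bands) only requires changing the two dictionaries and the thresholds in risk_level.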
Chapter 10 of NIST SP 800-100 discusses how important a constructive risk management process is to the overall success of an information security program. A key point that stood out to me was the second phase of the risk management process, which is RISK MITIGATION. This phase aims to prioritize, evaluate, and implement risk-reducing controls based on the guidance in NIST SP 800-53. Various options, such as risk assumption, avoidance, limitation, planning, research, and transference, can be used to reduce system risk. The decision to address risks is determined by assessing their acceptability. A seven-step approach guides the selection and implementation of security controls, considering system security categorization and the FIPS 199 methodology. New systems implement the selected controls, while legacy systems verify them. Residual risk, unavoidable despite controls, should be analyzed for acceptability. Authorizing officials sign statements accepting residual risk for federal agencies, and if the risk remains unacceptable, the risk management cycle is repeated.
I would say one key point I took away from Chapter 10, “Risk Management” of NIST SP 800-100, is the mindset that risk management is not a one-time event but rather a continuous process that requires regular evaluation and updates. This includes monitoring risk, identifying new threats, reassessing risk, and updating controls. By continuously observing and improving your risk management program, you can ensure that your organization effectively protects its information systems from the latest threats. The continuous monitoring process is a fundamental part of an organization’s risk management strategy. It ensures ongoing assessment and adaptation to new threats and changes in the organization’s environment, aligning with the broader objectives of maintaining information systems’ integrity, confidentiality, and availability. The golden rule of cybersecurity!
Hi Kelly,
I agree with the point you made about continuous monitoring and assessment, as threats are always evolving and something that was not a risk today might be vulnerable tomorrow.
Hi Kelly,
I agree that risk management is not designed to eliminate all risks. By its own nature some risks can have a low probability of occurrence or a low impact, so it would not be advisable from an economic point of view to expend resources eliminating these risks. Risk management also involves forecasting and evaluating the potential risks associated with day-to-day operations, while actively identifying ways to reduce them or minimize their impact on the business.
You bring up a point I was talking and thinking about the whole time: what happens when you have to pivot as the technology changes. I was curious about how the system security controls are updated. I want to see how the continuous monitoring process is updated and what goes into making it a well-oiled machine.
One key point I took from this reading is that the primary objective of an organization’s risk management is safeguarding the organization’s network to ensure the organization’s goals. It is nearly impossible to eradicate risk within an organization, so the organization must find a way to control the risks. Also, the organization needs to make a proper plan to provide information about their security. Then the organization will decide if a risk is acceptable or unacceptable.
I totally agree with you, it’s impossible to completely remove risk. A functional risk management process must be an integral part of an organization’s information security plan and should run throughout the system development life cycle.
One key takeaway for me is that when designing a system in the systems development life cycle (SDLC), risk management should be taken into account by determining what type of hardware, software, and data will be used. Using this and other information, the system can be used to define the scope of a risk assessment and, ultimately, to determine whether any potential risks are acceptable or unacceptable and require mitigation. Finally, the mitigations implemented can be used to assess any residual risk.
Hi Samuel,
I agree with you that it is crucial to choose hardware and software carefully when designing a network. An organization would be aware of the potential risks if it carefully chose its platforms. This will enable it to identify the acceptable risks and the unacceptable risks.
Michael Obiukwu says
NIST SP 800-100 Chapter 10 “Risk Management” provides a comprehensive standard for defining, implementing, and managing risk in an organization. It provides a structured approach to understanding, assessing, and addressing risk. Based on my analysis, this document offers a robust and systematic framework that is essential in our ever-evolving technological landscape.
According to NIST SP 800-100, risk management is a critical aspect of information security management. Notably, the risk management chapter provides an insightful overview of concepts such as risk identification, risk assessment, risk mitigation, risk monitoring, and risk communication. By implementing a risk management process based on this standard, organizations can minimize the potential impact of risk on information assets.
The NIST SP 800-100 Chapter 10 seeks to address crucial dimensions in the realm of risk management. Its multidimensional approach in the facet of risk management allows the integrated performance of diverse organizational functions and processes, contributing significantly to the attainment of organizational objectives. Yet, it also bears further exploration to investigate and address more specific issues related to each dimension.
In conclusion, the NIST SP 800-100 Chapter 10 successfully encapsulates the essential elements of a well-rounded risk management approach. Its importance cannot be overstated in the current corporate landscape, where risk pervades every data point and process. It is well-recognized for providing a systematic route to a disciplined and informed risk-based decision-making process.
Mariam Hazali says
Risk assessment is a crucial step in the risk management process. conduct a comprehensive risk assessment to determine the likelihood of a risk occurring and the potential impact it might have. Organization needs to recognize not all risks require immediate action as the cost of mitigation and implementing security controls might outweigh the potential consequences of the risk being exploited. Organizations have the option to accept, mitigate, or transfer the risk to a third party.
The use of a risk rating approach helps organizations identify where to prioritize their focus. By assigning the overall score and risk level(low, medium, and high) organization gains an insight into which risk to address first and what type of security control should the organization invest in to effectively manage and mitigate identified risks.
Michael Obiukwu says
Hi Miriam,
Thank you for bringing this mix of perspective up. Your second paragraph brings to bare the need to balance the cost implications of mitigating some risks with respect to how negligible the impact of the risk is. On the contrary, I hold the belief that every risk , no matter how negligible the impact is, if not properly addressed immediately could open door for a bigger risk. This risk could be as small as having a secretary who is totally ignorant of what phishing is. What do you think?
Kenneth Saltisky says
Hi Michael,
While I do agree that all risks can introduce problems to any organization, there is a need for prioritization and managing what needs to be done. For example, Wiz.IO is a risk management solution I have used previously that automates some aspects of assessing how risky IT assets are based on active vulnerabilities on systems or based on configurations on systems. Wiz.IO utilizes five levels of risks based on each item/issue found on a system: critical, high, medium, low, and informational. Through these levels, the more important issues come to surface and what needs to be mitigated/resolved comes up based on the level of criticality from the report. Organizations should take care of critical and high level issues before dealing with medium and low level issues since critical usually involves a simple-to-execute vulnerability or a long-standing issue on systems.
In the case of large organizations, it is not possible to immediately address all levels of issues at the same time, especially if dealing with an issue results in other issues or other conflicts in other parts of an organization.
Michael Obiukwu says
Hi Kenneth,
Thanks a lot, I appreciate this perspective you brought here. I appreciate the Wiz.IO you introduced.I would have to further my readings on it. It seems quite insightful. Almost taking a cue from FIPS-199.
Mariam Hazali says
Hi Michael, I agree with your reasoning on some risks can lead to bigger problems. However sometimes you can be fixing a risks that will cost you 5000 usd and the impact of when the risk is exploited is 2000 usd then on this scenario it doesn’t make sense fixing the risk,therefore organizations can choose to either accept the risk or implement compensating controls.
Michael Obiukwu says
Hi Mariam,
Thanks for giving more clarity.It makes more sense now.
Kelly Conger says
Mariam,
I agree that conducting a thorough risk assessment is essential for understanding the landscape of potential threats your organization faces. This includes identifying the risks, analyzing their likelihood of occurrence, and evaluating their possible impact. However, not all risks are created equal. Some pose a more significant threat than others, limiting your resources. That’s why prioritizing risks is crucial. By understanding the likelihood and impact of each risk, you can focus your efforts on mitigating the most critical ones first.
Erskine Payton says
After reading chapter 10 of NIST 800-100 on Risk Management, I find it difficult to find one key point when the entire chapter was so informative. The chapter starts with the importance of treating risk more than a technical function but also, “an essential management function of the organization” that is in lock step with the system development life cycle management (SDLC). I like this because this strengthens the point that business operations and technical operations must work together to be successful.
Looking at the diagram of Risk Management in the System Security Life Cycle gave me a visual of the process and the publications that provide guidance of each control. The Risk Assessment Process diagram again was nice as it you see the process and goes into it. This is vital when trying to explain risk to those who truly do not understand. Overall, the entire chapter as again informative but the straight forward explanations.
Michael Obiukwu says
Hi Erskine,
I am in agreement with you on this. Upon reading Chapter 10 of NIST 800-100 on Risk Management, I alao found profound insight into how risk transcends being just a technical function, simultaneously operating as an integral management component. This synergy in business and technical operations, punctuated further by the System Security Life Cycle’s diagram, is crucial. Notably, the Risk Assessment Process diagram effectively unravels the complicated subject of risk for those with limited understanding, thereby making this chapter highly informative.
Andrew Young says
NIST 800-100 chapter 10 deals with the overall process of risk management. The chapter goes into very specific detail about how to evaluate, calculate, and place controls into an organization to mitigate risk.. My key takeaway from this chapter was specifically how mathematical or numeric you can make something as abstract as risk. Typically in our every day we conceptualize risks as things that can’t be prevented past a certain point and are relatively unpredictable. This NIST chapter, however, walks the reader through how this isn’t necessarily the case. NIST has created robust charts and formulas, not only to outline the risks that exist to organization’s security, but how responses and evaluations of this should work. Being able to quantify the abstract and present it as a hard number or equation is extremly useful, especially when trying to explain to somebody outside of the IT world how these things operate. The diagrams provided in the article gice the reader a wide overview of the ideas while also being condesned for convenience, and allow students like myself to see how these systems work in concept
Kenneth Saltisky says
Hi Andrew,
You bring an excellent point on numerically identifying risk even if it doesn’t seem like something that can be done on the outside. By quantifying how risky assets are, you can convince the right people and implement the right controls to reduce how risky assets are even if they don’t seem like they have any problems to the business on the outside. Although the handbook mentions utilizing a high-medium-low matrix based on impact and threat likelihood, do you think there are other options for assessing risk level?
Andrew Young says
I would think there likely are. A lot of what I’ve noticed in the IT field so far is that there are a lot of tools for different jobs, and a lot of categories for different types of things. This chapter does a great job of giving us an overview, but I’m sure if we zoom in on very specific aspects or elements in various categories or asset areas we’d find risk calculations specifically tailored for them. It’s interesting to me to see how specific these categories or areas can get and I’m excited to see how these concepts are expanded on going further down the line
Jeffrey Sullivan says
Chapter 10 is packed with information on Risk Management. The risk analysis in 10.1.4 Step 4 is one that stood out for me at first, as I found it interesting that, “It is not possible to estimate the level of risk posed by the successful exploitation of a given vulnerability without considering the EFFICACY of the security controls that have been or are to be implemented to mitigate or eliminate the potential for such exploitation”. It then goes on to explain how the four steps, which are control analysis, likelihood determination, impact analysis, and risk determination, are performed simultaneously or nearly simultaneously because they’re so tightly linked to each other. So, what I gleaned from that is that it is all about the controls and their efficacy, which seems obvious, but what comes to mind in this and the other sections is that the risks, I assume, change all the time. It may not be the same kind of risk or vulnerability, etc., that you found or fought the day prior. This then made me post my question in the weekly question section so I can get a more in-depth understanding of how the security controls are kept updated against the constant threats. It also makes me think about how AI will play a role on each side, from creating the threat to mitigating the threat. I also think I found that the control analysis section 10.1.4.1 may help me in identifying how the controls are kept updated via NIST SP 800-53A. I’m curious to see what the answer will be on keeping these controls updated.
What I also found interesting is the diagram on pg. 85; this finally shows me what the professor has kept speaking about. It gives me a visual of the information that is brought up in this class and my prior class on protection of information assets.
Alex Ruiz says
Jeffrey, your insights on the efficacy of security controls are spot-on; the dynamic nature of risks in the cybersecurity landscape requires a proactive approach to control analysis and constant updates to stay ahead of evolving threats. Your questioning about how security controls are kept updated is crucial, especially considering the rapid changes in the threat landscape. Also, regarding your observation about the diagram on page 85, it’s great to see concepts materialize visually, aiding in a better grasp of complex information, at least for me. How do you envision AI influencing not only threats but also the strategies for mitigating them in the realm of cybersecurity?
Kenneth Saltisky says
Chapter 10 of NIST SP 800-100 outlines the Risk Management process in great detail, including a general format for assessing assets, mitigating risk, and the evaluation and assessment process to execute risk-based decisions. One key point that stood out to me was 10.1.1, which is the system characterization step for risk management. The most important step to conducting any form of risk management is to fully understand the asset(s) that need to be assessed. Understanding all system components, including hardware, software, interfaces, data, and people, is essential in understanding how important and how risky the asset is to an organization. There are also other assets that are not directly related, such as network topology and physical security, that are equally important when understanding how risky an asset is. Through understanding each asset that is part of a risk assessment, prioritization and threat identification can be properly conducted.
Hashem Alsharif says
My favorite section for this chapter was within 10.1.2, which would be threat identification. I found it interesting when it mentioned a threat statement. This is essentially a list of possible sources of threats. Before doing a threat statement, a threat evaluation must be done. It should be noted that this must be individually tailored for each business. I think this part is important because, in an effort to save time, a specialist could try and create a one-size-fits-all list, but every situation is different, and to truly have an accurate representation, each business must be looked at on its own. This section is also a callback to last term’s course, as it talks about natural disasters and how they too should be considered natural disasters. Another key thing I take away from this reading is having access to accurate information regarding facts. For example, if I were to truly identify whether or not said natural disaster was going to happen, I would need to read government documents which show proof that this disaster would happen. I can’t use something like a Facebook article to justify recognizing a threat. This tells us that we also have to know what would be considered a reliable and non-reliable source when we gather our information.
Chidiebere Okafor says
Good analysis, Hashem. While understanding the importance of threat identification and the need for a tailored approach for each business, it’s essential to recognize that there might be some challenges and limitations in relying solely on government documents for accurate information. Government sources are often considered authoritative, but they may not cover all aspects or provide real-time data.
In today’s rapidly evolving world, threats can emerge swiftly, and sometimes official documentation may not be immediately available. It’s crucial to complement government sources with other reliable and up-to-date information from various channels. The exclusive reliance on government documents might inadvertently create a blind spot, especially when dealing with emerging or unconventional threats.
Nicholas Nirenberg says
One key point I took away is about the comprehensive approach to vulnerability identification outlined in NIST SP 800-100. The definition of vulnerability as a flaw or weakness in system security is clear, encompassing various aspects such as procedures, design, implementation, and internal controls. The reading emphasizes the importance of utilizing diverse techniques and sources, including reviews of risk assessments, audit reports, vulnerability databases, and security advisories. Notably, the incorporation of system security testing, such as automated vulnerability scanning tools, security test and evaluation, and penetration testing, complements the source reviews. Additionally, the suggestion to develop a security requirements checklist based on the SDLC phases ensures a thorough inspection of the system from conceptualization to implementation. This holistic approach, including a 360-degree inspection and compliance evaluation, contributes to a robust identification of potential vulnerabilities within a system.
Jeffrey Sullivan says
Like you stated, it is a 360-degree inspection and compliance evaluation, which makes me think about what and how vulnerabilities will change, and how these reports, tests, procedures, etc. will all have to pivot eventually, or may even change quickly, based on how the vulnerabilities change as well, and how AI will more than likely drive this change.
Alex Ruiz says
My favorite section of this reading was 10.1.4.4 Risk Determination. I liked the formula they used to calculate an overall risk rating using threat likelihood as well as a range of impact categories. This also functions as an easy way to communicate with management. Although it is highly subjective, the range leeway allows for an easier determination of risk levels, along with the degrees of risk that a system faces when a particular vulnerability is abused.
Mariam Hazali says
Hi Alex, you are right; risk rating makes the whole decision-making process easier and helps corporations make informed decisions. Knowing the level of likelihood that something will be exploited and the impact it will have helps to know what to prioritize.
Nicholas Nirenberg says
Hi Alex, I also enjoyed reading section 10.1.4.4. The formula they presented for calculating an overall risk rating by considering threat likelihood and a range of impact categories caught my attention. It’s great that this formula provides a simple way to communicate with management. While I understand that risk determination can be subjective, the flexibility in the range allows for easier assessment of risk levels and the severity of risks a system might face when a specific vulnerability is exploited. What are your thoughts on how this approach enhances risk communication within an organization?
Hashem Alsharif says
Hello Alex, it’s very important to know about risk ratings; it’s going to be a big part of our work in the field. I also like the point you made about the ratings being an easy way to communicate with management. We can tell management or anyone outside IT our perspectives on things. But ultimately, if the other side doesn’t understand what we’re saying, then what we tell the person is completely useless. While I do think we should put more effort in to be able to communicate with management, I also think management should put in effort to understand cybersecurity more. It’s impossible for management to be an expert in every department, but I do think it would prove to be beneficial for them to at least understand the basics.
Chidiebere Okafor says
Chapter 10 of the NIST SP 800-100 discusses how important a constructive risk management process is in the overall success of an information security program. A key point that stood out to me was the second phase of the risk management process, which is RISK MITIGATION. This phase aims to prioritize, evaluate, and implement risk-reducing controls based on the guidance in NIST SP 800-53. Various options, such as risk assumption, avoidance, limitation, planning, research, and transference, can be used to reduce system risk. The decision to address risks is determined by assessing their acceptability. A seven-step approach guides the selection and implementation of security controls, considering system security categorization and the FIPS 199 methodology. New systems implement selected controls, while legacy systems verify them. Residual risk, unavoidable despite controls, should be analyzed for acceptability. Authorizing officials sign statements accepting residual risk for federal agencies, and if risk remains unacceptable, the risk management cycle is repeated.
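The risk-determination matrix discussed in the 10.1.4.4 replies above, the control-efficacy point from Jeffrey’s post, and the residual-risk acceptance step from this post, worked through as an added example that is not part of the discussion or of NIST’s own text. The likelihood weights and impact values are those of the NIST SP 800-30 risk-level matrix that SP 800-100 reproduces; the findings, the `residual_likelihood` field and the `acceptable` threshold are constructed assumptions for illustration.

```python
"""Risk determination (likelihood x impact) with a residual-risk
acceptance check. Added example; findings below are constructed."""
from dataclasses import dataclass

# Weights and values from the NIST SP 800-30 risk-level matrix.
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}
ORDER = {"Low": 1, "Medium": 2, "High": 3}


def risk_level(score: float) -> str:
    """Map a likelihood x impact score onto the SP 800-30 risk scale."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass
class Finding:
    name: str
    likelihood: str           # threat likelihood before controls
    impact: str               # impact of a successful exploitation
    residual_likelihood: str  # likelihood after planned controls (assumed field)


def determine_risk(f: Finding) -> dict:
    """Inherent and residual risk score/level for one finding.
    Control efficacy is modelled as lowering likelihood, not impact."""
    inherent = LIKELIHOOD[f.likelihood] * IMPACT[f.impact]
    residual = LIKELIHOOD[f.residual_likelihood] * IMPACT[f.impact]
    return {"name": f.name, "inherent": inherent, "inherent_level": risk_level(inherent),
            "residual": residual, "residual_level": risk_level(residual)}


def prioritize(findings, acceptable: str = "Low") -> list:
    """Rank findings by residual risk; flag those the authorizing official
    could accept (residual level at or below the acceptable level)."""
    rows = sorted((determine_risk(f) for f in findings), key=lambda r: -r["residual"])
    for r in rows:
        r["accept"] = ORDER[r["residual_level"]] <= ORDER[acceptable]
    return rows


SAMPLE_FINDINGS = [  # constructed sample data
    Finding("Unpatched VPN appliance", "High", "High", "Medium"),
    Finding("Stale shared account", "Medium", "Medium", "Low"),
    Finding("Printer firmware", "Low", "Low", "Low"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_FINDINGS):
        print(f"{r['name']:<26} inherent={r['inherent_level']:<6} "
              f"residual={r['residual_level']:<6} accept={r['accept']}")
```

A finding whose residual level stays above the acceptable level is the case where, as the post says, the risk management cycle is repeated rather than signed off.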
Kelly Conger says
I would say one key point I took away from Chapter 10, “Risk Management” of NIST SP 800-100, is the mindset that risk management is not a one-time event but rather a continuous process that requires regular evaluation and updates. This includes monitoring risk, identifying new threats, reassessing risk, and updating controls. By continuously observing and improving your risk management program, you can ensure that your organization effectively protects its information systems from the latest threats. The continuous monitoring process is a fundamental part of an organization’s risk management strategy. It ensures ongoing assessment and adaptation to new threats and changes in the organization’s environment, aligning with the broader objectives of maintaining information systems’ integrity, confidentiality, and availability. The golden rule of cybersecurity!
Mariam Hazali says
Hi Kelly,
I agree with the point you made about continuous monitoring and assessment, as threats are always evolving and something that was not a risk today might be vulnerable tomorrow.
Samuel Omotosho says
Hi Kelly,
I agree that risk management is not designed to eliminate all risks. By its own nature some risks can have a low probability of occurrence or a low impact, so it would not be advisable from an economic point of view to expend resources eliminating these risks. Risk management also involves forecasting and evaluating the potential risks associated with day-to-day operations, while actively identifying ways to reduce them or minimize their impact on the business.
Jeffrey Sullivan says
You bring up a point I was talking and thinking about the whole time: what happens when you have to pivot as the technology changes. I was curious about how the system security controls are updated. I want to see how the continuous monitoring process is updated and what goes into making it a well-oiled machine.
Akintunde Akinmusire says
One key point I took from this reading is that the primary objective of an organization’s risk management is safeguarding the organization’s network to ensure the organization’s goals. It is nearly impossible to eradicate risk within an organization, so the organization must find a way to control the risks. Also, the organization needs to make a proper plan to provide information about their security. Then the organization will decide if a risk is acceptable or unacceptable.
Chidiebere Okafor says
I totally agree with you; it’s impossible to completely remove risk. A functional risk management process must be an integral part of the information security plan of an organization and should run throughout the system development life cycle.
Samuel Omotosho says
One key takeaway for me is that when designing a system in the systems development life cycle (SDLC), risk management should be taken into account by determining what type of hardware, software, and data will be used. Using this and other information, the system can be used to define the scope of a risk assessment and, ultimately, to determine whether any potential risks are acceptable or unacceptable and require mitigation. Finally, the mitigations implemented can be used to assess any residual risk.
Akintunde Akinmusire says
Hi Samuel,
I agree with you that it is crucial to choose hardware and software carefully when designing a network. An organization would be aware of the potential risk if they carefully choose their platforms. This will enable them to choose the acceptable risk and the unacceptable risks.