The risk assessment process includes system characterization, threat identification, vulnerability identification, control analysis, control identification, and results documentation. Step 1 – system characterization allows the person conducting the risk assessment to lay out a basic review of the system being assessed and the scope of the assessment. Step 2 – threat identification is used to find natural, environmental, and human threats to the system. Step 3 – vulnerability identification finds the weaknesses within the system that could be affected or taken advantage of by the threats. Step 4 – risk analysis takes the threats and vulnerabilities into consideration and analyzes what the true risk of these factors would be for the organization. Step 5 – control recommendations proposes the controls that would bring the risk that the organization faces down to an acceptable level. The results documentation phase is a crucial step in this process as it allows the organization to review and implement the suggested controls.
You mentioned “person conducting the risk assessment to lay out a basic review of the system being assessed and the scope of the assessment”. I think security awareness and training programs for risk assessment personnel are key components of an information security program. Project managers and their teams’ stakeholders need to identify risks for specific projects or things that may create risks. Everyone on the team needs to be familiar with common tools for analyzing and identifying risks, they need to understand the losses incurred by different risks, and finally they need to use critical thinking to identify each risk.
SP 800-100 provides elements of an information security program to help managers understand and establish an information security program. Businesses need to select and implement appropriate security controls to reduce risk. Risk management is divided into three processes: risk mitigation, risk assessment, and risk evaluation. Risk assessment can break down the entire process into easier-to-understand, simpler steps that enable organizations to accurately assess their company, such as when an organization’s assets are compromised, and the risk management process speaks to confidentiality, integrity, and availability. Impact analysis, and classification of assets into high, medium and low levels helps to prioritize risks and ensure adequate risk controls are implemented to reduce risk to acceptable levels. Risk mitigation helps an organization develop a risk assessment plan and get the results, so that the organization can use this data to determine the most cost-effective strategy, including financial cost and cost of acceptable risk.
While reading chapter 10 of the NIST SP 800-100 “Information Security Handbook: A Guide for Managers”, I found the section about likelihood determination to be very interesting. Likelihood ratings consist of high, moderate and low. A few things are taken into consideration when likelihood is being determined, such as: the motivation and capability of the threat source to exploit a vulnerability, the nature of the vulnerability, current security controls that are in place, and the effectiveness of mitigating security controls.
When risk is high, there is a need for corrective measures, and those measures should be implemented hastily. When a risk level is moderate, corrective measures need to be implemented here as well, but within a reasonable period of time. When the risk level is determined to be low, the system’s authorizing official needs to determine whether corrective measures are required or if the risk should just be accepted.
Moreover, after looking more into ‘likelihood determination’ in my CISSP book I found that there are 5 categories for it:
– Almost certain
– Likely
– Possible
– Unlikely
– Rare
Also the consequences can be one of the following:
– Insignificant
– Minor
– Moderate
– Major
– Severe
In reading NIST SP 800-100, I found section 10.1.4.2, Likelihood Determination, very interesting.
It says: “Likelihood determination considers a threat source’s motivation and capability to exploit a vulnerability, the nature of the vulnerability, the existence of security controls, and the effectiveness of mitigating security controls. Likelihood ratings are described in the qualitative terms of high, moderate, and low, and are used to describe how likely is a successful exploitation of a vulnerability by a given threat. For example, if a threat is highly motivated and sufficiently capable, and controls implemented to protect the vulnerability are ineffective, then it is highly likely that the attack would be successful. In this scenario, the appropriate likelihood rating would be high. The likelihood ratings of moderate and low are similarly defined to successively lesser degrees.”
The concept of likelihood is interesting to me, and I believe the formula explained here for determining likelihood is a great one. I think depending on the scenario we may see some disagreements on threat levels, but for the most part using this formula will work. Likelihood can be tricky because even if “X” event has a one in a million chance of happening, if “X” event can cripple the business when it does happen, it still has to be categorized and treated accordingly.
Hello Jason,
I also thought likelihood determination was an interesting subject. The controlled environment that an organization has in place needs to be taken into account to get an accurate likelihood determination. Just to elaborate on the reading, here are some more details about the likelihood determination.
High: Threat source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exploited are ineffective.
Med: The threat source is motivated and capable, but controls are in place that may impede successful exploitation of the vulnerability.
Low: The threat source lacks motivation or capability. Controls are in place to prevent or at least significantly impede the vulnerability from being exploited.
After concluding the reading I gained an understanding of how essential steps 1 (system characterization), 2 (threat identification), and 3 (vulnerability identification) are to the risk management process. The procedures performed in steps 4 (risk analysis), 5 (control recommendations), and 6 (results documentation) may not adequately protect the system if an organization does not accurately document and assess their systems at each of the first three steps. Organizational project management teams should utilize strong risk management practices to ensure any new systems or applications meet both the business and security objectives of the organization.
10.1.2 Step 2 Threat Identification. There are three types of common threats that can be categorized. 1: Natural threats such as floods, earthquakes, and avalanches. 2: Human threats, which can be either intentional, such as a terrorist attack, or unintentional, such as dropping coffee onto the server. 3: Environmental threats like a power failure and oil spills.
In this chapter, a key point that I took out from Table 2-1 for ongoing monitoring activities was incident and event statistics as a major direction for simplifying and organizing the focus of a security department. This is due to the fact that it gives managers valuable insight as to which security policies that are in place are working and which are not working. It allows for a broader visualization with performance trends. Collecting this type of data is crucial to preventing past incidents from re-occurring and realizing that there are many ways to attack a vulnerability of a system. It also helps support and change security policies across the board as factual evidence.
One key point I took away from this article was from section 10.2 Risk Mitigation, specifically Figure 10-4, and the reason for that is due to a main point I took away from the introduction, which is that “the principal goal of an organization’s risk management process is to protect the organization and its ability to perform its mission, not just its information assets”. It is impossible to completely eliminate risk, so it is essential to have the necessary risk-reducing controls as recommended by NIST SP 800-53. Figure 10-4 is an easy-to-understand flowchart of how the process works by looking at key factors to determine if a risk is acceptable or unacceptable, in order to determine the necessity of implementing additional controls to mitigate a risk if unacceptable.
As per the NIST standards, information security governance defines the process of establishing and maintaining a framework to support the management structure and assure information security strategies, such as supporting business objectives, remaining consistent with applicable laws and regulations, and adhering to policies and internal controls. The organization must provide periodic Information Protection Awareness and training to all employees and users regarding company policies.
Information security risk is never eliminated entirely, but it can be minimized with various factors, policies, and components. In this era, the organization requires funding toward the InfoSec investment to provide appropriate security to the organization. Also, a proper plan is required to provide the information security requirements; a plan always gives one an overview of the security requirements to minimize the risk factor. The plan should include contingency planning and a disaster recovery plan, which must be tested regularly to ensure proper business operation, continuity and data recovery.
A proper plan gives an overview to minimize the risk, and it is useful for avoiding obstacles to business continuity and handling any situation to protect information security. Attacks on system security, networks, and other components have become common now for so many organizations; proper incident response minimizes the impact on an organization’s business continuity.
Matthew Bryan says
In section 10.1.1, System Characterization (pg. 87) the publication discusses the characterization of information systems to establish the scope of the risk assessment effort. This step begins with the identification of the information system boundaries, resources, and information. FIPS 199 is used to determine the system’s appropriate security categorization, which informs the risk assessment.
This step is important as the results are critical to appropriately assessing the risk of the systems being assessed. Inaccurate information will carry over to other aspects of the playbook which may lead to inaccurate results. Incorrect inputs at this step will lead to an inaccurate risk assessment. The old adage “garbage in, garbage out” applies here as poor information inputs can have cascading effects.
Wilmer Monsalve says
Hi Matthew, yes, I agree that if this information gives misleading or inaccurate results it should be thrown out. But this is only after the information is thoroughly looked over. One man’s trash can be another man’s treasure, so the most important part of this is to make sure there is nothing leftover.
Michael Galdo says
Chapter 10 of NIST SP 800-100 details the importance of an effective risk management process. Having an effective risk management process means having a process in place that will protect the organization and its ability to successfully perform its mission. This risk management process will give security program managers the opportunity to balance operational and economic costs. An effective risk management process should be a priority because having strong procedures in place helps an organization protect their information systems as well as their data.
Miray Bolukbasi says
Chapter 10 of NIST SP explains the functionality of risk management, where it’s not just for information systems but applies to every management process in an organization. Section 10.1 illustrates the steps of the risk management process, including risk assessment, mitigation, and evaluation. The key point is that organizations should be able to assess the risk well before going any further in the process. As NIST SP 800-30 defines risk as the resulting impact of an adverse event on the organization, there is a six-step process recommended to assess these events. The steps are listed in order: system characterization, threat identification, vulnerability identification, risk analysis, control analysis, likelihood analysis, risk determination, control recommendations, result documentation.
Michael Galdo says
Hi Miray,
I think you do a great job laying out the details of Chapter 10. I agree that risk management applies to every management process in an organization. An effective risk management process should be a priority because having strong procedures in place helps an organization protect their information systems as well as their data. It’s important that risk is always assessed before continuing on with a project.
Elizabeth Gutierrez says
The second phase of the risk management process described by the NIST framework is risk mitigation. Some of the options available to reduce the risk in a system are risk assumption, risk avoidance, and risk transference. Figure 10-4 on page 92 illustrates a straightforward strategy that can be used to determine whether risk mitigation actions are necessary. By following the diagram, managers can decide whether the identified risk is acceptable or unacceptable. Risk acceptance is a legitimate option in risk management. There are various reasons why companies may choose risk acceptance in certain situations. The most common reason is that the cost of other risk management options may outweigh the cost of the risk itself. For example, there is no benefit in spending $85,000 to avoid a $5,000 risk. While it is viewed as the least expensive option in the near term, it could become the most expensive option further down the line if an event were to occur. However, if a risk is determined to be unacceptable, there is the option to implement additional controls.
Shubham Patil says
Chapter 10: Risk management consists of risk assessment, risk mitigation, and evaluation and assessment.
An effective risk management process is an important component of a successful information security program. The principal goal of an organization’s risk management process is to protect the organization and its ability to perform its mission, not just its information assets. Therefore, the risk management process should not be treated primarily as a technical function carried out by the information security experts who operate and manage the information security system, but as an essential management function of the organization that is tightly woven into the system development life cycle (SDLC), as depicted in Figure 10-1. Because risk cannot be eliminated entirely, the risk management process allows information security program managers to balance the operational and economic costs of protective measures and achieve gains in mission capability. By employing practices and procedures designed to foster informed decision making, agencies help protect their information systems and the data that support their own mission.
Ryan Trapp says
The risk management process consists of a lot of different steps within the three phases outlined in NIST 800-100. After reading this chapter on risk management, it is apparent that the first step of security categorization is imperative to a successful risk management process. As outlined in the chapter, the accuracy of this categorization process is essential. If the categorization is not done correctly, it will “propagate and lead to a cascade of analytical errors as the process progresses,” as stated in the chapter. This chapter correctly asserts that the process of risk management should be present throughout the SDLC. Organizations should regularly be considering possible threats and vulnerabilities. If the systems and their data are properly categorized, then the organization will know what amount of resources, if any, to invest in mitigating the risk.
Bryan Garrahan says
Hi Ryan, thanks for sharing. I too believe the security categorization is a very important, if not the most important, component of the risk management process. The security categorization lays the foundation for the process, and if this step is not appropriately performed it can render the security controls that have already been put into place ineffective or could potentially create gaps in the control environment.
Michael Duffy says
Hi Ryan,
I agree. For example, certain controls may not be applicable, which varies between systems. Selecting non-applicable controls can generate illegitimate test results and lead the organization to assess risks that may not be applicable to the system. For example, Real-Time Operating Systems (RTOS) may not be able to store information at rest due to their processing. Instead, the security control can be deemed non-applicable if the data is found to be purgeable, which results in data at rest being useless. It depends vastly on the system categorization. Additionally, if controls cannot be implemented, it is important that compensating controls can be referenced, such as adding access control as a compensator.
Ornella Rhyne says
This chapter describes the importance of the risk management process in an organization’s system development life cycle. It’s an essential step for an organization as it allows them to understand that this process is not only to focus on their information systems (technical functions) but to help them achieve their goals and concentrate on their mission.
The use of this process is to minimize the risk, to perform their mission, and to protect mainly the three big components of an information system: confidentiality, integrity and availability. In this process, there are also three subprocesses that support the organization’s mission: risk assessment, risk determination and risk mitigation. All of these processes are required by law but are also good practice, for example to identify the system boundaries, categorize the system impact level using FIPS 199, and make an analysis of the criticality and sensitivity of the system functions and data.
Michael Duffy says
NIST 800-100 Chapter 10 “Risk Management” provides an overview of the risk management framework and the subsequent steps to manage and assess risk. To me, at the end of the risk management process the question becomes “has the risk been assessed?”, to which identification, mitigation, and evaluation help us determine whether or not the organization has assessed the risk into a manageable state for operation. As stated in the first paragraph, the goal isn’t necessarily to protect information assets – but to ensure that the system has its capability to carry out its mission.
Ideally this evaluation takes place during authorization of the system, as the information from generated threats and identified vulnerabilities allows the organization to implement mitigations and determine if additional security controls are necessary to maintain the operation. I think the point that needs to be stressed at the end of an assessment is that it’s not about always implementing every possible security measure – but whether the risk has been assessed properly with or without the proposed/implemented mitigations provided by the organization. Failure to determine the actual assessment can lead to an impact on the mission or disapproval from the authorizing official. Depending on the organization, this could cost time and resources to re-evaluate if not assessed properly, or even jeopardize an agency’s mission depending on what it is.
Oluwaseun Soyomokun says
Risk management is an aggregation of three processes that have their roots in several federal laws, regulations, and guidelines, including the Computer Security Act of 1987, the Federal Information Security Management Act (FISMA), Office of Management and Budget (OMB) Circular A-130, and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems.
The three processes are risk assessment, risk mitigation, and evaluation and assessment. If applied appropriately and with due diligence, this process meets the FISMA requirements of “providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of…information…and…information systems” collected by and used by the federal government, and “ensuring that information security management processes are integrated with agency strategic and operational planning processes.”
Organizations are required to make a risk assessment plan and obtain results; the resulting data can be used to determine a cost-effective strategy, in terms of financial costs and the cost of acceptable risk. However, risk assessments should be conducted and integrated into the SDLC for information systems, which is important as a practice and supports the organization’s business objectives or mission.
Risk assessment has a six-step process which can help an organization analyze the level of risk, and this risk assessment process is usually repeated at least every three years for federal agencies. However, risk assessments should be conducted and integrated into the SDLC for information systems because it is a good practice and supports the organization’s business objectives or mission.
Hang Nu Song Nguyen says
NIST 800-100 Chapter 10 “Risk Management” provides an overview of risk management, which is an aggregation of three processes. These processes are risk assessment, risk mitigation, and evaluation and assessment. Moreover, these processes have their roots in several federal laws, regulations, and guidelines. In these processes, risk assessment is an essential process because the goal of risk assessment is to identify and assess the risks to a given environment. To have an effective risk assessment, NIST SP 800-30 provides 9 steps; however, in this chapter there is a six-step process (Fig. 10-3). Because there is no perfect solution without high costs, and risk cannot be eliminated entirely, information security managers will balance the operational and economic costs of protective measures in their risk management.
Amelia Safirstein says
The risk assessment process includes system characterization, threat identification, vulnerability identification, control analysis, control identification, and results documentation. Step 1, system characterization, allows the person conducting the risk assessment to lay out a basic review of the system being assessed and the scope of the assessment. Step 2, threat identification, is used to find natural, environmental, and human threats to the system. Step 3, vulnerability identification, finds the weaknesses within the system that could be affected or taken advantage of by the threats. Step 4, risk analysis, takes the threats and vulnerabilities into consideration and analyzes what the true risk of these factors would be for the organization. Step 5, control recommendations, proposes the controls that would bring the risk that the organization faces down to an acceptable level. The results documentation phase is a crucial step in this process as it allows the organization to review and implement the suggested controls.
Yangyuan Lin says
Hi Amelia,
You mentioned “person conducting the risk assessment to lay out a basic review of the system being assessed and the scope of the assessment”. I think security awareness and training programs for risk assessment personnel are key components of an information security program. Project managers and their teams’ stakeholders need to identify risks for specific projects or things that may create risks. Everyone on the team needs to be familiar with common tools for analyzing and identifying risks, they need to understand the losses incurred by different risks, and finally they need to use critical thinking to identify each risk.
Yangyuan Lin says
SP 800-100 provides the elements of an information security program to help managers understand and establish an information security program. Businesses need to select and implement appropriate security controls to reduce risk. Risk management is divided into three processes: risk mitigation, risk assessment, and risk evaluation. Risk assessment can break down the entire process into easier-to-understand, simpler steps that enable organizations to accurately assess their company, such as when an organization’s assets are compromised, and the risk management process speaks to confidentiality, integrity, and availability. Impact analysis, and classification of assets into high, medium and low levels, helps to prioritize risks and ensure adequate risk controls are implemented to reduce risk to acceptable levels. Risk mitigation helps an organization develop a risk assessment plan and get the results, so that the organization can use this data to determine the most cost-effective strategy, including financial cost and the cost of acceptable risk.
Joshua Moses says
While reading chapter 10 of the ‘NIST SP 800-100 “Information Security Handbook: A Guide for Managers”’, I found the section about likelihood determination to be very interesting. Likelihood ratings consist of high, moderate and low. A few things are taken into consideration when likelihood is being determined, such as: the motivation and capability of the threat source to exploit a vulnerability, the nature of the vulnerability, the current security controls that are in place, and the effectiveness of mitigating security controls.
When risk is high, there is a need for corrective measures, and those measures should be implemented quickly. When a risk level is moderate, corrective measures need to be implemented here as well, but within a reasonable period of time. When the risk level is determined to be low, the system’s authorizing official needs to determine whether corrective measures are required or whether the risk should just be accepted.
Moreover, after looking more into ‘likelihood determination’ in my CISSP book I found that there are 5 categories for it:
– Almost certain
– Likely
– Possible
– Unlikely
– Rare
Also the consequences can be one of the following:
– Insignificant
– Minor
– Moderate
– Major
– Severe
Jason Burwell says
In reading NIST SP 800-100 I found section 10.1.4.2 Likelihood Determination, very interesting.
It says: “Likelihood determination considers a threat source’s motivation and capability to exploit a vulnerability, the nature of the vulnerability, the existence of security controls, and the effectiveness of mitigating security controls. Likelihood ratings are described in the qualitative terms of high, moderate, and low, and are used to describe how likely is a successful exploitation of a vulnerability by a given threat. For example, if a threat is highly motivated and sufficiently capable, and controls implemented to protect the vulnerability are ineffective, then it is highly likely that the attack would be successful. In this scenario, the appropriate likelihood rating would be high. The likelihood ratings of moderate and low are similarly defined to successively lesser degrees.”
The concept of likelihood is interesting to me, and I believe the formula explained here for determining likelihood is a great one. I think depending on the scenario we may see some disagreements on threat levels, but for the most part using this formula will work. Likelihood can be tricky because even if event “X” is likely to have a one in a million chance of happening, if event “X” can cripple the business if it does happen, it still has to be categorized and treated accordingly.
Joshua Moses says
Hello Jason,
I also thought likelihood determination was an interesting subject. The control environment that an organization has in place needs to be taken into account to get an accurate likelihood determination. Just to elaborate on the reading, here are some more details about the likelihood determination.
High: The threat source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exploited are ineffective.
Moderate: The threat source is motivated and capable, but controls are in place that may impede successful exploitation of the vulnerability.
Low: The threat source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exploited.
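The likelihood definitions in the posts above, combined with the risk-level actions Joshua lists (corrective measures at once for high, within a reasonable period for moderate, authorizing official decides for low), can be carried through as a small qualitative risk-determination routine. The code below is an added illustration written for this thread, not text or code from NIST SP 800-100 or from any commenter. The likelihood rules implement the High/Moderate/Low descriptions exactly as quoted; the numeric weights (1.0/0.5/0.1 for likelihood, 100/50/10 for impact) and the score thresholds are the risk-level matrix from NIST SP 800-30 (2002), which Chapter 10 draws on, and it is an assumption that this is the matrix a reader wants. The threat/vulnerability pairs are constructed sample input.

```python
"""Qualitative likelihood and risk determination (NIST SP 800-30 style).

Added example for the discussion thread; the pairs below are constructed, not
from any real assessment. Likelihood rules follow the quoted High/Moderate/Low
definitions; numeric weights and thresholds are the SP 800-30 (2002) risk-level
matrix (assumption that this is the matrix the reader wants).
"""
from dataclasses import dataclass

# SP 800-30 (2002) weights: likelihood x impact gives a 1..100 score.
LIKELIHOOD_WEIGHT = {"High": 1.0, "Moderate": 0.5, "Low": 0.1}
IMPACT_WEIGHT = {"High": 100, "Moderate": 50, "Low": 10}

# Actions per risk level, as described in the post above.
ACTION = {
    "High": "corrective measures required; implement as soon as possible",
    "Moderate": "corrective measures required within a reasonable period",
    "Low": "authorizing official decides: correct or accept the risk",
}


@dataclass(frozen=True)
class ThreatVulnPair:
    """One threat-source / vulnerability pairing from steps 2 and 3."""
    name: str
    motivated: bool   # threat source is motivated to exploit this vulnerability
    capable: bool     # threat source is sufficiently capable
    controls: str     # existing controls: "ineffective", "partial" or "effective"
    impact: str       # impact if exploited: "High", "Moderate" or "Low"


def likelihood(pair: ThreatVulnPair) -> str:
    """Apply the qualitative likelihood definitions.

    Low  : source lacks motivation or capability, OR controls prevent/impede.
    High : motivated and capable, and controls are ineffective.
    Moderate: motivated and capable, controls may impede exploitation.
    """
    if pair.controls not in ("ineffective", "partial", "effective"):
        raise ValueError(f"unknown control effectiveness: {pair.controls!r}")
    if not (pair.motivated and pair.capable):
        return "Low"
    if pair.controls == "ineffective":
        return "High"
    if pair.controls == "effective":
        return "Low"
    return "Moderate"


def risk_level(likelihood_rating: str, impact_rating: str) -> str:
    """Risk-level matrix: score >50 is High, >10 is Moderate, otherwise Low."""
    score = LIKELIHOOD_WEIGHT[likelihood_rating] * IMPACT_WEIGHT[impact_rating]
    if score > 50:
        return "High"
    if score > 10:
        return "Moderate"
    return "Low"


def assess(pairs):
    """Return (name, likelihood, impact, risk, action) tuples, highest risk first."""
    order = {"High": 0, "Moderate": 1, "Low": 2}
    rows = []
    for p in pairs:
        lk = likelihood(p)
        rk = risk_level(lk, p.impact)
        rows.append((p.name, lk, p.impact, rk, ACTION[rk]))
    return sorted(rows, key=lambda r: (order[r[3]], order[r[1]], r[0]))


# Constructed sample input (not from any real system).
SAMPLE_PAIRS = [
    ThreatVulnPair("unpatched internet-facing web server, no mitigation",
                   True, True, "ineffective", "High"),
    ThreatVulnPair("internal file share behind MFA and monitoring",
                   True, True, "partial", "Moderate"),
    ThreatVulnPair("backup server, strong controls, data loss if breached",
                   True, True, "effective", "High"),
    ThreatVulnPair("isolated legacy printer VLAN",
                   False, True, "effective", "Low"),
]

if __name__ == "__main__":
    for name, lk, im, rk, act in assess(SAMPLE_PAIRS):
        print(f"{rk:8} likelihood={lk:8} impact={im:8} {name}: {act}")
```

Note the third sample row: a high-impact item with effective controls scores 0.1 x 100 = 10 and lands in the Low band, so the matrix alone would route it to the authorizing official's accept-or-correct decision. That is the situation Jason describes, where a rare but crippling event still has to be categorized and treated deliberately rather than dropped.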
Bryan Garrahan says
After concluding the reading I gained an understanding of how essential steps 1 (system characterization), 2 (threat identification), and 3 (vulnerability identification) are to the risk management process. The procedures performed in steps 4 (risk analysis), 5 (control recommendations), and 6 (results documentation) may not adequately protect the system if an organization does not accurately document and assess its systems at each of the first three steps. Organizational project management teams should utilize strong risk management practices to ensure any new systems or applications meet both the business and security objectives of the organization.
Corey Arana says
10.1.2 Step 2 Threat Identification. There are three common categories of threats. 1: Natural threats such as floods, earthquakes, and avalanches. 2: Human threats, which can be either intentional, such as a terrorist attack, or unintentional, such as dropping coffee onto the server. 3: Environmental threats like a power failure or an oil spill.
Wilmer Monsalve says
In the chapter, a key point that I took from Table 2-1 for ongoing monitoring activities was incident and event statistics as a major direction for simplifying and organizing the focus of a security department. This is because it gives managers valuable insight as to which security policies that are in place are working and which are not working. It allows for a broader visualization with performance trends. Collecting this type of data is crucial to preventing past incidents from re-occurring and to realizing that there are many ways to attack a vulnerability of a system. It also helps support and change security policies across the board as factual evidence.
Alexander William Knoll says
One key point I took away from this article was from section 10.2 Risk Mitigation, specifically Figure 10-4, and the reason for that is a main point I took away from the introduction, which is that “the principal goal of an organization’s risk management process is to protect the organization and its ability to perform its mission, not just its information assets”. It is impossible to completely eliminate risk, so it is essential to have the necessary risk-reducing controls as recommended by NIST SP 800-53. Figure 10-4 is an easy-to-understand flowchart of how the process works: it looks at key factors to determine if a risk is acceptable or unacceptable, in order to determine the necessity of implementing additional controls to mitigate the risk if it is unacceptable.
Mohammed Syed says
As per the NIST standards, information security governance defines the process of establishing and maintaining a framework to support a management structure that assures information security strategies, such as supporting business objectives, being consistent with applicable laws and regulations, and adhering to policies and internal controls. The organization must provide periodic information protection awareness and training to all employees and users regarding company policies.
Information security risk is never eliminated entirely, but it can be minimized with various factors, policies, and components. In this era, the organization requires funding toward the InfoSec investment to provide appropriate security to the organization. Also, a proper plan is required to provide the information security requirements; a plan always gives one an overview of the security requirements to minimize the risk factors. The plan includes contingency planning and a disaster recovery plan, which must be tested regularly to ensure proper business continuity and data recovery.
A proper plan gives an overview of how to minimize risk, and it is useful for avoiding obstacles to business continuity and handling any situation to protect information security. Attacks on system security, networks, and other components have become common for many organizations; proper incident response minimizes the impact on an organization’s business continuity.