Training TR1 – Risk Management: An Organizational Perspective

Patricia Toth, National Institute of Standards and Technology

Wednesday, December 9th, 10:30-12:00 & 13:30-15:00

Successful organization-wide risk management programs build information security into the culture and infrastructure of the organization. This requires the implementation of a carefully coordinated set of activities to ensure that fundamental requirements for information security are addressed within the mainstream management and operational processes employed by an organization.

The Risk Management Framework, supported by NIST's 800 series special publications, provides a structured, yet flexible approach for managing risk resulting from the incorporation of information systems into the mission and business processes of an organization.

The goal of this session is to provide people new to risk management with an overview of a methodology for managing organizational risk — the Risk Management Framework (RMF). The RMF was developed by NIST to help organizations manage the risks of operating information systems more easily, efficiently and effectively.

This session describes at a high level the importance of establishing an organization-wide risk management program, the information security legislation related to organizational risk management, the steps in the RMF, key roles, and the NIST publications related to each step.

Prerequisites

None. This session is targeted at a beginner to intermediate audience.

About the Instructor

Patricia Toth is a Computer Scientist in the Computer Security Division at the National Institute of Standards and Technology. She graduated from the State University of New York Maritime College with a bachelor's degree in Computer Science and Math. Pat served on active duty with the U.S. Navy at the Naval Security Group Activity, Fort Meade, Maryland. Pat has worked on numerous documents and projects during her 18 years at NIST, including the Common Criteria and the Common Criteria Evaluation Program, and has served as Program Chair for the National Computer Security Conference. Most recently she has worked with the FISMA team to produce the family of FISMA documents, and has produced a series of Quick Start Guides covering the Risk Management Framework.