Training TR3 – Conducting Risk Assessments NIST SP 800-30, Revision 1

Kelley Dempsey, National Institute of Standards and Technology

Wednesday, 15:30-17:00 & Thursday, 10:30-12:00

NIST Special Publication 800-30 is undergoing a transition from a risk management document to a risk assessment guideline. While the traditional factors considered in performing an assessment will not change, application of the determinations will now inform and pass through all three tiers of the new 3-tier risk model introduced in Special Publication 800-39. This session will cover the assessment itself, additional considerations relevant to performing assessments, and the importance of maintaining the currency of the assessment results in support of continuous monitoring.

Prerequisites

None

About the Instructor

Kelley Dempsey began her career in IT in 1986 as an electronics technician repairing PCs and printers before moving on to system administration and network management in the early 90s. While with the Department of the Navy in 1999, she began focusing on information system security by training for and then conducting a large-scale DITSCAP certification and accreditation from start to finish. In 2001, Kelley joined the NIST operational Information Security team, managing the NIST information system certification and accreditation program through September 2008. Kelley joined the NIST Computer Security Division FISMA team in October 2008; she has co-authored NIST SP 800-128 (Security-Focused Configuration Management) and NIST SP 800-137 (Information Security Continuous Monitoring) and was also a major contributor to NIST SPs 800-53 Rev 3, 800-37 Rev 1, 800-53A Rev 1, and 800-39. Kelley completed a B.S. degree in Management of Technical Operations from Embry-Riddle Aeronautical University, graduating cum laude in December 2003, and earned a CISSP certification in June 2004.