TR3: Risk Assessment using NIST SP 800-30 and SP 800-39

Risk Assessments are an essential tool for organizations to employ as part of a comprehensive risk management program. The risk assessment guidance includes in-depth information on a wide variety of risk factors essential to determining information security risk (e.g., threat sources and events, vulnerabilities and predisposing conditions, impact, and likelihood of threat occurrence). A three-step process is described including key activities to prepare for risk assessments, activities to successfully conduct risk assessments, and approaches to maintain the currency of assessment results. Guidance also describes how to apply the process at the three tiers in the risk management hierarchy – the organization level, mission/business process level, and information system level.  The objectives of risk assessment are to:

• Determine the most appropriate risk responses to ongoing cyber attacks or threats from man-made or natural disasters;
• Guide investment strategies and decisions for the most effective cyber defenses to help protect organizational operations (including missions, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and
• Maintain ongoing situational awareness with regard to the security state of organizational information systems and the environments in which the systems operate.