TR3: Risk Assessment using NIST SP 800-30 and SP 800-39
Thursday, 6 December 2012
13:30 - 15:00
Risk Assessments are an essential tool for organizations to employ as part of a comprehensive risk management program. The risk assessment guidance includes in-depth information on a wide variety of risk factors essential to determining information security risk (e.g., threat sources and events, vulnerabilities and predisposing conditions, impact, and likelihood of threat occurrence). A three-step process is described including key activities to prepare for risk assessments, activities to successfully conduct risk assessments, and approaches to maintain the currency of assessment results. Guidance also describes how to apply the process at the three tiers in the risk management hierarchy – the organization level, mission/business process level, and information system level. The objectives of risk assessment are to:
- Determine the most appropriate risk responses to ongoing cyber attacks or threats from man-made or natural disasters;
- Guide investment strategies and decisions for the most effective cyber defenses to help protect organizational operations (including missions, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and
- Maintain ongoing situational awareness with regard to the security state of organizational information systems and the environments in which the systems operate.
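The factor model described above (threat source, threat event, vulnerabilities and predisposing conditions, likelihood, impact) can be made concrete as a small risk register. The following is an added example for this listing, not material from the tutorial or from NIST; it encodes the qualitative five-level scale and the two combination tables of SP 800-30 Rev. 1 (overall likelihood from Table G-5, level of risk from Table I-2) as transcribed by the editor, so verify the cell values against the published appendices before relying on them. The sample threat events, the "risk tolerance" threshold and the `maintain` helper are constructed for illustration.

```python
"""Semi-quantitative risk scoring in the style of NIST SP 800-30 Rev. 1.

Added example: the lookup tables are the editor's transcription of the
SP 800-30 Rev. 1 appendix scales (an assumption to verify); the events
are constructed sample data, not an assessment of any real system.
"""
from dataclasses import dataclass, replace

# Qualitative scale used throughout the SP 800-30 Rev. 1 appendices.
SCALE = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Assumption: Table G-5, overall likelihood. Row = likelihood of threat event
# initiation/occurrence; column index = likelihood that the event results in
# adverse impact, in SCALE order.
OVERALL_LIKELIHOOD = {
    "Very High": ["Low", "Moderate", "High", "Very High", "Very High"],
    "High":      ["Low", "Moderate", "Moderate", "High", "Very High"],
    "Moderate":  ["Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Moderate", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Low", "Low", "Low"],
}

# Assumption: Table I-2, level of risk. Row = overall likelihood; column
# index = impact level, in SCALE order.
RISK_LEVEL = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


@dataclass(frozen=True)
class ThreatEvent:
    """One row of the risk register, decomposed into the SP 800-30 risk factors."""
    name: str
    threat_source: str            # adversarial, accidental, structural or environmental
    vulnerabilities: tuple        # constructed identifiers, illustrative only
    predisposing_conditions: tuple
    likelihood_occurrence: str    # likelihood the event is initiated / occurs
    likelihood_adverse_impact: str  # likelihood it results in adverse impact
    impact: str                   # impact level if it does
    tier: str = "information system"  # organization / mission-business process / information system


def _level(value):
    if value not in SCALE:
        raise ValueError(f"not a SP 800-30 scale value: {value!r}")
    return value


def overall_likelihood(occurrence, adverse_impact):
    return OVERALL_LIKELIHOOD[_level(occurrence)][SCALE.index(_level(adverse_impact))]


def risk_level(likelihood, impact):
    return RISK_LEVEL[_level(likelihood)][SCALE.index(_level(impact))]


def assess(event):
    """Conduct step: derive overall likelihood and risk for one threat event."""
    lik = overall_likelihood(event.likelihood_occurrence, event.likelihood_adverse_impact)
    return {"event": event.name, "tier": event.tier, "likelihood": lik,
            "impact": event.impact, "risk": risk_level(lik, event.impact)}


def prioritize(events, tolerance="Moderate"):
    """Return events whose risk meets or exceeds the (assumed) organizational
    risk tolerance, highest risk first, to drive risk response decisions."""
    floor = SCALE.index(_level(tolerance))
    above = [r for r in map(assess, events) if SCALE.index(r["risk"]) >= floor]
    return sorted(above, key=lambda r: SCALE.index(r["risk"]), reverse=True)


def maintain(event, **changed_factors):
    """Maintain step: record a changed risk factor (e.g. a vulnerability was
    patched, so occurrence likelihood dropped) and return the updated event."""
    return replace(event, **changed_factors)


# Constructed sample register: two adversarial events and one environmental one.
SAMPLE_EVENTS = [
    ThreatEvent("Credential phishing of administrators", "external adversary",
                ("no phishing-resistant MFA",), ("remote admin access",),
                "High", "Moderate", "High"),
    ThreatEvent("Exploitation of unpatched web application", "external adversary",
                ("known unpatched flaw",), ("internet-facing",),
                "Very High", "High", "High"),
    ThreatEvent("Data centre flooding", "environmental",
                (), ("site on flood plain",),
                "Low", "High", "Very High", tier="organization"),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_EVENTS, tolerance="Moderate"):
        print(f'{row["risk"]:>9}  {row["likelihood"]:>9} x {row["impact"]:<9}  {row["event"]}')
    patched = maintain(SAMPLE_EVENTS[1], likelihood_occurrence="Low")
    print("after patching:", assess(patched)["risk"])
```

Running it prints the register ordered by risk level and then shows the web-application event dropping from High to Moderate once the patch lowers its occurrence likelihood, which is the kind of factor change the maintain step is meant to catch. The `tier` field is only carried along here; a real assessment would roll information-system results up through the mission/business process and organization tiers rather than treating them as one flat list.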
Dr. Marshall D. Abrams is a Principal Scientist at MITRE, McLean. He holds two patents and has taught cyber security courses on six continents. He received the BSEE from Carnegie Institute of Technology and the MSEE and Ph.D. from the University of Pittsburgh. While at the (then) National Bureau of Standards he received the Department of Commerce Silver Medal Award, and he received two awards from the Federal Aviation Administration for contributions to its Information Systems Security Program. He continues to contribute to NIST standards and guidelines concerning cyber security and to FAA cyber security.