Information Systems Risk Assessment Framework (ISRAF)
(Addendum to NIST 800-39 information systems risk management and revision of NIST SP 800-30)

Prepared by S. Periyakaruppan (PK)
Need of Addendum/Revision?
Should it get transformed? Why?
Does it need a Model/Framework?
Assessing risk – What & Why
Assessing risks – When
Risk framing model?
The Model/Framework

[Figure: Frame (CONTEXT) spanning Tier 1, Tier 2 and Tier 3]

The framework addresses the comprehensive risk management function in a hierarchical approach and leverages a context-centric approach.
The Focus

Assess | Respond | Monitor

• Risk Assessment is a key element of risk management
• Risk Assessment process in a modular approach
• Preparation checklist
• Activity checklist
• Protocol to maintain appropriate results of risk assessments
• Method of communicating risk results across the organization
Strategy/Approach
Risk – Key concepts
Risk – Key factors
Assessing Risk – High Level Process

Step 1 → Step 2 → Step 3 → Step 4
Prepare for Assessment
Conducting Assessment

Step 1 – Identify threat sources and events: intent, target, capability; capability of adversaries; range of effects
Step 2 – Identify vulnerabilities and pre-disposing conditions: effect of existing controls; intentional/accidental flaw or weakness in system/process
Step 3 – Determine likelihood of occurrence: depends on the degree of Step 1 and the effect of Step 2
Step 4 – Determine magnitude of impact: result of BIA; depends on effective BCP/DR; MTTR/MTBF; RTO/RPO
Step 5 – Determine risk
Method of Risk Analysis

Threat oriented
• Identify threat source and event
• Develop threat scenario and model
• Identify vulnerabilities in the context of threats

Vulnerability oriented
• Identify pre-disposing conditions
• Identify exploitable vulnerabilities
• Identify threats related to the known/open vulnerabilities

Asset/Impact oriented
• Identify mission/business critical assets
• Analyze the consequences of the adversarial threat event
• Identify vulnerabilities to the threat events/scenarios of critical assets with severe adverse impact
Method of Risk Assessments

Qualitative
• Objective oriented assessment
• Uses non-numerical values to define risk factors
• Likelihood and impact with a definite value based on individual expertise

Quantitative
• Subjective oriented approach
• Uses numerical values to define risk factors
• Likelihood and impact with a definite number based on the history of events

Semi-Quantitative
• Contextual analysis and result oriented approach
• Uses bin values (numerical ranges) with a unique meaning and context
• Likelihood and impact derived from a range of numerical values with a degree of unique context
Sample Assessment Scale

[Table: Qualitative / Quantitative / Semi-Quantitative scale columns; the cell values did not survive extraction]

Caution: The assessment scales and their descriptive meanings vary from organization to organization, and within an organization at its discretion according to its culture, policies and guidelines.
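The five assessment steps above scored on a semi-quantitative scale of the kind the Sample Assessment Scale slide refers to, as an added example that is not part of the original deck; the bin boundaries, the weights inside `likelihood` and `impact`, and the risk matrix are constructed assumptions, not values taken from NIST SP 800-30.

```python
"""Semi-quantitative risk determination for the five assessment steps on
the slides: threat event (1), vulnerability and existing controls (2),
likelihood (3), impact from BIA/BCP/DR (4) and risk (5).  Every scale bin,
weight and matrix cell here is a constructed assumption for illustration."""
from dataclasses import dataclass

# Constructed semi-quantitative scale: (level, upper bound of its 0-100 bin).
SCALE = [("Very Low", 4), ("Low", 20), ("Moderate", 79), ("High", 95), ("Very High", 100)]
RANK = {level: i for i, (level, _) in enumerate(SCALE)}

# Constructed risk matrix: rows = likelihood level, columns = impact level,
# both ordered Very Low .. Very High; the cell is the resulting risk level.
RISK_MATRIX = [
    ["Very Low", "Very Low", "Very Low", "Low", "Low"],
    ["Very Low", "Low", "Low", "Low", "Moderate"],
    ["Very Low", "Low", "Moderate", "Moderate", "High"],
    ["Very Low", "Low", "Moderate", "High", "Very High"],
    ["Very Low", "Low", "Moderate", "High", "Very High"],
]

def to_level(score: float) -> str:
    """Map a 0-100 score to the bin that gives it its qualitative meaning."""
    if not 0 <= score <= 100:
        raise ValueError(f"score outside 0-100: {score}")
    return next(level for level, upper in SCALE if score <= upper)

@dataclass
class ThreatEvent:  # Step 1: threat source and event
    name: str
    intent: float      # 0-100, adversary intent
    targeting: float   # 0-100, how specifically this asset is targeted
    capability: float  # 0-100, adversary capability

@dataclass
class Vulnerability:  # Step 2: flaw/weakness and pre-disposing conditions
    severity: float               # 0-100, severity of the weakness if exploited
    control_effectiveness: float  # 0-100, exploitability removed by existing controls

@dataclass
class ImpactProfile:  # Step 4 inputs: BIA result and BCP/DR objectives
    bia_impact: float  # 0-100, impact rated by the business impact analysis
    rto_hours: float   # recovery time objective
    mttr_hours: float  # observed mean time to recover

def likelihood(t: ThreatEvent, v: Vulnerability) -> float:
    """Step 3: depends on the degree of Step 1 and the effect of Step 2.
    Initiation likelihood (mean of the threat attributes) is scaled by the
    exploitability left after existing controls; the result is on 0-100."""
    initiation = (t.intent + t.targeting + t.capability) / 3
    residual_exploitability = v.severity * (1 - v.control_effectiveness / 100)
    return round(initiation * residual_exploitability / 100, 1)

def impact(p: ImpactProfile) -> float:
    """Step 4: the BIA impact is reduced only when BCP/DR really meets the RTO
    (observed MTTR within RTO).  The 50% reduction is a constructed weight."""
    if p.mttr_hours <= p.rto_hours:
        return round(p.bia_impact * 0.5, 1)
    return p.bia_impact

def risk_level(like: float, imp: float) -> str:
    """Step 5: look up the likelihood and impact levels in the risk matrix."""
    return RISK_MATRIX[RANK[to_level(like)]][RANK[to_level(imp)]]

def assess(t: ThreatEvent, v: Vulnerability, p: ImpactProfile) -> dict:
    """Run Steps 3-5 and keep the bin labels that the report will communicate."""
    like, imp = likelihood(t, v), impact(p)
    return {"threat": t.name, "likelihood": like, "likelihood_level": to_level(like),
            "impact": imp, "impact_level": to_level(imp), "risk": risk_level(like, imp)}

if __name__ == "__main__":
    # Constructed scenario: phishing against finance staff, partial controls,
    # and a DR capability whose observed MTTR (12 h) misses the 4 h RTO.
    threat = ThreatEvent("credential phishing against finance staff", 90, 70, 80)
    weak = Vulnerability(severity=75, control_effectiveness=40)
    dr_missed = ImpactProfile(bia_impact=90, rto_hours=4, mttr_hours=12)
    print(assess(threat, weak, dr_missed))   # risk: Moderate
    # Same threat after stronger controls and a DR plan that meets its RTO.
    hardened = Vulnerability(severity=75, control_effectiveness=80)
    dr_met = ImpactProfile(bia_impact=90, rto_hours=4, mttr_hours=2)
    print(assess(threat, hardened, dr_met))  # risk: Low
```

The second scenario shows the two levers the slides call out: the effect of existing controls on likelihood and the effect of a BCP/DR that actually meets its RTO on impact.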
Communicate Result

Determine the appropriate method of communication
• Format defined by the organization
• Executive briefings
• Presenting illustrative risk figures
• Risk assessment dashboards
• Outline the organization's prioritized risks

Communicate to the designated organizational stakeholders
• Identify the appropriate authority
• Ensure the right information reaches the right person at the right time
• Present contextual information in accordance with the risk strategy

Furnish evidence to comply with organizational policies & guidelines
• Capture appropriate analysis data to support the result
• Include applicable supporting documents to convey the degree of the results
• Identify and document the source of internal and external information
Maintain Risk Posture

Identify key risk factors
• Monitor the key risk factors
• Document the variations
• Re-define the key risk factors

Define frequency of revisit
• Track the risk response as required
• Initiate the assessment when needed
• Communicate the results to organizational entities

Reconfirm the scope and assumptions
• Get the concurrence of scope and assumptions from appropriate authorities
• Document the plan of action with respect to the risk response
Applications of Risk Assessment

• Information risk strategy decisions
• Contribute to EA design decisions
• IS policy/program/guidance decisions
• Common control/security standards decisions
• Help risk response – Avoid/Accept/Mitigate/Transfer
• Investment decisions – ROSI (Return on Security Investment) / VAR (Value at Risk) / ALE (Annual Loss Expectancy)

• Support EA (Enterprise Architecture) integration into SA
• Assist in business/function information continuity decisions
• Assist in business process resiliency requirements

• Contribute to IS systems design decisions
• Support vendor/product decisions
• Support on-going system operations authorizations
Risk Assessment in RMF Life Cycle

[Figure: six-step RMF cycle, steps 1 through 6]
Organizational cultural effects on risk assessment

NIST 800 30 revision Sep 2012
