1) What is the purpose of NIST Special Publication 800-30?
The purpose of NIST 800-30 is to facilitate the risk management process. The NIST 800-30 is a guide that assists entities in making better decisions about vulnerabilities to their IT systems.
2) What is the principal goal of an organization’s risk management process?
The principal goal of an organization’s risk management process according to NIST 800-30, “is to enable the organization to accomplish its missions” (NIST, 2002). Page 2, section 1.3 of NIST 800-30 recommends three practices of risk management to achieve company missions.
* Better securing the IT systems that store, process, or transmit organizational information
* Enabling management to make well-informed risk management decisions to justify the expenditures that are part of an IT budget
* Assisting management in authorizing (or accrediting) the IT systems on the basis of the supporting documentation resulting from the performance of risk management
3) According to NIST, what three processes compose risk management?
* Risk assessment
* Risk mitigation
* Evaluation assessment
4) How does risk management relate to the System Development Life Cycle (SDLC)?
The relationship between the SDLC and the risk management process is one of continuous, uninterrupted cooperation. “Effective risk management must be totally integrated into the SDLC” (2002, p.4). In addition, according to figure 2-1, each phase of the SDLC (initiation, development or acquisition, implementation, operation or maintenance, and disposal) should address risk management. Each phase of the SDLC has its own supporting risk management activities.
5) NIST 800-30 defines seven Information Assurance “key roles”. Name and briefly describe each of them.
Senior Management – These are the people responsible for making sure the organization meets its goals. They make sure that the project has the necessary resources and that the resources are properly utilized. Senior management is also responsible for evaluating and incorporating results from risk assessment practices.
Chief Information Officer (CIO) – The CIO is the person who takes all of the input and results from the risk assessment processes and is responsible for planning, budgeting, executing and the performance of the project.
System and Information Owners – This is the group who is obligated to target the integrity, confidentiality, and availability of the project's systems and data.
Business and Functional Managers – These managers are fundamentally responsible for the “operations and IT procurement processes” (2002, p.6). Business managers have the authority to make “trade-off” decisions that are imperative to the goals of the project.
ISSO – This manager is responsible for executing the “organization’s security programs, including risk management” (2002, p.6). These professionals are the direct and main support of senior management and executive management. They lead the project in terms of identifying, evaluating, and mitigating risks to their IT systems.
IT Security Practitioners – These are the people who actually perform the major systems jobs, including: “network, system, application, and database administrators; computer specialists; security analysts; security consultants” (2002, p.6).
Security Awareness Trainers (Security/Subject Matter Professionals) – This group of individuals is responsible for providing security awareness training to the IT systems user population.
6) How does NIST 800-30 define risk?
According to NIST 800-30, “Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence” (2002, p.2). More specifically, “Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization” (2002, p.8).
7) How does NIST 800-30 define a threat?
NIST 800-30 defines a threat as, “the potential for a particular threat-source to successfully exercise a particular vulnerability” (2002, p.12).
8) How is a threat source defined? Name three common threat sources.
A threat source is, “any circumstance or event with the potential to cause harm to an IT system” (2002, p.13). Three common threat sources include:
* Natural threats – hurricanes, tornadoes, earthquakes, floods, wild fires
* Human threats – intentional and non-intentional acts (e.g., typo, spilled coffee, humidity and HVAC issues, hacking)
* Environmental threats – power loss and pollution
9) How does NIST 800-30 define vulnerability?
NIST 800-30 defines a vulnerability as, “A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy” (2002, p.15).
10) According to NIST, whose responsibility is IT Security? (technical or management)
IT security is the responsibility of nearly every major functional department in an organization. Mainly, IT security responsibility lies with management, operational, and technical areas within an organization.
11) What is a security control?
A security control is a mechanism that is put in place to mitigate risk. Security controls can be broken into two categories: technical controls and nontechnical controls.
12) Define: technical controls, management controls, and operational controls.
Technical controls consist of, “safeguards that are incorporated into computer hardware, software, or firmware (e.g., access control mechanisms, identification and authentication mechanisms, encryption methods, intrusion detection software)” (2002, p.20). Nontechnical controls, “are management and operational controls, such as security policies; operational procedures; and personnel, physical, and environmental security” (2002, p.20). “Management security controls, in conjunction with technical and operational controls, are implemented to manage and reduce the risk of loss and to protect an organization’s mission. Management controls focus on the stipulation of information protection policy, guidelines, and standards, which are carried out through operational procedures to fulfill the organization’s goals and missions” (2002, p.35). Operational controls are, “a set of controls and guidelines to ensure that security procedures governing the use of the organization’s IT assets and resources are properly enforced and implemented in accordance with the organization’s goals and mission” (2002, p.36).
13) How should the adverse impact of a security event be described?
“The adverse impact of a security event can be described in terms of loss or degradation of any, or a combination of any, of the following three security goals: integrity, availability, and confidentiality” (2002, p.22).
14) Describe the difference between quantitative and qualitative assessment?
The difference between a quantitative and a qualitative assessment is the difference between quality and cost. Qualitative assessments focus more on immediate vulnerabilities and risks. A quantitative assessment approach focuses more on the monetary impact of controls.
15) Name and describe six risk mitigation options.
According to section 4.1, pg. 27, six risk mitigation options include:
Risk Assumption - to accept the potential risk and continue operating the IT system or to implement controls to lower the risk to an acceptable level
Risk Avoidance - to avoid the risk by eliminating the risk cause and/or consequence (e.g., forgo certain functions of the system or shut down the system when risks are identified)
Risk Limitation - to limit the risk by implementing controls that minimize the adverse impact of a threat’s exercising a vulnerability (e.g., use of supporting, preventive, detective controls)
Risk Planning - to manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls
Research and Acknowledgment - to lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability
Risk Transference - to transfer the risk by using other options to compensate for the loss, such as purchasing insurance.
16) What is residual risk?
Residual risk is simply the risk that remains after the implementation of a new IT system, taking into consideration the risk management process. Since it is virtually impossible to eliminate all risk, risk is forever present, and the risk left over after new controls have taken effect is considered residual.
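As an added example (not from the NIST document or this page), the risk determination of Q6 carried through to the residual risk of Q16: the likelihood weights, impact magnitudes and Low/Medium/High bands follow the risk-level matrix in Table 3-6 of SP 800-30 (2002), while the sample register, the `lower` helper and the number of bands a control is assumed to remove are constructed assumptions.

```python
from typing import NamedTuple

# Table 3-6 of SP 800-30 (2002): likelihood weights, impact magnitudes, risk bands.
LEVELS = ("Low", "Medium", "High")
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}


class RiskItem(NamedTuple):
    threat_source: str   # Q8: natural, human or environmental threat-source
    vulnerability: str   # Q9: flaw or weakness that the threat-source could exercise
    likelihood: str      # rating of the threat-source exercising the vulnerability
    impact: str          # rating of the resulting impact on the organization


def risk_score(likelihood: str, impact: str) -> float:
    """Q6: risk is a function of likelihood and impact (Table 3-6 product)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """SP 800-30 risk scale: High >50, Medium >10 to 50, Low 1 to 10."""
    return "High" if score > 50 else "Medium" if score > 10 else "Low"


def lower(level: str, steps: int) -> str:
    """Constructed helper: move a rating down `steps` bands, never below Low."""
    return LEVELS[max(0, LEVELS.index(level) - steps)]


def residual_risk(item: RiskItem, option: str, likelihood_steps=0, impact_steps=0):
    """Q15/Q16: apply one mitigation option and return (treated item, residual score).
    The step counts are assumptions about how far the chosen controls reduce the
    ratings (Risk Limitation lowers likelihood and/or impact, Risk Transference
    such as insurance lowers impact); Risk Assumption changes nothing."""
    if option == "Risk Assumption":
        likelihood_steps = impact_steps = 0
    treated = item._replace(likelihood=lower(item.likelihood, likelihood_steps),
                            impact=lower(item.impact, impact_steps))
    return treated, risk_score(treated.likelihood, treated.impact)


def prioritize(items):
    """Rank threat/vulnerability pairs by inherent risk, highest first."""
    return sorted(items, key=lambda i: risk_score(i.likelihood, i.impact), reverse=True)


# Constructed sample register using the three threat-source kinds from Q8.
REGISTER = [
    RiskItem("Hacker (human)", "Unpatched web server", "High", "High"),
    RiskItem("Hurricane (natural)", "Single data center", "Low", "High"),
    RiskItem("Employee (human)", "Coffee near workstation", "Medium", "Low"),
    RiskItem("Power loss (environmental)", "No UPS on file server", "Medium", "Medium"),
]
```

Ranking the register gives 100 (High), 25 (Medium), 10 (Low), 5 (Low); treating the first pair with Risk Limitation controls assumed to drop both ratings one band leaves a residual score of 25 (Medium), which is what remains for management to accept or mitigate further.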
References: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
Google Group: http://itec5321fall09.googlegroups.com/web/02_classProject_NIST_800-30_Q%26A.pdf?gda=-6J3kFgAAADGz-IK4zHXi8PRhPCSPfCHRz6XUti8QGzduyUGse7EAGwUKRPiCTMMLq-0mwsOmVRd9roYZOCyGdt0OSpDR2YapsMJpo2PJSxJJuRrHXFqXxo1YHcDYvgcK1MwRk9oTs4&gsc=Wok62gsAAAB3XudsBUvSc6wDEDB1_5CO&hl=en