The risk assessment guidance is designed to go beyond its first mission of protecting government entities to meet the needs of a variety of organizations, large and small, including financial institutions, healthcare providers, software developers, manufacturing companies, military planners and operators, and law enforcement groups.
NIST said that the top risks for organizations extend not just to critical assets such as data and physical property, but also to reputation and the ability to carry out strategic objectives. Ron Ross, NIST fellow and one of the authors of 'Guide for Conducting Risk Assessments', explained that in some cases these risks extend to the nation as a whole. "With the increasing breadth and depth of cyberattacks on federal information systems and the U.S. critical infrastructure, risk assessments provide important information to guide and inform the selection of appropriate defensive measures so organizations can respond effectively to cyber-related risks," he noted.
In March 2011, NIST released Managing Information Security Risk: Organization, Missions and Information System View, which describes the process for managing information security risk for federal agencies and contractors. That process includes framing risk, assessing risk, responding to risk and monitoring risk over time.
The new publication focuses exclusively on risk assessment – the second step in the information security risk management process. The guidance covers the four elements of a classic risk assessment: threats, vulnerabilities, impact to missions and business operations, and the likelihood that a threat will exploit vulnerabilities in information systems and their physical environment to cause harm or adverse consequences.
"As the size and complexity of our collective IT infrastructure grows, we cannot protect everything we own or manage to the highest degree," said Ross. "Risk assessments show us where we are most at risk. It provides a way to decide where managers should focus their attention."
The new guide rounds out the original series of five key computer security documents envisioned by the Joint Task Force – a partnership of NIST, the Department of Defense, the Office of the Director of National Intelligence and the Committee on National Security Systems – to create a unified information security framework for the federal government.