NIST wants public input on risk assessment guidance for federal systems

The update – 'Guide for Conducting Risk Assessments' – focuses exclusively on risk assessment, as opposed to the broader focus of the original publication on risk management. Overall guidance for risk management is discussed in 'Managing Information Security Risk: Organization, Mission, and Information System View'.

NIST explained that risk assessments help organizations determine the most appropriate responses to cyber attacks or threats stemming from disasters; guide investment strategies and decisions for the most effective cyber defenses to help protect organizational operations, assets, individuals, and other organizations; and maintain situational awareness of the security of an organization's information systems and the environments in which those systems operate.

"Risk assessments can help federal agencies effectively evaluate the current threat, organizational and information system vulnerabilities, potential adverse impacts to core missions and business operations – using the results to determine appropriate risk responses", said NIST Fellow Ron Ross.

The risk assessment guidance has been expanded to include more information on risk factors for determining information security risk, such as threat sources and events, vulnerabilities and predisposing conditions, impact, and likelihood of threat occurrence. The publication describes a three-step process to help organizations prepare for risk assessments, conduct risk assessments, and keep assessment results up to date.

Public comments are due Nov. 4 and can be sent to