Risk Management Guide For Information Technology


NIST Special Publication 800-30

Risk Management Guide for Information Technology Systems

Recommendations of the National Institute of Standards and Technology

Gary Stoneburner, Alice Goguen[1], and Alexis Feringa[1]

COMPUTER SECURITY

Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930

[1] Booz Allen Hamilton Inc.
3190 Fairview Park Drive
Falls Church, VA 22042

July 2002

U.S. DEPARTMENT OF COMMERCE
Donald L. Evans, Secretary

TECHNOLOGY ADMINISTRATION
Phillip J. Bond, Under Secretary for Technology

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Arden L. Bement, Jr., Director

SP 800-30 Page ii

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof-of-concept implementations, and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in federal computer systems. The Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.

National Institute of Standards and Technology Special Publication 800-30
Natl. Inst. Stand. Technol. Spec. Publ. 800-30, 54 pages (July 2002)
CODEN: NSPUE2

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

Acknowledgements

The authors, Gary Stoneburner from NIST and Alice Goguen and Alexis Feringa from Booz Allen Hamilton, wish to express their thanks to their colleagues at both organizations who reviewed drafts of this document. In particular, Timothy Grance, Marianne Swanson, and Joan Hash from NIST and Debra L. Banning, Jeffrey Confer, Randall K. Ewell, and Waseem Mamlouk from Booz Allen provided valuable insights that contributed substantially to the technical content of this document. Moreover, we gratefully acknowledge and appreciate the many comments from the public and private sectors whose thoughtful and constructive comments improved the quality and utility of this publication.

TABLE OF CONTENTS

1. INTRODUCTION
   1.1 AUTHORITY
   1.2 PURPOSE
   1.3 OBJECTIVE
   1.4 TARGET AUDIENCE
   1.5 RELATED REFERENCES
   1.6 GUIDE STRUCTURE

2. RISK MANAGEMENT OVERVIEW
   2.1 IMPORTANCE OF RISK MANAGEMENT
   2.2 INTEGRATION OF RISK MANAGEMENT INTO SDLC
   2.3 KEY ROLES

3. RISK ASSESSMENT
   3.1 STEP 1: SYSTEM CHARACTERIZATION
       3.1.1 System-Related Information
       3.1.2 Information-Gathering Techniques
   3.2 STEP 2: THREAT IDENTIFICATION
       3.2.1 Threat-Source Identification
       3.2.2 Motivation and Threat Actions
   3.3 STEP 3: VULNERABILITY IDENTIFICATION
       3.3.1 Vulnerability Sources
       3.3.2 System Security Testing
       3.3.3 Development of Security Requirements Checklist
   3.4 STEP 4: CONTROL ANALYSIS
       3.4.1 Control Methods
       3.4.2 Control Categories
       3.4.3 Control Analysis Technique
   3.5 STEP 5: LIKELIHOOD DETERMINATION
   3.6 STEP 6: IMPACT ANALYSIS
   3.7 STEP 7: RISK DETERMINATION
       3.7.1 Risk-Level Matrix
       3.7.2 Description of Risk Level
   3.8 STEP 8: CONTROL RECOMMENDATIONS
   3.9 STEP 9: RESULTS DOCUMENTATION

4. RISK MITIGATION
   4.1 RISK MITIGATION OPTIONS
   4.2 RISK MITIGATION STRATEGY
   4.3 APPROACH FOR CONTROL IMPLEMENTATION
   4.4 CONTROL CATEGORIES
       4.4.1 Technical Security Controls
       4.4.2 Management Security Controls
       4.4.3 Operational Security Controls
   4.5 COST-BENEFIT ANALYSIS
   4.6 RESIDUAL RISK

5. EVALUATION AND ASSESSMENT
   5.1 GOOD SECURITY PRACTICE
   5.2 KEYS FOR SUCCESS

Appendix A—Sample Interview Questions
Appendix B—Sample Risk Assessment Report Outline
Appendix C—Sample Implementation Safeguard Plan Summary Table
Appendix D—Acronyms
Appendix E—Glossary
Appendix F—References

LIST OF FIGURES

Figure 3-1 Risk Assessment Methodology Flowchart
Figure 4-1 Risk Mitigation Action Points
Figure 4-2 Risk Mitigation Methodology Flowchart
Figure 4-3 Technical Security Controls
Figure 4-4 Control Implementation and Residual Risk

LIST OF TABLES

Table 2-1 Integration of Risk Management to the SDLC
Table 3-1 Human Threats: Threat-Source, Motivation, and Threat Actions
Table 3-2 Vulnerability/Threat Pairs
Table 3-3 Security Criteria
Table 3-4 Likelihood Definitions
Table 3-5 Magnitude of Impact Definitions
Table 3-6 Risk-Level Matrix
Table 3-7 Risk Scale and Necessary Actions

1. INTRODUCTION

Every organization has a mission. In this digital era, as organizations use automated information technology (IT) systems[1] to process their information for better support of their missions, risk management plays a critical role in protecting an organization’s information assets, and therefore its mission, from IT-related risk.

An effective risk management process is an important component of a successful IT security program. The principal goal of an organization’s risk management process should be to protect the organization and its ability to perform its mission, not just its IT assets. Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the organization.

1.1 AUTHORITY

This document has been developed by NIST in furtherance of its statutory responsibilities under the Computer Security Act of 1987 and the Information Technology Management Reform Act of 1996 (specifically 15 United States Code (U.S.C.) 278 g-3 (a)(5)). This is not a guideline within the meaning of 15 U.S.C. 278 g-3 (a)(3).

These guidelines are for use by Federal organizations which process sensitive information. They are consistent with the requirements of OMB Circular A-130, Appendix III.

The guidelines herein are not mandatory and binding standards. This document may be used by non-governmental organizations on a voluntary basis. It is not subject to copyright.

Nothing in this document should be taken to contradict standards and guidelines made mandatory and binding upon Federal agencies by the Secretary of Commerce under his statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, the Director of the Office of Management and Budget, or any other Federal official.

1.2 PURPOSE

Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. This guide provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems. The ultimate goal is to help organizations to better manage IT-related mission risks.

[1] The term “IT system” refers to a general support system (e.g., mainframe computer, mid-range computer, local area network, agencywide backbone) or a major application that can run on a general support system and whose use of information resources satisfies a specific set of user requirements.

In addition, this guide provides information on the selection of cost-effective security controls.[2] These controls can be used to mitigate risk for the better protection of mission-critical information and the IT systems that process, store, and carry this information.

Organizations may choose to expand or abbreviate the comprehensive processes and steps suggested in this guide and tailor them to their environment in managing IT-related mission risks.

1.3 OBJECTIVE

The objective of performing risk management is to enable the organization to accomplish its mission(s) (1) by better securing the IT systems that store, process, or transmit organizational information; (2) by enabling management to make well-informed risk management decisions to justify the expenditures that are part of an IT budget; and (3) by assisting management in authorizing (or accrediting) the IT systems[3] on the basis of the supporting documentation resulting from the performance of risk management.

1.4 TARGET AUDIENCE

This guide provides a common foundation for experienced and inexperienced, technical, and non-technical personnel who support or use the risk management process for their IT systems. These personnel include:

• Senior management, the mission owners, who make decisions about the IT security budget
• Federal Chief Information Officers, who ensure the implementation of risk management for agency IT systems and the security provided for these IT systems
• The Designated Approving Authority (DAA), who is responsible for the final decision on whether to allow operation of an IT system
• The IT security program manager, who implements the security program
• Information system security officers (ISSO), who are responsible for IT security
• IT system owners of system software and/or hardware used to support IT functions
• Information owners of data stored, processed, and transmitted by the IT systems
• Business or functional managers, who are responsible for the IT procurement process
• Technical support personnel (e.g., network, system, application, and database administrators; computer specialists; data security analysts), who manage and administer security for the IT systems
• IT system and application programmers, who develop and maintain code that could affect system and data integrity

[2] The terms “safeguards” and “controls” refer to risk-reducing measures; these terms are used interchangeably in this guidance document.

[3] Office of Management and Budget’s November 2000 Circular A-130, the Computer Security Act of 1987, and the Government Information Security Reform Act of October 2000 require that an IT system be authorized prior to operation and reauthorized at least every 3 years thereafter.

• IT quality assurance personnel, who test and ensure the integrity of the IT systems and data
• Information system auditors, who audit IT systems
• IT consultants, who support clients in risk management.

1.5 RELATED REFERENCES

This guide is based on the general concepts presented in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-27, Engineering Principles for IT Security, along with the principles and practices in NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems. In addition, it is consistent with the policies presented in Office of Management and Budget (OMB) Circular A-130, Appendix III, “Security of Federal Automated Information Resources”; the Computer Security Act (CSA) of 1987; and the Government Information Security Reform Act of October 2000.

1.6 GUIDE STRUCTURE

The remaining sections of this guide discuss the following:

• Section 2 provides an overview of risk management, how it fits into the system development life cycle (SDLC), and the roles of individuals who support and use this process.
• Section 3 describes the risk assessment methodology and the nine primary steps in conducting a risk assessment of an IT system.
• Section 4 describes the risk mitigation process, including risk mitigation options and strategy, approach for control implementation, control categories, cost-benefit analysis, and residual risk.
• Section 5 discusses the good practice and need for an ongoing risk evaluation and assessment and the factors that will lead to a successful risk management program.

This guide also contains six appendixes. Appendix A provides sample interview questions. Appendix B provides a sample outline for use in documenting risk assessment results. Appendix C contains a sample table for the safeguard implementation plan. Appendix D provides a list of the acronyms used in this document. Appendix E contains a glossary of terms used frequently in this guide. Appendix F lists references.

2. RISK MANAGEMENT OVERVIEW

This guide describes the risk management methodology, how it fits into each phase of the SDLC, and how the risk management process is tied to the process of system authorization (or accreditation).

2.1 IMPORTANCE OF RISK MANAGEMENT

Risk management encompasses three processes: risk assessment, risk mitigation, and evaluation and assessment. Section 3 of this guide describes the risk assessment process, which includes identification and evaluation of risks and risk impacts, and recommendation of risk-reducing measures. Section 4 describes risk mitigation, which refers to prioritizing, implementing, and maintaining the appropriate risk-reducing measures recommended from the risk assessment process. Section 5 discusses the continual evaluation process and keys for implementing a successful risk management program. The DAA or system authorizing official is responsible for determining whether the remaining risk is at an acceptable level or whether additional security controls should be implemented to further reduce or eliminate the residual risk before authorizing (or accrediting) the IT system for operation.

Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations’ missions. This process is not unique to the IT environment; indeed it pervades decision-making in all areas of our daily lives. Take the case of home security, for example. Many people decide to have home security systems installed and pay a monthly fee to a service provider to have these systems monitored for the better protection of their property. Presumably, the homeowners have weighed the cost of system installation and monitoring against the value of their household goods and their family’s safety, a fundamental “mission” need.

The head of an organizational unit must ensure that the organization has the capabilities needed to accomplish its mission. These mission owners must determine the security capabilities that their IT systems must have to provide the desired level of mission support in the face of real-world threats. Most organizations have tight budgets for IT security; therefore, IT security spending must be reviewed as thoroughly as other management decisions. A well-structured risk management methodology, when used effectively, can help management identify appropriate controls for providing the mission-essential security capabilities.

2.2 INTEGRATION OF RISK MANAGEMENT INTO SDLC

Minimizing negative impact on an organization and the need for a sound basis in decision making are the fundamental reasons organizations implement a risk management process for their IT systems. Effective risk management must be totally integrated into the SDLC. An IT system’s SDLC has five phases: initiation, development or acquisition, implementation, operation or maintenance, and disposal. In some cases, an IT system may occupy several of these phases at the same time. However, the risk management methodology is the same regardless of the SDLC phase for which the assessment is being conducted. Risk management is an iterative process that can be performed during each major phase of the SDLC. Table 2-1 describes the characteristics

of each SDLC phase and indicates how risk management can be performed in support of each phase.

Table 2-1 Integration of Risk Management into the SDLC

Phase 1—Initiation
Phase characteristics: The need for an IT system is expressed and the purpose and scope of the IT system is documented.
Support from risk management activities: Identified risks are used to support the development of the system requirements, including security requirements, and a security concept of operations (strategy).

Phase 2—Development or Acquisition
Phase characteristics: The IT system is designed, purchased, programmed, developed, or otherwise constructed.
Support from risk management activities: The risks identified during this phase can be used to support the security analyses of the IT system that may lead to architecture and design trade-offs during system development.

Phase 3—Implementation
Phase characteristics: The system security features should be configured, enabled, tested, and verified.
Support from risk management activities: The risk management process supports the assessment of the system implementation against its requirements and within its modeled operational environment. Decisions regarding risks identified must be made prior to system operation.

Phase 4—Operation or Maintenance
Phase characteristics: The system performs its functions. Typically the system is being modified on an ongoing basis through the addition of hardware and software and by changes to organizational processes, policies, and procedures.
Support from risk management activities: Risk management activities are performed for periodic system reauthorization (or reaccreditation) or whenever major changes are made to an IT system in its operational, production environment (e.g., new system interfaces).

Phase 5—Disposal
Phase characteristics: This phase may involve the disposition of information, hardware, and software. Activities may include moving, archiving, discarding, or destroying information and sanitizing the hardware and software.
Support from risk management activities: Risk management activities are performed for system components that will be disposed of or replaced to ensure that the hardware and software are properly disposed of, that residual data is appropriately handled, and that system migration is conducted in a secure and systematic manner.

2.3 KEY ROLES

Risk management is a management responsibility. This section describes the key roles of the personnel who should support and participate in the risk management process.

• Senior Management. Senior management, under the standard of due care and ultimate responsibility for mission accomplishment, must ensure that the necessary resources are effectively applied to develop the capabilities needed to accomplish the mission. They must also assess and incorporate results of the risk assessment activity into the decision making process. An effective risk management program that assesses and mitigates IT-related mission risks requires the support and involvement of senior management.

• Chief Information Officer (CIO). The CIO is responsible for the agency’s IT planning, budgeting, and performance including its information security components. Decisions made in these areas should be based on an effective risk management program.

• System and Information Owners. The system and information owners are responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of the IT systems and data they own. Typically the system and information owners are responsible for changes to their IT systems. Thus, they usually have to approve and sign off on changes to their IT systems (e.g., system enhancement, major changes to the software and hardware). The system and information owners must therefore understand their role in the risk management process and fully support this process.

• Business and Functional Managers. The managers responsible for business operations and the IT procurement process must take an active role in the risk management process. These managers are the individuals with the authority and responsibility for making the trade-off decisions essential to mission accomplishment. Their involvement in the risk management process enables the achievement of proper security for the IT systems, which, if managed properly, will provide mission effectiveness with a minimal expenditure of resources.

• ISSO. IT security program managers and computer security officers are responsible for their organizations’ security programs, including risk management. Therefore, they play a leading role in introducing an appropriate, structured methodology to help identify, evaluate, and minimize risks to the IT systems that support their organizations’ missions. ISSOs also act as major consultants in support of senior management to ensure that this activity takes place on an ongoing basis.

• IT Security Practitioners. IT security practitioners (e.g., network, system, application, and database administrators; computer specialists; security analysts; security consultants) are responsible for proper implementation of security requirements in their IT systems. As changes occur in the existing IT system environment (e.g., expansion in network connectivity, changes to the existing infrastructure and organizational policies, introduction of new technologies), the IT security practitioners must support or use the risk management process to identify and assess new potential risks and implement new security controls as needed to safeguard their IT systems.

• Security Awareness Trainers (Security/Subject Matter Professionals). The organization’s personnel are the users of the IT systems. Use of the IT systems and data according to an organization’s policies, guidelines, and rules of behavior is critical to mitigating risk and protecting the organization’s IT resources. To minimize risk to the IT systems, it is essential that system and application users be provided with security awareness training. Therefore, the IT security trainers or security/subject matter professionals must understand the risk management process so that they can develop appropriate training materials and incorporate risk assessment into training programs to educate the end users.

3. RISK ASSESSMENT

Risk assessment is the first process in the risk management methodology. Organizations use risk assessment to determine the extent of the potential threat and the risk associated with an IT system throughout its SDLC. The output of this process helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process, as discussed in Section 4.

Ri

