NIST SPs And Risk Assessment Process


Table of Contents

Risk Management Frameworks ... 2
Overview ... 3
National Institute of Standards and Technology Special Publications ... 4
NIST SP 800-30 ... 5
NIST SP 800-30: Risk Management ... 6
Risk Assessment ... 7
Step 1: System Characterization ... 9
Step 2: Threat Identification ... 11
Step 3: Vulnerability Identification ... 12
Step 4: Control Analysis ... 14
Step 5: Likelihood Determination ... 15
Likelihood Rating ... 16
Step 6: Impact Analysis ... 18
Impact Rating ... 19
Step 7: Risk Determination ... 21
Step 8: Control Recommendations ... 22
Step 9: Results Documentation ... 25
Notices ... 26

Page 1 of 26

Risk Management Frameworks (Slide 1)
2012 Carnegie Mellon University

**001 Chris Evans: Let's talk about risk management frameworks.

Overview (Slide 2)
- National Institute of Standards and Technology (NIST) Special Publications
- OCTAVE and OCTAVE Allegro
- CERT-RMM

**002 As you're going through and doing your risk management process, there are a lot of different ways that you can go about doing risk management. There are a couple different processes or frameworks that are out there that you can follow, or you can even come up with your own risk management process. It really is up to you. The reason that we'll talk about these is these are the significant ones that are out there. We'll talk about how those are actually employed, where to go for guidance on doing these particular processes. And you might find that, depending on who you are or what organization you work with, that one of these processes or one of these frameworks for risk management will work better than another one for you. Or you might find that all of these are very complicated, too overbearing for what you need to do. Really it's up to you. So we present these just as kind of a baseline for what's possible out there.

National Institute of Standards and Technology Special Publications (Slide 3)

**003 We'll start with the National Institute of Standards, the Special Publications series that talk about risk management framework.

NIST SP 800-30 (Slide 4)
Risk Management Guide for Information Technology Systems
- Provides a foundation for the development of an effective risk management program
- Contains the definitions and the practical guidance for assessing and mitigating risks
- Provides information on the selection of cost-effective security controls

**004 So the first one that you should probably be aware of is Special Publication 800-30, and this is really a foundational document for how to do risk management. It'll talk about definitions, it'll give you some guidance for how to actually build a risk management process, and it talks a little bit about how to select controls, or mitigation strategies for the things that you need to put in place. I would say that 800-30 is just a starting point for you. It kind of lays out a general process for you to follow.

NIST SP 800-30: Risk Management (Slide 5)
Risk management encompasses three processes:
- Risk Assessment
- Risk Mitigation
- Evaluation and Assessment

**005 Within this document, there are the three processes. There's risk assessment, risk mitigation, and evaluation and assessment. And so 800-30 will lay out a process, the overall risk management process, with each of these particular functions defined.

Risk Assessment (Slide 6)
[Diagram sidebar: Risk Assessment, Risk Mitigation, Evaluation and Assessment]
Step 1: System Characterization
Step 2: Threat Identification
Step 3: Vulnerability Identification
Step 4: Control Analysis
Step 5: Likelihood Determination
Step 6: Impact Analysis
Step 7: Risk Determination
Step 8: Control Recommendations
Step 9: Results Documentation
Ref: NIST SP 800-30, Risk Management Guide for Information Technology Systems

**006 As far as the risk assessment piece goes, 800-30 will tell you about these nine steps. And so it kind of guides you through how to do a risk assessment piece. And so it starts with system characterization-- what kind of system do you have-- what are the systems or pieces that are part of this, so kind of scoping the risk assessment process. It talks a little bit about threat identification and vulnerability identification, so what are the bad things that are out there and how are your systems vulnerable to them. It'll talk about control analysis, so what things do you have in place to mitigate currently. It'll talk about likelihood determination. So if you have a threat and a vulnerability, 800-30 will help you determine how likely is it that something bad will happen, or how likely is that to occur.

It'll lead you through how to do an impact analysis-- so determining if something bad happens, what's the next-level effect on my business; what actually happens there. It talks about risk determination. So, again, I've got this picture of threats, vulnerabilities, controls, likelihood. What is my true risk? So 800-30 will help you with that. And then control recommendations: "I've got this risk. What do I do about it? What are some of the things that I can put in place?" And then results-- again, how do I write up and track my risk assessment, and the end-product of this particular process.

Step 1: System Characterization (Slide 7)
Input:
- Hardware
- Software
- System Interfaces
- Data and Information
- People
- System Mission
Output:
- System Boundary
- System Functions
- System and Data Criticality
- System and Data Sensitivity

**007 Step one: The system characterization. So, what are you looking at here in this particular process, or this particular step of the risk assessment function? Well, really what you're looking at is my critical assets. Actually, not even critical. Let's just say assets. We're looking at systems, software, hardware, people even, and what the system is for-- what is it that we actually are doing here. And your output from this is going to be some notion of what my systems are-- so I'm scoping my assessment by saying, "These are the assets that I'm going to focus on"-- and you're also going to have some notion of criticality and sensitivity.

Why is criticality and sensitivity important? Again, it goes back to you've got limited resources, you can't fix everything, so prioritize. You prioritize based on what's critical and what's most sensitive to your organization.

So out of step one here in the risk assessment process, that's essentially what you're looking at. "Here are the things that I need to do my job, and here they are ordered based on some precedence or prioritization based on what's important to me as a business."

Step 2: Threat Identification (Slide 8)
Input:
- History of system attack
- Data from intelligence agencies, mass media, or gov CERT
Output:
- Threat Statement
Ref: NIST SP 800-30, Risk Management Guide for Information Technology Systems

**008 Step two: Threat identification. You're looking for problems, what could go wrong with this particular system or these assets that you identified in the previous step. So, you could be looking at historical attacks, like case studies. You could be pulling threat intelligence reports to see that, "Okay, hacktivists have been targeting banks in the recent month. Maybe that's something I need to be concerned about because I'm also a bank." But maybe you pull intelligence reports, maybe you get information from a CERT function or a CSIRT or something like that, or maybe you just read the news and see that waves of attacks are coming against banking and financial institutions because somebody's upset, and there's a hacktivist involved, and all sorts of other funny business is going on.

So, what's your output from this step? What you're essentially looking at is a threat statement. What could go wrong, or where could I see attacks from on these particular assets from step one?

Step 3: Vulnerability Identification (Slide 9)
Input:
- Reports from prior risk assessments
- Prior audits
- Security requirements
- Security test results
Output:
- List of potential vulnerabilities
Ref: NIST SP 800-30, Risk Management Guide for Information Technology Systems

**009 So the next step is you're going to look at vulnerabilities. Your inputs here might be prior risk assessments where you have a list of all the vulnerabilities. You can go through that and see, "Is this still applicable?" You might do something like a vulnerability test or a vulnerability assessment or a penetration test or something like that. That will tell you where your vulnerabilities are.

You might have information from security requirements. So if you track, "Why do we have a firewall in place?" Well, the vulnerability was, "We need to separate systems from the internet." So you've got a-- you can look at the controls you have in place, the current controls you have in place, your current security requirements, and understand vulnerabilities from that as well. And your output in this process, or at this step in the process, is a list of vulnerabilities. So by the end of this step, I have assets, I have threats, and I have vulnerabilities all identified.

Step 4: Control Analysis (Slide 10)
Input:
- Current controls
- Planned controls
Output:
- List of current and planned controls
Ref: NIST SP 800-30, Risk Management Guide for Information Technology Systems

**010 Step four is control analysis. You're looking at, "What do I currently have in place right now?" If I have a firewall, what is it doing for me? Is it helping me mitigate something? Is it fixing a vulnerability? So I have a list of current controls. Maybe I have a list of controls that are coming. "We've got a six-month plan to implement a wireless intrusion detection system." Okay, document that here in this step. And what you're trying to do is consolidate the controls that you currently have in place or coming soon.

Step 5: Likelihood Determination (Slide 11)
Input:
- Threat-source motivation
- Threat capacity
- Nature of vulnerability
- Current controls
Output:
- Likelihood rating
Ref: NIST SP 800-30, Risk Management Guide for Information Technology Systems

**011 Likelihood determination. Here you're looking at threat sources, their capabilities or their capacity to do attacks. You're looking at the vulnerabilities that you identified in the previous steps. You're looking at the controls you have in place right now. And what you're trying to say is, "What's the likelihood of something bad happening here? Is it highly likely, because we have a very motivated threat source and we don't have a control in place? Or is it low likelihood because nobody's really attacking it-- this particular exploit or this particular vulnerability-- and we have a mitigation strategy. We have a control in place to block it." And so your output is going to be, for each threat, what's the likelihood of this actually occurring.

Likelihood Rating (Slide 12)
High: The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
Medium: The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
Low: The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.
Ref: NIST SP 800-30, Risk Management Guide for Information Technology Systems

**012 You can generally classify likelihood however you want. You can use a scale of zero to five. You can use a qualitative scale like this, that's high, medium or low. Generally it's up to you. This is an example from 800-30 that says a high likelihood might match this particular statement. So here, if I have a threat source that's highly motivated and capable, and I don't have a control in place, that's high likelihood. What is that saying? So you're kind of comparing threats with controls. If my threat is really capable and I have no controls, I have high likelihood. Switch that. I have a threat that's not really capable and probably doesn't have the ability to do this, but I have controls in place, what's my likelihood now? Low. Right? And then somewhere in the middle there is medium.

So, high, I've got a really motivated threat actor. I don't have any controls in place. It's highly likely that if they do this, something bad is going to happen. Medium says the threat source is capable but I have some controls in place that might do this or might protect me, or might mitigate some of that risk. That's a medium level of likelihood. And then low is the threat actor doesn't really know what he's doing, but I've got a firewall in place. I have an intrusion detection system in place. Now my likelihood is low.

Step 6: Impact Analysis (Slide 13)
Input:
- Mission impact analysis
- Asset criticality assessment
- Data criticality
- Data sensitivity
Output:
- Impact rating
Ref: NIST SP 800-30, Risk Management Guide for Information Technology Systems

**013 Impact analysis, you're looking at impact to the business, impact to your mission, as it were. Your inputs to this are going to be what do you actually do, from a business perspective; what are my critical assets; what are my critical data. You're actually going to look at what the threats and the likelihoods are as well. So you're looking at everything that you've done up to-- in the previous five steps here, and you're going to try to say that, "What actually is going to go wrong here?" Is it bad? Is it not so bad? Or is it no effect? You're trying to come up with an impact.

Impact Rating (Slide 14)
High:
- May result in the highly costly loss of major tangible assets or resources
- May significantly violate, harm, or impede an organization's mission, reputation, or interest
- May result in human death or serious injury
Medium:
- May result in the costly loss of tangible assets or resources
- May violate, harm, or impede an organization's mission, reputation, or interest
- May result in human injury
Low:
- May result in the loss of some tangible assets or resources
- May noticeably affect an organization's mission, reputation, or interest

**014 And so your impact ratings-- again, it could be a quantitative impact zero, or impact five-- that's really bad. Or you could say it's-- qualitatively here-- high, medium or low. And so if you look at a high impact rating, what does a high impact rating mean to you, or mean to your business? It means that your business is going to suffer a significant impact. And so you may say that high impact, it's highly costly loss of major assets, meaning building was destroyed, or I have a 600-thousand-dollar server farm that was compromised or something like that. So it may significantly violate, harm or impede your ability to do your job, or there's loss of life or significant injury. All of that may be rated as a high impact.

Medium impact. You get into kind of a gray area here. Might be some type of physical injury, might have some loss associated with it, though not extreme loss associated with it. That's medium.

The low statement here, for low impact, is, "We might lose a little something or other, but nobody's going to get killed; building's not going to fall down around us; and it may-- there may be some noticeable but not significant impact on our business." That would be a low characterization for impact.

Step 7: Risk Determination (Slide 15)
Input:
- Likelihood of threat exploitation
- Magnitude of impact
- Adequacy of planned or current controls
Output:
- Risks and risk levels
The final determination of risk is derived by multiplying the ratings assigned for threat likelihood (e.g., probability) and threat impact.
Ref: NIST SP 800-30, Risk Management Guide for Information Technology Systems

**015 Once you're done with that, you're actually going to go through and do risk determination. You're going to look at things like likelihood, the impact statements that you did in the previous step and, again, looking at the controls that you have in place, and you're going to determine, "What are my real risks here? What are my risk levels? Do I have high risk, medium risk, low risk? Do I have no risk, because of likelihood and impact and controls in place?" So what you're trying to do is come up with an assessment or evaluation of how big is this risk for this particular threat or asset or something like that.
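As an added worked example (not code from the course or from NIST SP 800-30 itself), the following Python carries the step-5 likelihood definitions from the Likelihood Rating slide and the step-7 "multiply likelihood by impact" rule through a small constructed risk register. The numeric weights are assumed from the example risk-level matrix in SP 800-30 (2002); the asset, threat and vulnerability entries are made up.

```python
# Added illustration of SP 800-30 steps 5-7 (likelihood -> impact -> risk).
# Not course or NIST code. Qualitative definitions are the slides'; the weights
# (likelihood 1.0/0.5/0.1, impact 100/50/10, risk High >50, Medium >10, else
# Low) are SP 800-30's example matrix; any organization may use its own scale.
from dataclasses import dataclass
from typing import Literal

Rating = Literal["High", "Medium", "Low"]
LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_WEIGHT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass
class ThreatVulnPair:
    """One asset/threat/vulnerability pairing gathered in steps 1-4."""
    asset: str
    threat: str
    vulnerability: str
    motivated: bool           # threat-source motivation (step 5 input)
    capable: bool             # threat capacity (step 5 input)
    controls_effective: bool  # do current controls impede exploitation?
    impact: Rating            # impact rating from step 6


def likelihood_rating(motivated: bool, capable: bool,
                      controls_effective: bool) -> Rating:
    """Step 5: map the inputs onto the slide's High/Medium/Low definitions."""
    if not (motivated and capable):
        return "Low"      # source lacks motivation or capability
    if controls_effective:
        return "Medium"   # motivated and capable, but controls impede
    return "High"         # motivated, capable, and controls ineffective


def risk_level(likelihood: Rating, impact: Rating) -> tuple[float, Rating]:
    """Step 7: multiply the likelihood and impact ratings, then bucket."""
    score = LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]
    level = "High" if score > 50 else "Medium" if score > 10 else "Low"
    return score, level


def assess(pairs: list[ThreatVulnPair]) -> list[dict]:
    """Run steps 5-7 over a register and return rows sorted worst-first."""
    rows = []
    for p in pairs:
        lk = likelihood_rating(p.motivated, p.capable, p.controls_effective)
        score, level = risk_level(lk, p.impact)
        rows.append({"asset": p.asset, "threat": p.threat, "likelihood": lk,
                     "impact": p.impact, "score": score, "risk": level})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample register; assets, threats and vulnerabilities are made up.
SAMPLE = [
    ThreatVulnPair("online banking portal", "hacktivist denial of service",
                   "no DDoS mitigation in place", True, True, False, "High"),
    ThreatVulnPair("HR file server", "commodity malware",
                   "unpatched file-sharing service", True, True, True, "Medium"),
    ThreatVulnPair("lobby kiosk", "casual tampering",
                   "exposed USB ports", False, True, True, "Low"),
]

if __name__ == "__main__":
    for r in assess(SAMPLE):
        print(f'{r["asset"]:<22} L={r["likelihood"]:<6} I={r["impact"]:<6} '
              f'score={r["score"]:>5.1f} risk={r["risk"]}')
```

The sorted output is the prioritized input to step 8: the banking portal row (score 100, High) is addressed before the file server (25, Medium) and the kiosk (1, Low).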

Step 8: Control Recommendations (Slide 16)
To minimize/eliminate identified risks, consider the following factors when recommending controls/alternative solutions:
- Effectiveness of options
- Legal/regulatory
- Organizational policy
- Impact to operations
- Safety/reliability

**016 Control recommendations. So here you're looking at the risk that you came up with in step seven, and you're saying, "Okay, what am I going to do about it? How do I minimize the risk? How do I eliminate the risk? How do I reduce the impact from this particular risk?" And so with this, you also want to consider that the controls you have in place, how effective are they? If they're pretty effective, maybe I don't need as significant a control as I would if they weren't effective. The controls that I'm thinking about putting in place, how effective are they going to be? If I spent 10 million dollars on this and I only get this much capability out of it, a small level of capability, do I really want to spend that money on it?

Legal and regulatory concerns. Before you actually put a firewall in, does that break your own organizational policy? Is there some legal reason or regulatory reason why you can't do that? Or, the flip side of that is, are there regulations that say I have to have it? In which case, okay, my decision's made for me. I don't get to select my own controls because the regulatory body is telling me which one I have to use.

Organizational policy. Again, you want to make sure that what you put in from a control standpoint fits your organization and doesn't kind of go against the grain, because if it does, nobody's going to use it. They'll find ways to get around it.

Impac
