MS CyRIGo's approach to risk assessments aligns with NIST SP 800-30. The purpose of performing risk management is to enable an organization to accomplish its mission: by better securing the IT systems that store, process, or transmit its information; by helping leadership make well-informed risk management decisions that justify the IT security budget; and by assisting management in authorizing the IT systems on the basis of the documentation that the risk management process produces. The information below provides a common foundation for experienced and inexperienced, technical and non-technical personnel who support or use the risk management process for IT systems.

Risk assessments address the potential adverse impacts to organizational operations and assets, individuals, other organizations, and the economic and national security interests of the United States, arising from the operation and use of information systems and the information processed, stored, and transmitted by those systems. Organizations conduct risk assessments to determine risks that are common to the organization’s core missions/business functions, mission/business processes, mission/business segments, common infrastructure/support services, or information systems.

Risk assessments can support a wide variety of risk-based decisions and activities by organizational officials across all three tiers in the risk management hierarchy (organization, mission/business process, and information system), including, but not limited to, the following:

  • Development of an information security architecture;

  • Definition of interconnection requirements for information systems (including systems supporting mission/business processes and common infrastructure/support services);

  • Design of security solutions for information systems and environments of operation including selection of security controls, information technology products, suppliers/supply chain, and contractors;

  • Authorization (or denial of authorization) to operate information systems or to use security controls inherited by those systems (i.e., common controls);

  • Modification of missions/business functions and/or mission/business processes permanently, or for a specific time frame (e.g., until a newly discovered threat or vulnerability is addressed, until a compensating control is replaced);

  • Implementation of security solutions (e.g., whether specific information technology products or configurations for those products meet established requirements); and

  • Operation and maintenance of security solutions (e.g., continuous monitoring strategies and programs, ongoing authorizations).

Because organizational missions and business functions, supporting mission/business processes, information systems, threats, and environments of operation tend to change over time, the validity and usefulness of any risk assessment is bounded in time. Below is a risk model with key risk factors: threat sources and the threat events they can initiate, vulnerabilities and predisposing conditions, the likelihood that a threat event occurs and results in adverse impact, and the magnitude of that impact.


Risk, and its contributing factors, can be assessed in a variety of ways, including quantitatively, qualitatively, or semi-quantitatively. Each risk assessment approach considered by organizations has advantages and disadvantages. A preferred approach (or situation-specific set of approaches) can be selected based on organizational culture and, in particular, attitudes toward the concepts of uncertainty and risk communication. Quantitative assessments typically employ a set of methods, principles, or rules for assessing risk based on the use of numbers—where the meanings and proportionality of values are maintained inside and outside the context of the assessment. This type of assessment most effectively supports cost-benefit analyses of alternative risk responses or courses of action.

The benefits of quantitative assessments can, in some cases, be outweighed by the costs (in terms of the expert time and effort, and the possible deployment and use of tools, required to make such assessments). In contrast to quantitative assessments, qualitative assessments typically employ a set of methods, principles, or rules for assessing risk based on nonnumerical categories or levels (e.g., very low, low, moderate, high, very high). This type of assessment supports communicating risk results to decision makers. However, the range of values in qualitative assessments is comparatively small in most cases, making the relative prioritization or comparison within the set of reported risks difficult. Semi-quantitative assessments sit between the two: they use bins, scales, or representative numbers (e.g., 0 to 100) so that risks can be ranked and compared without claiming the precision that a fully quantitative analysis would require.

Analysis approaches differ with respect to the orientation or starting point of the risk assessment, the level of detail in the assessment, and how risks due to similar threat scenarios are treated. An analysis approach can be: (i) threat-oriented, starting from the threat sources and threat events of concern; (ii) asset/impact-oriented, starting from critical assets and the consequences of their loss or compromise; or (iii) vulnerability-oriented, starting from known weaknesses and predisposing conditions. Differences in the starting point of the risk assessment can bias the results, causing some risks not to be identified. Therefore, identifying risks from a second orientation (e.g., complementing a threat-oriented analysis approach with an asset/impact-oriented analysis approach) can improve the rigor and effectiveness of the analysis.

The Risk Assessment Methodology encompasses nine primary steps:

  1. System Characterization

  2. Threat Identification

  3. Vulnerability Identification

  4. Control Analysis

  5. Likelihood Determination

  6. Impact Analysis

  7. Risk Determination 

  8. Control Recommendations

  9. Results Documentation

The methodology described above can be applied to assessments of single or multiple, interrelated systems. In the latter case, it is important that the domain of interest and all interfaces and dependencies be well defined prior to applying the methodology.
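The risk determination step (7), which combines the likelihood and impact outputs of steps 5 and 6, and the quantitative-versus-qualitative trade-off discussed above, are easier to see worked through in code. The following is an added example, not code from MS CyRIGo or from NIST: it implements the risk-level matrix published in the 2002 edition of SP 800-30 (likelihood weights 1.0/0.5/0.1, impact weights 100/50/10, risk levels High for scores above 50, Medium for scores above 10 up to 50, Low for 1 to 10) and runs it over a constructed, hypothetical set of threat/vulnerability pairs for a fictional payroll server. The system, threat-source and vulnerability names, and the one-step `lower_likelihood` control model used to show residual risk, are assumptions made for the illustration.

```python
"""
Risk determination per the NIST SP 800-30 (2002) risk-level matrix.

Risk for a threat/vulnerability pair is the product of a likelihood weight
and an impact weight, then bucketed into a qualitative level:
  Likelihood: High = 1.0, Medium = 0.5, Low = 0.1
  Impact:     High = 100, Medium = 50,  Low = 10
  Risk level: High (>50 to 100), Medium (>10 to 50), Low (1 to 10)
"""
from dataclasses import dataclass

LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_WEIGHT = {"High": 100, "Medium": 50, "Low": 10}
LEVELS = ("High", "Medium", "Low")  # ordered from most to least severe


@dataclass(frozen=True)
class ThreatVulnPair:
    """One row of the threat/vulnerability pair table (outputs of steps 2 and 3)."""
    system: str
    threat_source: str
    vulnerability: str
    likelihood: str   # step 5 output: High / Medium / Low
    impact: str       # step 6 output: High / Medium / Low


def risk_score(likelihood: str, impact: str) -> float:
    """Semi-quantitative score: likelihood weight x impact weight, range 1 to 100."""
    return round(LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact], 6)


def risk_level(score: float) -> str:
    """Qualitative level from the SP 800-30 risk scale."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def determine_risk(pairs):
    """Step 7: score every pair and rank highest risk first.

    Returns a list of (pair, score, level) tuples; equal scores keep input order.
    """
    scored = [(p, risk_score(p.likelihood, p.impact)) for p in pairs]
    scored.sort(key=lambda row: row[1], reverse=True)
    return [(p, score, risk_level(score)) for p, score in scored]


def lower_likelihood(level: str) -> str:
    """Hypothetical control model: a recommended control (step 8) reduces
    likelihood by one level; Low stays Low."""
    i = LEVELS.index(level)
    return LEVELS[min(i + 1, len(LEVELS) - 1)]


def residual_risk(pair: ThreatVulnPair) -> tuple:
    """Re-score a pair after a likelihood-reducing control is applied."""
    score = risk_score(lower_likelihood(pair.likelihood), pair.impact)
    return score, risk_level(score)


# Constructed, hypothetical pairs for a fictional payroll server (not from any
# real assessment); likelihood and impact are given as step 5/6 would rate them.
SAMPLE_PAIRS = [
    ThreatVulnPair("payroll-db", "external attacker", "unpatched RCE in web tier", "Medium", "High"),
    ThreatVulnPair("payroll-db", "insider", "shared DBA credentials", "High", "Medium"),
    ThreatVulnPair("payroll-db", "natural disaster", "no off-site backups", "Low", "High"),
    ThreatVulnPair("payroll-db", "opportunistic scanner", "banner discloses version", "High", "Low"),
    ThreatVulnPair("payroll-db", "malware", "no EDR on jump host", "Medium", "Medium"),
]

if __name__ == "__main__":
    for pair, score, level in determine_risk(SAMPLE_PAIRS):
        res_score, res_level = residual_risk(pair)
        print(f"{score:6.1f} {level:6} -> residual {res_score:5.1f} {res_level:6}  "
              f"{pair.threat_source} / {pair.vulnerability}")
```

Running it ranks the five pairs at 50, 50, 25, 10 and 10. Two things are worth noticing. The three pairs reported qualitatively as Medium differ by a factor of two in score, which is the prioritization problem the text attributes to the narrow range of qualitative levels, and the semi-quantitative score is what separates them. Also, a rare but catastrophic event (Low likelihood, High impact) scores the same as a frequent nuisance (High likelihood, Low impact), so the combined score alone does not distinguish them; keeping the impact rating visible next to the score, or complementing the threat-oriented view with an asset/impact-oriented one as the text recommends, is what surfaces that difference.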

Source: NIST