RISK ASSESSMENT
MS CyRIGo's approach to risk assessments aligns with NIST 800-30. The purpose of performing risk management is to enable an organization to accomplish its mission: by securing the IT systems that store, process, or transmit information; by helping leadership make well-informed decisions that justify the IT budget; and by assisting management in authorizing the IT systems on the basis of the supporting software/hardware documentation. The information below provides a common foundation for experienced and inexperienced, technical and non-technical personnel who support or use the risk management process for IT systems.
Risk assessments address the potential adverse impacts to organizational operations and assets, individuals, other organizations, and the economic and national security interests of the United States, arising from the operation and use of information systems and the information processed, stored, and transmitted by those systems. Organizations conduct risk assessments to determine risks that are common to the organization’s core missions/business functions, mission/business processes, mission/business segments, common infrastructure/support services, or information systems.
Risk assessments can support a wide variety of risk-based decisions and activities by organizational officials across all three tiers in the risk management hierarchy including, but not limited to, the following:
- Development of an information security architecture;
- Definition of interconnection requirements for information systems (including systems supporting mission/business processes and common infrastructure/support services);
- Design of security solutions for information systems and environments of operation, including selection of security controls, information technology products, suppliers/supply chain, and contractors;
- Authorization (or denial of authorization) to operate information systems or to use security controls inherited by those systems (i.e., common controls);
- Modification of missions/business functions and/or mission/business processes permanently, or for a specific time frame (e.g., until a newly discovered threat or vulnerability is addressed, until a compensating control is replaced);
- Implementation of security solutions (e.g., whether specific information technology products or configurations for those products meet established requirements); and
- Operation and maintenance of security solutions (e.g., continuous monitoring strategies and programs, ongoing authorizations).
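As an added example (not code from MS CyRIGo or from NIST), the following Python combines the two key risk factors of the NIST 800-30 model, likelihood and impact, into a risk level using the semi-quantitative scale of SP 800-30 Rev. 1 Appendix I (Table I-2), and ranks a constructed set of threat events so the authorization and mitigation decisions listed above can be made in priority order. The event descriptions and their assigned levels are assumptions for illustration, not real findings.

```python
from dataclasses import dataclass

# NIST SP 800-30 Rev. 1 semi-quantitative scale (Appendix I, Table I-2):
# level of risk indexed by likelihood (rows) and level of impact (columns).
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]
RISK_TABLE = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}

@dataclass
class ThreatEvent:
    description: str
    likelihood: str   # overall likelihood the event occurs and causes adverse impact
    impact: str       # level of adverse impact to operations, assets or individuals

def risk_level(likelihood: str, impact: str) -> str:
    """Combine the two key risk factors into a risk level per Table I-2."""
    if likelihood not in RISK_TABLE or impact not in LEVELS:
        raise ValueError(f"unknown level: {likelihood!r} / {impact!r}")
    return RISK_TABLE[likelihood][LEVELS.index(impact)]

def rank_risks(events):
    """Return (risk level, description) pairs, highest risk first, so that
    authorization and mitigation decisions can be taken in priority order."""
    scored = [(risk_level(e.likelihood, e.impact), e.description) for e in events]
    return sorted(scored, key=lambda s: LEVELS.index(s[0]), reverse=True)

# Constructed sample threat events for a hypothetical system; not real findings.
SAMPLE_EVENTS = [
    ThreatEvent("Credential phishing against administrators", "High", "High"),
    ThreatEvent("Unpatched service on internal file server", "Moderate", "Moderate"),
    ThreatEvent("Physical theft of an encrypted laptop", "Low", "Low"),
    ThreatEvent("Loss of the sole backup site", "Very Low", "Very High"),
]

if __name__ == "__main__":
    for level, desc in rank_risks(SAMPLE_EVENTS):
        print(f"{level:9s} {desc}")
```

Because the assessment is bounded in time, each recorded level should be revisited when the threat, vulnerability or environment behind it changes.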
Because organizational missions and business functions, supporting mission/business processes, information systems, threats, and environments of operation tend to change over time, the validity and usefulness of any risk assessment is bounded in time. Below is a risk model with key risk factors.
