3.8 NIST 800-30 Risk Assessment Methodology

Video Transcription
Okay, so just a quick throwback to the previous section, and even the one before that, where we had been talking about NIST 800-39. And if you'll recall, NIST 800-39 laid out an approach to risk management, starting with framing, then assessing, responding and monitoring. So NIST 800-30 is what focuses in on the assessment piece and is going to provide us with a very specific methodology just for that one element.
So NIST 800-39 tells us frame, assess, respond, monitor. And then we're going to zoom in on assessment with NIST 800-30.
Okay, so what do we have here to perform a risk assessment? According to 800-30 there are four elements, four pieces, that have to happen. First of all, we have to have a defined risk process. So within our organization, we have to figure out what our approach to managing risk is.
Then we want a risk model. We want to base our strategy off of something that's already in place. It may very well be the frameworks that we've looked at already. Ultimately, our risk model may very well be NIST 800-39; it might be ISO 27005. But we want to choose a model to build upon.
Then we have to determine an assessment approach and an analysis approach. So when we talk about assessments, we're talking about getting values for risk: do we want qualitative values? Do we want quantitative values? Do we want somewhere in the middle, with semi-quantitative?
And then our analysis approach is essentially going to say how we're going to make sense of all this information, how we're going to take it and apply it to our environment, and determine what the heck to do with it.
All right, so our process: we start out with our risk assessment process and figure out what our steps are. Not so much what the steps are, as what we need to define. You can think about this information going into a risk management plan.
What are we going to be tracking in risk assessments? How do we prepare? What are the processes of risk assessments? How do we continue to monitor what we've assessed today over time? What's our reporting format? Who gets our risk reports?
So when we talk about conducting a risk process, or risk assessment, the first thing we have to do is define our processes. Okay, so what you can kind of see is this flow that we get: when we're looking at the risk model, because we have to define a risk model as part of our process, right? We looked at our process, saying we need a process; now we need a model. Well, the model is again just going to give us the framework. It's going to give us the approach. So when we're looking at our model, we may start with the threat source, and that threat source may then tell us, or lead us to, a threat event.
And then we look at the vulnerability and other conditions, figure out what the adverse impact is, and move to the organizational risk. And this is just one flow chart. But ultimately, what is our model? How are these activities going to happen? Are there feedback loops? Is it a linear process? What's the model on which we build?
All right, now we take this information that we've determined. Okay, here's the threat. Here's the vulnerability. Here's what happens with an adverse impact. Now, what does that information mean for me?
So when we look at this, we have to think, first of all, are we doing threat-oriented or asset-oriented? So if I talk about being threat oriented, what I'm saying there is: tell me all the things that could go wrong, and let's figure out how all of that could impact my assets.
Now, what I've used in the past, and what I tend to like best, is more of an asset-oriented approach. So with an asset-oriented approach, I say, okay, what are the things valuable to me and what is their priority? And then on an asset-by-asset basis, I like to do my risk modeling.
Okay, so it's all about the assets anyway, so why start with all these threats that are out there in the world if they're not going to impact my assets? Another one that's valuable is to do a vulnerability-oriented assessment. So here we look at what our weaknesses are. Okay, we've got unpatched software, we've got legacy equipment, we have ten different administrative accounts and we probably shouldn't. These are our weaknesses. Now, if those weaknesses were to be exploited, how large would that be? What would be the severity and impact?
And then with our next piece, our analysis approach, are we going to do qualitative or quantitative or semi-quantitative? All right, are we looking at things like low, medium, high probability, or are we looking at, you know, a 50% chance of losing $1,000? That's a $500 risk. So ultimately, we have to define how we're going to analyze this information in our analysis approach.
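A small asset-oriented risk register, added here as an example and not part of the course, that walks the 800-30 chain the lecture describes (threat source, threat event, vulnerability, adverse impact, organizational risk) and scores each scenario quantitatively, semi-quantitatively and qualitatively, then ranks assets by expected loss. The assets, numbers and band thresholds are constructed assumptions, not values from the lecture or the standard.

```python
from dataclasses import dataclass

@dataclass
class RiskScenario:
    """One row of the chain: threat source -> threat event -> vulnerability -> impact."""
    asset: str
    threat_source: str
    threat_event: str
    vulnerability: str
    likelihood: float   # probability the event occurs in the assessment period (0..1)
    impact_usd: float   # adverse impact in dollars if it does

# Assumed qualitative bands over a 0..100 semi-quantitative score. The thresholds
# are this example's choice, patterned on the five-level scales in 800-30 Appendix I.
BANDS = [(4, "Very Low"), (20, "Low"), (79, "Moderate"), (95, "High"), (100, "Very High")]

def quantitative(s: RiskScenario) -> float:
    """Expected loss in dollars: likelihood x impact (the lecture's 0.5 x $1,000 = $500)."""
    return s.likelihood * s.impact_usd

def semi_quantitative(s: RiskScenario, worst_case_usd: float) -> int:
    """Scale expected loss against the largest single impact in scope onto 0..100."""
    return round(100 * quantitative(s) / worst_case_usd)

def qualitative(score: int) -> str:
    """Map a 0..100 score to a band label."""
    for upper, label in BANDS:
        if score <= upper:
            return label
    return BANDS[-1][1]

def assess(scenarios: list[RiskScenario]):
    """Return per-scenario rows and an asset-oriented ranking by total expected loss."""
    worst = max(s.impact_usd for s in scenarios)
    rows = []
    for s in scenarios:
        score = semi_quantitative(s, worst)
        rows.append((s.asset, s.threat_event, quantitative(s), score, qualitative(score)))
    per_asset: dict[str, float] = {}
    for asset, _, loss, _, _ in rows:
        per_asset[asset] = per_asset.get(asset, 0.0) + loss
    return rows, sorted(per_asset, key=per_asset.get, reverse=True)

# Constructed sample register (made-up assets and numbers, not real data).
SAMPLE = [
    RiskScenario("payroll-db", "external attacker", "credential theft by phishing",
                 "ten admin accounts without MFA", 0.5, 1000.0),
    RiskScenario("payroll-db", "ransomware crew", "database host encrypted",
                 "unpatched database server", 0.2, 25000.0),
    RiskScenario("legacy-plc", "operator error", "misconfiguration halts production",
                 "legacy equipment with no change control", 0.25, 6000.0),
]

if __name__ == "__main__":
    rows, ranking = assess(SAMPLE)
    for asset, event, loss, score, band in rows:
        print(f"{asset:11} {event:35} ${loss:>8,.0f}  {score:3}/100  {band}")
    print("asset priority (highest expected loss first):", ranking)
```

The same register can be read three ways: the dollar column is the quantitative answer, the 0..100 score is the semi-quantitative one, and the band is what a low/medium/high report would show.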