NIST 800-30


Course
Time: 8 hours 25 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
00:00
>> After looking at NIST 800-39, we saw that the context was to start with framing the risk, then we assess the risk, we respond to the risk, and then we monitor. NIST 800-30 specifically focuses on conducting the risk assessment itself, focusing on assessing the risk. Now, like we said, when we talk about risk assessment, we have to consider that risk assessment ultimately is going to lead us to the point where we can make a good decision on how to mitigate the risk. We also have to keep in mind that risks are only risks as they are risks to the organization. By that I mean, we don't focus on IT risks for the sake of focusing on IT risks; we focus on IT risks because they're business risks. Once again, on this exam and in life, we think about IT as the means to an end. The end is the successful operation of the organization. We focus on risks as they impact the mission, the vision, the strategy of the organization. What we're looking to get to is a determination of the risks versus the cost of the countermeasure so we can make a good business decision.

When we're talking about developing a risk assessment methodology, we generally have four main elements of our risk assessment methodology. We've got to have a process. That's great. We've already looked at our process, and our process was in NIST 800-30, just like I said: frame, assess, respond, monitor. That's our process, very broad. That's our process. Then we need a risk model. We need something on which we can build. We need common risk terms. We need an understanding of how this process is going to work. What are the various factors? How can we assess them? Then we need an approach, an assessment approach. That assessment approach is going to be whether or not we're using qualitative or quantitative or semi-qualitative analysis. We may ultimately use all three at some point in time, but we need to define that and we need to be consistent. Then last is our analysis approach.

Let's go ahead and look at a couple of these. The first step with our risk assessment: what our processes are. We've got to have our processes specified, and we want to make sure that we have documentation on preparing for the assessment, conducting the assessment; we've got to make sure that we have documentation on to whom and how we're going to communicate what we've learned with the risk assessment, as well as maintaining these assessments, making sure they're conducted regularly across time. These need to be artifacts. These instructions, these policies or processes that we've documented, need to be artifacts that are created and stored and made accessible.

This being a particular risk model, and again, this also is from NIST 800-39, I should say. When we're going through our process, how are we going to determine what risks exist? From this particular framework, NIST 800-30, start with the threat source. We know that the threat source is going to initiate a threat event. An attacker with a financial motive is going to initiate an exfiltration of data, for instance, which is going to exploit our database. Maybe our database isn't patched. There's a vulnerability that allows that exploit. There are also predisposing conditions that exist. Maybe we're using dated software. Maybe we only have single-factor access control, and then we know those vulnerabilities, so we're going to add security controls in place to again mitigate that risk. But then ultimately, what is the adverse impact? Probability and likelihood. What we've talked about, impact, combined with probability is going to give us the amount of organizational risk. This is just one model on which we can build, but this walks us through the process of determining the value for a risk event.

Also part of that model, we need to specify how we're conducting our assessments. Many times we start with the asset. It's almost easier to start with our assets because we know what we have. We know what we have. We know what we value them at. We have the means of determining how much value we associate. A lot of times it makes sense to start with the asset. Other times, certain risk methodologies may decide that we start with threats, and we think about, okay, what are all the threats out there? I prefer to start with assets because there are a million threats out there that have nothing to do with me. If I start with my assets, I can build from there. You could also start with vulnerabilities. All three of these come together to make a risk. There's no reason you should have to begin with one versus the other. My preference, like I said, is assets.

Our next step is going to be determining our analysis approach. We're either going to use quantitative or semi-quantitative. We'll talk about that in just a second.