A summary of NIST Risk Management guidelines discussed in Special Publications 800-30, -37, -39 and -53


Download, Study and Compare/Contrast NIST Risk Management guidelines discussed in Special Publications 800-30, -37, -39 and -53

You will be working individually. You will download and skim several NIST Special Publications, extracting key concepts:
In an 800-1200 word paper, provide a high level summary of the NIST documents, identify key points and assess the value as a practical tool for making IT decisions. Compare this model to one other assigned this term. How helpful do you think the NIST suite is in comparison?

My Response

  1. Introduction -  The NIST publications are an excellent starting point for getting a comprehensive overview of risk management. Together they offer an overview, a framework and a step-by-step plan for implementing risk management for information systems in organisations. The four publications, 800-30, -37, -39 and -53, cover the entire range of risk management activities. The first, 800-30, covers the fundamentals of risk management and provides only a basic approach to carrying it out. The later publications, 800-37 and 800-39, add a framework for handling risk management in a more methodical and structured manner. The last, 800-53, catalogues the security controls used to treat risk.
  2. NIST SP 800-30 -  This publication provides a very good introduction to risk management for an information security specialist. It begins with an overview of the risk management process and how it can be integrated into the SDLC of an information system. It then covers the risk assessment process, which is clearly elucidated with flow charts for easy understanding and assimilation. The assessment consists of nine steps: system characterization, threat identification, vulnerability identification, control analysis, likelihood determination, impact analysis, risk determination, control recommendations and results documentation. Though the section is comprehensive and covers all key aspects, it would have benefited from a case study, which would have made it more useful for practical implementation. The next section, on risk mitigation, covers the mitigation options and strategy before going into the categories of controls. This is followed by an explanation of how to do a cost-benefit analysis and how to deal with residual risk. The last section deals with evaluation and ongoing assessment. The publication is comprehensive and an easy read, with a number of figures and charts supplementing the text. It provides a high-level view of risk management with the necessary guidance on how to proceed. Its drawbacks are the lack of concrete examples and of references to other risk management methods and techniques. Moreover, it works on a one-size-fits-all methodology, with no recommendations on how it can be tailored to small, medium and large organisations.
  3. NIST SP 800-37 -  This publication provides guidelines for applying the Risk Management Framework (RMF) to information systems. It covers the key concepts of risk management and how information security risk management can be integrated into the SDLC, and it describes the tasks required to apply the framework to a system. It uses a multi-tiered approach, addressing risk at the organisation, mission/business process and information system levels. Compared with 800-30 it lays more stress on security controls, dividing them into system-specific, hybrid and common controls. It provides a stepwise, sequential approach to applying the framework (categorise the system, select controls, implement them, assess them, authorise the system and monitor the controls), with the option for an organisation to tailor the steps to its needs and requirements. It also clearly defines the roles and responsibilities of the key participants in the risk management process.
  4. NIST SP 800-39 -  This publication is focused on managing information security risk through an integrated, organisation-wide programme viewed at the organisational, mission/business process and information system levels. Like 800-37 it describes the multi-tier approach to managing risk, with additional emphasis on the relationships between the tiers. It then sets out the risk management process of assessing, responding to and monitoring risk; before these steps it is essential to frame risk, i.e. to establish the context in which risk is being managed. It also discusses trust models and risk response strategies. It is broad-based and provides guidance without specifying an implementation process.
  5. NIST SP 800-53 -  This publication catalogues the security controls for information systems. Together with FIPS 199 and FIPS 200 it is used to select and apply controls that meet the security requirements of an organisation's systems: FIPS 199 is used to categorise information systems by impact level, while FIPS 200 sets out the minimum security requirements for them. Chapter 1 outlines the need for security controls and how risk management applies to various information systems. Chapter 2 focuses on the controls themselves, detailing their organisation and structure, the control baselines, and the common controls that apply across information systems. The final chapter shows how the controls are used to manage risk by categorising the system, selecting and implementing controls and monitoring them. The publication does a good job of categorising security controls and providing a framework in which they can be applied to various information systems, and it provides a strong theoretical background for understanding controls. The appendices give a formal way of finding the security baseline for each impact level, the minimum assurance requirements, and a detailed catalogue of the controls themselves. By mapping these controls to international standards such as ISO/IEC 27001, it allows the publication to be used in various settings and permits the InfoSec manager to take a hybrid approach to risk management.
  6. Comparison with OCTAVE -  OCTAVE is a suite of tools, techniques and methods for risk-based information security strategic assessment and planning, developed by CERT at Carnegie Mellon's Software Engineering Institute; unlike NIST, it supplies specific worksheets and tools for risk assessment and management. There are three versions: the original OCTAVE; OCTAVE-S, similar to the original but aimed at companies with limited security and risk management resources; and OCTAVE-Allegro, a streamlined approach to information security assessment and assurance. The NIST publications are broader-based than the OCTAVE approach, though both are qualitative. OCTAVE is focused on strategic, organisational risk assessment and its shortcomings rather than on technological vulnerabilities, whereas NIST is oriented towards management's responsibility for managing risk. OCTAVE is also more complex to understand than the NIST standards. OCTAVE treats risk management as an in-house affair, implemented by the organisation's own business and technical representatives, whereas NIST allows for execution both by the organisation's own team and by contracted third-party service providers. Finally, OCTAVE uses workshops to gather information, whereas NIST recommends interviews, surveys and questionnaires.
  7. Conclusion -  In conclusion, I would say that the NIST publications are a good reference and a useful guide for risk management professionals. By being broad-based they cater to a large audience, can be tailored to various organisations and avoid being tied to particular information systems, so they cover the whole range of organisations that need risk management. The set of risk management publications allows an information security professional to gain a sound understanding of risk management and to use it alongside other methodologies to build a hybrid, custom-made solution for their organisation.
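As an added worked example (not from the NIST publications or from the essay above), the following Python code carries out two of the calculations the summaries of 800-30 and 800-53 describe: the risk-level matrix from SP 800-30 (2002), Table 3-6, which turns qualitative likelihood and impact ratings into a risk level for prioritising mitigation, and the FIPS 199 categorisation with the FIPS 200 high-water mark that selects an SP 800-53 baseline. The findings and the payroll system's information types are constructed sample data; the function names are mine.

```python
"""Added example: SP 800-30 (2002) risk-level matrix and FIPS 199/200
categorisation feeding SP 800-53 baseline selection. Sample data below is
constructed for illustration; function and class names are this example's own."""
from dataclasses import dataclass

# --- SP 800-30 (2002), Table 3-6: weights and the resulting risk scale ----
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}


def risk_score(likelihood: str, impact: str) -> float:
    """Likelihood weight multiplied by impact weight, as in Table 3-6."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """800-30 risk scale: High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass
class Finding:
    """One threat/vulnerability pair from steps 2-3 of the 800-30 assessment."""
    threat: str
    vulnerability: str
    likelihood: str   # output of step 5, likelihood determination
    impact: str       # output of step 6, impact analysis


def prioritise(findings: list[Finding]) -> list[tuple[str, float, str]]:
    """Step 7, risk determination: rank findings highest score first so the
    mitigation section can address them in priority order."""
    ranked = []
    for f in findings:
        s = risk_score(f.likelihood, f.impact)
        ranked.append((f"{f.threat} / {f.vulnerability}", s, risk_level(s)))
    return sorted(ranked, key=lambda r: r[1], reverse=True)


# --- FIPS 199 categorisation and FIPS 200 high-water mark -----------------
LEVELS = {"N/A": 0, "Low": 1, "Moderate": 2, "High": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorise_system(info_types: dict[str, dict[str, str]]) -> dict[str, str]:
    """FIPS 199 system category: for each objective, the highest impact over
    all information types the system handles. N/A (permitted only for the
    confidentiality of public information) never takes a system below Low."""
    category = {}
    for obj in OBJECTIVES:
        highest = max(LEVELS[t[obj]] for t in info_types.values())
        highest = max(highest, LEVELS["Low"])
        category[obj] = next(k for k, v in LEVELS.items() if v == highest)
    return category


def baseline(category: dict[str, str]) -> str:
    """FIPS 200 high-water mark across the three objectives picks the
    SP 800-53 Low, Moderate or High control baseline."""
    return max(category.values(), key=LEVELS.__getitem__)


if __name__ == "__main__":
    # Constructed sample findings, not from any real assessment.
    findings = [
        Finding("External attacker", "unpatched web server", "High", "High"),
        Finding("Insider", "no audit logging on HR database", "Medium", "High"),
        Finding("Storm", "no UPS in branch office", "Low", "Medium"),
    ]
    for name, score, level in prioritise(findings):
        print(f"{level:6} {score:5.1f}  {name}")

    # Constructed information types for a hypothetical payroll system.
    payroll = {
        "employee PII": {"confidentiality": "Moderate", "integrity": "Moderate", "availability": "Low"},
        "public holiday calendar": {"confidentiality": "N/A", "integrity": "Low", "availability": "Low"},
        "payment instructions": {"confidentiality": "Moderate", "integrity": "High", "availability": "Moderate"},
    }
    cat = categorise_system(payroll)
    print(cat, "->", baseline(cat), "baseline")
```

Note that a single High-impact information type (here, the integrity of payment instructions) pulls the whole system to the High baseline even though every other objective is Moderate or Low; this is the effect of the high-water mark and is the main reason for splitting systems into separately categorised components when that is feasible.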
