
NIST Methodology for Risk Assessment

The National Institute of Standards and Technology (NIST) methodology, set out in NIST Special Publication (SP) 800-30, outlines a nine-step process for managing risks in information technology systems [1, 2]. FISMA mandates this standard, requiring civilian federal government agencies to perform risk assessments [3]. Although it is not required for non-governmental systems, the standard offers valuable guidance for commercial entities [3].

The NIST Methodology consists of nine primary steps:

  1. System Characterization: Define the boundaries of the system being assessed. Identify and document the system's hardware, software, interfaces, data, information, people, mission, use cases, and workflows [4, 5]. It is crucial to clearly define what you are trying to protect, including tangible assets such as data, equipment, and facilities, and intangible assets like reputation [5].

  2. Threat Identification: Identify and categorize potential threats, considering their sources, motivations, and vectors [6]. Categorize threats as natural or human-caused. Understand the "who, why, and how" of each threat [6]. Examples of threats include criminals, insider threats, script kiddies, and activists [6].

  3. Vulnerability Identification: Determine the weaknesses in the system's hardware, software, and procedures that the identified threats could exploit [7, 8]. Evaluate password security, patching procedures, and administrative practices, and review well-known sources of vulnerabilities such as web servers and human error [8].

  4. Control Analysis: Analyze existing security controls and their effectiveness in mitigating vulnerabilities [2].

  5. Likelihood Determination: Assess the probability of a threat event occurring [2, 4]. Analyze both the likelihood that a threat is initiated or occurs and the likelihood that the event causes adverse impacts [9]. This involves considering the nature of the threat source, the threat events it could produce, and the vulnerabilities it could exploit [10].

  6. Impact Analysis: Evaluate the potential negative consequences of a threat event, that is, the harm it could cause to organizational operations, assets, individuals, other organizations, and the nation [2, 4, 11, 12].

  7. Risk Determination: Combine the likelihood analysis (the probability that a threat exploits a vulnerability) with the impact analysis (the consequences of that exploitation) to determine the overall level of risk [2, 4, 13, 14]. This step may use risk tables or risk matrices to rank risks by their likelihood and impact [15, 16].

  8. Control Recommendations: Develop recommendations for security controls to mitigate unacceptable risks [2, 3].

  9. Results Documentation: Document the findings of the risk assessment in a comprehensive report [2, 4]. Communicate assessment results to decision-makers and stakeholders [10]. Maintain and update the risk assessment over time to reflect changes in the risk environment and the effectiveness of implemented controls [10, 17].
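As an added illustration of steps 5 to 7 (this is example code written for these notes, not part of SP 800-30 or of the original page), the following Python maps qualitative likelihood and impact ratings through a risk-level matrix and ranks a set of constructed findings. The numeric weights, band thresholds and per-band actions are assumptions modelled on the SP 800-30 risk-level matrix, and the findings are invented.

```python
from dataclasses import dataclass

# Assumed weights, modelled on the SP 800-30 risk-level matrix; calibrate to your own data.
LIKELIHOOD_WEIGHT = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT_WEIGHT = {"low": 10, "medium": 50, "high": 100}
# Assumed handling per risk band, paraphrasing the usual SP 800-30 guidance.
ACTION = {
    "high": "corrective action plan required as soon as possible",
    "medium": "corrective actions needed; plan them within a reasonable period",
    "low": "decide whether to mitigate or to accept the risk",
}

@dataclass(frozen=True)
class Finding:
    """One threat/vulnerability pair rated in steps 5 (likelihood) and 6 (impact)."""
    name: str
    threat_source: str
    likelihood: str  # low | medium | high
    impact: str      # low | medium | high

def risk_level(likelihood: str, impact: str) -> tuple[str, float]:
    """Step 7: score = likelihood weight x impact weight, banded as
    >50 high, >10 medium, otherwise low (assumed thresholds)."""
    try:
        score = LIKELIHOOD_WEIGHT[likelihood.lower()] * IMPACT_WEIGHT[impact.lower()]
    except KeyError as exc:
        raise ValueError(f"unknown rating {exc.args[0]!r}; use low, medium or high") from None
    if score > 50:
        return "high", score
    if score > 10:
        return "medium", score
    return "low", score

def rank_findings(findings: list[Finding]) -> list[tuple[str, str, float, str]]:
    """Return (name, band, score, recommended action), highest risk first."""
    ranked = []
    for f in findings:
        band, score = risk_level(f.likelihood, f.impact)
        ranked.append((f.name, band, score, ACTION[band]))
    ranked.sort(key=lambda row: (-row[2], row[0]))
    return ranked

# Constructed sample findings (not taken from any real assessment).
SAMPLE_FINDINGS = [
    Finding("Unpatched public web server", "criminal", "high", "high"),
    Finding("Shared administrator password", "insider", "medium", "high"),
    Finding("Phishing of help-desk staff", "script kiddie", "medium", "medium"),
    Finding("Flooding of the server room", "natural", "low", "high"),
]
```

Calling `rank_findings(SAMPLE_FINDINGS)` returns the four findings ordered high, medium, medium, low, each paired with the action its band calls for.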