WIXLIB

I!1.'Every organization has a mission. InINTRODUCTIONthis digital era, as organizationsuse automated informationtechnology (IT) systems to process their information for better support of their missions, riskmanagement playsitsAna critical role in protecting an organization's information assets, and thereforemission, from IT-related risk.effective riskmanagement processisan important component of a successful IT securityprogram. The principal goal of an organization's risk management process should be to protectandperform their mission, not just its IT assets. Therefore, the riskmanagement process should not be treated primarily as a technical function carried out by the ITexperts who operate and manage the IT system, but as an essential management function of thethe organizationitsability toorganization.1.1AUTHORITYThis document has been developed byNISTin furtherance of its statutory responsibilitiesunderComputer Security Act of 1987 and the Information Technology Management Reform Act of1996 (specifically 15 United States Code (U.S.C.) 278 g-3 (a)(5)). This is not a guideline withinthe meaning of 15 U.S.C 278 g-3 (a)(3).theThese guidelines are for use by Federal organizations which process sensitive information.They are consistent with the requirements of 0MB Circular A-130, Appendix HI.mandatory and binding standards. This document may be used bynon-governmental organizations on a voluntary basis. It is not subject to copyright.The guidelines hereinare notNothing in this document should be taken to contradict standards and guidelines mademandatory and binding upon Federal agencies by the Secretary of Commerce under his statutoryauthority. Nor should these guidelines be interpreted as altering or superseding the existingauthorities of the Secretary of Commerce, the Director of the Office of Management and Budget,or any other Federal official.1.2PURPOSERiskisthe net negative impact of the exercise of a vulnerability, considering both the probabilityand the impact of occurrence. Risk management is the process of identifying risk, assessing risk,and taking steps to reduce risk to an acceptable level. This guide provides a foundation for thedevelopment of an effective risk management program, containing both the definitions and thepractical guidance necessary for assessing and mitigating risks identified within IT systems. Theultimate goal1isto help organizations to betterThe term "IT system"refers to a general supportmanagesystem(e.g.,IT-related mission risks.mainframe computer, mid-range computer,area network, agencywide backbone) or a major application that can run on a general support system andlocalwhoseuse of information resources satisfies a specific set of user requirements.SP 800-30Page1

—In addition, this guide provides informationon the selection of cost-effective security controls. These controls can be used to mitigate risk for the better protection of mission-criticalinformation and the IT systems that process, store, and carry this information.Organizationsmay chooseexpand or abbreviate the comprehensive processes and stepsguide and tailor them to their environment in managing IT-related missionsuggested in thistorisks.OBJECTIVE1.3Theobjective of performing riskmanagementis toenable the organization to accomplishitsmission(s) (1) by better securing the IT systems that store, process, or transmit organizationalinformation; (2)by enabling managementjustify the expenditures that are part of antomake well-informedIT budget; and (3)management decisionsby assisting management inrisktoauthorizing (or accrediting) the IT systems- on the basis of the supporting documentationresulting1.4from the performance of risk management.TARGET AUDIENCEcommon foundation for experienced and inexperienced, technical, andpersonnel who support or use the risk management process for their IT systems.This guide provides anon-technicalThese personnel include Senior management, the mission owners,who makedecisions about the IT securitybudget. Federal Chief Information Officers,management forwhoensure the implementation of riskagency IT systems and the security provided for these IT systemsThe Designated Approving Authority (DAA), whoisresponsible for the finaldecision on whether to allow operation of an IT systemprogram manager, who implements the security program The IT Information system security officers (ISSO), IT system owners of system software and/or hardware used to support IT functions. Information owners of data stored, processed, and transmitted by the IT systems Business or functional managers, Technical support personnelsecurity(e.g.,whowhoare responsible for IT securityare responsible for the IT procurement processnetwork, system, application, and databaseadministrators; computer specialists; data security analysts),who manage andadminister security for the IT systems IT system and application programmers,affectmaintain code that couldsystem and data integrityThe terms "safeguards" andthiswho develop and"controls" refer to risk-reducing measures; these terms are used interchangeably inguidance document.Management and Budget's November 2000 Circular A-130, the Computer Security Act of 1987, and theGovernment Information Security Reform Act of October 2000 require that an IT system be authorized prior toOffice ofoperation and reauthorized at least every 3 years thereafter.SP 800-30Page 2

IT quality assurance personnel, whotestand ensure the integrity of the IT systemsand data1.5 Information system auditors, IT consultants,whowhoaudit IT systemssupport clients in risk management.RELATED REFERENCESThis guideisbased on the general concepts presentedin National Institute ofStandards andTechnology (NIST) Special Publication (SP) 800-27, Engineering Principles for IT Security,along with the principles and practices in NIST SP 800-14, Generally Accepted Principles andPractices for Securing Information Technology Systems. In addition, it is consistent with thepolicies presented in Office of Management and Budget (0MB) Circular A-130, Appendix III,"Security of Federal Automated Information Resources"; the Computer Security Act (CSA) of1987; and the Government Information Security Reform Act of October 2000.1.6GUIDE STRUCTUREThe remaining sections of this guide discuss the following:Section 2 provides an overview of risk management,developmentlifehowit fitscycle (SDLC), and the roles of individualsinto the systemwhosupport and use thisprocess. Section 3 describes the risk assessment methodology and the nine primary steps inconducting a risk assessment of an IT system. Section 4 describes the risk mitigation process, including risk mitigation options andstrategy,approach for control implementation, control categories, cost-benefitanalysis,and residualrisk.Section 5 discusses the good practice and need for an ongoing risk evaluation andassessment and the factors that will lead to a successful risk management program.This guide also contains six appendixes. AppendixAppendixC containsBSP 800-30sample interview questions.provides a sample outline for use in documenting risk assessment results. Appendixa sample table for the safeguard implementation plan.acronyms used in this document. Appendixthis guide. Appendix F lists references.theA providesE containsAppendixD provides a list ofa glossary of terms used frequently inPage 3

2.RISK MANAGEMENT OVERVIEWThis guide describes the risk management methodology,and how the risk management processishowtied to the process ofit fitsinto each phase of theSDLC,system authorization (oraccreditation).2.1IMPORTANCE OF RISK MANAGEMENTRisk management encompasses three processes: risk assessment, risk mitigation, and evaluationand assessment. Section 3 of this guide describes the risk assessment process, which includesand evaluation of risks and risk impacts, and recommendation of risk-reducingmeasures. Section 4 describes risk mitigation, which refers to prioritizing, implementing, andmaintaining the appropriate risk-reducing measures recommended from the risk assessmentidentificationprocess. Section 5 discusses the continual evaluation process and keys for implementing asuccessful riskmanagement program. Thedetermining whether the remaining riskDAA or system authorizing official is responsible foris atan acceptable level or whether additional securityimplemented to further reduce or eliminate the residualaccrediting) the IT system for operation.controls should beauthorizing (orRisk managementisthe process that allows ITmanagersrisk beforeto balance the operationalandeconomic costs of protective measures and achieve gains in mission capability by protecting theIT systems and data that support their organizations' missions. This process is not unique to theIT environment; indeed it pervades decision-making in all areas of our daily lives. Take the caseof home security, for example. Many people decide to have home security systems installed andpay a monthly fee to a service provider to have these systems monitored for the better protectionof their property. Presumably, the homeowners have weighed the cost of system installation andmonitoring against the value of their household goods and their family's safety, a fundamental"mission" need.The head of antoaccomplishtheirorganizational unit must ensure that the organization has the capabilities neededitsmission. These mission owners must determine the security capabilities thatIT systems must have to provide the desired level of mission support in the face of real-worldthreats.Mostorganizations have tight budgets for IT security; therefore, IT securityspending must be reviewed as thoroughly as other management decisions.management methodology, when usedeffectively, can helpmanagementA well-structured riskidentify appropriatecontrols for providing the mission-essential security capabilities.2.2INTEGRATION OF RISK MANAGEMENT INTO SDLCMinimizing negative impact on an organization and need for sound basis in decision making arethe fundamental reasons organizations implement a risk management process for their ITsystems. Effective risk management must be totally integrated into the SDLC. An IT system'sSDLC has five phases: initiation, development or acquisition, implementation, operation ormaintenance, and disposal. In some cases, an IT system may occupy several of these phases atthe same time. However, the risk management methodology is the same regardless of the SDLCphase for which the assessment is being conducted. Risk management is an iterative process thatcan be performed during each major phase of the SDLC. Table 2-1 describes the characteristicsSP 800-30Page 4

SDLC phase and indicates how risk management can be performed inof eachsupport of eachphase.Table 2-1 Integration of Risk Management into theSDLC PhasesPhase CharacteristicsSDLCSupport fromRisl(l\/lanagement ActivitiesPhaseare used tosupport the development of thesystem requirements, includingsecurity requirements, and asecurity concept of operations Identified risks—1InitiationThe needsystem isexpressed and the purpose andscope of the IT system isforanITdocumented(strategy)— Development orPhase 2Acquisition Thesystem is designed,purchased, programmed,ITTherisks identified during thisphase can be usedsupportthe security analyses of the ITsystem that may lead toarchitecture and design tradeoffs during systemdeveloped, or otherwiseconstructedtodevelopment— ImplementationPhase 3 The systemsecurity featuresandriskmanagement processsupports the assessment of thesystem implementation againstits requirements and within itsshould be configured, enabled,tested,Theverifiedmodeled operationalenvironment. Decisionsregarding risks identified mustbe madeprior tosystemoperationPhase 4—Operation orMaintenance The system performssystembeing modified on an ongoingfunctions. Typically theismayinvolve thedisposition of information,hardware, and software.Activities may include moving,archiving, discarding, ordestroying information andsanitizing thesoftwarehardware andaresystemwhenevermajor changes are made to anIT system in its operational,production environment (e.g.,new system interfaces) This phaseactivitiesfor periodicreaccreditation) orhardware and software and bychanges to organizationalprocesses, policies, andprocedures—Disposalmanagementreauthorization (orbasis through the addition ofPhase 5RiskperformeditsRiskmanagementactivitiesare performed for systemcomponentsthat will bedisposed of or replaced toensure that the hardware andsoftware are properly disposedof, that residual data isappropriately handled, and thatsystem migration is conductedin a secure and systematicmannerSP 800-30Page 5

2.3KEY ROLESRisk managementpersonnel whoisamanagementresponsibility. This section describes thekeyroles of theshould support and participate in the risk management process.Senior Management. Senior management, under the standard of due care andultimate responsibility for mission accomplishment, must ensure that the necessaryresources are effectively applied to develop the capabilities needed to accomplish themission. They must also assess and incorporate results of the risk assessment activityinto the decisionmaking process. Aneffective riskmanagement programthatassesses and mitigates IT-related mission risks requires the support and involvementof senior management. Chief Information Officer (CIO). The CIO is responsible for the agency's ITplanning, budgeting, and performance including its information security components.Decisions made in these areas should be based on an effective risk managementprogram. System and Information Owners. The system and information ownersareresponsible for ensuring that proper controls are in place to address integrity,confidentiality,andavailability of theIT systems and data they own. Typically thesystem and information owners are responsible for changes to their IT systems. Thus,they usually have to approve and sign off on changes to their IT systemsenhancement, major changesto the software(e.g.,systemand hardware). The system andinformation owners must therefore understand their role in the risk managementprocess and fully support this process. Business and Functional Managers. The managers responsible for businessoperations and IT procurement process must take an active role in the riskmanagement process. These managers are the individuals with the authority andresponsibility formakingthe trade-off decisions essential to mission accomplishment.Their involvement in the risk management process enables the achievement of propersecurity for the IT systems, which, ifmanagedproperly, will provide missioneffectiveness with a minimal expenditure of resources. ISSO. IT IT Security Practitioners. ITprogram managers and computer security officers are responsiblefor their organizations' security programs, including risk management. Therefore,they play a leading role in introducing an appropriate, structured methodology to helpidentify, evaluate, and minimize risks to the IT systems that support theirorganizations' missions. ISSOs also act as major consultants in support of seniormanagement to ensure that this activity takes place on an ongoing basis.securitysecurity practitioners (e.g., network, system,and database administrators; computer specialists; security analysts;security consultants) are responsible for proper implementation of securityrequirements in their IT systems. As changes occur in the existing IT systemenvironment (e.g., expansion in network connectivity, changes to the existingapplication,and organizational policies, introduction of new technologies), the ITsecurity practitioners must support or use the risk management process to identify andassess new potential risks and implement new security controls as needed tosafeguard their IT systems.infrastructureSP 800-30Page 6

Security Awareness Trainers (Security/Subject Matter Professionals). Theorganization's personnel are the users of the IT systems.Use of the IT systems anddata according to an organization's policies, guidelines, and rules of behaviorcritical torisk to themitigating risk and protecting the organization's IT resources.IT systems,it isessential thatisTo minimizesystem and application users be providedwith security awareness training. Therefore, the IT security trainers ormust understand the risk management process sothey can develop appropriate training materials and incorporate risk assessmenttraining programs to educate the end users.security/subject matter professionalsthatintoSP 800-30Page 7

3.RISK ASSESSMENTRisk assessment is the first process in the risk management methodology. Organizations useassessment to determine the extent of the potential threat and the risk associated with an ITsystem throughoutitsSDLC. Theoutput of this process helps to identify appropriate controls forreducing or eliminating risk during the risk mitigation process, as discussed in SectionRiskisrisk4.a function of the likelihood of a given threat-source's exercising a particular potentialon the organization.vulnerability,and the resulting impact ofTo determinethe likelihood of a future adverse event, threats to an IT systemthat adverse eventin conjunction with the potential vulnerabilitiesand the controlsmust be analyzedin place for theIT system.Impact refers to the magnitude of harm that could be caused by a threat's exercise of avulnerability. The level of impact is governed by the potential mission impacts and in turnproduces a relative value for the IT assets and resources affected (e.g., the criticality andsensitivity of theIT system components andencompasses nine primarysteps,—Systemdata).Thewhich are describedrisk assessmentin Sections 3.1 Step Step 2 Step 3 Vulnerability Identification (Section 3.3) Step AControl Analysis (Section 3.4) Step 5Likelihood Step Step 7 Step 8 Step 91methodologythrough 3.9Characterization (Section 3.1)— Threat Identification (Section 3.2)——Determination—6—Impact—Risk DeterminationRecommendations—(Section 3.5)Analysis (Section 3.6)(Section 3.7)Control—Results Documentation(Section 3.8)(Section 3.9).and 6 can be conducted in parallel after Step 1 has been completed. Figure 3-1depicts these steps and the inputs to and outputs from each step.Steps2, 3, 4,SP 800-30Pages

Input Hardware SoftwareRisk Assessment ActivitiesOutput Step System Data and information Peopleinterfaces1. System Characterization System BoundarySystem FunctionsSystem and DataCriticality »ISystem mission,'History of system attack'Data from intelligence System and DataSensitivityStep2.Threat IdentificationThreat StatementNIPC, OIG.FedCIRC, mass media.agencies, IReports from prior riskassessments AnyauditStepcomments Security requirements Security test results- 3.List of PotentialVulnerability IdentificationVulnerabilitiesI Current controls'Planned controls Threat-source motivationThreat capacity Nahire of vulnerability Current controlsStep4.List of CurrentControl AnalysisandPlanned Controls—IStep5.Likelihood Rating1Likelihood DeterminationI Asset criticality assessment Data StepMission impact analysis Data' 6.Impact AnalysisImpact RatingLoss of Integritycriticality Loss of Availability Loss of ConfidentialitysensitivityILikelihood of threatexploitation'Magnitude of impact'Adequacy of plaimed orStep7.Risks andRisk DeterminationAssociated RiskLevelscurrent controlsStep8.Control RecommendationsStep9.Results Documentation—rRecommendedControlsRisk AssessmentReportFigure 3-1. Risk Assessment Methodology FlowchartSP 800-30Page 9

3.1STEPl: SYSTEM CHARACTERIZATIONIn assessing risks for an IT system, the first step is to define the scope of the effort. In this step,the boundaries of the IT system are identified, along with the resourcesand the informationthatconstitute the system. Characterizing an IT system establishes the scope of the risk assessmenteffort, delineates the operational authorization (or accreditation)information(e.g.,boundaries, and provideshardware, software, system connectivity, and responsible division or supportpersonnel) essential to defining the risk.Section 3.1.1 describes the system-related information used to characterize an IT system anditsoperational envi

NIST Special Publication 800-30 Risk Management Guide for Information Technology Systems July 2002 September 2012 SP 800-30 is superseded in its entirety by the publication of SP 800-30 Revision 1 (September 2012). NIST Special Publication 800-30 Revision 1 Guide for Conducting Risk Assessment