NIST Special Publication 800-30 is a risk management guide for information technology systems. The document sets out the risk management process step by step. As it states, "the principal goal of an organization's risk management process should be to protect the organization and its ability to perform their mission, not just its IT assets".
Risk management comprises three processes: risk assessment, risk mitigation, and evaluation and assessment. Risk assessment determines the extent of the potential threats and the risk associated with an IT system. Risk mitigation involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended by the risk assessment process. Those controls fall into three security areas or classes: technical, management, and operational. When used properly, these controls can prevent, limit, or deter damage by a threat source.
Technical security controls range from simple to complex measures and usually involve system architectures, engineering disciplines, and security packages with a mix of hardware, software, and firmware. All of these measures work together to secure critical and sensitive data, information, and IT system functions. Technical controls can be grouped into three major categories according to their primary purpose: support; prevent; and detect and recover. Supporting controls include identification (uniquely identifying users, processes, and information resources), cryptographic key management, security administration, and system protections. Preventive technical controls include authentication, authorization, access control enforcement (for example, MAC sensitivity labels and DAC file permission sets), nonrepudiation, protected communications, and transaction privacy. Detection and recovery controls include auditing, intrusion detection and containment, proof of wholeness (system integrity tools), restoring a system to its secure state, and virus detection and elimination.
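The "proof of wholeness" detection control in the preceding paragraph is the easiest of these to show concretely. The following is an added example, not code from NIST SP 800-30 or from the original page: it builds a hash baseline of files (the known secure state), re-scans later, and reports what was modified, added, or removed. The file paths and contents are constructed for the example, and snapshot_dir is an assumed helper for applying the same check to a real directory.

```python
import hashlib
from pathlib import Path


def snapshot(files):
    """Build an integrity baseline: path -> SHA-256 hex digest of contents.

    `files` is a mapping of path -> bytes. It is constructed in memory here so
    the example runs offline; snapshot_dir() does the same over a real tree.
    """
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def snapshot_dir(root):
    """Baseline over a real directory (assumption: every file is readable)."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(baseline, current):
    """Compare a fresh snapshot against the baseline.

    Returns sorted lists of 'modified', 'added' and 'removed' paths. Any
    non-empty list is the detection signal; the baseline is the secure state
    that the recovery step restores to.
    """
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def is_whole(baseline, current):
    """True only when nothing differs from the baseline."""
    return not any(verify(baseline, current).values())


# Constructed sample: a baseline taken at deployment, and a later scan in which
# sshd_config was altered, an unexpected binary appeared, and a logrotate
# fragment disappeared.
BASELINE_FILES = {
    "etc/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "usr/local/bin/backup.sh": b"#!/bin/sh\ntar czf /srv/backup.tgz /srv/data\n",
    "etc/logrotate.d/app": b"/var/log/app.log { weekly }\n",
}
CURRENT_FILES = {
    "etc/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "usr/local/bin/backup.sh": b"#!/bin/sh\ntar czf /srv/backup.tgz /srv/data\n",
    "usr/local/bin/.helper": b"\x7fELF...",
}

if __name__ == "__main__":
    report = verify(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES))
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind}: {path}")
```

The check is only as trustworthy as the baseline: if an intruder who can alter the monitored files can also rewrite the stored digests, the tool reports a clean system. In practice the baseline is kept off-host or signed, which is why 800-30 lists cryptographic key management among the supporting controls that the detection controls depend on.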
Management security controls focus on the management of information protection policy, guidelines, and standards, which are carried out through operational procedures to fulfill the organization's goals and mission. There are three types of these controls: preventive, detection, and recovery. Preventive controls include assigning security responsibility to ensure adequate security for IT projects, developing and maintaining security plans, implementing personnel security controls, and conducting security awareness and technical training so that end users understand their part in protecting the organization's mission. Detection controls include implementing personnel security controls, conducting periodic reviews of security controls, performing periodic system audits, and conducting ongoing risk assessment. Recovery controls include developing, testing, and maintaining continuity of operations plans and establishing an incident response capability.
Operational security controls, implemented in compliance with a base set of requirements and good industry practices, are used to correct operational shortcomings that could be exploited by potential threat sources. To ensure uniformity in security operations, step-by-step procedures and methods for implementing operational controls must be clearly defined, documented, and maintained. The two types of operational controls are preventive and detection. Preventive controls include controlling data media access and disposal, controlling software viruses, safeguarding the computing facility, providing backup capability, protecting laptops and PCs, protecting IT assets from fire damage, controlling humidity and temperature in IT facilities, providing an emergency power source, and establishing off-site storage procedures. Detection controls include providing physical security and ensuring environmental security.
Since risk management supports the organization's business objectives and mission, it should be integrated into the System Development Life Cycle (SDLC) of IT systems. For a risk management program to succeed, IT-related risks must be evaluated and assessed on an ongoing basis; senior management and the IT team must be involved and committed; users must be aware of and follow the procedures that safeguard the system; and the assessment team must be competent and expert at identifying and assessing risk.