NIST 800-30
NIST 800-30 is the Risk Management Guide for Information Technology Systems, created by the National Institute of Standards and Technology. The document first covers risk assessment, which consists of nine steps: system characterization, threat identification, vulnerability identification, control analysis, likelihood determination, impact analysis, risk determination, control recommendation and results documentation. The guide then covers risk mitigation, and finally evaluation and assessment. These guidelines are the foundation of effective risk management. By following them, organizations will better support their missions, because risk management is essential to protecting an organization's information assets.
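As an added illustration of the risk determination step (not part of the original text), the script below carries a few constructed threat/vulnerability pairs through steps 5 to 7 using the likelihood and impact ratings of the NIST SP 800-30 (2002) risk-level matrix; the sample system and pairs are assumptions made up for the example.

```python
from dataclasses import dataclass

# Rating scales taken from the NIST SP 800-30 (2002) risk-level matrix:
# likelihood High 1.0 / Medium 0.5 / Low 0.1, impact High 100 / Medium 50 / Low 10.
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}


@dataclass
class ThreatVulnPair:
    system: str            # step 1: system characterization
    threat: str            # step 2: threat identification
    vulnerability: str     # step 3: vulnerability identification
    existing_control: str  # step 4: control analysis (feeds the likelihood rating)
    likelihood: str        # step 5: likelihood determination ("low"/"medium"/"high")
    impact: str            # step 6: impact analysis ("low"/"medium"/"high")


def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: risk = likelihood rating x impact rating (SP 800-30 matrix)."""
    return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]


def risk_level(score: float) -> str:
    """SP 800-30 risk scale: Low 1-10, Medium >10-50, High >50-100."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def determine_risks(pairs):
    """Return (pair, score, level) tuples ranked highest risk first,
    which is the order control recommendations (step 8) are prioritized in."""
    rows = [(p, risk_score(p.likelihood, p.impact), risk_level(risk_score(p.likelihood, p.impact)))
            for p in pairs]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample input (hypothetical payroll server, not from the guide).
SAMPLE = [
    ThreatVulnPair("payroll-srv", "unauthorized user", "default admin password", "none", "high", "high"),
    ThreatVulnPair("payroll-srv", "power outage", "single power feed", "UPS in place", "low", "high"),
    ThreatVulnPair("payroll-srv", "malware", "unpatched OS", "monthly patching", "medium", "medium"),
]

if __name__ == "__main__":
    for pair, score, level in determine_risks(SAMPLE):
        print(f"{level:6} {score:5.1f}  {pair.threat} / {pair.vulnerability}")
```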
Security controls are implemented to reduce the risk of loss of an organization's information assets. Security controls prevent, detect and recover from threats. The best approach is to prevent a security breach from occurring in the first place, where possible. Detective controls focus on detecting the threat. Recovery controls act right after a threat is detected and can be used to restore lost computing resources. Every organization should have its own security guidelines.
Security controls are divided into three classes: technical security controls, managerial security controls, and operational security controls. Technical security controls use system hardware and software to protect against threats, including authentication, authorization, access control enforcement, nonrepudiation, protected communications and transaction privacy. Managerial security controls deal with information protection policies, guidelines and standards; for example, a business is provided with guidelines that assure continuity of operations during emergencies or disasters. Operational security controls deal with physical and environmental security; examples are protecting the computers themselves and controlling the humidity and temperature of the computing facility.
These guidelines are very useful for an organization that wants to keep its data safe. Risk management is good practice and supports business objectives and missions. Every organization should follow NIST 800-30 to better secure its assets.