The National Institute of Standards and Technology released a final version of its risk assessment guidelines, Guide for Conducting Risk Assessments.
The guide aims to provide senior leaders and executives with the information they need to understand and make decisions about organizational security risk and information technology infrastructures.
“Risk assessments are an important tool for managers,” said NIST’s Ron Ross, one of the guide’s authors. “With the increasing breadth and depth of cyber attacks on federal information systems and the U.S. critical infrastructure, risk assessments provide important information to guide and inform the selection of appropriate defensive measures so organizations can respond effectively to cyber-related risks.”
The publication focuses exclusively on risk assessment, covering four elements of classic risk assessment: threats, vulnerabilities, impact to missions and business operations, and the likelihood of threat exploitation of vulnerabilities in information systems and their physical environment to cause harm or adverse consequences.
“As the size and complexity of our collective IT infrastructure grows, we cannot protect everything we own or manage to the highest degree,” Ross said. “Risk assessments show us where we are most at risk. It provides a way to decide where managers should focus their attention.”