Last week I noticed NIST put out another draft infosec document that they need comments on. This time the publication that needs to be updated is SP 800-30, Guide for Conducting Risk Assessment, Revision 1. And an update is certainly overdue: NIST released the original version almost 10 years ago, when it was known as the “Risk Management Guide for Information Technology Systems.” This revision narrows the focus of the document to just risk assessment rather than the entire risk management process. As you may know, SP 800-39, Managing Information Security Risk, has taken over those duties.
Over the years we’ve had several posts discussing this key document. @rybolov talked about it way back in 2008, arguing that NIST should not change it. SP 800-30 also made several appearances at the local meetups, including an ISSA DC meeting two years ago. A few months later @rybolov hit on it again in an overview post about NIST’s core publications.
NIST puts these recommendations out and many of us working around DC have to deal with them due to customer requirements. And we spend a lot of time complaining about what they should and shouldn’t be. Instead of complaining, this is our chance … again … to give some feedback.
The National Institute of Standards and Technology unveiled Monday its initial draft of an update to its Guide for Conducting Risk Assessment, Special Publication 800-30, Revision 1.
The update’s focus on risk assessment, one of the four steps in the risk management process, expands from the earlier version of SP 800-30 to include more in-depth information on a variety of factors essential to determining information security risk, such as threat sources and events, vulnerabilities and impact and likelihood of threat occurrence. The draft guidance describes a three-step process that includes key activities to prepare for risk assessments, activities to successfully conduct risk assessments and approaches to maintain the currency of assessment results.
InfosecIsland.com also had a recent article on SP 800-30 that you may want to check out if you’re looking for a different perspective.
Today’s post image is from NetworkArmor.com. See ya!